CN115514691A - SDN inter-domain cooperative forwarding control architecture and method based on block chain - Google Patents

SDN inter-domain cooperative forwarding control architecture and method based on block chain Download PDF

Info

Publication number
CN115514691A
CN115514691A CN202211079285.3A CN202211079285A CN115514691A CN 115514691 A CN115514691 A CN 115514691A CN 202211079285 A CN202211079285 A CN 202211079285A CN 115514691 A CN115514691 A CN 115514691A
Authority
CN
China
Prior art keywords
domain
policy
sdn
strategy
block chain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211079285.3A
Other languages
Chinese (zh)
Other versions
CN115514691B (en
Inventor
马莹莹
常朝稳
苏玉
王兆成
秦晰
韩培胜
沈晓力
黄继海
代署光
刘秋菊
张伟锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of the Chinese People's Liberation Army Cyberspace Force
Zhengzhou Institute of Technology
Original Assignee
Zhengzhou Institute of Technology
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Institute of Technology, Information Engineering University of PLA Strategic Support Force filed Critical Zhengzhou Institute of Technology
Priority to CN202211079285.3A priority Critical patent/CN115514691B/en
Publication of CN115514691A publication Critical patent/CN115514691A/en
Application granted granted Critical
Publication of CN115514691B publication Critical patent/CN115514691B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/02Topology update or discovery
    • H04L45/04Interdomain routing, e.g. hierarchical routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of internet, and particularly relates to a cooperative forwarding control architecture and method between SDN domains based on a block chain, wherein a block chain function node and an SDN controller of each SDN domain are deployed in an SDN domain local server, the block chain function node forms a block chain network in a P2P mode, a block chain global account book is stored in each SDN domain, and a local application program interface is utilized to realize interaction between a block chain-based policy forwarding control application and the controller and the block chain, wherein the policy forwarding control application comprises: the system comprises a domain information manager used for registering and dynamically updating domain information, generating domain information transaction and uploading the domain information transaction to a block chain, a policy manager used for formulating an inter-domain forwarding control policy, generating a policy transaction and uploading the policy transaction to the block chain, and a policy coordination engine used for executing attribute mapping, policy matching and path synthesis by inquiring a local cache and acquiring a global coordination policy. The invention controls the forwarding path of the SDN cross-domain data flow through a strategy facing to the data flow and the path attribute, and realizes the high-efficiency and safe forwarding control between SDN domains by using a block chain.

Description

SDN inter-domain cooperative forwarding control architecture and method based on block chain
Technical Field
The invention belongs to the technical field of internet, and particularly relates to an SDN inter-domain cooperative forwarding control architecture and method based on a block chain.
Background
With the continuous enrichment and development of internet services and applications, user requirements gradually change from simple accessibility to requirements in various aspects such as security, quality of service, traffic engineering and the like, which puts higher requirements on network expression capability and network management and control capability. The SDN is used as a novel network system architecture, has the characteristics of forwarding control separation, logic concentration and open programmability, and provides a good foundation for flexible and efficient network forwarding control. With the wide application of the SDN in the fields of cloud, data center, mobile communication network, internet of things, industrial internet, and the like, how to implement the cross-domain forwarding control of the SDN is an urgent problem to be solved.
Currently, most SDN forwarding control schemes are concentrated in the SDN domain, and few schemes related to the SDN inter-domain forwarding control are provided. In the existing scheme, a policy-based SDN security architecture PbSA has a cross-domain forwarding control function. The PbSA transmits a policy through a policy token on an SDN data plane by defining a security policy paradigm facing to data flow and a path, the policy token is transmitted along with a data packet, and the policy token is uploaded to an SDN controller and combined with the policy of a transmission domain to jointly determine the next forwarding domain of the data packet when the policy token reaches one transmission domain. However, this solution suffers from the following 2 disadvantages: on one hand, when strategy conflict exists between the source domain and the transmission domain, data transmission interruption can be caused; on the other hand, the policy token is forwarded through the data plane, and the policy transfer faces potential safety hazards because a safety technology is not adopted.
The blockchain technology is widely applied to data sharing and access control, but the blockchain technology has not been researched to be used for cross-domain forwarding control of the SDN. Because the research purposes and objects of forwarding control and access control are different, and more importantly, compared with access control, forwarding control has higher sensitivity to time delay and computational overhead, how to reasonably apply a zone chain to SDN inter-domain policy forwarding control needs to be further researched, that is, on the basis of providing security and building trusted service, the influence on data forwarding is kept in a reasonable range, and the influence on data forwarding is reduced as much as possible.
In the research of combining the block chain with the SDN, the architecture thereof differs according to different research targets. In the first category, the blockchain and the SDN are deployed independently and remotely via REST APIs. However, since the two are deployed independently, the remote communication overhead is large, and meanwhile, a security mechanism needs to be introduced to ensure the security of the SDN and the block link point remote communication, the computation and the delay overhead are further increased, so that the method is not suitable for delay sensitive application. In the second category, the block chain nodes communicate through the SDN network infrastructure, i.e., data forwarding between the block chain nodes is centrally controlled by the SDN controller. The disadvantages of this kind of solution are that the block chain nodes are controlled by the SDN controller, the essential property of block chain decentralization is lost, once the SDN controller is attacked successfully, the attacker can control the communication of the whole block chain network, thereby seriously threatening the security and credibility of the block chain service. In the third category, a block chain is deployed to an SDN control plane, and the method is suitable for cross-domain management of the SDN, but no research has been provided for a solution for forwarding control between SDN domains. In summary, for the challenges faced by the SDN inter-domain forwarding control and the deficiencies of the prior art, no good solution exists at present.
Disclosure of Invention
Therefore, the invention provides a cooperative forwarding control architecture and method between SDN domains based on a block chain, which are used for controlling forwarding paths of SDN cross-domain data flows through a strategy from the aspect of safety, realizing physical isolation and channelization management of the forwarding paths of the data flows, realizing efficient and safe forwarding control between the SDN domains by using the block chain, and facilitating actual scene application.
According to the design scheme provided by the invention, an inter-SDN domain cooperative forwarding control architecture based on a block chain is provided, which comprises the following steps: the strategy forwarding control application based on the block chain is characterized in that the block chain function nodes of each SDN domain and an SDN controller are deployed in a local server of the SDN domain, the block chain function nodes form a block chain network in a P2P mode, a block chain global account book is stored in each SDN domain, and interaction between the strategy forwarding control application and the controller and the block chain is achieved through a local application program interface. Wherein the policy forwarding control application comprises: the system comprises a domain information manager for registering and dynamically updating domain information, generating domain information transaction and uploading to a block chain, a policy manager for formulating an inter-domain forwarding control policy and generating policy transaction and uploading to the block chain, and a policy coordination engine for acquiring a global coordination policy by querying a local cache of an SDN controller to execute attribute mapping, policy matching and path synthesis.
As an inter-domain collaborative forwarding control architecture of an SDN based on a block chain, further, a block chain function node performs domain information publishing or updating by using a domain information management intelligent contract, performs policy publishing or updating by using a policy management intelligent contract, performs uplink confirmation on the published or updated domain information or policy information by using a consensus mechanism, writes the confirmed domain information and policy into a book database of each account domain SDN block chain node, and then dynamically synchronizes the domain information and policy information in an intelligent contract account to a local cache of an SDN controller in real time, thereby finally realizing secure and trusted domain information and policy sharing in a distributed inter-domain environment.
Further, based on the above framework, the present invention further provides a method for controlling inter-domain cooperative forwarding in an SDN based on a block chain, which includes the following steps:
uploading domain information and a cross-domain forwarding strategy of each SDN domain to a block chain, issuing or updating the domain information and the cross-domain forwarding strategy by an intelligent contract in the block chain, and synchronizing the issued or updated domain information and the forwarding control strategy to a local cache by using a block chain function node;
aiming at a new data flow received by an entrance switch, by inquiring a flow table, if a matched flow table entry exists, forwarding according to the matched flow table entry, if the matched flow table entry does not exist, uploading a data flow first packet to an SDN controller through a pack-in message, and the SDN baseline controller acquires a global cooperation strategy through interacting with a strategy cooperation engine;
the SDN baseline controller combines a network view of a full-local level according to the obtained global cooperative strategy and obtains a domain-level forwarding path meeting the global strategy constraint through inter-domain path calculation; and distributing the path segments to the forwarding domain controller by utilizing east-west directional interfaces among the SDN controllers, and issuing a flow table entry by each SDN controller according to the path segments to realize cross-domain forwarding control.
As the inter-domain collaborative forwarding control method for the SDN based on the block chain, further, in the release or update of domain information and cross-domain forwarding strategies by the block chain, domain information of each SDN domain is generated into domain information transaction and uploaded to the block chain through a signature; the cross-domain forwarding strategy of each domain is encapsulated into strategy transaction and uploaded to the block chain through a signature; and the block chain signature checking transaction realizes the release and update of the domain information or the forwarding control strategy by calling a domain information management contract or a strategy management contract, and dynamically synchronizes the domain information in the intelligent contract and the forwarding control strategy in the strategy management contract to a local cache in real time by utilizing a block chain function node.
As the inter-SDN domain collaborative forwarding control method based on the block chain of the present invention, further, the domain information uploaded to each SDN domain on the block chain at least includes: entity attribute information and an identifier mapping relationship, wherein the entity attribute information comprises: the domain, user and device information in the domain, the identification mapping relation comprises: and the mapping relation among the IP address, the user identification and the equipment identification.
As the inter-SDN domain collaborative forwarding control method based on the blockchain, further, a cross-domain forwarding policy uploaded to each SDN domain on the blockchain is represented by a tuple, and a specific paradigm is represented as: policy = < domID, policyID, policyType, srcAP, dstAP, servAP, path, action >, wherein domID represents a domain identifier for making a policy, policyID represents an identifier of the policy in the domain, policyType represents a policy type, the policy type is divided into an originating policy for restricting originating data flow of the domain and a bearer policy for filtering data flow from other domains, srcAP represents an originating attribute constraint for data flow, dstAP represents a destination attribute constraint for data flow, servAP represents a network service attribute constraint for data flow, path represents a Path constraint for data flow, and action represents a forwarding action on a policy constraint Path for data flow satisfying the policy constraint.
As the inter-domain collaborative forwarding control method for the SDN based on the block chain, further, in the step of acquiring the global collaborative policy by interacting the SDN baseline controller with the policy collaborative engine, first, a critical field of a header of a data packet is acquired by analyzing a flow policy request, and a domain information in a local cache of the SDN controller is queried to map a data flow network identifier and a service attribute; then, reading a policy set in a local cache of the SDN controller according to the data stream attribute, and obtaining a matching policy set through policy matching; and finally, acquiring a global cooperative strategy with global path constraint by performing path synthesis on the matching strategy set.
As the inter-domain collaborative forwarding control method for the SDN based on the block chain, when mapping the data flow network identifier and the service attribute, the source IP, the destination IP, and the port number or the protocol type are read according to the key field of the header of the data packet; acquiring attribute name value pair sets of a source domain, a source user and source equipment according to a source IP to form a source attribute of a data stream; acquiring attribute name value pair sets of a destination domain, a destination user and destination equipment according to a destination IP to form a destination attribute of the data stream; acquiring network service attributes according to port numbers or protocol types; combining the source attribute, the destination attribute and the network service attribute to form a service attribute set of the data stream, and generating a corresponding stream identifier according to a key field of the data stream; and the mapping between the data stream network identifier and the service attribute is completed by combining the stream identifier and the service attribute set.
As the inter-domain collaborative forwarding control method for the SDN based on the block chain, further, when a matching policy set is obtained through policy matching, first, a sourcing policy of a source domain is obtained according to a source domain identifier of a data stream and a bearer policy of each domain is obtained according to a policy type, and the sourcing policy and the bearer policy constitute a relevant policy set; then, for each strategy in the relevant strategy set, if the attribute set of the data stream meets all attribute predicate constraints in the strategy, the corresponding strategy is used as a matching strategy, otherwise, the next strategy is traversed until all strategies in the relevant strategy set are traversed, and then the matching strategy set is obtained.
As the SDN inter-domain cooperative forwarding control method based on the block chain in the present invention, further, when performing path synthesis, a global cooperative policy with global path constraints is obtained by matching policy types, path constraints, and actions in a policy set, where the global cooperative policy is obtained by matching policy types, path constraints, and actions in the policy set, and specifically includes the following situations: for each source policy in the matching policy set, if the action is forward, writing the path constraint into the flow path constraint, and if the action is drop, writing the flow path constraint after negating the path constraint; for each bearer policy in the matching policy set, if the path constraint is not null, violating the convention, reporting an error, if the path constraint is null and the action is drop, negating the corresponding domain identifier and writing the corresponding domain identifier into the flow path constraint, and if the path constraint is null and the action is forward, not affecting data forwarding until all bearer policies are traversed; finally, the joint flow identifier, flow path constraints and action forward constitute a global collaborative policy with global path constraints.
The invention has the beneficial effects that:
the invention ensures the friendliness of cross-domain policy control by using the policy paradigm which is defined from the service level and faces the data flow and the path attribute, and avoids unnecessary interference brought to the policy control by the ambiguity and the dynamic property of the IP address; the inter-domain strategy sharing and strategy cooperation of the SDN are utilized to solve the problems of inter-domain strategy agnostic and strategy conflict; the block chain technology provides security and credibility services for SDN inter-domain policy forwarding control, and the method has a good application prospect.
Description of the drawings:
fig. 1 is a schematic diagram of an inter-SDN domain cooperative forwarding control architecture in an embodiment;
fig. 2 is a schematic diagram of a working principle of an inter-SDN domain cooperative forwarding control architecture in the embodiment;
fig. 3 is a schematic diagram of a cooperative forwarding control flow between SDN domains in the embodiment;
fig. 4 is a format schematic of the transaction message in the embodiment.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
As early as in Ethane, SDN, data forwarding is controlled based on custom policies. Currently, a consensus is reached for implementing SDN forwarding control based on policies. However, in policy-based SDN inter-domain forwarding control, the following challenges are faced: (1) what inter-domain policy paradigm is defined; (2) How to solve the cross-domain strategy unknown problem and the strategy conflict problem; (3) How to implement secure trusted policy forwarding control in a distributed untrusted environment. (4) how to cope with the latency sensitivity of forwarding control. An embodiment of the present invention, as shown in fig. 1, provides an inter-SDN domain cooperative forwarding control architecture based on a block chain, including: the strategy forwarding control application based on the block chain is characterized in that a block chain function node and an SDN controller of each SDN domain are deployed in an SDN domain local server, the block chain function node forms a block chain network in a P2P mode, a block chain global account book is stored in each SDN domain, and interaction between the strategy forwarding control application and the controller and between the strategy forwarding control application and the block chain is realized by utilizing a local application program interface, wherein the strategy forwarding control application comprises: the system comprises a domain information manager used for registering and dynamically updating domain information, generating domain information transaction and uploading the domain information transaction to a block chain, a policy manager used for formulating an inter-domain forwarding control policy, generating a policy transaction and uploading the policy transaction to the block chain, and a policy cooperation engine used for executing attribute mapping, policy matching and path synthesis by inquiring a local cache and acquiring a global cooperation policy.
In the architecture shown in fig. 1, both the blockchain node function and the SDN controller of each domain are deployed in a local server in the SDN domain, and the policy forwarding control application based on the blockchain interacts with the controller and the blockchain through a local application program interface. The blockchain function nodes of each domain are used as accounting nodes of the blockchain, and a blockchain network is formed in a P2P mode, so that a blockchain global account book is stored in each SDN domain. By synchronizing the blockchain account data into the local cache of the SDN controller, the block chain-based policy forwarding control application locally extended by the SDN controller can quickly read the credible global shared data. Because network topology information is needed for realizing forwarding control, the east-west bridge WE-bridge of each domain positioned at a network system layer safely and quickly exchanges inter-domain network views through Json files in a full mesh connection mode based on an SSL protocol, so that a network view at a full local level is provided for each domain. And each domain controller can dynamically acquire the global network view between the SDN domains in real time through the east-west bridge WE-bridge. The control functions of the SDN domains are safe and credible, namely an SDN network operating system related to SDN control, a block chain-based policy forwarding control application and an east-west Bridge WE-Bridge component are safe and credible.
The BPCF-SDNs ensure the authenticable and the integrity of uploading domain information and strategy information of each SDN domain based on a transaction signature mechanism; automatic and transparent domain information and strategy release and update are realized through an intelligent contract technology; based on an account state mechanism, the latest state of the global area information and the strategy is ensured to be stored in the current block, the latest state is prevented from being obtained by traversing the whole block chain in the UTXO mode, and the data retrieval rate is improved; based on a consensus mechanism of PBFT (Practical Byzantine Fault-tolerant algorithm), the credibility of cross-domain shared data can be effectively ensured; and finally, based on block chain type storage, the difficult tampering and traceability of domain information and strategies are guaranteed, and safe and credible SDN domain information and strategy sharing is finally realized.
In the embodiment of the present disclosure, referring to fig. 2, the policy-based SDN inter-domain forwarding control is divided into three layers of logic, namely, policy, routing and forwarding. First, a policy should be management friendly as a high level logic. That is, the network administrator is interested in a certain type of data flow at the service level, not a certain data flow at the network level. On the other hand, it is considered that the IP address cannot intuitively express the business logic, and has dynamic variability. If the strategy uses the IP address to identify the data flow, the friendliness of strategy management and control is necessarily influenced, and the strategy of an application layer needs to be dynamically configured along with the IP address, so that the complexity and the error rate of strategy configuration are increased unnecessarily. Therefore, a policy paradigm facing data flow and path attributes is designed from a service level, the friendliness of cross-domain policy control is ensured, and unnecessary interference brought to policy control by the ambiguity and the dynamic property of the IP address is avoided. Secondly, because each management domain independently makes a forwarding control strategy, the transmission domain does not know the strategy constraint of the originating domain in the data stream transmission process, and thus the data stream cannot be forwarded according to the strategy constraint of the originating domain. Therefore, in the embodiment of the scheme, the problem of agnostic cross-domain strategy is solved through strategy sharing. Similarly, since the originating domain does not know the filtering rule of the transmission domain on the service flow, the data transmission may be interrupted due to the conflict between the bearer policy and the originating policy, and in this embodiment, the policy conflict is cooperatively solved through the policy. Namely, the premise of implementing cross-domain policy management and control in the embodiment of the present disclosure is to implement SDN inter-domain policy sharing and policy coordination. Thirdly, because the inter-domain communication environment lacks security and credibility, how to ensure the security and credibility of the SDN inter-domain policy sharing and collaboration is a difficult problem. The block chain technology is used as a distributed book technology for deeply fusing multiple technologies such as a P2P network, cryptography, an intelligent contract, a consensus mechanism and the like, and can provide automatic, transparent, safe and credible data sharing service in a distributed untrusted environment. Therefore, in the embodiment of the present disclosure, a block chaining technology is applied to provide security and credibility services for SDN inter-domain policy forwarding control. Fourth, forwarding control has delay sensitivity, and a large amount of computation and delay overhead are introduced by using a block chain technology, so in the implementation example of the present embodiment, a physically centralized and logically isolated architecture is designed, a block chain node function is deployed on a local controller, so that an SDN can safely and efficiently exchange data with a block chain, and meanwhile, a forwarding control function is separated from a block chain-based data sharing function, and forwarding control based on policy coordination is locally executed on the controller, thereby avoiding introducing excessive delay while ensuring security.
Further, based on the above architecture, an embodiment of the present invention further provides a method for controlling inter-SDN domain cooperative forwarding based on a block chain, where the method includes the following steps:
uploading domain information and a cross-domain forwarding strategy of each SDN domain to a block chain, issuing or updating the domain information and the cross-domain forwarding strategy by an intelligent contract in the block chain, and synchronizing the issued or updated domain information and the forwarding control strategy to a local cache by using a block chain function node;
aiming at a new data flow received by an entrance switch, forwarding according to a matching flow table item if the matching flow table item exists by inquiring the flow table, uploading a data flow first packet to an SDN controller if the matching flow table item does not exist, and interacting the SDN baseline controller with a policy coordination engine in a policy forwarding control application expanded by the controller to acquire a global coordination policy;
the SDN base line controller combines a network view of a global level according to the obtained global cooperation strategy, and obtains a domain level forwarding path meeting the global strategy constraint through inter-domain path calculation; and distributing inter-domain path segments to the forwarding domain controllers by using east-west directional interfaces among the SDN controllers, and issuing flow table entries by each domain SDN controller according to the inter-domain path segments to finally realize cross-domain forwarding control.
Referring to fig. 3, the cooperative forwarding control flow can be divided into the following three stages:
(1) And an information sharing stage: the domain information manager of each domain generates domain information transaction and signature according to the attribute information of entities such as domains, users and equipment in the domain and the mapping relation between the IP address and the user identification and the equipment identification, and uploads the domain information transaction and signature to the block chain; and carrying out check-signing transaction on the blockchain and realizing domain information release or update by calling a domain information management intelligent contract. The strategy manager of each domain formulates a cross-domain forwarding control strategy, packages the strategy into strategy transaction and signs, uploads the strategy transaction to a block chain, checks the sign transaction of the block chain, and realizes strategy release or update by calling a strategy management intelligent contract. Each domain blockchain function node dynamically synchronizes domain information in the domain information management contract account and policies in the policy management contract account to a local cache of the SDN controller. Therefore, the SDN domain information and strategy sharing which is safe and reliable is achieved in the information sharing stage.
(2) Strategy cooperation stage: when the new flow reaches the inlet switch, the inlet switch inquires the flow table, and if a matching flow table entry exists, the new flow is forwarded according to the matching flow table entry; and if the data stream does not exist, uploading the data stream head packet to the controller through the pack-in message. The SDN baseline controller uploads a flow strategy request containing a cross-domain data flow head packet to a strategy cooperation engine of a strategy forwarding control application through a flow strategy requester. The strategy cooperation engine executes attribute mapping, strategy matching and path synthesis by inquiring local cache data to obtain a global cooperation strategy. And the strategy cooperation engine issues the global cooperation strategy of the data flow to the SDN baseline controller.
(3) A path generation stage: and the controller receives the global cooperative strategy and delivers the global cooperative strategy to the inter-domain path calculation component. The inter-domain path calculation component is combined with a full-local-level network view provided by the WE-bridge component to calculate a domain-level forwarding path meeting the constraint of the global cooperative strategy, path segments are distributed to controllers of the forwarding domain through east-west interfaces among the controllers, and each SDN domain controller issues a flow table item according to the path segments, so that cross-domain strategy-oriented forwarding control is realized.
Further, the domain information uploaded to each SDN domain on the blockchain at least includes: entity attribute information and an identifier mapping relationship, wherein the entity attribute information comprises: the domain, user and device information in the domain, the identification mapping relation comprises: and the mapping relation among the IP address, the user identification and the equipment identification.
In the forwarding strategy making process in the embodiment of the present disclosure, a strategy paradigm is obtained by:
describing an Attribute Attribute as a variable with a certain data type and Value range, abstractable as < attr, value >, where attr denotes the Attribute name, value denotes the Value range of the Attribute, value = { Value = { (Value) 1 ,value 2 ,...,value x I.e. each attribute has its own attribute name and corresponding value range. Attributes in embodiments of the present disclosure are used to describe data flows and paths. The attribute categories include domain, user, device, service. Wherein,
the domain attribute is as follows: including a domain identifier, a network address, an ingress or egress gateway identification for the domain, a domain type (e.g., business domain, government domain) or a socially legal name for the domain, a security level for the domain, a trust level for the domain, etc.;
the user attribute is as follows: having user identifiers, units, departments, levels, etc. to which the user belongs;
the device attribute is as follows: including device identifier, MAC address, device location, department affiliated, privacy level, etc.;
service attribute: the policy is a policy that is specified by a service identifier, a protocol, a port number, a service type, etc., and the message type or the service type targeted by the policy is specified by the protocol, the port number or a custom service type.
The attribute name value pair avp is used for representing a concrete value of an attribute, and can be abstracted to binary < attr, value > -to represent attr = value. The collection of attribute-name-value pairs may be represented by AVP. The embodiment of the present disclosure describes attributes of a domain, a user, a device, and a service using a set of attribute name value pairs, which is shown in table 1 in detail.
TABLE 1 Attribute name-value pair Table
Figure BDA0003833070510000071
Figure BDA0003833070510000081
For example, domAVP { < domID,001>, < dom _ net,202.20.2.0/24>, < dom _ type, EDU >, < dom _ sl,3>, < dom _ tl =2> } indicates that the subnet address of the 001 field is 202.20.2.0/24, which belongs to the organization of education type, and the security level of the field is 3 and the trust level is 2.
usernavp { < userID,00001>, < user _ org, organization a >, < user _ prepare, depalmentb >, < user _ type, manager >, < user _ tl,2> } indicates that the user identified as "00001" is "depalmentb" from "organization na" and has the role of "manager" and the trust level of "2" level.
devAVP { < devID,00001>, < dev _ MAC,4f 3 e.
servAVP = { < servID,0001>, < serv _ type, vedioconferencing > < ser _ protocol, SIP >, < ser _ dport,5060> } indicates that the type of the network service with the service identifier of "0001" is "vedioconferencing", the used protocol is "SIP", and the corresponding port number is "5060".
servAVP { < servID,0002>, < serv _ type, dual 11>, < ser _ protocol, https >, < ser _ dport,443> } indicates that the network service with service identification "0002" is "dual 11", the protocol used is "https", and the corresponding port number is "443".
In the embodiment of the present disclosure, a data stream (dataflow) can be abstracted into a seven-tuple < SrcDom, srcsuser, srcdv, destDom, destUser, destDev, serv >, i.e., a dataflow is represented by a set of attributes of a source domain, a source user, a source device, a destination domain, a destination user, a destination device, and a network service of the dataflow.
The source attribute of a data stream may be composed of a set of attribute name value pairs of its source domain, source user, and source device, and may be formally expressed as: srcvavp = { srcdomAVP, srreuseravp, srcdavp }.
The destination attribute of a data stream may be formed by a set of attribute name value pairs of a destination domain, a destination user and a destination device, and is formally expressed as: dstAVP = { dstdomAVP, dstuserAVP, dstdevAVP }.
Thus, one data stream may be represented as dataslow = srcvavpudstavvpuservavp.
The attribute predicate ap is used for limiting the value range of the attribute, and ap can be abstracted to a triple < attr,. Varies, value >, wherein. Varies belongs to { =, <, ≦ >, > or not, in, not in, and between }. In this case, the attribute predicates are used as attribute constraints in the policy paradigm.
The attribute predicate evaluation refers to a given attribute name-value pair avp and an attribute predicate ap, the evaluation result of the ap on the avp is true, and only if the attribute names of the two are the same and the attribute value in the avp belongs to a value range limited by the ap, the evaluation result can be formally defined as:
Figure BDA0003833070510000093
the forwarding control strategy paradigm facing data flow and path attributes can be designed as follows:
policy=<domID,policyID,policyType,SrcAP,DstAP,ServAP,Path,action>
wherein, domID: a domain identifier indicating that the policy is formulated; policyID: the identification of the policy in the domain is represented, and the combination of domID and policyID can uniquely indicate one policy in a multi-domain environment; policyType: the strategy type is represented, the strategy is divided into 2 types, and policyType = SOURCE represents the SOURCE sending strategySlightly, for restricting the data flow originated in the local domain, policyType = TRANSFER represents the bearer policy for filtering the data flow from other domains; srcAP: expressing the source attribute constraint of the data stream, and comprising a source domain attribute predicate, a source user predicate constraint and a source equipment attribute predicate through logical conjunction, namely
Figure BDA0003833070510000091
DstAP: expressing the destination attribute constraint of the data stream, and comprising destination domain attribute predicate, destination user attribute predicate and destination equipment attribute predicate through logical conjunction, namely
Figure BDA0003833070510000092
SerVap: expressing the service attribute constraint of data flow, and forming by logical conjunction of attribute predicates such as protocol, port number or self-defined service type, i.e. servAP = ServAP 1 ∧servap 2 ,...∧servap g (ii) a And (4) Path: representing Path constraints on data flows, and comprising logical conjunction of attribute predicates such as security level, trust level or domain identification of a transmission domain, namely Path = Path 1 ∧pathap 2 ∧...∧pathap p A security level, a trust level, or a domain that must or cannot be traversed by the data stream that may be used by the source domain to define the domain that transports the originating data stream; action represents the forwarding action on the policy constraint path for the data flow meeting the policy constraint, including drop and forward.
The policy type, path constraints, and action union may determine a forwarding path decision for a data flow, as shown in table 2. In this embodiment, the source domain of the appointed data stream may define a forwarding path of the originating data stream, and the transmission domain may not define a forwarding path of the originating data stream of other domains, but has a right to determine whether to carry the data stream, that is, has a right to determine to receive and forward the data stream or discard the data stream.
Table 2 forwarding control implications for policy
Figure BDA0003833070510000101
One data stream is matched with one strategy and only if for each attribute predicate in the strategy, the value of the attribute name value pair corresponding to the data stream belongs to the value range of the attribute predicate, and the formalized expression is as follows:
Figure BDA0003833070510000102
the embodiment of the scheme comprises domain information transaction and policy transaction, wherein the transaction format is shown in fig. 4, in a general transaction format (a), an ID represents a transaction identifier; PK represents a public key of a block chain account of each domain, a policy forwarding control application of each SDN domain has a public and private key pair, the public key is used as a unique identifier of the external account on the block chain, and the private key is used for signing a transaction uploaded to the block chain by the external account; txType: a type of transaction; txData: transaction data; tp represents a timestamp of the transaction release; sign is the signature of the transaction initiating account to the transaction; the domain information transaction format is shown as (b), the transaction data is DomInf, the DomInf is stored in a key-value pair form and comprises a domain identifier, a set of mapping relations between IP addresses in the SDN domain and user identifiers and device identifiers, and a set of attribute name-value pairs of the domain, the user and the device, and the formal representation of the set is shown as (d); the policy transaction format is shown in (c), the transaction data is PolicySet, which is stored in a key-value pair form and includes a domain identifier and an originating policy set and a bearer policy set formulated by the SDN domain, and the formal representation is shown in (e).
The domain information management intelligent Contract DIM Contract realizes domain information release or update through a domain information release DomInfPublish interface, and can be designed as shown in an algorithm 1. The domain information transaction domInfTx calls a domInfPublish interface to write the mapping relation between the IP address in the domInf and the entity and the attribute information of the entity into the DIM Contract account by taking domID as an index. And the block chain function node of each domain synchronizes the data in the DIM Contract account into a local cache of the SDN controller, and the local cache is recorded as DomInfDB.
Figure BDA0003833070510000111
The policy management Contract PM context implements policy publishing and updating through PolicyPublish interface, which may be designed as shown in algorithm 2. Policy transaction PolicyTx writes the policy in PolicySet into the PM conteract account by field identification and policy type by calling PolicyPublish interface. And the block chain function node of each domain synchronizes the data in the PM Contract account to a local cache of the SDN controller, and the cache is recorded as PolicyDB.
Figure BDA0003833070510000112
Further, in the embodiment of the present disclosure, in acquiring a global cooperative policy by interacting an SDN baseline controller with a policy cooperation engine, first, a critical field of a header of a data packet is acquired by parsing a flow policy request, and a data flow network identifier and a service attribute are mapped by querying a DomInfDB in a local cache of the SDN controller; then, performing policy matching on policyDB in a local cache of the SDN controller according to the data flow attribute to obtain a matching policy set; and finally, performing path synthesis on the matching strategy set to obtain a global cooperative strategy of global path constraint.
When a new flow arrives, the policy coordination engine is triggered to execute the policy coordination algorithm, which can be designed as shown in algorithm 3. The policy coordination algorithm policycollaparate () is implemented by 3 functional steps of attribute mapping AttibuteMap (), policy matching PolicyMatch () and path synthesis pathsynthesis () as follows:
(1) Acquiring the header of a data flow header packet by analyzing flowPolicyRequest, and mapping attributes corresponding to the data flow, namely mapAttributeMap (lines 1-2), according to a network identification field in the header;
(2) PolicyMatch () executes policy matching according to the data stream attributes to obtain all policies that constrain the data stream, namely a matching policy set matchPolicySet (line 3);
(3) Pathsynthesis () performs path synthesis on the matching policy set, returning the global path constraints (lines 4-5) for the data stream.
Figure BDA0003833070510000113
Figure BDA0003833070510000121
Further, when mapping the data stream network identifier and the service attribute, reading a source IP, a destination IP and a port number or a protocol type according to a key field of a data packet header; acquiring attribute name value pair sets of a source domain, a source user and source equipment according to a source IP (Internet protocol), and forming source attributes of a data stream; acquiring attribute name value pair sets of a destination domain, a destination user and destination equipment according to a destination IP (Internet protocol), and forming destination attributes of the data stream; taking the port number or the protocol type as a service identifier, and acquiring the network service attribute according to the port number or the protocol type; combining the source attribute, the destination attribute and the network service attribute to form a service attribute set of the data stream, and generating a corresponding stream identifier according to the key field of the data stream; the mapping between the data stream network identity and the service attributes is done by combining the stream identity with the set of service attributes.
And the attribute mapping function AttributeMap () maps the data stream attributes according to the key fields of the data stream head packet. The method is to inquire DomInfDB, firstly mapping corresponding identification according to the key field of the data packet header, then mapping corresponding attribute according to the identification, and finally combining the attributes to form the data stream attribute. AttributeMap () can be designed as shown in Algorithm 4:
(1) Reading a source ip, and acquiring an attribute name value pair set of a source domain, a source user and source equipment from the DomInfDB according to the source ip to form a source attribute (lines 2-4) of a data stream;
(2) Reading a destination ip, and acquiring attribute name value pair sets of a destination domain, a destination user and destination equipment from the DomInfDB according to the destination ip to form a destination attribute (lines 5-7) of the data stream;
(3) Reading a port number or a protocol type as a service identifier, reading the port number by using the port number, reading the protocol type by using an un-port number, and acquiring a set of attribute name value pairs of the network service from the DomInfDB according to the port number or the protocol type (lines 8-9);
(4) Combining the originating attribute, the destination attribute and the network service attribute to form an attribute set FlowAttr set (line 10) corresponding to the data flow;
(5) Generating a corresponding flow identifier FlowSN (line 11) according to a key field of the data flow packet header;
(6) The stream identification is joined with the stream attribute set and returned as the attribute mapping function result (lines 12-13).
Figure BDA0003833070510000122
Figure BDA0003833070510000131
Further, in this embodiment, when a matching policy set is obtained through policy matching, first, a sourcing policy is obtained according to a source domain identifier of a data stream, a bearer policy of each domain is obtained according to a policy type, and the sourcing policy and the bearer policy form a relevant policy set; then, for each strategy in the relevant strategy set, if the attribute set of the data stream meets all attribute predicate constraints in the strategy, the corresponding strategy is used as a matching strategy, otherwise, the next strategy is traversed until all strategies in the relevant strategy set are traversed, and then a matching strategy set is obtained.
The policy matching executes policy matching according to the data flow attribute to obtain a policy set that constrains the data flow forwarding path, and it can be designed as shown in algorithm 5, and the policy match () algorithm flow is as follows:
(1) Initializing a data flow attribute set flowAVP as an attribute set of a flow requesting to forward, wherein an attribute matching mark is 0, and a source policy set src policy set, a bearer policy set transferpolicy set, a relevant policy set relevantpolicy set and a matching policy set matchpolicy set are all null (line 1);
(2) Reading the originating policy (line 2) of the domain from the policyDB according to the source domain identification of the data stream;
(3) Reading the load-bearing strategy (line 3) of each domain from the policyDB according to the strategy type TRANSFER;
(4) The originating policy and the bearer policy form a related policy set (line 4);
(5) For each policy in the relevant policy set, if the data stream attribute set meets all attribute predicate constraints of the policy, the policy is a matching policy; otherwise, traversing the next strategy until all the strategies are traversed. (lines 5-11)
(6) The matching policy set (line 12) is returned.
Figure BDA0003833070510000132
Further, in the embodiment of the present disclosure, performing path synthesis, and obtaining a global cooperative policy of global path constraints by matching policy types, path constraints, and actions in a policy set, where the obtaining of the global cooperative policy by matching policy types, path constraints, and actions in the policy set specifically includes the following situations: for each source policy in the matching policy set, if the action is forward, writing the path constraint into the flow path constraint, and if the action is drop, writing the flow path constraint after negating the path constraint; for each bearer policy in the matching policy set, if the path constraint is not null, violating the convention, reporting an error, if the path constraint is null and the action is drop, negating the corresponding domain identifier and writing the reversed domain identifier into the flow path constraint, and if the path constraint is null and the action is forward, not affecting data forwarding until all bearer policies are traversed; finally, the joint flow identifier, flow path constraints and action forward constitute a global collaborative policy with global path constraints.
The path synthesis algorithm performs path constraint synthesis on the matching policy set of the stream to obtain global path constraint, and may be designed as shown in algorithm 6, where the pathsynthesis () algorithm flow is as follows:
(1) Initializing a path constraint flowPath of the flow as a complete set, a path variable path and an action variable action as null, and a global cooperative policy collaborative policy as null (line 1);
(2) For each source policy in the matching policy set, writing the path constraint into the flow path constraint if the action is forward, and writing the path constraint into the flow path constraint after negating the path constraint if the action is drop (line 2-4, lines 5-13);
(3) For each bearing strategy in the matching strategy set, if the constraint is not null, the convention is violated, and an error is reported; if the path constraint is empty and the action is drop, the domain identification is written into the path constraint in an negation mode; if the path constraint is empty and the action is forward, then data forwarding is not affected (lines 2-4, lines 14-25);
(4) Join flow identifier, flow path constraints and forward actions as a global cooperative policy and return (lines 31-32).
Figure BDA0003833070510000141
Figure BDA0003833070510000151
In the embodiment of the scheme, the fine-grained control can be performed on the data stream forwarding path from the service management perspective based on the attribute rather than the forwarding control strategy paradigm of the IP; the method based on the attribute provides uniform and flexible expression capability for the SDN cross-domain forwarding strategy; domain information and strategy sharing based on a block chain is realized, the problem of agnostic cross-domain strategy is solved, the safety and the credibility of strategy transmission in a distributed non-trust environment are ensured, cross-domain forwarding control based on a global cooperation strategy is realized innovatively, and the problem of cross-domain strategy conflict is eliminated; the method has the advantages that a physically centralized and logically isolated architecture is realized, and the functions of block chain nodes are deployed on a local controller, so that the SDN can safely and efficiently exchange data with the block chains; by means of a function model combining on-chain and under-chain, forwarding control and a block chain are separated, strategy cooperation is executed on a local controller, strategy cooperation based on trusted data is achieved, excessive delay and complex calculation brought to data stream forwarding by the strategy cooperation executed on the chain are avoided, and deployment and implementation are facilitated.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: those skilled in the art can still make modifications or changes to the embodiments described in the foregoing embodiments, or make equivalent substitutions for some features, within the scope of the disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An inter-SDN domain cooperative forwarding control architecture based on a blockchain, comprising: the strategy forwarding control application based on the block chain is characterized in that the block chain function nodes of each SDN domain and an SDN controller are deployed in a local server of the SDN domain, the block chain function nodes form a block chain network in a P2P mode, a block chain global account book is stored in each SDN domain, and the interaction between the strategy forwarding control application and the controller and the block chain is realized by utilizing a local application program interface, wherein the strategy forwarding control application comprises the following steps: the system comprises a domain information manager used for registering and dynamically updating domain information, generating domain information transaction and uploading the domain information transaction to a block chain, a policy manager used for formulating an inter-domain forwarding control policy, generating a policy transaction and uploading the policy transaction to the block chain, and a policy cooperation engine used for executing attribute mapping, policy matching and path synthesis by inquiring a local cache and acquiring a global cooperation policy.
2. The inter-domain collaborative forwarding control architecture for SDNs based on blockchains according to claim 1, wherein the blockchain function nodes utilize a consensus mechanism to perform uplink acknowledgement on published or updated domain information or policy information, write the uplink acknowledgement into an account book database of each SDN domain blockchain node, and dynamically synchronize the domain information and policy information of an intelligent contract account in the consensus mechanism to a local cache of the SDN controller in real time.
3. An SDN inter-domain cooperative forwarding control method based on a block chain, characterized in that, based on the architecture implementation of claim 1, the method comprises the following steps:
uploading domain information and a cross-domain forwarding strategy of each SDN domain to a block chain, issuing or updating the domain information and the cross-domain forwarding strategy by an intelligent contract in the block chain, and synchronizing the issued or updated domain information and the forwarding control strategy to a local cache of an SDN controller by using a block chain function node;
for a new data flow received by an entrance switch, forwarding according to a flow rule by inquiring a flow table if a matched flow table entry exists, uploading a data flow first packet to an SDN controller if the flow table entry does not exist, and interacting the SDN baseline controller and a strategy coordination engine to acquire a global coordination strategy;
the SDN baseline controller combines a network view of a full-local level according to the obtained global cooperative strategy and obtains a domain-level forwarding path meeting the global strategy constraint through inter-domain path calculation; and distributing the path segments to the forwarding domain controller by utilizing east-west directional interfaces among the SDN controllers, and issuing a flow table entry by each SDN controller according to the path segments to realize cross-domain forwarding control.
4. The inter-domain collaborative forwarding control method for the SDN based on the block chain according to claim 3, wherein in the issuing or updating of the domain information and the cross-domain forwarding policy by the block chain, the domain information of each SDN domain is generated into a domain information transaction, which is signed and then uploaded to the block chain, the block chain verifies the signature of the domain information transaction, if the domain information transaction is verified, a domain information management intelligent contract is invoked to implement the issuing and updating of the domain information, and the domain information in the domain information management intelligent contract account is synchronized to a local cache of the SDN controller by using a function node of the block chain; the cross-domain forwarding strategies of the SDN domains are packaged into strategy transactions, the strategy transactions are uploaded to a block chain after signature, the signature of the strategy transactions is verified by the block chain, the strategy management contract is called to realize the release and the update of the forwarding control strategies when the strategy transactions are verified, and the forwarding control strategies in the intelligent contract account for strategy management are synchronized to the local cache of the SDN controller by using the block chain function nodes.
5. The inter-domain collaborative forwarding control method for SDNs based on a blockchain according to claim 3 or 4, wherein the domain information uploaded to each SDN domain on the blockchain at least includes: entity attribute information and an identifier mapping relationship, wherein the entity attribute information comprises: the mapping relation of the domain, the user and the equipment information in the domain comprises the following steps: and the mapping relation among the IP address, the user identification and the equipment identification.
6. The inter-domain collaborative forwarding control method for SDNs based on a blockchain according to claim 3 or 4, wherein the cross-domain forwarding policy uploaded to each SDN domain on the blockchain is represented by a tuple, and a specific paradigm is represented as:
policy = < domID, policyID, policyType, srcAP, dstAP, servAP, path, action >, wherein domID represents a domain identifier for making a policy, policyID represents an identifier of the policy in the domain, policyType represents a policy type, the policy type is divided into an originating policy for restricting originating data flow of the domain and a bearer policy for filtering data flow from other domains, srcAP represents an originating attribute constraint for data flow, dstAP represents a destination attribute constraint for data flow, servAP represents a network service attribute constraint for data flow, path represents a Path constraint for data flow, and action represents a forwarding action on a policy constraint Path for data flow satisfying the policy constraint.
7. The method of claim 3, wherein in acquiring the global coordination policy by interaction between the SDN baseline controller and the policy coordination engine, a key field of a packet header is acquired by parsing a stream policy request, and a data stream network identifier is mapped with a service attribute by querying locally cached domain information; then, reading a strategy set of the local cache according to the data stream attribute, and obtaining a matching strategy set through strategy matching; and finally, performing path synthesis on the matching strategy set to obtain a global cooperative strategy of global path constraint.
8. The inter-domain collaborative forwarding control method for SDN based on a blockchain according to claim 7, wherein when mapping a data flow network identifier and a service attribute, a source IP, a destination IP, and a port number or a protocol type are read according to a key field of a header of a data packet; acquiring attribute name value pair sets of a source domain, a source user and source equipment according to a source IP (Internet protocol), and forming source attributes of a data stream; acquiring attribute name value pair sets of a destination domain, a destination user and destination equipment according to a destination IP (Internet protocol), and forming a destination attribute of the data stream; acquiring a network service attribute value pair set according to the port number or the protocol type, and using the network service attribute value pair set as the network service attribute of the data stream; combining the source attribute, the destination attribute and the network service attribute to form a service attribute set of the data stream, and generating a corresponding stream identifier according to a key field at the head part of the data stream; and the mapping between the data stream network identifier and the service attribute is completed by combining the stream identifier and the service attribute set.
9. The inter-domain collaborative forwarding control method for SDN based on a block chain according to claim 7, wherein when obtaining the matching policy set through policy matching, first, a source policy of a source domain is obtained according to a source domain identifier of a data stream and a bearer policy of each domain is obtained according to a policy type, and the source policy of the source domain and the bearer policy of each domain form a relevant policy set; then, for each strategy in the relevant strategy set, if the attribute set of the data stream meets all attribute predicate constraints in the strategy, the corresponding strategy is used as a matching strategy, otherwise, the next strategy is traversed until all strategies in the relevant strategy set are traversed, and then a matching strategy set is obtained.
10. The SDN inter-domain cooperative forwarding control method according to claim 7, wherein when performing path synthesis, the global cooperative policy with global path constraints is obtained by matching policy types, path constraints, and actions in the policy set, where obtaining the global cooperative policy from the policy types, path constraints, and actions in the matching policy set specifically includes the following situations: for each source policy in the matching policy set, if the action is forward, writing the path constraint into the flow path constraint, and if the action is drop, writing the flow path constraint after negating the path constraint; for each bearer policy in the matching policy set, if the path constraint is not null, violating the convention, reporting an error, if the path constraint is null and the action is drop, negating the corresponding domain identifier and writing the reversed domain identifier into the flow path constraint, and if the path constraint is null and the action is forward, not affecting data forwarding until all bearer policies are traversed; finally, the joint flow identifier, flow path constraints and action forward constitute a global collaborative policy with global path constraints.
CN202211079285.3A 2022-09-05 2022-09-05 SDN inter-domain cooperative forwarding control system and method based on block chain Active CN115514691B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211079285.3A CN115514691B (en) 2022-09-05 2022-09-05 SDN inter-domain cooperative forwarding control system and method based on block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211079285.3A CN115514691B (en) 2022-09-05 2022-09-05 SDN inter-domain cooperative forwarding control system and method based on block chain

Publications (2)

Publication Number Publication Date
CN115514691A true CN115514691A (en) 2022-12-23
CN115514691B CN115514691B (en) 2023-06-27

Family

ID=84502369

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211079285.3A Active CN115514691B (en) 2022-09-05 2022-09-05 SDN inter-domain cooperative forwarding control system and method based on block chain

Country Status (1)

Country Link
CN (1) CN115514691B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871718A (en) * 2016-03-21 2016-08-17 东南大学 SDN (Software-Defined Networking) inter-domain routing implementation method
US20190014124A1 (en) * 2017-07-10 2019-01-10 Cisco Technology, Inc. End-to-end policy management for a chain of administrative domains
CN109246176A (en) * 2018-07-03 2019-01-18 北京邮电大学 Based on the multi-controller synchronous method and device of block chain in software defined network
US20190260714A1 (en) * 2018-02-19 2019-08-22 Electronics And Telecommunications Research Institute Decentralized software-defined networking method and apparatus
CN110417739A (en) * 2019-06-27 2019-11-05 华东师范大学 It is a kind of based on block chain technology safety Netowrk tape in measurement method
WO2020112436A1 (en) * 2018-11-26 2020-06-04 The University Of Akron 3s-chain: smart, secure, and software-defined networking (sdn)-powered blockchain-powered networking and monitoring system
US20200374127A1 (en) * 2019-05-21 2020-11-26 The University Of Akron Blockchain-powered cloud management system
CN112235252A (en) * 2020-09-21 2021-01-15 西安电子科技大学 Block chain-based security identification method, security identification system and storage medium
US20210160171A1 (en) * 2019-11-22 2021-05-27 Guangzhou University Blockchain-based verifiable inter-domain routing validation method
CN113572734A (en) * 2021-06-24 2021-10-29 福建师范大学 Cross-domain access control method based on block chain in mobile edge calculation
CN114827002A (en) * 2022-03-17 2022-07-29 西安电子科技大学 Multi-domain network security path calculation method, system, device, medium and terminal
CN114844902A (en) * 2022-06-30 2022-08-02 南京邮电大学 SDN controller and equipment interaction method based on block chain technology

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871718A (en) * 2016-03-21 2016-08-17 东南大学 SDN (Software-Defined Networking) inter-domain routing implementation method
US20190014124A1 (en) * 2017-07-10 2019-01-10 Cisco Technology, Inc. End-to-end policy management for a chain of administrative domains
US20190260714A1 (en) * 2018-02-19 2019-08-22 Electronics And Telecommunications Research Institute Decentralized software-defined networking method and apparatus
CN109246176A (en) * 2018-07-03 2019-01-18 北京邮电大学 Based on the multi-controller synchronous method and device of block chain in software defined network
WO2020112436A1 (en) * 2018-11-26 2020-06-04 The University Of Akron 3s-chain: smart, secure, and software-defined networking (sdn)-powered blockchain-powered networking and monitoring system
US20200374127A1 (en) * 2019-05-21 2020-11-26 The University Of Akron Blockchain-powered cloud management system
CN110417739A (en) * 2019-06-27 2019-11-05 华东师范大学 It is a kind of based on block chain technology safety Netowrk tape in measurement method
US20210160171A1 (en) * 2019-11-22 2021-05-27 Guangzhou University Blockchain-based verifiable inter-domain routing validation method
CN112235252A (en) * 2020-09-21 2021-01-15 西安电子科技大学 Block chain-based security identification method, security identification system and storage medium
CN113572734A (en) * 2021-06-24 2021-10-29 福建师范大学 Cross-domain access control method based on block chain in mobile edge calculation
CN114827002A (en) * 2022-03-17 2022-07-29 西安电子科技大学 Multi-domain network security path calculation method, system, device, medium and terminal
CN114844902A (en) * 2022-06-30 2022-08-02 南京邮电大学 SDN controller and equipment interaction method based on block chain technology

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ANICHUR RAHMAN;MD. JAHIDUL ISLAM;ANTONIO MONTIERI;MOSTOFA KAMAL NASIR;MD. MAHFUZ REZA;SHAHAB S. BAND;ANTONIO PESCAPE;MAHEDI HASAN;: "SmartBlock-SDN: An Optimized Blockchain-SDN Framework for Resource Management in IoT", 《WFFJ》, vol. 9 *
YINGYING MA, ZHAOCHENG WANG, CHAOWEN CHANG, PING WU: "BPFC-SDNs: A Blockchain-Based and Policy-Oriented Forwarding Control for the SDN Interdomain", 《SECURITY AND COMMUNICATION NETWORKS》 *
李萍: "基于多控制器的软件定义网络安全关键技术研究", 《WFCD》 *
马莹莹; 王哲: "区块链关键技术研究", 《福建电脑》 *

Also Published As

Publication number Publication date
CN115514691B (en) 2023-06-27

Similar Documents

Publication Publication Date Title
Aboodi et al. Survey on the Incorporation of NDN/CCN in IoT
Ali et al. Secure data provenance in cloud-centric internet of things via blockchain smart contracts
US11823141B2 (en) Blockchain network interaction controller
WO2019201043A1 (en) Network communication method, system and device, and storage medium
CN107395500B (en) Intelligent network architecture integrating perception, calculation and storage and implementation method
CN108667681A (en) Routing for Multi-path route tracks
TW200803303A (en) Inter-proximity communication within a rendezvous federation
CN112702402A (en) System, method, device, processor and storage medium for realizing government affair information resource sharing and exchange based on block chain technology
Shen et al. Trustworthiness evaluation-based routing protocol for incompletely predictable vehicular ad hoc networks
Vu et al. An efficient peer-to-peer bitcoin protocol with probabilistic flooding
WO2016141846A1 (en) Data message transmission method and edge routing bridge device
Qiao et al. Credible routing scheme of SDN-based cloud using blockchain
Song et al. Exploring Reliable Decentralized Networks with Smart Collaborative Theory
Liu et al. A novel routing verification approach based on blockchain for inter-domain routing in smart metropolitan area networks
Dutta et al. Information Centric Networks (ICN)
Li et al. DIBN: A decentralized information-centric blockchain network
Jingjing et al. The deployment of routing protocols in distributed control plane of SDN
CN115514691A (en) SDN inter-domain cooperative forwarding control architecture and method based on block chain
Kodeswaran et al. Enforcing security in semantics driven policy based networks
Gedeon et al. Sunstone: Navigating the way through the fog
Neto et al. Transformation based routing overlay for privacy and reusability in multi-domain iot
Song et al. Research on Blockchain-Based FinTech Trust Evaluation Mechanism
Ma et al. BPFC‐SDNs: A Blockchain‐Based and Policy‐Oriented Forwarding Control for the SDN Interdomain
Kang et al. Blockchain document forwarding and proof method based on NDN network
CN114401199A (en) Hierarchical network capability model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 18, Ying Cai street, Hui Ji District, Zhengzhou, Henan Province

Patentee after: ZHENGZHOU University OF TECHNOLOGY

Country or region after: China

Patentee after: Information Engineering University of the Chinese People's Liberation Army Cyberspace Force

Address before: No. 18, Ying Cai street, Hui Ji District, Zhengzhou, Henan Province

Patentee before: ZHENGZHOU University OF TECHNOLOGY

Country or region before: China

Patentee before: Information Engineering University of Strategic Support Force,PLA