CN116389018A - Data transmission method and system in software defined wide area network SD-WAN - Google Patents


Info

Publication number
CN116389018A
Authority
CN
China
Prior art keywords
wan
message
node
edge node
ipsec
Prior art date
Legal status
Pending
Application number
CN202111658851.1A
Other languages
Chinese (zh)
Inventor
莫志威
欧亮
林力帆
付日哨
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Programmable Controllers (AREA)

Abstract

The disclosure relates to the technical field of communication, and provides a data transmission method and system in a software defined wide area network (SD-WAN), a storage medium and electronic equipment. The method comprises the following steps: the SD-WAN edge node receives configuration parameters of an Internet security protocol (IPSec) tunnel issued by the SD-WAN controller, wherein the configuration parameters at least comprise IPSec parameters and SRv6 parameters, and the SRv6 parameters indicate the transmission node path over which a message is transmitted to a destination SD-WAN edge node; the user message is encapsulated with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message; and the encapsulated message is sent to the Internet so that it is transmitted to the destination SD-WAN edge node along the transmission node path. The SD-WAN edge node in the disclosure designates the forwarding path of the user message according to the configuration parameters of the IPSec tunnel issued by the SD-WAN controller, and thereby realizes a programmable network.

Description

Data transmission method and system in software defined wide area network SD-WAN
Technical Field
The present disclosure relates to the field of communication technologies, and more particularly, to a data transmission method in a software defined wide area network SD-WAN, a data transmission system in a software defined wide area network SD-WAN, a computer storage medium, and an electronic device.
Background
SD-WAN (Software Defined Wide Area Network) is a service formed by applying SDN (Software Defined Network) technology to the wide area network scenario, and is used to connect enterprise networks, data centers, Internet applications, cloud services and the like across widely separated geographic locations.
In the related art, SD-WAN edge nodes are connected through IPSec (Internet Protocol Security) tunnels, and the propagation path of an IPSec packet through the Internet is determined by the routes held in the Internet switches. However, if the channel between two SD-WAN edge nodes consists of multiple segments of IPSec tunnels, each segment requires its own IPSec decapsulation when data passes through it, so transmission efficiency is low and resources are consumed. Moreover, the data propagation path is determined uniquely by the routes in the Internet switches and cannot be adjusted in time according to network transmission conditions.
It should be noted that the information of the present invention in the above background section is only for enhancing understanding of the background of the present disclosure, and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure aims to provide a data transmission method and system in a software defined wide area network SD-WAN, a computer storage medium and an electronic device, so as to at least partially avoid and overcome the problems caused by the defects of the related art: low data transmission efficiency, high resource consumption, and the lack of selectable transmission paths between SD-WAN edge nodes.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present disclosure, there is provided a data transmission method in a software defined wide area network SD-WAN, comprising: the SD-WAN edge node receives configuration parameters of an Internet security protocol IPSec tunnel issued by the SD-WAN controller, wherein the configuration parameters at least comprise IPSec parameters and SRv6 parameters, and the SRv6 parameters indicate the transmission node path over which a message is transmitted to a destination SD-WAN edge node; encapsulating the received user message with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message; and sending the encapsulated message to the Internet so that it is transmitted to the destination SD-WAN edge node along the transmission node path.
In an exemplary embodiment of the present disclosure, encapsulating the received user message with a message header comprising the IPSec parameters and the SRv6 parameters includes: encapsulating the user message with an IPSec message header according to the IPSec parameters; and encapsulating, before the IPSec message header, an Internet protocol version 6 (IPv6) message header carrying a segment routing header (SRH) according to the SRv6 parameters, to obtain the encapsulated message.
In an exemplary embodiment of the present disclosure, the segment routing header SRH includes at least an ordered segment routing node list, where each node in the list has a corresponding IPv6 node address; sending the encapsulated message to the Internet so that it is transmitted to the destination SD-WAN edge node along the transmission node path includes: sending the encapsulated message to the Internet so that it is transmitted in order to the IPv6 node address of each node in the list, and finally to the destination SD-WAN edge node.
In an exemplary embodiment of the disclosure, the IPSec tunnel connects the SD-WAN edge node with the user network corresponding to the destination SD-WAN edge node; and when the SD-WAN edge node receives the configuration parameters of the IPSec tunnel issued by the SD-WAN controller, the destination SD-WAN edge node corresponding to it receives the same configuration parameters at the same time, so that it can decapsulate the received encapsulated message and send the user message to the corresponding user network.
In an exemplary embodiment of the present disclosure, the configuration parameters are determined by the SD-WAN controller according to network transmission conditions between the SD-WAN edge node and the destination SD-WAN edge node.
According to one aspect of the present disclosure, there is provided a data transmission system in a software defined wide area network SD-WAN, the system comprising an SD-WAN controller, an SD-WAN edge node, and a destination SD-WAN edge node connected to the SD-WAN edge node through an Internet security protocol IPSec tunnel; the SD-WAN controller is configured to issue configuration parameters of the IPSec tunnel to the SD-WAN edge node, where the configuration parameters at least include IPSec parameters and SRv6 parameters, and the SRv6 parameters indicate the transmission node path over which a message is transmitted to the destination SD-WAN edge node; the SD-WAN edge node is configured to encapsulate the received user message with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message, and to send the encapsulated message to the Internet so that it is transmitted to the destination SD-WAN edge node along the transmission node path.
In one exemplary embodiment of the present disclosure, the SD-WAN edge node comprises: an IPSec encapsulation module, configured to encapsulate the user message with an IPSec message header according to the IPSec parameters; and an SRv6 encapsulation module, configured to encapsulate, before the IPSec message header, an Internet protocol version 6 IPv6 message header carrying a segment routing header SRH according to the SRv6 parameters, to obtain the encapsulated message. The segment routing header SRH at least comprises an ordered segment routing node list, each node in the list having a corresponding IPv6 node address; after the SD-WAN edge node sends the encapsulated message to the Internet, the message is transmitted in order to the IPv6 node address of each node, and finally to the destination SD-WAN edge node.
In an exemplary embodiment of the present disclosure, the SD-WAN controller is further configured to, when issuing the configuration parameters of the IPSec tunnel to the SD-WAN edge node, simultaneously issue the configuration parameters to the destination SD-WAN edge node; the destination SD-WAN edge node is used for receiving the encapsulation message, decapsulating the encapsulation message and sending the encapsulation message to a corresponding user network.
According to one aspect of the present disclosure, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, implements a method of data transmission in a software defined wide area network SD-WAN as described in any of the above.
According to one aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the data transmission method in the software defined wide area network SD-WAN of any one of the above via execution of the executable instructions.
According to the data transmission method in the software-defined wide area network SD-WAN in the exemplary embodiment of the disclosure, an SD-WAN edge node receives configuration parameters of an Internet security protocol IPSec tunnel issued by an SD-WAN controller; the configuration parameters comprise IPSec parameters and SRv6 parameters, the latter indicating the transmission node path over which a message is transmitted to a destination SD-WAN edge node. The SD-WAN edge node encapsulates the user message with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message, and sends the encapsulated message to the Internet, so that it is transmitted to the destination SD-WAN edge node along the transmission node path. On the one hand, because the SD-WAN edge node encapsulates the user message according to configuration parameters issued by the SD-WAN controller, and the SRv6 parameters designate the transmission node path to the destination SD-WAN edge node, the transmission path of the encapsulated message in the Internet becomes programmable: the SD-WAN controller can select between data transmission paths between SD-WAN edge nodes, choose an optimal path according to the prevailing network transmission conditions, and issue that path to the SD-WAN edge node in the form of IPSec tunnel configuration parameters, thereby providing path protection, path sharing and the like, and balancing data transmission efficiency against network transmission resources. On the other hand, since IPv6 addresses in the Internet are public addresses, the NAT (Network Address Translation) traversal problem of private addresses is avoided, while data transmission in the SD-WAN network is realized using the SRv6 protocol.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which:
fig. 1 is a schematic diagram showing the message format of IPSec tunnel mode in the related art;
fig. 2 shows a schematic diagram of the SRv6 header structure in the related art;
fig. 3 is a schematic diagram showing the structure of an SD-WAN network in the related art;
FIG. 4 illustrates a flow chart of a method of data transmission in a software defined wide area network SD-WAN according to an exemplary embodiment of the present disclosure;
FIG. 5 illustrates a schematic diagram of a message encapsulation approach according to an exemplary embodiment of the present disclosure;
FIG. 6 illustrates a user messaging diagram according to an exemplary embodiment of the present disclosure;
fig. 7 is a schematic diagram illustrating a data transmission method in a software-defined wide area network SD-WAN according to an exemplary embodiment of the present disclosure in a practical application scenario;
FIG. 8 illustrates a schematic diagram of a data transmission system in a software defined wide area network SD-WAN according to an exemplary embodiment of the present disclosure;
FIG. 9 illustrates a schematic diagram of a storage medium according to an exemplary embodiment of the present disclosure; and
fig. 10 shows a block diagram of an electronic device according to an exemplary embodiment of the present disclosure.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus detailed descriptions thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known structures, methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, or in one or more software-hardened modules, or in different networks and/or processor devices and/or microcontroller devices.
IPSec is an open network-layer security framework established by the Internet Engineering Task Force (IETF). It is not a single protocol but a set of protocols and services that provide security for IP networks, i.e. a set of network-layer secure communication protocols based on cryptography. Referring to fig. 1, which shows the message format of IPSec tunnel mode in the related art, IPSec mainly comprises the security protocols AH (Authentication Header) and ESP (Encapsulating Security Payload), and the key management protocol IKE (Internet Key Exchange).
SRv6 (Segment Routing over IPv6, segment routing based on the IPv6 forwarding plane), i.e. SR + IPv6, is a new-generation IP bearer protocol. Fig. 2 shows the SRv6 header structure in the related art. As shown in fig. 2, the SRv6 header contains a Segment List[0..n], that is, n segments, each of which is a 128-bit IPv6 address. The Segment List is encoded according to the SRv6 policy. For example, part of an SRv6 header may read:
Address[0]: fc00:4::bb [next segment]
Address[1]: fc00:3::bb
With SRv6, the packet is forwarded hop by hop through the listed segments.
In the SD-WAN network of the related art, shown in fig. 3, the SD-WAN edge nodes are connected through IPSec tunnels, and the propagation path of an IPSec packet through the Internet is determined by the routes in the Internet switches. If the channel between SD-WAN edge nodes consists of multiple IPSec tunnels, each tunnel requires its own IPSec decapsulation when data passes through it, which lowers transmission efficiency and consumes resources; the data propagation path is determined uniquely by the routes in the Internet switches and cannot be adjusted promptly to network transmission conditions; and private addresses raise a NAT traversal problem during transmission.
Based on this, in the exemplary embodiments of the present disclosure, a data transmission method in a software defined wide area network SD-WAN is provided first, which is applied to an SD-WAN edge node in data transmission in the software defined wide area network SD-WAN. Referring to fig. 4, the data transmission method in the software defined wide area network SD-WAN includes the following steps:
step S410: the SD-WAN edge node receives configuration parameters of an Internet security protocol IPSec tunnel issued by the SD-WAN controller, wherein the configuration parameters at least comprise IPSec parameters and SRv6 parameters, and the SRv6 parameters indicate the transmission node path over which a message is transmitted to a destination SD-WAN edge node;
step S420: encapsulating the received user message with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message;
step S430: and sending the encapsulation message to the Internet so that the encapsulation message is transmitted to the destination SD-WAN edge node according to the transmission node path.
According to the data transmission method in the software-defined wide area network SD-WAN in this example embodiment, the SD-WAN edge node encapsulates the user packet with a header comprising IPSec parameters and SRv6 parameters according to the configuration parameters of an IPSec tunnel issued by the SD-WAN controller, and the SRv6 parameters designate the transmission node path over which the packet is transmitted to the destination SD-WAN edge node. The transmission path of the encapsulated packet in the Internet is therefore programmable: the SD-WAN controller can select between data transmission paths between SD-WAN edge nodes, choose an optimal path according to the prevailing network transmission conditions, and issue it to the SD-WAN edge node in the form of IPSec tunnel configuration parameters, thereby providing path protection, path sharing and the like, and balancing data transmission efficiency against network transmission resources. Since IPv6 addresses in the Internet are public addresses, the NAT (Network Address Translation) traversal problem of private addresses is avoided, while data transmission in the SD-WAN network is realized using the SRv6 protocol.
The data transmission method in the software defined wide area network SD-WAN in the exemplary embodiment of the present disclosure is further described below with reference to fig. 4.
In step S410, the SD-WAN edge node receives configuration parameters of the IPSec tunnel issued by the SD-WAN controller, where the configuration parameters at least include IPSec parameters and SRv6 parameters, and the SRv6 parameters indicate the transmission node path over which the message is transmitted to the destination SD-WAN edge node.
In an exemplary embodiment of the present disclosure, the IPSec tunnel connects the SD-WAN edge node with the user network corresponding to the destination SD-WAN edge node. The configuration parameters of the IPSec tunnel at least comprise IPSec parameters and SRv6 parameters. The IPSec parameters at least comprise the address information of the destination user network; the SRv6 parameters at least comprise an ordered segment routing node list (Segment List), each node of which has a corresponding IPv6 node address, and which indicates the transmission node path over which the message is transmitted to the destination SD-WAN edge node. For example, the list may contain node 1, node 2, node 3 and node 4 in that order (node 1 -> node 2 -> node 3 -> node 4), meaning that the message travels through the Internet hop by hop to each node in the order node 1 -> node 2 -> node 3 -> node 4, and finally reaches the destination SD-WAN edge node.
In an exemplary embodiment, the configuration parameters of the IPSec tunnel are determined by the SD-WAN controller based on the network transmission conditions between the SD-WAN edge node and the destination SD-WAN edge node. For example, when the SD-WAN controller has determined, from the current network transmission conditions, that the user packet is transmitted from the SD-WAN edge node to the destination SD-WAN edge node via node 1 -> node 2 -> node 3 -> node 4, and then finds that node 2 may introduce delay, the SD-WAN controller can issue new IPSec tunnel configuration parameters to the SD-WAN edge node whose SRv6 parameters indicate the transmission node path node 1 -> node 5 -> node 3 -> node 4.
According to the embodiment, the SD-WAN controller sends different configuration parameters of IPSec tunnels according to network transmission conditions, and the configuration parameters are used for indicating transmission node paths for transmitting messages to destination SD-WAN edge nodes, so that editability, adjustability and selectivity of data transmission paths are realized, adjustment can be made in real time according to actual networks, transmission conditions and the like of different transmission node paths, and further functions of path protection, path sharing and the like can be provided.
In step S420, the received user packet is encapsulated with a header comprising the IPSec parameters and the SRv6 parameters, and an encapsulated packet is obtained.
In an exemplary embodiment of the present disclosure, after a user packet enters the SD-WAN edge node, the user packet is encapsulated with IPSec and with an Internet protocol version 6 IPv6 header carrying a segment routing header SRH, to obtain the encapsulated packet.
Specifically, an IPSec header is first encapsulated onto the user packet according to the IPSec parameters, and then an Internet protocol version 6 IPv6 header carrying a segment routing header SRH is encapsulated before the IPSec header according to the SRv6 parameters, to obtain the encapsulated packet. Fig. 5 shows the packet encapsulation according to an exemplary embodiment of the present disclosure: compared with the packet encapsulation format of the related art (see fig. 1), an IPv6 header carrying a segment routing header SRH is added in front of each IPSec tunnel-mode packet. Because the segment routing header SRH at least comprises an ordered segment routing node list, and each node in the list has a corresponding IPv6 node address, the encapsulated packet sent to the Internet is transmitted in order to the IPv6 node address of each node, and finally to the destination SD-WAN edge node. As shown in fig. 6, the user packet is transmitted by the SD-WAN edge node hop by hop via IPv6 node 1, IPv6 node 2, IPv6 node 3 and IPv6 node 4 to the destination SD-WAN edge node. While the encapsulated packet travels through the IPSec tunnel, no repeated decapsulation is needed, and since the IPv6 node addresses in the Internet are public addresses, no NAT traversal problem for private addresses arises during transmission.
In an exemplary embodiment, when the SD-WAN edge node receives the configuration parameters of the IPSec tunnel of the internet security protocol issued by the SD-WAN controller, the destination SD-WAN edge node corresponding to the SD-WAN edge node receives the configuration parameters at the same time, so as to decapsulate the received encapsulated packet and send the encapsulated packet to the corresponding user network. With continued reference to fig. 6, when the encapsulated packet is transmitted to the destination SD-WAN edge node, the destination SD-WAN edge node decapsulates the encapsulated packet based on the received configuration parameters of the IPSec tunnel, and sends the decapsulated user packet to the user network 2.
By means of this embodiment, the SD-WAN controller need only issue the configuration parameters of the IPSec tunnel to the SD-WAN edge node and its corresponding destination SD-WAN edge node, and data transmission based on IPSec over SRv6 between the two edge nodes is achieved, with transmission paths that are selectable and programmable; path protection, path sharing and regulation of network resources can then be performed through path selection.
In step S430, the encapsulated packet is sent to the internet, so that the encapsulated packet is transmitted to the destination SD-WAN edge node according to the transmission node path.
In an exemplary embodiment of the present disclosure, after the SD-WAN edge node sends the encapsulated packet to the Internet, the encapsulated packet is transmitted in order to the IPv6 node address of each node in the Internet, and finally to the destination SD-WAN edge node. This was already described under step S420 and is not repeated here.
Fig. 7 is a schematic diagram of the data transmission method in a software-defined wide area network SD-WAN according to an exemplary embodiment of the present disclosure in a practical application scenario. As shown in fig. 7, according to the configuration parameters of the IPSec tunnel issued by the SD-WAN controller, a user packet sent by network user 1 (Host 1) is transmitted from Shenzhen to Beijing via an IPv6 node (Shanghai) in the Internet, and reaches network user 2 (Host 2). Correspondingly, if the SD-WAN controller detects network delay on that transmission node path, it can issue the configuration parameters of another IPSec tunnel instructing that the user packet sent by network user 1 (Host 1) be transmitted from Shenzhen to Beijing via an IPv6 node (Hangzhou) in the Internet and reach network user 2 (Host 2), thereby making the data transmission path selectable and programmable.
It should be noted that, the number of nodes included in the transmission node path in the above example is merely exemplary, and the number of nodes in the segment routing node list with the sequence in the disclosure may be set according to the actual data transmission requirement, which is not particularly limited in the disclosure.
In an exemplary embodiment of the present disclosure, a data transmission system in a software defined wide area network SD-WAN is also provided. Referring to fig. 8, the data transmission system 800 in the software defined wide area network SD-WAN may include an SD-WAN controller 810, an SD-WAN edge node 820, and a destination SD-WAN edge node 840 connected to the SD-WAN edge node 820 through an Internet security protocol IPSec tunnel 830. Specifically:
the SD-WAN controller 810 is configured to issue configuration parameters of the IPSec tunnel to the SD-WAN edge node 820, where the configuration parameters at least include an internet security protocol IPSec parameter and an SRv6 parameter, and the SRv6 parameter is configured to indicate a transmission node path for transmitting the packet to the destination SD-WAN edge node 840;
the SD-WAN edge node 820 is configured to encapsulate a received user packet with a header that includes the IPSec parameters and the SRv6 parameters to obtain an encapsulated packet, and to send the encapsulated packet to the internet so that the encapsulated packet is transmitted to the destination SD-WAN edge node 840 along the transmission node path.
In an exemplary embodiment, the SD-WAN edge node may comprise: an IPSec encapsulation module for encapsulating the user packet with an IPSec packet header according to the IPSec parameters; and an SRv6 encapsulation module for encapsulating, before the IPSec packet header, an Internet Protocol version 6 (IPv6) packet header carrying a segment routing header SRH according to the SRv6 parameters, to obtain the encapsulated packet. The segment routing header SRH at least includes an ordered segment routing node list, and each node in the list has a corresponding IPv6 node address; after the SD-WAN edge node 820 sends the encapsulated packet to the internet, the packet is transmitted in sequence to the IPv6 node address corresponding to each node according to that order, and is finally transmitted to the destination SD-WAN edge node 840.
In an exemplary embodiment, the SD-WAN controller 810 is further configured to send the configuration parameters to the destination SD-WAN edge node 840 at the same time as it sends the configuration parameters of the IPSec tunnel to the SD-WAN edge node 820; the destination SD-WAN edge node 840 is configured to receive the encapsulated packet, decapsulate it, and send the resulting user packet to the corresponding user network.
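The two-layer encapsulation described above (IPSec header inside, outer IPv6 header with SRH outside) and the hop-by-hop processing of the ordered segment list can be followed in code. The block below is an added example, not code from the patent: the IPv6 addresses, SPI and key are constructed, the IPSec step is modelled as an ESP-style header with an HMAC integrity check only (no payload encryption), and the SRH layout follows RFC 8754, which the patent does not cite by number.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample addresses and key for the Shenzhen -> Beijing scenario
# discussed in the text; none of these values come from the patent.
EDGE_SHENZHEN = "2001:db8:1::1"
NODE_SHANGHAI = "2001:db8:2::1"
NODE_HANGZHOU = "2001:db8:3::1"
EDGE_BEIJING = "2001:db8:4::1"
IPSEC_SPI, IPSEC_KEY = 0x1000, b"constructed-example-key"
NH_ROUTING, NH_ESP, SRH_TYPE = 43, 50, 4  # IPv6 next-header / routing-type values

def ipsec_encapsulate(user_packet, spi, seq, key):
    """IPSec step: ESP-style header (SPI, sequence number) plus an HMAC-SHA256
    integrity check value. Real ESP also encrypts the payload; the cipher step
    is omitted here to keep the example standard-library only."""
    hdr = struct.pack("!II", spi, seq)
    return hdr + user_packet + hmac.new(key, hdr + user_packet, hashlib.sha256).digest()

def ipsec_decapsulate(esp_packet, spi, key):
    """Destination edge: check SPI and ICV, return the user packet or None."""
    hdr, body, icv = esp_packet[:8], esp_packet[8:-32], esp_packet[-32:]
    if struct.unpack("!I", hdr[:4])[0] != spi:
        return None
    expected = hmac.new(key, hdr + body, hashlib.sha256).digest()
    return body if hmac.compare_digest(icv, expected) else None

def srv6_encapsulate(esp_packet, src, segments):
    """SRv6 step: outer IPv6 header + Segment Routing Header (RFC 8754). The
    segment list is stored in reverse order and Segments Left indexes the
    segment being visited, so the outer destination starts at the first node."""
    n = len(segments)
    srh = struct.pack("!BBBBBBH", NH_ESP, 2 * n, SRH_TYPE, n - 1, n - 1, 0, 0)
    srh += b"".join(ipaddress.IPv6Address(s).packed for s in reversed(segments))
    ip6 = struct.pack("!IHBB", 6 << 28, len(srh) + len(esp_packet), NH_ROUTING, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(segments[0]).packed
    return ip6 + srh + esp_packet

def srv6_forward(packet, my_addr):
    """One node on the path: if the packet is addressed to this node and segments
    remain, decrement Segments Left and rewrite the outer destination to the next
    segment. Offsets: outer dst 24..40, Segments Left at byte 43, list from 48."""
    if str(ipaddress.IPv6Address(packet[24:40])) != my_addr or packet[43] == 0:
        return packet
    sl = packet[43] - 1
    next_seg = packet[48 + 16 * sl:64 + 16 * sl]
    return packet[:24] + next_seg + packet[40:43] + bytes([sl]) + packet[44:]

def controller_path(delay_detected):
    """Controller's SRv6 parameter: the Shanghai path by default, the Hangzhou
    path once delay is detected, as in the Fig. 7 scenario."""
    return [NODE_HANGZHOU if delay_detected else NODE_SHANGHAI, EDGE_BEIJING]

def run_path(user_packet, segments):
    """Encapsulate at the Shenzhen edge, walk the ordered node list, and
    decapsulate at the destination edge. Returns (nodes visited, user packet)."""
    esp = ipsec_encapsulate(user_packet, IPSEC_SPI, 1, IPSEC_KEY)
    pkt = srv6_encapsulate(esp, EDGE_SHENZHEN, segments)
    visited = []
    while True:
        cur = str(ipaddress.IPv6Address(pkt[24:40]))
        visited.append(cur)
        if cur == segments[-1]:
            break
        pkt = srv6_forward(pkt, cur)
    srh_len = (pkt[41] + 1) * 8  # Hdr Ext Len counts 8-byte units after the first 8
    return visited, ipsec_decapsulate(pkt[40 + srh_len:], IPSEC_SPI, IPSEC_KEY)
```

Switching `controller_path(True)` changes only the segment list the controller issues; the edge nodes' encapsulation and decapsulation logic is unchanged, which is the programmable-path property the description claims.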
Since the respective functional modules of the data transmission system in the software defined wide area network SD-WAN according to the exemplary embodiment of the present disclosure are the same as those in the above-described embodiment of the data transmission method in the software defined wide area network SD-WAN, the description thereof will be omitted herein.
It should be noted that although in the above detailed description several modules or units of a data transmission system in a software defined wide area network SD-WAN are mentioned, this division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, in exemplary embodiments of the present disclosure, a computer storage medium capable of implementing the above-described method is also provided. On which a program product is stored which enables the implementation of the method described above in the present specification. In some possible embodiments, the various aspects of the present disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the disclosure as described in the "exemplary methods" section of this specification, when the program product is run on the terminal device.
Referring to fig. 9, a program product 900 for implementing the above-described method according to an exemplary embodiment of the present disclosure is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
In addition, in an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided. Those skilled in the art will appreciate that the various aspects of the present disclosure may be implemented as a system, method, or program product. Accordingly, various aspects of the disclosure may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
An electronic device 1000 according to such an embodiment of the present disclosure is described below with reference to fig. 10. The electronic device 1000 shown in fig. 10 is merely an example and should not be construed as limiting the functionality and scope of use of the disclosed embodiments.
As shown in fig. 10, the electronic device 1000 is embodied in the form of a general purpose computing device. Components of electronic device 1000 may include, but are not limited to: the at least one processing unit 1010, the at least one memory unit 1020, a bus 1030 connecting the various system components (including the memory unit 1020 and the processing unit 1010), and a display unit 1040.
The memory unit 1020 stores program code that is executable by the processing unit 1010, such that the processing unit 1010 performs steps according to the various exemplary embodiments of the present disclosure described in the above "exemplary methods" section of the present specification.
The memory unit 1020 may include readable media in the form of volatile memory units such as Random Access Memory (RAM) 1021 and/or cache memory unit 1022, and may further include Read Only Memory (ROM) 1023.
Storage unit 1020 may also include a program/utility 1024 having a set (at least one) of program modules 1025, such program modules 1025 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 1030 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1000 can also communicate with one or more external devices 1100 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1000, and/or with any device (e.g., router, modem, etc.) that enables the electronic device 1000 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1050. Also, electronic device 1000 can communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 1060. As shown, the network adapter 1060 communicates with other modules of the electronic device 1000 over the bus 1030. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with the electronic device 1000, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Furthermore, the above-described figures are only schematic illustrations of processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A method for data transmission in a software defined wide area network SD-WAN, comprising:
the SD-WAN edge node receives configuration parameters of an Internet security protocol IPSec tunnel issued by the SD-WAN controller, wherein the configuration parameters at least comprise Internet security protocol IPSec parameters and SRv6 parameters, and the SRv6 parameters are used for indicating a transmission node path for transmitting a message to a destination SD-WAN edge node;
encapsulating the received user message with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message;
and sending the encapsulation message to the Internet so that the encapsulation message is transmitted to the destination SD-WAN edge node according to the transmission node path.
2. The method of claim 1, wherein the encapsulating the received user message with the message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message comprises:
encapsulating an IPSec message header for the user message according to the IPSec parameter;
and encapsulating an internet protocol version 6 IPv6 message header with a segmented routing header SRH before the IPSec message header according to the SRv6 parameter to obtain the encapsulated message.
3. The method according to claim 2, wherein the segment routing header SRH includes at least a segment routing node list having a sequence, and each node in the segment routing node list has a corresponding IPv6 node address;
the sending the encapsulation message to the internet, so that the encapsulation message is transmitted to the destination SD-WAN edge node according to the transmission node path, including:
and sending the encapsulation message to the Internet, so that the encapsulation message is sequentially transmitted to IPv6 node addresses corresponding to all nodes according to the sequence, and finally transmitted to the destination SD-WAN edge node.
4. A method according to any one of claims 1-3, wherein the IPSec tunnel is used for connecting the SD-WAN edge node and a user network corresponding to the destination SD-WAN edge node;
and when the SD-WAN edge node receives the configuration parameters of the Internet security protocol IPSec tunnel issued by the SD-WAN controller, the destination SD-WAN edge node corresponding to the SD-WAN edge node simultaneously receives the configuration parameters so as to de-encapsulate the received encapsulated message and send the encapsulated message to a corresponding user network.
5. The method according to claim 1, wherein the configuration parameters are determined for the SD-WAN controller according to network transmission conditions between the SD-WAN edge node and the destination SD-WAN edge node.
6. A data transmission system in a software defined wide area network SD-WAN, wherein the system comprises an SD-WAN controller, an SD-WAN edge node and a destination SD-WAN edge node connected with the SD-WAN edge node through an internet security protocol IPSec tunnel;
the SD-WAN controller is configured to issue configuration parameters of the IPSec tunnel to the SD-WAN edge node, where the configuration parameters at least include an internet security protocol IPSec parameter and an SRv6 parameter, and the SRv6 parameter is configured to indicate a transmission node path for transmitting the message to the destination SD-WAN edge node;
the SD-WAN edge node is used for encapsulating the received user message with a message header comprising the IPSec parameters and the SRv6 parameters to obtain an encapsulated message, and sending the encapsulated message to the Internet so that the encapsulated message is transmitted to the destination SD-WAN edge node according to the transmission node path.
7. The system of claim 6, wherein the SD-WAN edge node comprises:
the IPSec encapsulation module is used for encapsulating the IPSec message header for the user message according to the IPSec parameters;
an SRv6 encapsulation module for encapsulating the internet protocol version 6 IPv6 message header with the segment routing header SRH before the IPSec message header according to the SRv6 parameter to obtain the encapsulated message;
the segment routing header SRH at least comprises a segment routing node list with a sequence, each node in the segment routing node list is provided with a corresponding IPv6 node address, and after the SD-WAN edge node sends the encapsulation message to the internet, the encapsulation message is sequentially transmitted to the IPv6 node addresses corresponding to the nodes according to the sequence, and finally is transmitted to the destination SD-WAN edge node.
8. The system of claim 6, wherein the SD-WAN controller is further configured to simultaneously issue configuration parameters of the IPSec tunnel to the destination SD-WAN edge node while issuing the configuration parameters to the SD-WAN edge node;
the destination SD-WAN edge node is used for receiving the encapsulation message, decapsulating the encapsulation message and sending the encapsulation message to a corresponding user network.
9. A storage medium having stored thereon a computer program which, when executed by a processor, implements a method of data transmission in a software defined wide area network SD-WAN according to any of claims 1 to 5.
10. An electronic device, comprising:
a processor; and a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the data transmission method in the software defined wide area network SD-WAN of any one of claims 1 to 5 via execution of the executable instructions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111658851.1A CN116389018A (en) 2021-12-30 2021-12-30 Data transmission method and system in software defined wide area network SD-WAN

Publications (1)

Publication Number Publication Date
CN116389018A true CN116389018A (en) 2023-07-04

Family

ID=86975579

Country Status (1)

Country Link
CN (1) CN116389018A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination