WO2013170698A1 - Method for processing message after migration of virtual machine vm and device thereof - Google Patents


Info

Publication number
WO2013170698A1
Authority
WO
WIPO (PCT)
Prior art keywords
pcp
extended
identification
policy
opcode
Prior art date
Application number
PCT/CN2013/074854
Other languages
French (fr)
Chinese (zh)
Inventor
张大成
Original Assignee
华为技术有限公司


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/485 Task life-cycle, e.g. stopping, restarting, resuming execution
    • G06F9/4856 Task life-cycle, e.g. stopping, restarting, resuming execution, resumption being on a different machine, e.g. task migration, virtual machine migration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a packet processing method and device thereof after a virtual machine VM is migrated.
  • a virtual machine migrates in a data center or across a data center
  • the network path through which the traffic sent or received by the migrated VM flows changes, and the migrated traffic may flow through different paths.
  • When a network security device (such as a firewall) receives a packet from a VM newly migrated into its security domain, it may be unable to process the packet correctly because it lacks the security policy corresponding to that VM.
  • For example, a data center has a first host and a second host; the first host is connected to a first firewall through a first switch, and the second host is connected to a second firewall through a second switch. A first VM runs on the first host, so the packet traffic sent by the first VM passes through the first firewall, and a security policy corresponding to the first VM is deployed on the first firewall so that the first VM can communicate with the outside world through the first firewall.
  • After the first VM migrates from the first host to the second host, the packets sent by the first VM are forwarded by the second switch to the second firewall, but the second firewall has no security policy corresponding to the first VM, which may cause the second firewall to fail to process the first VM's packets correctly, so that the first VM's communication with the outside world is interrupted.
  • In the prior art, a Layer 2 device (such as a switch) forwards the packets sent by the VM to the network security device on which the security policy corresponding to the VM is deployed.
  • Taking the scenario above as an example, after the first VM migrates from the first host to the second host, when a packet sent by the first VM passes through the second switch, the second switch forwards the packet to the first switch, and the first switch forwards it to the first firewall, so that the first VM can still communicate with the outside world.
  • Because the packets sent by the migrated VM must be forwarded along a roundabout path to the network security device on which the VM's security policy is deployed, the number of network nodes those packets pass through increases, and VM packet forwarding efficiency is low.
  • Summary of the invention
  • The embodiments of the present invention provide a method and device for processing packets after a virtual machine VM is migrated, used to resolve the loss of the security policy after VM migration: the packets sent by the migrated VM need not be forwarded to the network security device that corresponded to the VM before migration for processing, which improves VM packet forwarding efficiency.
  • This solves the problem in the prior art that, because the packets sent by the migrated VM must be forwarded along a roundabout path to the network security device on which the VM's security policy is deployed, those packets pass through more network nodes, i.e. the VM packet forwarding path is not the optimal path and VM packet forwarding efficiency is low.
  • In one aspect, the embodiments of the present invention provide a method for processing packets after a virtual machine VM is migrated, including: after the VM is migrated, the network security device corresponding to the VM after migration receives an extended Port Control Protocol (PCP) policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
  • the network security device applies the security policy corresponding to the VM and processes the packets received from the VM.
  • In another aspect, the embodiments of the present invention provide another method for processing packets after a virtual machine VM is migrated, including: after the VM is migrated, a network device obtains the identifier type of the VM and the identifier of the VM, where the network device pre-stores the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
  • the network device constructs an extended Port Control Protocol (PCP) policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
  • In another aspect, an embodiment of the present invention provides a network security device, including:
  • a receiving unit, configured to receive, after the VM is migrated, an extended Port Control Protocol (PCP) policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
  • an execution unit, configured to apply the security policy corresponding to the VM and process the packets received from the VM.
  • In another aspect, an embodiment of the present invention provides a network device, including:
  • a receiving unit, configured to obtain the identifier type of the VM and the identifier of the VM after the VM is migrated;
  • a storage unit, configured to pre-store the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
  • an update message constructing unit, configured to construct an extended PCP policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
  • FIG. 1 is a schematic diagram of networking of VM migration in an embodiment of the present invention
  • FIG. 2 is a schematic diagram of networking of VM migration in an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for processing a message after migration of a virtual machine VM according to an embodiment of the present invention
  • FIG. 4 is a flowchart of another method for processing a message after migration of a virtual machine VM according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of a network security device according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of still another network security device according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a network device according to an embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • The technical solutions of the embodiments of the present invention are further described in detail below with reference to the accompanying drawings and embodiments.
  • FIG. 1 is a schematic diagram of networking of VM migration in an embodiment of the present invention.
  • the first host is connected to the first network security device through the first switch, and the second host is connected to the second network security device through the second switch.
  • the first network security device and the second network security device are network devices with security functions, such as firewalls, routers, switches, and the like.
  • the security policies corresponding to the first VM and the second VM are pre-stored and deployed on the first network security device, so the first VM and the second VM can communicate with the outside world through the first network security device; the security policies corresponding to the first VM and the second VM are not pre-stored or deployed on the second network security device.
  • the first VM is migrated to the second host.
  • FIG. 2 is a schematic diagram of the networking of VM migration in an embodiment of the present invention; the difference between FIG. 2 and FIG.
  • the embodiment of the present invention provides a method for resolving a security policy loss after a virtual machine VM is migrated.
  • the method may be applied to the second network security device shown in FIG.
  • the second network security device shown in FIG. The method includes:
  • after the VM is migrated, the network security device corresponding to the VM after migration receives the extended PCP policy update message sent by the network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device. For example, after the first VM migrates to the second host, the second network security device has at least two ways to receive the extended PCP policy update message sent by the network device that pre-stores the first VM's security policy.
  • The first method: the first host or the second host sends a migration notification message of the first VM to the network device that stores the first VM's security policy, which triggers the network device to send the extended PCP policy update message to the second network security device.
  • The second method: the first host or the second host sends a migration notification message of the first VM to the second network security device, which triggers the second network security device to send an extended PCP policy request message to the network device that pre-stores the first VM's security policy; after receiving the extended PCP policy request message, the network device sends an extended PCP policy update message to the second network security device, where the extended PCP policy update message is the response to the extended PCP policy request message.
  • In FIG. 1, the network device that pre-stores the first VM's security policy is the first network security device; in FIG. 2, it is a third-party server, or the first network security device, or both a third-party server and the first network security device.
  • the execution process of the second method is as follows: After the first VM on the first host migrates to the second host, the first host or the second host sends the migration notification packet of the first VM to the second network security device.
  • the migration notification message carries the identifier type of the first VM and the identifier of the first VM.
  • For example, the identifier type of the first VM is a Media Access Control (MAC) address type and the identifier of the first VM is the MAC address of the first VM; or the identifier type of the first VM is an Internet Protocol (IP) address type and the identifier of the first VM is the IP address of the first VM.
  • The second network security device receives the migration notification message and constructs an extended PCP policy request packet. The extended PCP policy request packet carries a packet type identifier, which identifies the PCP packet as one requesting/confirming the security policy of a VM, and further includes the identifier type of the first VM and the identifier of the first VM.
  • The extended PCP policy request packet is sent to the device that pre-stores the first VM's security policy, such as a third-party server, or the first network security device, or both a third-party server and the first network security device.
  • After receiving the extended PCP policy request message sent by the second network security device, the device that pre-stores the first VM's security policy determines that the message is a packet requesting a VM security policy, queries the security policy corresponding to the first VM according to the identifier type of the first VM and the identifier of the first VM carried in the extended PCP policy request packet, and constructs an extended PCP policy update message, which is the response to the extended PCP policy request message.
  • The extended PCP policy update packet carries a packet type identifier, which identifies the PCP packet as one requesting/updating the security policy of a VM, and further carries the identifier type of the first VM, the identifier of the first VM and the security policy corresponding to the first VM.
  • The existing PCP Request message format is defined as follows:
  • the Opcode field indicates the class of action performed by the PCP message;
  • the Opcode-specific information field is the payload corresponding to the Opcode field and is optional;
  • the PCP Options field is an extension field corresponding to the Opcode field and is optional.
  • The existing PCP packet format is extended into the extended PCP policy request message and the extended PCP policy update message as follows.
  • Extended PCP policy request message: the Opcode takes a new enumeration value (different from the Opcode enumeration values of existing PCP), indicating a request for/confirmation of the security policy of a VM, and a new Opcode-specific information field is defined (the 32-bit field layout diagram, bits 0 to 31, is not reproduced here) with the following subfields:
  • a) the protocol subfield and the reserved subfield exist to match the PCP packet definition style, and may take any value;
  • b) the Length subfield indicates the length of the subsequent ID Type subfield and ID subfield;
  • c) the ID Type subfield identifies the identifier type of the VM, which may be a MAC address type, an IP address type, or another type;
  • the PCP Options field is empty, i.e. no PCP Options are included.
  • Extended PCP policy update message: the Opcode takes a new enumeration value (different from the Opcode enumeration values of existing PCP), indicating a request for/update of the security policy of a VM; it may be the same as or different from the Opcode value of the extended PCP policy request message.
  • The Opcode-specific information field has the same content as in the extended PCP policy request message.
  • A new PCP Options field is defined (the 32-bit field layout diagram, bits 0 to 31, is not reproduced here) with the following subfields:
  • a) the protocol subfield and the reserved subfield exist to match the PCP packet definition style, and may take any value;
  • b) the Length subfield indicates the length of the Policy subfield;
  • c) the Policy subfield carries the security policy of the VM.
  • There may be several ways to distinguish an extended PCP policy request message from an extended PCP policy update message. For example, the Opcode values of the two messages may differ; alternatively, the packet type can be determined from the PCP Options field: when a PCP Options field is present in the packet, the packet is an extended PCP policy update packet.
  • The extended PCP policy request packet may be extended from the PCP Request packet; the extended PCP policy update packet may be extended from the PCP Request packet or from the PCP Response packet.
  • The execution process of the first method is as follows. After the first VM migrates from the first host to the second host, the first host or the second host sends the migration notification message of the first VM to a device that pre-stores the VM's security policy, for example the first network security device, or the third-party server, or both the first network security device and the third-party server.
  • That device constructs the extended PCP policy update message and sends it to the second network security device.
  • The method for constructing the extended PCP policy update message is the same as in the second method, and is not described again here.
  • The network security device applies the security policy corresponding to the VM and processes the packets received from the VM. For example, the second network security device determines whether the security policy corresponding to the first VM conflicts with its locally configured security policy; if there is a conflict, it adjusts the locally configured security policy according to the security policy corresponding to the first VM, and if there is no conflict, it keeps the locally configured security policy unchanged. After applying the security policy corresponding to the first VM, the second network security device processes the packets received from the first VM according to that security policy.
  • For example, the security policy corresponding to the first VM allows the video stream packets sent by the first VM to pass. If the security policy locally configured on the second network security device allows video stream packets sent by any virtual machine to pass, then allowing the first VM's video stream packets to pass does not conflict with it.
  • In the method for processing packets after a virtual machine VM is migrated described above, the network security device corresponding to the VM after migration receives the extended PCP policy update packet sent by the network device and applies the security policy corresponding to the VM, so it does not need to forward the packets sent by the migrated VM to the network security device that corresponded to the VM before migration; the number of network nodes the migrated VM's packets pass through is reduced and VM packet forwarding efficiency is improved.
  • An embodiment of the present invention provides a method for processing packets after a virtual machine VM is migrated, which can be applied to the first network security device shown in FIG. 1, and can also be applied to the first network security device and/or the third-party server shown in FIG. The method includes:
  • the network device obtains the identifier type of the VM and the identifier of the VM, where the network device pre-stores the identifier type of the VM, the identifier of the VM, and a security policy corresponding to the VM.
  • The identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device, such as the second network security device shown in FIG. 1, or the second network security device and/or the third-party server shown in FIG.
  • In FIG. 1 and FIG. 2, when the first VM migrates from the first host to the second host, referring to the first method and the second method described above, the network device receives the migration notification message of the first VM sent by the first host or the second host, or receives the extended PCP policy request packet sent by the second network security device, and obtains the identifier type of the first VM and the identifier of the first VM carried in the migration notification packet of the first VM or in the extended PCP policy request packet.
  • The network device constructs an extended PCP policy update packet according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update packet carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM.
  • For example, the network device queries the security policy corresponding to the first VM according to the identifier type of the first VM and the identifier of the first VM, and constructs an extended PCP policy update packet that carries the identifier type of the first VM, the identifier of the first VM and the security policy corresponding to the first VM.
  • For the detailed process and the PCP extension method, refer to the first method, the second method and the PCP extension method described in the embodiment shown in FIG. 3; they are not described again here.
  • The network device sends the extended PCP policy update packet to the network security device corresponding to the VM after migration. For example, the network device sends the extended PCP policy update message to the second network security device.
  • In the method for processing packets after a virtual machine VM is migrated described above, the network device sends the extended PCP policy update packet to the network security device corresponding to the VM after migration, so that this network security device can obtain the security policy corresponding to the VM and apply it to process the packets from the VM; the packets sent by the migrated VM need not be forwarded to the network security device that corresponded to the VM before migration, which improves VM packet forwarding efficiency.
  • an embodiment of the present invention provides a network security device, including:
  • the receiving unit 501 is configured to receive, after the VM is migrated, an extended PCP policy update message sent by the network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device.
  • the executing unit 502 is configured to apply a security policy corresponding to the VM, and process the received packet from the VM.
  • The extended PCP policy update message includes a first Opcode field, a first Opcode-specific information field and a PCP Options field; the first Opcode field identifies the packet type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.
  • The receiving unit 501 is further configured to receive a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM.
  • the network security device may further include: a configuration request message unit 503, configured to construct an extended PCP policy request message according to the migration notification message, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field is used to identify a packet type of the extended PCP, and the second Opcode-specific information field carries an identifier type of the VM and an identifier of the VM.
  • the sending unit 504 is configured to send the extended PCP policy request message to the network device.
  • the extended PCP policy update message is a response to the extended PCP policy request message.
  • The network security device provided by the embodiment of the present invention applies, after the VM is migrated, the security policy corresponding to the VM carried in the extended PCP policy update message sent by the network device, so that the packets sent by the migrated VM do not need to be forwarded to the network security device that corresponded to the VM before migration, and VM packet forwarding efficiency can be improved.
  • An embodiment of the present invention provides a network device, including: a receiving unit 702, configured to obtain the identifier type of the VM and the identifier of the VM after the VM is migrated; and a storage unit 701, configured to pre-store the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM.
  • The update message constructing unit 703 is configured to construct an extended PCP policy update message according to the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM.
  • the sending unit 704 is configured to send the extended PCP policy update message to the corresponding network security device after the VM migration.
  • That the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM means: the extended PCP policy update message includes a first operation code (Opcode) field, a first Opcode-specific information field and a PCP Options field; the first Opcode field identifies the packet type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.
  • The receiving unit 702 is specifically configured to receive a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM.
  • Alternatively, the receiving unit 702 is specifically configured to receive an extended PCP policy request message sent by the network security device corresponding to the VM after migration, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field; the second Opcode field identifies the packet type of the extended PCP, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM.
  • After the VM is migrated, the network device provided by the embodiment of the present invention sends an extended PCP policy update message to the network security device corresponding to the VM after migration, so that this network security device can obtain the security policy corresponding to the VM and apply it to process the packets from the VM. Therefore, the packets sent by the migrated VM do not need to be forwarded to the network security device that corresponded to the VM before migration for processing, and VM packet forwarding efficiency can be improved.
  • The units in the embodiments shown in FIG. 5 to FIG. 7 can be combined into one or more units. For example, the units can also all be implemented in hardware.
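The extended PCP policy request and policy update messages described in the definitions above, as an added example that is not code from the patent or from Huawei: it encodes the RFC 6887 request header, the patent's Opcode-specific information (protocol, reserved, Length, ID Type, ID) and the policy-carrying PCP Option, and classifies a parsed message as a request or an update by the presence of the PCP Options field, with bounds checks on every Length before it is trusted. The Opcode value 96, the ID Type code points and all byte widths are assumptions, since the patent fixes none of them.

```python
"""Encoder/decoder for the extended PCP policy request and policy update messages.

Assumed layout (the patent fixes no byte widths): the RFC 6887 common request header
(version, R|Opcode, reserved, requested lifetime, 16-byte client IP) is followed by the
Opcode-specific information [protocol(1) reserved(1) Length(2) ID Type(2) ID(Length-2)]
and, for the update message only, one PCP Option [protocol(1) reserved(1) Length(2)
Policy(Length)].  Both blocks are padded to a 32-bit boundary as PCP requires.
"""
import ipaddress
import struct

PCP_VERSION = 2        # RFC 6887 PCP version
OPCODE_VM_POLICY = 96  # assumed placeholder; RFC 6887 reserves Opcodes 96-126 for private use
ID_TYPE_MAC = 1        # assumed code points for the ID Type subfield
ID_TYPE_IPV4 = 2
HEADER_LEN = 24        # ver(1) + R|opcode(1) + reserved(2) + lifetime(4) + client IP(16)


def _pad4(n):
    """Round n up to a multiple of 4 (PCP keeps opcode data and options 32-bit aligned)."""
    return (n + 3) & ~3


def _header(client_ip, lifetime=0):
    """RFC 6887 request header; an IPv4 client is carried as an IPv4-mapped IPv6 address."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    return struct.pack("!BBHI16s", PCP_VERSION, OPCODE_VM_POLICY & 0x7F, 0, lifetime, ip.packed)


def _vm_identity(id_type, vm_id):
    """Opcode-specific information: protocol, reserved, Length, ID Type, ID."""
    body = struct.pack("!H", id_type) + vm_id
    blob = struct.pack("!BBH", 0, 0, len(body)) + body  # protocol/reserved may be any value
    return blob + b"\x00" * (_pad4(len(blob)) - len(blob))


def _policy_option(policy):
    """PCP Option carrying the VM's security policy: protocol, reserved, Length, Policy."""
    data = policy.encode()
    blob = struct.pack("!BBH", 0, 0, len(data)) + data
    return blob + b"\x00" * (_pad4(len(blob)) - len(blob))


def build_policy_request(client_ip, id_type, vm_id):
    """Extended PCP policy request: header + VM identity, PCP Options field left empty."""
    return _header(client_ip) + _vm_identity(id_type, vm_id)


def build_policy_update(client_ip, id_type, vm_id, policy):
    """Extended PCP policy update: same Opcode and identity, plus the policy option."""
    return _header(client_ip) + _vm_identity(id_type, vm_id) + _policy_option(policy)


def parse_message(data):
    """Decode either message; the presence of a PCP Options field marks an update."""
    if len(data) < HEADER_LEN + 4:
        raise ValueError("truncated PCP header")
    version, ropcode, _, lifetime, raw_ip = struct.unpack("!BBHI16s", data[:HEADER_LEN])
    if version != PCP_VERSION or (ropcode & 0x7F) != OPCODE_VM_POLICY:
        raise ValueError("not an extended PCP policy message")
    pos = HEADER_LEN
    _, _, length = struct.unpack("!BBH", data[pos:pos + 4])
    if length < 2 or pos + 4 + length > len(data):  # bounds check before trusting Length
        raise ValueError("bad Length in Opcode-specific information")
    id_type = struct.unpack("!H", data[pos + 4:pos + 6])[0]
    vm_id = data[pos + 6:pos + 4 + length]
    pos += 4 + _pad4(length)
    ip = ipaddress.IPv6Address(raw_ip)
    msg = {"kind": "policy_request", "client_ip": str(ip.ipv4_mapped or ip),
           "lifetime": lifetime, "id_type": id_type, "vm_id": vm_id, "policy": None}
    if pos < len(data):  # a PCP Options field follows: this is an update message
        if pos + 4 > len(data):
            raise ValueError("truncated PCP Option")
        _, _, plen = struct.unpack("!BBH", data[pos:pos + 4])
        if pos + 4 + plen > len(data):
            raise ValueError("bad Length in PCP Option")
        msg["kind"] = "policy_update"
        msg["policy"] = data[pos + 4:pos + 4 + plen].decode()
    return msg


if __name__ == "__main__":
    # Constructed sample exchange for the second method: the second network security device
    # asks for the first VM's policy by MAC address, and the network device answers with it.
    vm_mac = bytes.fromhex("001122334455")  # constructed MAC address of the first VM
    request = build_policy_request("10.0.0.5", ID_TYPE_MAC, vm_mac)
    print(parse_message(request))
    update = build_policy_update("10.0.0.5", ID_TYPE_MAC, vm_mac, "permit video-stream from vm1")
    print(parse_message(update))
```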

Abstract

Disclosed is a method for processing a message after the migration of a virtual machine VM, comprising: after the migration of a VM, applying a security policy corresponding to the VM to a network security device corresponding to the VM after the migration. Also provided are a corresponding network security device and network device. After the migration of a VM, by applying a security policy corresponding to the VM to a network security device corresponding to the VM after the migration, the technical solution of the embodiments of the present invention does not need to forward a message sent by the VM after the migration to the network security device corresponding to the VM before the migration for processing, thus improving the message forwarding efficiency of the VM.

Description

Method and device for processing message after virtual machine VM migration
This application claims priority to Chinese Patent Application No. 201210151792.3, filed with the Chinese Patent Office on May 16, 2012 and entitled "Method and device for processing message after virtual machine VM migration", the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
The present invention relates to the field of communications technologies, and in particular to a method and device for processing packets after a virtual machine VM is migrated.
BACKGROUND
When a virtual machine (VM) migrates within a data center or across data centers, the network path traversed by the traffic sent or received by the migrated VM changes, and the traffic after migration may pass through a different network security device. Thus, when a network security device (such as a firewall) receives a packet from a VM newly migrated into its security domain, it may be unable to process the packet correctly because it lacks the security policy corresponding to that VM.
For example, a data center has a first host and a second host; the first host is connected to a first firewall through a first switch, and the second host is connected to a second firewall through a second switch. A first VM runs on the first host, so the packet traffic sent by the first VM passes through the first firewall, and a security policy corresponding to the first VM is deployed on the first firewall so that the first VM can communicate with the outside world through the first firewall. After the first VM migrates from the first host to the second host, the packets sent by the first VM are forwarded through the second switch to the second firewall, but the second firewall has no security policy corresponding to the first VM, which may cause the second firewall to fail to process the first VM's packets correctly, so that the first VM's communication with the outside world is interrupted.
In the prior art, a Layer 2 device (such as a switch) forwards the packets sent by a VM to the network security device on which the security policy corresponding to that VM is deployed. Taking the scenario above as an example, after the first VM migrates from the first host to the second host, when a packet sent by the first VM passes through the second switch, the second switch forwards the packet to the first switch, and the first switch forwards it to the first firewall, so that the first VM can still communicate with the outside world. Because the packets sent by the migrated VM must be forwarded along a roundabout path to the network security device on which the VM's security policy is deployed, the number of network nodes those packets pass through increases, and VM packet forwarding efficiency is low.
SUMMARY OF THE INVENTION
Embodiments of the present invention provide a method for processing packets after a virtual machine VM is migrated, which resolves the loss of the VM's security policy after migration, and a device thereof. The packets sent by the migrated VM do not need to be forwarded to the network security device that corresponded to the VM before migration, so the VM packet forwarding efficiency is improved. This solves the problem of the prior art, in which the packets sent by the migrated VM are forwarded along a roundabout path to the network security device on which the VM's security policy is deployed, so that the packets traverse more network nodes, the VM packet forwarding path is not the optimal path, and the VM packet forwarding efficiency is low.
In one aspect, an embodiment of the present invention provides a method for processing packets after a virtual machine VM is migrated, including:
after the VM is migrated, the network security device corresponding to the VM after migration receives an extended Port Control Protocol (PCP) policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
the network security device applies the security policy corresponding to the VM to process the received packets from the VM.

In another aspect, an embodiment of the present invention provides a further method for processing packets after a virtual machine VM is migrated, including:
after the VM is migrated, a network device obtains the identifier type of the VM and the identifier of the VM, where the network device has pre-stored the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
the network device constructs an extended Port Control Protocol PCP policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
the network device sends the extended PCP policy update message to the network security device corresponding to the VM after migration.
In another aspect, an embodiment of the present invention provides a network security device, including:
a receiving unit, configured to receive, after the VM is migrated, an extended Port Control Protocol PCP policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
an execution unit, configured to apply the security policy corresponding to the VM to process the received packets from the VM.
In another aspect, an embodiment of the present invention provides a network device, including:
a receiving unit, configured to obtain the identifier type of the VM and the identifier of the VM after the VM is migrated;
a storage unit, configured to pre-store the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
an update message constructing unit, configured to construct an extended PCP policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
a sending unit, configured to send the extended PCP policy update message to the network security device corresponding to the VM after migration.

With the method and device for resolving the loss of a VM's security policy after migration provided by the embodiments of the present invention, after the VM is migrated the security policy corresponding to the VM is applied on the network security device corresponding to the VM after migration, so the packets sent by the migrated VM do not need to be forwarded to the network security device corresponding to the VM before migration, and the VM packet forwarding efficiency is improved.

BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a schematic diagram of VM migration networking in an embodiment of the present invention;
FIG. 2 is a schematic diagram of VM migration networking in an embodiment of the present invention;
FIG. 3 is a flowchart of a method for processing packets after migration of a virtual machine VM according to an embodiment of the present invention;
FIG. 4 is a flowchart of another method for processing packets after migration of a virtual machine VM according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a network security device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another network security device according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a network device according to an embodiment of the present invention.

DETAILED DESCRIPTION
The technical solutions of the embodiments of the present invention are described in further detail below with reference to the accompanying drawings and embodiments.

FIG. 1 is a schematic diagram of VM migration networking in an embodiment of the present invention. A first host is connected to a first network security device through a first switch, and a second host is connected to a second network security device through a second switch. The first network security device and the second network security device are network devices with security functions, such as firewalls, routers or switches. Initially, the first host runs two virtual machines, a first VM and a second VM; the security policies corresponding to the first VM and the second VM are pre-stored and deployed on the first network security device, so that the first VM and the second VM can communicate with the outside world through the first network security device, while at this time the security policies corresponding to the first VM and the second VM are neither pre-stored nor deployed on the second network security device. Subsequently, the first VM migrates to the second host.

FIG. 2 is a schematic diagram of VM migration networking in an embodiment of the present invention. The difference between FIG. 2 and FIG. 1 is that the security policies corresponding to the first VM and the second VM, in addition to being pre-stored and deployed on the first network security device, are also pre-stored on a third-party server, and the third-party server can communicate with the first network security device and the second network security device.

As shown in FIG. 3, an embodiment of the present invention provides a method for resolving the loss of a VM's security policy after migration. For example, the method may be applied to the second network security device shown in FIG. 1, or to the second network security device shown in FIG. 2. The method includes:
301. After the VM is migrated, the network security device corresponding to the VM after migration receives an extended PCP policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device.

For example, after the event in which the first VM migrates to the second host occurs, there are at least two ways in which the second network security device can receive an extended PCP policy update message from the network device that has pre-stored the first VM's security policy.

The first method: the first host or the second host sends a migration notification message for the first VM to the network device that has pre-stored the first VM's security policy, which triggers that network device to send an extended PCP policy update message to the second network security device.

The second method: the first host or the second host sends a migration notification message for the first VM to the second network security device, which triggers the second network security device to send an extended PCP policy request message to the network device that has pre-stored the first VM's security policy; after receiving the extended PCP policy request message, that network device sends an extended PCP policy update message to the second network security device, where the extended PCP policy update message is a response to the extended PCP policy request message.

In both methods, the network device that has pre-stored the first VM's security policy is the first network security device in FIG. 1; in FIG. 2 it is the third-party server, or the first network security device, or both the third-party server and the first network security device.
The execution of the second method is described in detail as follows:

After the first VM on the first host migrates to the second host, the first host or the second host sends a migration notification message for the first VM to the second network security device. The migration notification message carries the identifier type of the first VM and the identifier of the first VM. When the identifier type of the first VM is the Media Access Control (MAC) address type, the identifier of the first VM is the MAC address of the first VM; when the identifier type of the first VM is the Internet Protocol (IP) address type, the identifier of the first VM is the IP address of the first VM.

After receiving the migration notification message, the second network security device constructs an extended PCP policy request message. The extended PCP policy request message carries a message type identifier, which marks this PCP message as a PCP message that requests/confirms a VM's security policy, and additionally carries the identifier type of the first VM and the identifier of the first VM. After constructing the extended PCP policy request message, the second network security device sends it to the device that has pre-stored the first VM's security policy, for example a third-party server, or the first network security device, or both the third-party server and the first network security device.

After the device that has pre-stored the first VM's security policy receives the extended PCP policy request message sent by the second network security device, it determines that the message requests a VM's security policy, looks up the security policy corresponding to the first VM according to the identifier type of the first VM and the identifier of the first VM carried in the extended PCP policy request message, and constructs an extended PCP policy update message, which is the response to the extended PCP policy request message. The extended PCP policy update message carries a message type identifier, which marks this PCP message as a PCP message that requests/updates a VM's security policy, and additionally carries the identifier type of the first VM, the identifier of the first VM and the security policy corresponding to the first VM. The device then sends the extended PCP policy update message to the second network security device.

The following example describes how an existing PCP message is extended into an extended PCP policy request message and an extended PCP policy update message. This is only an example and does not constitute a specific limitation.

The existing PCP Request message format is defined as follows:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Version = 1  |R|   Opcode    |         Reserved              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Requested Lifetime (32 bits)                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |            PCP Client's IP Address (128 bits)                 |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                                                               :
   :             (optional) Opcode-specific information            :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                                                               :
   :             (optional) PCP Options                            :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note: the structure of the PCP Response message is similar and is not described again here. In the format above:
the Opcode field indicates the category of the action performed by the PCP message;
the Opcode-specific information field is the payload corresponding to the Opcode field and is optional;
the PCP Options field is an extension field corresponding to the Opcode field and is optional.

In the embodiments of the present invention, the existing PCP message format is extended into the extended PCP policy request message and the extended PCP policy update message as follows:
(1) For the extended PCP policy request message
The Opcode takes a new enumeration value (different from the enumeration values of Opcode in the existing PCP), indicating a request/confirmation of a VM's security policy. A new Opcode-specific information field is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Protocol    |               Reserved (24 bits)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           ID Type             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                          ID (variable)                        :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where:
a) the Protocol subfield and the Reserved subfield keep the definition consistent with the style of PCP messages; their values may be arbitrary;
b) the Length subfield indicates the length of the ID Type subfield and the ID subfield that follow it;
c) the ID Type subfield identifies the VM's identifier type, which may be the MAC address type, the IP address type or another type;
d) the ID subfield identifies the VM and depends on the ID Type; for example, when the value of ID Type is the MAC address type, the value of ID is the VM's MAC address.
PCP Options is empty, i.e. no PCP Options are included.

(2) For the extended PCP policy update message
The Opcode takes a new enumeration value (different from the enumeration values of Opcode in the existing PCP), indicating a request/update of a VM's security policy; it may be the same as or different from the Opcode value in the extended PCP policy request message.
The Opcode-specific information is the same as in the extended PCP policy request message above. A new PCP Options field is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Protocol    |   Reserved    |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                       Policy (variable)                       :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where:
a) the Protocol subfield and the Reserved subfield keep the definition consistent with the style of PCP messages; their values may be arbitrary;
b) the Length subfield indicates the length of the Policy subfield;
c) the Policy subfield carries the VM's security policy.

For example, there are several ways to distinguish the extended PCP policy request message from the extended PCP policy update message: the Opcode values of the extended PCP policy request message and the extended PCP policy update message may be set to different values, or the presence of the PCP Options field may be used, so that a message containing a PCP Options field is an extended PCP policy update message and a message without one is an extended PCP policy request message. The extended PCP policy request message may be extended from the PCP Request message; the extended PCP policy update message may be extended from the PCP Request message or from the PCP Response message.

The execution of the first method is described in detail as follows:

After the first VM migrates from the first host to the second host, the first host or the second host sends a migration notification message for the first VM to the device that has pre-stored the VM's security policy, for example the first network security device, or a third-party server, or both the first network security device and the third-party server. After receiving the migration notification message for the first VM, the device that has pre-stored the VM's security policy looks up the security policy corresponding to the first VM according to the identifier type of the first VM and the identifier of the first VM carried in the migration notification message, constructs an extended PCP policy update message, and sends the extended PCP policy update message to the second network security device. The extended PCP policy update message is constructed in the same way as in the second method above and is not described again here.
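As an added illustration of the two extended message formats described above (example code written for this page, not the patent's own), the following Python builds and parses the extended PCP policy request and update messages and tells them apart by the presence of the PCP Options field, as the text allows. The Opcode values, the ID Type codes, the 16/16-bit split of Length and ID Type and the textual Policy encoding are assumptions, since the patent leaves them open.

```python
import ipaddress
import struct

# Opcode values and identifier-type codes are not fixed by the patent text;
# the constants below are placeholder assumptions for this example.
OPCODE_POLICY_REQUEST = 0x60   # hypothetical new Opcode: request/confirm a VM's policy
OPCODE_POLICY_UPDATE = 0x61    # hypothetical new Opcode: request/update a VM's policy
ID_TYPE_MAC = 1                # assumed code for the MAC address identifier type
ID_TYPE_IP = 2                 # assumed code for the IP address identifier type
PCP_VERSION = 1
HEADER_LEN = 24                # Version/R/Opcode/Reserved (4) + Lifetime (4) + Client IP (16)


def _client_ip_bytes(ip):
    """PCP carries the client address as 128 bits; IPv4 is sent IPv4-mapped."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        addr = ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr.packed


def _encode_vm_id(id_type, vm_id):
    if id_type == ID_TYPE_MAC:
        return bytes.fromhex(vm_id.replace(":", ""))
    if id_type == ID_TYPE_IP:
        return ipaddress.ip_address(vm_id).packed
    raise ValueError("unknown ID Type %d" % id_type)


def _decode_vm_id(id_type, raw):
    if id_type == ID_TYPE_MAC:
        return ":".join("%02x" % b for b in raw)
    if id_type == ID_TYPE_IP:
        return str(ipaddress.ip_address(raw))
    raise ValueError("unknown ID Type %d" % id_type)


def _opcode_specific_info(id_type, vm_id):
    """Protocol(8) Reserved(24) | Length(16) ID Type(16) | ID (variable).
    Length covers the ID Type and ID subfields; the 16/16 split of Length
    and ID Type is an assumption of this example."""
    raw_id = _encode_vm_id(id_type, vm_id)
    return struct.pack("!B3xHH", 0, 2 + len(raw_id), id_type) + raw_id


def _policy_option(policy):
    """PCP Options: Protocol(8) Reserved(8) Length(16) | Policy (variable)."""
    raw = policy.encode("utf-8")
    return struct.pack("!BBH", 0, 0, len(raw)) + raw


def build_message(opcode, client_ip, id_type, vm_id, policy=None, response=False):
    """Build an extended PCP policy request (policy=None) or update (policy given)."""
    r_opcode = (opcode & 0x7F) | (0x80 if response else 0)
    header = struct.pack("!BBHI", PCP_VERSION, r_opcode, 0, 0)   # lifetime unused here
    msg = header + _client_ip_bytes(client_ip) + _opcode_specific_info(id_type, vm_id)
    if policy is not None:           # only the update message carries PCP Options
        msg += _policy_option(policy)
    return msg


def parse_message(msg):
    """Parse a message built as above; classify it by the presence of PCP Options."""
    if len(msg) < HEADER_LEN + 8:
        raise ValueError("message too short for header and opcode-specific information")
    version, r_opcode, _reserved, _lifetime = struct.unpack("!BBHI", msg[:8])
    if version != PCP_VERSION:
        raise ValueError("unsupported PCP version %d" % version)
    addr = ipaddress.IPv6Address(msg[8:HEADER_LEN])
    pos = HEADER_LEN
    _proto, length, id_type = struct.unpack("!B3xHH", msg[pos:pos + 8])
    pos += 8
    id_len = length - 2              # Length includes the 2-byte ID Type subfield
    if id_len < 0 or len(msg) < pos + id_len:
        raise ValueError("bad Length in opcode-specific information")
    vm_id = _decode_vm_id(id_type, msg[pos:pos + id_len])
    pos += id_len
    policy = None
    if pos < len(msg):               # PCP Options present: this is a policy update
        if len(msg) < pos + 4:
            raise ValueError("truncated PCP Options header")
        _proto, _res, plen = struct.unpack("!BBH", msg[pos:pos + 4])
        pos += 4
        if len(msg) < pos + plen:
            raise ValueError("truncated Policy subfield")
        policy = msg[pos:pos + plen].decode("utf-8")
    return {"opcode": r_opcode & 0x7F, "response": bool(r_opcode & 0x80),
            "client_ip": str(addr.ipv4_mapped or addr), "id_type": id_type,
            "vm_id": vm_id, "policy": policy,
            "kind": "update" if policy is not None else "request"}
```

A receiver that checks Length against the remaining bytes, as parse_message does, rejects a truncated or malformed update instead of installing a partial policy.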
302. The network security device applies the security policy corresponding to the VM to process the received packets from the VM.

For example, the second network security device determines, according to the security policy corresponding to the first VM, whether it conflicts with the locally configured security policy; if there is a conflict, the locally configured security policy is adjusted according to the security policy corresponding to the first VM; if there is no conflict, the locally configured security policy is left unchanged. The second network security device then processes the received packets from the first VM according to the security policy that results from applying the security policy corresponding to the first VM. For example, if the locally configured security policy of the second network security device does not allow video stream packets sent by any virtual machine to pass, while the security policy corresponding to the first VM allows video stream packets sent by the first VM to pass, there is a conflict; if the locally configured security policy of the second network security device allows video stream packets sent by any virtual machine to pass, and the security policy corresponding to the first VM allows video stream packets sent by the first VM to pass, there is no conflict.

With the method for processing packets after migration of a virtual machine VM provided by this embodiment, after the VM migrates, the extended PCP policy update message received from the network device applies the security policy corresponding to the VM on the network security device corresponding to the VM after migration. The packets sent by the migrated VM therefore do not need to be forwarded to the network security device corresponding to the VM before migration, the number of network nodes traversed by those packets is reduced, and the VM packet forwarding efficiency is improved.
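An added example (not the patent's own code) of the conflict check in step 302: a small first-match policy model in which the locally configured rules are adjusted only where they would decide the migrated VM's traffic differently from the VM's own policy. The line syntax assumed for the Policy subfield and the "video" traffic class are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of a first-match security policy."""
    action: str    # "permit" or "deny"
    traffic: str   # traffic class such as "video", or "any"
    source: str    # VM identifier (MAC or IP address), or "any"

    def matches(self, source, traffic):
        return self.source in ("any", source) and self.traffic in ("any", traffic)


def parse_policy(text):
    """Parse the Policy subfield. The line syntax '<action> <traffic> from <source>'
    is an assumed encoding, since the patent leaves the policy format open."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "from" or parts[0] not in ("permit", "deny"):
            raise ValueError("malformed policy line: %r" % line)
        rules.append(Rule(parts[0], parts[1], parts[3]))
    return rules


def decide(rules, source, traffic, default="deny"):
    """First matching rule wins; the implicit default applies when none matches."""
    for rule in rules:
        if rule.matches(source, traffic):
            return rule.action
    return default


def conflicts(local_rules, vm_rule):
    """A conflict exists when the local policy decides the VM's traffic differently."""
    return decide(local_rules, vm_rule.source, vm_rule.traffic) != vm_rule.action


def apply_vm_policy(local_rules, vm_rules):
    """Adjust the local policy only where it conflicts with the migrated VM's policy;
    return the resulting rule list and the VM rules that had to be inserted."""
    merged = list(local_rules)
    inserted = []
    for rule in vm_rules:
        if conflicts(merged, rule):
            merged.insert(0, rule)   # the VM-specific rule takes precedence
            inserted.append(rule)
    return merged, inserted
```

Because the VM rule is inserted only on conflict and matches only that VM's identifier, traffic from other VMs keeps the local decision.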
As shown in FIG. 4, an embodiment of the present invention provides a method for processing packets after a virtual machine VM is migrated, which may be applied to the first network security device shown in FIG. 1, or to the first network security device and/or the third-party server shown in FIG. 2, and includes:
401. After the VM is migrated, a network device obtains the identifier type of the VM and the identifier of the VM, where the network device has pre-stored the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM.

In 401 above, the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device, for example the second network security device shown in FIG. 1, or the second network security device and/or the third-party server shown in FIG. 2. As shown in FIG. 1 and FIG. 2, when the first VM migrates from the first host to the second host, referring to the first method and the second method described under 301 in the embodiment shown in FIG. 3, the network device receives a migration notification message for the first VM sent by the first host or the second host, or receives an extended PCP policy request message sent by the second network security device; the migration notification message for the first VM or the extended PCP policy request message carries the identifier type of the first VM and the identifier of the first VM.

402. The network device constructs an extended PCP policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM.

For example, the network device looks up the security policy corresponding to the first VM according to the identifier type of the first VM and the identifier of the first VM, and constructs an extended PCP policy update message carrying the identifier type of the first VM, the identifier of the first VM and the security policy corresponding to the first VM. For the detailed procedure and the method of extending PCP, refer to the first method, the second method and the PCP extension method described under 301 in the embodiment shown in FIG. 3; they are not described again here.

403. The network device sends the extended PCP policy update message to the network security device corresponding to the VM after migration.

For example, the network device sends the extended PCP policy update message to the second network security device.

With the method for processing packets after migration of a virtual machine VM provided by this embodiment, after the VM migrates, an extended PCP policy update message is sent to the network security device corresponding to the VM after migration, so that this device can obtain the security policy corresponding to the VM and apply it to process the packets from the VM. The packets sent by the migrated VM therefore do not need to be forwarded to the network security device corresponding to the VM before migration, and the VM packet forwarding efficiency is improved.
Referring to FIG. 5, an embodiment of the present invention provides a network security device, including:
a receiving unit 501, configured to receive, after the VM is migrated, an extended PCP policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
an execution unit 502, configured to apply the security policy corresponding to the VM to process the received packets from the VM.

For example, the PCP policy update message includes a first Opcode field, a first Opcode-specific information field and a PCP Options field, where the first Opcode field identifies the extended PCP message type, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.

For example, as shown in FIG. 6, the receiving unit 501 is further configured to receive a migration notification message for the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM; the network security device may further include:
a request message constructing unit 503, configured to construct an extended PCP policy request message according to the migration notification message, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field identifies the extended PCP message type, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM;
a sending unit 504, configured to send the extended PCP policy request message to the network device; correspondingly, the extended PCP policy update message is a response to the extended PCP policy request message.

With the network security device provided by this embodiment, after the VM migrates, the extended PCP policy update message received from the network device applies the security policy corresponding to the VM on the network security device corresponding to the VM after migration, so the packets sent by the migrated VM do not need to be forwarded to the network security device corresponding to the VM before migration, and the VM packet forwarding efficiency can be improved.
Referring to FIG. 7, an embodiment of the present invention provides a network device, including:

A receiving unit 702, configured to obtain, after the VM is migrated, the identifier type of the VM and the identifier of the VM;

A storage unit 701, configured to pre-store the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;

An update message constructing unit 703, configured to construct an extended PCP policy update message according to the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;

A sending unit 704, configured to send the extended PCP policy update message to the network security device corresponding to the VM after migration.

For example, the extended PCP policy update message carrying the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM includes: the extended PCP policy update message includes a first opcode Opcode field, a first opcode-specific information Opcode-specific information field and a PCP options Options field, where the first Opcode field is used to identify the message type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.

For example, the receiving unit 702 is specifically configured to receive a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM.

As another example, the receiving unit 702 is specifically configured to receive an extended PCP policy request message sent by the network security device corresponding to the VM after migration, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field is used to identify the message type of the extended PCP, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM.

The network device provided by this embodiment of the present invention sends, after the VM is migrated, an extended PCP policy update message to the network security device corresponding to the VM after migration, so that this network security device can obtain the security policy corresponding to the VM. It can therefore apply the security policy corresponding to the VM to process packets from the VM, and packets sent by the migrated VM need not be forwarded to the network security device that corresponded to the VM before migration for processing, which improves the efficiency of VM packet forwarding.

For example, the units in the embodiments shown in FIG. 5 to FIG. 7 may be combined into one or more units. As another example, all of the units may be implemented in hardware. A person of ordinary skill in the art can understand that all or some of the steps of the methods in the above embodiments may be completed by a program instructing related hardware, and the program may be stored in a computer-readable storage medium; for example, the storage medium may include a read-only memory, a random access memory, a magnetic disk or an optical disc.

The method and device for packet processing after migration of a virtual machine VM provided by the embodiments of the present invention have been described in detail above, but the above embodiments should not be construed as limiting the present invention. Changes or substitutions that a person skilled in the art can readily conceive within the technical scope disclosed by the above embodiments shall all fall within the protection scope of the present invention; the protection scope of the present invention is subject to the claims.
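The following Python is an added example, not code from the patent or from any Huawei product, that models the exchange described for FIG. 5 to FIG. 7: the network security device builds an extended PCP policy request from a migration notification (units 503/504), the network device looks up the pre-stored entry and answers with an extended PCP policy update carrying the VM identifier type, identifier and policy (units 701-704), and the security device validates, installs and applies it (units 501/502). The 24-byte PCP common header and the option layout follow RFC 6887; the opcode values, the option code, the identifier-type codes, the byte layout of the Opcode-specific information and of the policy rules, and the result code used for an unknown VM are all assumptions, since the patent names these fields without fixing an encoding.

```python
import struct

# Wire-format constants. The PCP header and option layout follow RFC 6887;
# every value marked "assumed" is a placeholder chosen for this example.
PCP_VERSION = 2
OP_POLICY_REQUEST = 0x60      # assumed opcode: extended PCP policy request
OP_POLICY_UPDATE = 0x61       # assumed opcode: extended PCP policy update
OPT_SECURITY_POLICY = 0xC8    # assumed PCP option code carrying the VM's policy
ID_TYPE_MAC, ID_TYPE_UUID = 1, 2             # assumed VM identifier-type codes
RESULT_SUCCESS, RESULT_NO_POLICY = 0, 0x7F   # 0 is PCP SUCCESS; 0x7F is assumed
ACT_DENY, ACT_PERMIT = 0, 1                  # assumed rule actions

def _pad4(b: bytes) -> bytes:
    """PCP pads variable-length data to a 4-byte boundary."""
    return b + b"\x00" * (-len(b) % 4)

def encode_vm_id(id_type: int, vm_id: bytes) -> bytes:
    """Opcode-specific information: identifier type, length, identifier (assumed layout)."""
    return struct.pack("!BBH", id_type, len(vm_id), 0) + _pad4(vm_id)

def decode_vm_id(body: bytes):
    """Returns (id_type, vm_id, offset of whatever follows the padded identifier)."""
    id_type, id_len, _ = struct.unpack("!BBH", body[:4])
    vm_id = body[4:4 + id_len]
    return id_type, vm_id, 4 + len(_pad4(vm_id))

def encode_policy_option(rules) -> bytes:
    """One PCP option (code, reserved, length, data); each rule is (action, proto, dst_port)."""
    data = b"".join(struct.pack("!BBH", *rule) for rule in rules)
    return struct.pack("!BBH", OPT_SECURITY_POLICY, 0, len(data)) + _pad4(data)

def decode_options(body: bytes) -> dict:
    """Walks the RFC 6887 option list and returns {option_code: data}."""
    opts, off = {}, 0
    while off + 4 <= len(body):
        code, _, length = struct.unpack("!BBH", body[off:off + 4])
        data = body[off + 4:off + 4 + length]
        opts[code] = data
        off += 4 + len(_pad4(data))
    return opts

def decode_policy(data: bytes):
    return [struct.unpack("!BBH", data[i:i + 4]) for i in range(0, len(data) // 4 * 4, 4)]

def pcp_request(opcode: int, client_ip: bytes, lifetime: int, payload: bytes) -> bytes:
    """RFC 6887 request header: version, R=0|opcode, reserved, lifetime, 16-byte client IP."""
    return struct.pack("!BBHI16s", PCP_VERSION, opcode & 0x7F, 0, lifetime, client_ip) + payload

def pcp_response(opcode: int, result: int, lifetime: int, epoch: int, payload: bytes) -> bytes:
    """RFC 6887 response header: version, R=1|opcode, reserved, result code, lifetime, epoch."""
    return struct.pack("!BBBBII12s", PCP_VERSION, 0x80 | opcode, 0, result,
                       lifetime, epoch, bytes(12)) + payload

def parse_pcp(msg: bytes):
    """Returns (version, is_response, opcode, result_code, body after the 24-byte header)."""
    if len(msg) < 24:
        raise ValueError("short PCP message")
    is_response = bool(msg[1] & 0x80)
    return msg[0], is_response, msg[1] & 0x7F, (msg[3] if is_response else 0), msg[24:]

class NetworkDevice:
    """FIG. 7 side: pre-stored (id type, id) -> policy (unit 701); answers requests (702-704)."""
    def __init__(self, store: dict):
        self.store = store

    def handle_policy_request(self, msg: bytes) -> bytes:
        version, is_resp, opcode, _, body = parse_pcp(msg)
        if version != PCP_VERSION or is_resp or opcode != OP_POLICY_REQUEST:
            raise ValueError("not an extended PCP policy request")
        id_type, vm_id, _ = decode_vm_id(body)
        rules = self.store.get((id_type, vm_id))
        if rules is None:  # unknown VM: signal it rather than deliver an empty policy
            return pcp_response(OP_POLICY_UPDATE, RESULT_NO_POLICY, 0, 0, encode_vm_id(id_type, vm_id))
        return pcp_response(OP_POLICY_UPDATE, RESULT_SUCCESS, 0, 0,
                            encode_vm_id(id_type, vm_id) + encode_policy_option(rules))

class NetworkSecurityDevice:
    """FIG. 5/6 side: requests (503/504), receives (501) and applies (502) the VM's policy."""
    def __init__(self, client_ip: bytes):
        self.client_ip = client_ip
        self.policies = {}  # (id_type, vm_id) -> [(action, proto, dst_port)]

    def on_migration_notice(self, id_type: int, vm_id: bytes) -> bytes:
        return pcp_request(OP_POLICY_REQUEST, self.client_ip, 0, encode_vm_id(id_type, vm_id))

    def on_policy_update(self, msg: bytes) -> bool:
        version, is_resp, opcode, result, body = parse_pcp(msg)
        if version != PCP_VERSION or not is_resp or opcode != OP_POLICY_UPDATE:
            return False
        if result != RESULT_SUCCESS:
            return False  # no policy delivered: stay in the default-deny state
        id_type, vm_id, off = decode_vm_id(body)
        data = decode_options(body[off:]).get(OPT_SECURITY_POLICY)
        if data is None:
            return False
        self.policies[(id_type, vm_id)] = decode_policy(data)
        return True

    def process_packet(self, id_type: int, vm_id: bytes, proto: int, dst_port: int) -> str:
        for action, p, port in self.policies.get((id_type, vm_id), []):
            if p == proto and port == dst_port:
                return "permit" if action == ACT_PERMIT else "deny"
        return "deny"  # no installed policy or no matching rule

def demo():
    """Constructed sample: one migrated VM identified by MAC; policy permits 443/tcp, denies 22/tcp."""
    vm_mac = bytes.fromhex("0242ac110002")
    nd = NetworkDevice({(ID_TYPE_MAC, vm_mac): [(ACT_PERMIT, 6, 443), (ACT_DENY, 6, 22)]})
    nsd = NetworkSecurityDevice(client_ip=bytes(10) + b"\xff\xff" + bytes([192, 0, 2, 10]))
    update = nd.handle_policy_request(nsd.on_migration_notice(ID_TYPE_MAC, vm_mac))
    installed = nsd.on_policy_update(update)
    return (installed,
            nsd.process_packet(ID_TYPE_MAC, vm_mac, 6, 443),
            nsd.process_packet(ID_TYPE_MAC, vm_mac, 6, 22),
            nsd.process_packet(ID_TYPE_MAC, vm_mac, 17, 53))

if __name__ == "__main__":
    print(demo())
```

The checks in `on_policy_update` (version, R bit, opcode, result code, presence of the policy option) are what makes the update usable only as the response to the device's own request, which is the relationship claims 3 and 10 describe; a VM the network device has no entry for leaves the security device in its default-deny state instead of installing an empty policy. In the variant where the network device pushes the update after receiving the migration notification itself, the receiving device has no request to match against, so a deployment would additionally need to authenticate the sender, for example with the PCP authentication mechanism of RFC 7652.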

Claims

1. A method for packet processing after migration of a virtual machine VM, characterized by including:
after the VM is migrated, receiving, by a network security device corresponding to the VM after migration, an extended Port Control Protocol PCP policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and where the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
applying, by the network security device, the security policy corresponding to the VM to process received packets from the VM.
2. The method according to claim 1, wherein the extended PCP policy update message carrying the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM includes:
the extended PCP policy update message includes a first opcode Opcode field, a first opcode-specific information Opcode-specific information field and a PCP options Options field, where the first Opcode field is used to identify the message type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.
3. The method according to claim 2, characterized in that, before receiving the extended PCP policy update message sent by the network device, the method further includes:
receiving, by the network security device, a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM;
constructing, by the network security device, an extended PCP policy request message according to the migration notification message, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field is used to identify the message type of the extended PCP, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM;
sending, by the network security device, the extended PCP policy request message to the network device; correspondingly, the extended PCP policy update message is a response to the extended PCP policy request message.
4. A method for packet processing after migration of a virtual machine VM, characterized by including:
after the VM is migrated, obtaining, by a network device, the identifier type of the VM and the identifier of the VM, where the network device has pre-stored the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
constructing, by the network device, an extended Port Control Protocol PCP policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
sending, by the network device, the extended PCP policy update message to the network security device corresponding to the VM after migration.
5. The method according to claim 4, wherein the extended PCP policy update message carrying the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM includes:
the extended PCP policy update message includes a first opcode Opcode field, a first opcode-specific information Opcode-specific information field and a PCP options Options field, where the first Opcode field is used to identify the message type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.
6. The method according to claim 5, characterized in that the obtaining, by the network device, the identifier type of the VM and the identifier of the VM includes:
receiving, by the network device, a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM.
7. The method according to claim 5, characterized in that the obtaining, by the network device, the identifier type of the VM and the identifier of the VM includes:
receiving, by the network device, an extended PCP policy request message sent by the network security device corresponding to the VM after migration, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field is used to identify the message type of the extended PCP, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM.
8. A network security device, characterized by including:
a receiving unit, configured to receive, after a VM is migrated, an extended Port Control Protocol PCP policy update message sent by a network device, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM, and where the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM are pre-stored on the network device;
an executing unit, configured to apply the security policy corresponding to the VM to process received packets from the VM.
9. The network security device according to claim 8, characterized in that the PCP policy update message includes:
a first opcode Opcode field, a first opcode-specific information Opcode-specific information field and a PCP options Options field, where the first Opcode field is used to identify the message type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.
10. The network security device according to claim 9, characterized in that the receiving unit is further configured to receive a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM;
the network security device further includes a request message constructing unit, configured to construct an extended PCP policy request message according to the migration notification message, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field is used to identify the message type of the extended PCP, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM;
the network security device further includes a sending unit, configured to send the extended PCP policy request message to the network device; correspondingly, the extended PCP policy update message is a response to the extended PCP policy request message.
11. A network device, characterized by including:
a receiving unit, configured to obtain, after a VM is migrated, the identifier type of the VM and the identifier of the VM;
a storage unit, configured to pre-store the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
an update message constructing unit, configured to construct an extended Port Control Protocol PCP policy update message according to the identifier type of the VM and the identifier of the VM, where the extended PCP policy update message carries the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM;
a sending unit, configured to send the extended PCP policy update message to the network security device corresponding to the VM after migration.
12. The network device according to claim 11, characterized in that the extended PCP policy update message carrying the identifier type of the VM, the identifier of the VM and the security policy corresponding to the VM includes:
the extended PCP policy update message includes a first opcode Opcode field, a first opcode-specific information Opcode-specific information field and a PCP options Options field, where the first Opcode field is used to identify the message type of the extended PCP, the first Opcode-specific information field carries the identifier type of the VM and the identifier of the VM, and the PCP Options field carries the security policy corresponding to the VM.
13. The network device according to claim 12, characterized in that the receiving unit is specifically configured to receive a migration notification message of the VM, where the migration notification message carries the identifier type of the VM and the identifier of the VM.
14. The network device according to claim 12, characterized in that the receiving unit is specifically configured to receive an extended PCP policy request message sent by the network security device corresponding to the VM after migration, where the extended PCP policy request message includes a second Opcode field and a second Opcode-specific information field, the second Opcode field is used to identify the message type of the extended PCP, and the second Opcode-specific information field carries the identifier type of the VM and the identifier of the VM.
PCT/CN2013/074854 2012-05-16 2013-04-27 Method for processing message after migration of virtual machine vm and device thereof WO2013170698A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210151792.3 2012-05-16
CN201210151792.3A CN103428106B (en) 2012-05-16 2012-05-16 The method of the Message processing after virtual machine VM migration and equipment thereof

Publications (1)

Publication Number Publication Date
WO2013170698A1 true WO2013170698A1 (en) 2013-11-21

Family

ID=49583109

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/074854 WO2013170698A1 (en) 2012-05-16 2013-04-27 Method for processing message after migration of virtual machine vm and device thereof

Country Status (2)

Country Link
CN (1) CN103428106B (en)
WO (1) WO2013170698A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9325663B2 (en) 2014-09-15 2016-04-26 Sprint Communications Company L.P. Discovery of network address allocations and translations in wireless communication systems

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106034115B (en) * 2015-03-13 2020-01-31 中兴通讯股份有限公司 Method, device and system for realizing virtual network
CN108092810A (en) * 2017-12-13 2018-05-29 锐捷网络股份有限公司 A kind of virtual machine management method, VTEP equipment and management equipment
CN111510435B (en) * 2020-03-25 2022-02-22 新华三大数据技术有限公司 Network security policy migration method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090249438A1 (en) * 2008-03-27 2009-10-01 Moshe Litvin Moving security for virtual machines
CN102413041A (en) * 2011-11-08 2012-04-11 华为技术有限公司 Method, device and system for moving security policy
CN102739645A (en) * 2012-04-23 2012-10-17 杭州华三通信技术有限公司 Method and device for migrating virtual machine safety policy

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025535B (en) * 2010-11-17 2012-09-12 福建星网锐捷网络有限公司 Virtual machine management method and device and network equipment


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"State Migration, draft-gu-opsawg-policies-migration-02", 5 March 2012 (2012-03-05), Retrieved from the Internet <URL:tools.ietf.org/html/draft-gu-opsawg-policies-migration-02> *
"Survey and Gap Analysis for State Migration in Data Center, draft-wang-opsawg-policies-migration-gap-analysis-01", 31 October 2011 (2011-10-31), Retrieved from the Internet <URL:tools.ietf.org/html/draft-wang-opsawg-policies-migration-gap-analysis-01> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9325663B2 (en) 2014-09-15 2016-04-26 Sprint Communications Company L.P. Discovery of network address allocations and translations in wireless communication systems
US9705794B2 (en) 2014-09-15 2017-07-11 Sprint Communications Company L.P. Discovery of network address allocations and translations in wireless communication systems

Also Published As

Publication number Publication date
CN103428106B (en) 2016-11-23
CN103428106A (en) 2013-12-04


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13791367

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13791367

Country of ref document: EP

Kind code of ref document: A1