WO2014101501A1 - 一种NAT实现系统、方法及Openflow交换机 - Google Patents
一种NAT实现系统、方法及Openflow交换机 Download PDFInfo
- Publication number
- WO2014101501A1 WO2014101501A1 PCT/CN2013/084236 CN2013084236W WO2014101501A1 WO 2014101501 A1 WO2014101501 A1 WO 2014101501A1 CN 2013084236 W CN2013084236 W CN 2013084236W WO 2014101501 A1 WO2014101501 A1 WO 2014101501A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- address
- data packet
- public
- nat
- private
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 238000013519 translation Methods 0.000 claims abstract description 141
- 238000006243 chemical reaction Methods 0.000 claims description 100
- 238000012423 maintenance Methods 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 4
- 230000005540 biological transmission Effects 0.000 abstract description 8
- 230000009471 action Effects 0.000 description 25
- 230000008859 change Effects 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 7
- 230000003993 interaction Effects 0.000 description 7
- 230000004044 response Effects 0.000 description 7
- 101000652292 Homo sapiens Serotonin N-acetyltransferase Proteins 0.000 description 6
- 102100030547 Serotonin N-acetyltransferase Human genes 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 230000006872 improvement Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2514—Translation of Internet protocol [IP] addresses between local and global IP addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/64—Hybrid switching systems
- H04L12/6418—Hybrid transport
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2557—Translation policies or rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L61/2564—NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]
Definitions
- the present invention relates to the field of network technologies, and in particular, to a network address translation (NAT) implementation system, method, and Openflow switch.
- NAT network address translation
- NAT technology is a technology that converts private addresses into public IP addresses. This technology is widely used in Internet access methods.
- the internal network of the enterprise is a private network, and the private address can be used as the host address.
- the NAT device converts the private address of the data packet into a public IP address and sends it to the server; when the server on the Internet
- the NAT device converts the public IP address into the original private address, so that the response packet can be correctly returned to the corresponding host.
- NAT technology allows the same public IP address to correspond to the private addresses of multiple hosts, saving public IP address resources while ensuring the security of the internal network of the enterprise.
- SDN Software Defined Network
- NAT technology is a communication network implementation method.
- OpenFlow Network Switching Model
- FIG. 1 The structure of the existing Openflow network is shown in Figure 1, including: Controller (Controller) and Openflow Switch (Openflow Switch);
- the Openflow switch When the host B of the intranet of the enterprise is linked to the server D of the Internet, the Openflow switch receives the packet A from the host B having the private address B, and the Openflow switch reports the packet A event to the controller. ;
- the controller After receiving the reported event, the controller sends a flow table (Flow Table) to the In the Openflow switch, the flow table includes an action table, which indicates that the private address B of the data packet A is converted into the public IP address C, that is, the address mapping relationship between the private address B of the data packet A and the public IP address C is established;
- the Openflow switch converts the private address B into a public IP address C according to the content recorded in the flow table, and sends the data packet A by using the public IP address C.
- the controller sends the flow table to the Openflow switch at the same time.
- a group table is also sent to the Openflow switch; the group table includes a data type and a processing operation on the corresponding data type, for example, broadcasting a data packet of a Select data type, server load balancing, etc. Wait.
- the Openflow switch completes the conversion of the private address B to the public IP address C through the flow table; in addition, when the host B is linked to another server of the Internet, such as the server E, The Openflow switch and the Controller will perform an interaction according to the above technical solution; that is, in the prior art, whenever the host B has a different link (host B, a different server linked to the Internet),
- the Openflow switch receives the data packet of the host B and the private address
- the controller sends a flow table to the Openflow switch.
- the Controller When there are a large number of private network host data packets that need to be sent to the Internet by the Openflow switch, the Controller frequently The flow table will increase the number of interactions between the Openflow switch and the Controller, and prolong the delay of packet forwarding. At the same time, in addition to the transmission of data packets between the host and the server, the Internet also transmits other services, which in turn seriously affects The efficiency of Internet network transmission.
- the main purpose of the embodiments of the present invention is to provide a NAT implementation system, method, and Openflow switch, which can reduce the number of interactions between the Openflow switch and the Controller, shorten the packet forwarding delay, and improve network transmission efficiency.
- the embodiment of the present invention provides a NAT implementation system, where the system includes: a controller Controller and an Openflow switch Openflow Switch;
- the controller configured to send a flow table and an improved group table to the Openflow switch by using an Openflow protocol
- the Openflow switch is configured to receive the flow table and the improvement group table delivered by the controller by using an Openflow protocol
- the Openflow switch Receiving a data packet originating from a private network or the Internet, the Openflow switch matches the data packet that needs to be translated according to the address translation matching rule recorded in the flow table, and performs the private operation of the data packet according to the address translation rule recorded in the improved group table. The conversion between the address and the public IP address, sending the packet to the Internet or sending it to the private network.
- the Openflow switch includes: a switch control plane, an internal channel, and a switch forwarding plane;
- the switch control plane is configured to receive the flow table and the improved group table delivered by the controller by using the Openflow protocol.
- the flow table After receiving the flow table and the improved group table, performing rule matching on the received data packet attributes, when the data packet attribute can match the address translation matching rule of the flow table record, the flow table executes the Group command, and points to The improved group table generates a conversion command according to the address translation rule recorded in the improved group table, and sends a conversion command to the forwarding plane of the switch through the internal channel; the forwarding plane of the switch is configured to receive from a private network or the Internet. And sending, by the internal channel, the data packet attribute to the control plane of the Switch;
- the address translation rule recorded by the improved group table includes: a protocol type of a data packet that needs to be address translated, a public IP address range selected by a private address, The effective maintenance time of the port number range and the conversion relationship between the private address and the public IP address.
- the flow table records rules and commands, and performs command processing on data packets that can match the rules; the rules include address translation matching rules; the commands include a Group command; when a data packet can match the flow When the address record matching rule of the table record, the flow table executes a Group command, and points to an improved group table with a NAT data type.
- the switch control plane receives the flow table and the improved group table, and further includes a NAT analysis module;
- the flow table is configured to perform rule matching on the data packet attribute.
- the flow table executes a Group command, and points to the improved group table with the NAT data type. ;
- the improved group table is configured to record an address translation rule
- the NAT analysis module is configured to analyze the data packet attributes according to the IANA specification and the address translation rule, generate a conversion command, and send a command to the switch forwarding plane through the internal channel.
- the switch forwarding plane is configured to perform a NAT translation list for storing data packets after the conversion from the private address to the public IP address.
- An embodiment of the present invention further provides a NAT implementation method, where the method includes:
- the Openflow switch receives the flow table and the improved group table delivered by the controller.
- the Openflow switch matches the data packet that needs to be translated according to the address translation matching rule recorded in the flow table, and performs the private address of the data packet and the public IP address according to the address translation rule of the improved group table record. Inter-conversion, sending packets to the Internet or sending them to a private network.
- the improved group table records an address translation rule
- the content of the address translation rule record includes: The protocol type of the packet to be address-converted, the public IP address range for private address selection, the port number range, and the effective hold time of the conversion relationship between the private address and the public IP address.
- the conversion between the private address of the completed data packet and the public IP address is: according to the IANA specification and the address translation rule, determining whether the address source address and the destination address of the current data packet are private addresses or public IP addresses;
- the private address is converted into a public IP address, and the current data packet is sent to the destination address by using the converted public IP address, and saved. a NAT translation list of the current data packet;
- the destination IP address and port number of the current data packet are converted into a private address and a port number, and the current data packet is sent to the host with the link private address;
- An embodiment of the present invention provides an OpenFlow switch, where the switch includes: a switch control plane, an internal channel, and a switch forwarding plane;
- the switch control plane is configured to receive the flow table and the improved group table delivered by the controller by using the Openflow protocol.
- the flow table After receiving the flow table and the improved group table, performing rule matching on the received data packet attributes, when the data packet attribute can match the address translation matching rule of the flow table record, the flow table executes the Group command, and points to The improved group table generates a conversion command according to the address translation rule recorded in the improved group table, and sends a conversion command to the forwarding plane of the switch through the internal channel; the forwarding plane of the switch is configured to receive from a private network or the Internet. Data packet Transmitting the data packet attribute to the control plane of the Switch through the internal channel;
- the switch control plane receives the flow table and the improved group table, and further includes a NAT analysis module;
- the flow table is configured to perform rule matching on the data packet attribute.
- the flow table executes a Group command, and points to the improved group table with the NAT data type. ;
- the improved group table is configured to record an address translation rule
- the NAT analysis module is configured to analyze the data packet attributes according to the IANA specification and the address translation rule, generate a conversion command, and send a command to the switch forwarding plane through the internal channel.
- the address translation rule recorded by the improved group table includes: a protocol type of a data packet that needs to be address translated, a public IP address range selected by a private address, a port number range, a private address, and a public IP address.
- the effective maintenance time of the corresponding conversion relationship includes: a protocol type of a data packet that needs to be address translated, a public IP address range selected by a private address, a port number range, a private address, and a public IP address.
- the NAT implementation system, method, and Openflow switch provided by the embodiments of the present invention use the Openflow protocol, the Controller sends a flow table and an improved group table to an Openflow switch, and the Openflow switch receives the flow table and the improved group table, and performs rules on the received data packet. Matching, when there is a data packet matching the address translation matching rule of the flow table record, the current data packet needs to be translated, and the flow table executes the Group command, pointing to the improved group table, because the improved group table record has address translation rules, According to the address translation rule of the improved group table, the Openflow switch performs the conversion between the private address and the public IP address through the conversion command of the NAT analysis module.
- the controller does not need to frequently send the flow table and the improved group.
- Table only when the packet received by the Openflow switch is the first packet of the private network
- the flow table and the improved group table reduce the number of interactions between the Openflow switch and the Controller, shorten the packet forwarding delay, and improve the network transmission efficiency.
- FIG. 1 is a schematic structural diagram of an OpenFlow network in the prior art
- FIG. 2 is a schematic structural diagram of a NAT implementation system according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram showing the composition of an entry of an improved group table according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of a NAT conversion list saving format according to an embodiment of the present invention.
- FIG. 5 is a schematic flowchart of a NAT implementation method according to an embodiment of the present invention.
- the embodiment of the present invention provides a NAT implementation system. As shown in FIG. 2, the system includes a controller 2 and an Openflow switch 3;
- the controller 2 is configured to use the Openflow protocol to send the flow table and the improved group table to the Openflow switch 3;
- the Openflow switch 3 is configured to receive, by using the Openflow protocol, the flow table and the improved group table delivered by the controller 2, and receive a data packet originating from a private network or the Internet;
- the Openflow switch 3 is further configured to match the data packet that needs to be translated according to the address translation matching rule recorded in the flow table, and perform the address conversion rule recorded in the improved group table, between the private address of the data packet and the public IP address. The conversion, sending the packet to the Internet or sending it to the private network.
- the flow table and the improved group table are preset according to the packet forwarding route; the Controller 2 may send the flow table and the improved group table to the Openflow when the system starts. Change the machine 3, or when the private network host needs to be linked to the Internet, the flow table and the improved group table are sent to the Openflow switch 3 according to the service requirements of the private network host;
- the flow table records rules and commands, and the rules include an address translation matching rule, a port number change matching rule, and the like; correspondingly, the command includes a group command, a port number change command, and the like;
- the packet executes the Group command; performs a port number change command on the data packet that can match the port number change matching rule;
- the address translation matching rule records a packet attribute that needs to perform address translation, that is, the content of the address conversion matching rule record includes: a protocol type, a source address, a port number, a destination address, and a port number of the data packet that needs to be address translated. ;
- the address translation matching rule records include: From the private network, with the source address (private address) is 192.168.0.1, the port number is 1, the destination address (public IP address) is 200.168.10.1, and the port number is 2. Packets of type Transmission Control Protocol (TCP, Traiisinission Control Protocol) require address translation.
- TCP Transmission Control Protocol
- Traiisinission Control Protocol Traiission Control Protocol
- the Openflow switch 3 matches the address translation matching rule recorded by the flow table to match the data packet that needs to be translated.
- the Openflow switch 3 performs matching of the address translation matching rule on the received data packet attribute.
- the data packet attribute includes a data packet protocol type, an address, and a port number.
- the data packet protocol type includes: a user datagram protocol TCP or a UDP (User Datagram Protocol);
- the address includes: a source address and Destination address;
- the source address refers to a private address before conversion, and the destination address refers to a server linked to the Internet;
- the source address refers to an address of a server of the Internet
- the destination address refers to a publicity used when the system receives a data packet sent by a server of the Internet. IP address.
- the matching is to determine whether the protocol type, port number, address, etc. of the current data packet is If the content of the address conversion matching rule record is met, when the content of the address conversion matching rule record is met, the current data packet is confirmed to be a data packet that needs to be address-converted; when the content of the address conversion matching rule record is not met, the current data packet is confirmed as a data packet that does not need to be address-converted; according to the address translation matching rule recorded in the flow table, when the Openflow switch 3 matches the current data packet as a data packet that needs to be address-converted, the flow table executes a Group command, and the execution is performed.
- the Group command is: Point to the improved group table with the NAT data type entry, and convert the private address of the packet with the public IP address according to the address translation rule of the improved group table record.
- the table format of the improved group table is as shown in FIG. 3, and the reason for improving the group table is that the improvement is based on the existing group table; the improved group table of the embodiment of the present invention does not change the existing one.
- the NAT data type is added to the group type entry; in combination with FIG. 3, the meaning of each entry of the improved group table is described:
- the Group Id entry indicates the sequence number ( id, identity ) of the packet that needs to be translated.
- the Group Type entry includes the data type of Select in the prior art, and includes the NAT data type.
- the data packet with the Group Id entry needs to be based on the address translation rule.
- the content of the record is subjected to address conversion; here, the contents of the address conversion rule record include: the protocol type (TCP or UDP) of the data packet to be address-converted, the public IP address range for the private address selection (or convertible), and the port number.
- TCP or UDP protocol type of the data packet to be address-converted
- the public IP address range for the private address selection (or convertible), and the port number the port number.
- the effective hold time of the conversion relationship between the range and the private address and the public IP address wherein, when the valid hold time is exceeded, if there is still no data packet for address translation, the conversion relationship between the private address and the public IP address is deleted.
- the Counters entry indicates statistics on packets that need to be translated.
- the table of the improved group table further includes two Action Lists: one is a SNAT Action List, which is an action that needs to be performed after the private address is converted into a public IP address, that is, After the data packet from the private network is translated from the private address to the public IP address, the action shown in the SNAT Action List is performed.
- the SNAT Action List action may be set according to service requirements, for example, the SNAT Action List action may be set. For: output the current data packet to a physical port that is linked to the Internet;
- the second is the DNAT Action List, which is an action that needs to be performed after the public IP address is converted into a private address.
- the action shown in the DN AT Action List is executed.
- the DN AT Action List action may be set according to a business requirement, such as the DNAT Action List action may be set to: output the current data packet to a physical port of the linked private network.
- the Openflow switch 3 includes: a switch control plane 30, an internal channel 31, and a Switch forwarding plane 32;
- the switch control plane 30 is configured to receive the flow table and the improved group table delivered by the controller 2, and receive the data packet attribute sent by the Switch forwarding plane 32 by using the Openflow protocol; receiving the flow table and the improved group table. Then, the rule is matched to the received data packet attribute. When the data packet attribute matches the address translation matching rule of the flow table record, the data packet needs to be translated, and the flow table executes the Group command.
- the improved group table the conversion command is generated according to the address translation rule of the improved group table, and the conversion command is sent to the Switch forwarding plane 32 through the internal channel 31;
- the switch forwarding plane 32 is configured to receive a data packet from a private network or the Internet and send the data packet attribute to the switch control plane 30 through the internal channel 31;
- the switch control plane 30 includes a flow table and an improved group table delivered by the controller 2, and further includes a NAT analysis module 300.
- the flow table is configured to perform rule matching on the data packet attribute. When the data packet attribute can match the address translation matching rule, the flow table executes a Group command, and points to the improved group table with the NAT data type entry. ;
- the improved group table is configured to record an address translation rule
- the NAT analysis module 300 is configured to analyze the data packet attributes according to the IANA specification and the address translation rule, generate a conversion command, and send a conversion command to the switch forwarding plane 32 through the internal channel 31;
- the matching is to determine whether the protocol type, the port number, the address, and the like of the current data packet meet the content recorded by the address translation matching rule. When the content recorded by the address translation matching rule is met, the current data packet is confirmed to be the address conversion data. package.
- the system completes the process of converting from a private address (source address) to a public IP address, and using the converted public IP address to send data to a destination address of a server linked to the Internet:
- the controller 2 delivers the flow table and the improved group table to the OpenFlow switch 3, and the switch is sent to the switch control plane 30;
- the OpenFlow switch 3 receives the flow table and the improved group table, and specifically, the switch control plane 30 receives the flow table and the improved group table;
- the switch forwarding plane 32 receives the current data packet originating from the private network, and sends the current data packet attribute to the switch control plane 30 through the internal channel 31;
- the switch control plane 30 receives the current data packet attribute and performs rule matching on the current data packet attribute.
- the matching is to determine whether the protocol type, port number, address, and the like of the current data packet meet the address translation matching rule record.
- Content when the content of the address conversion matching rule record is met, confirming that the current data packet is a data packet that needs to be address translated, the flow table executes a Group command, and the flow table points to the improvement with a NAT data type entry Group table; according to IANA regulations, the NAT analysis module 300 addresses the source address and destination of the current data packet Address analysis;
- the NAT analysis module 300 determines that the source address of the current data packet is a private address, and the destination address is a public IP address; the NAT analysis module 300 generates The private address is translated to the public IP address translation command, and the conversion command is sent to the Switch forwarding plane 32 through the internal channel 31;
- the IANA provision is: IANA retains the following three IP address blocks for the private network: 10.0.0.0 - 10.255.255.255
- the NAT analysis module 300 can determine whether the current data source address and destination address are private addresses or public IP addresses;
- the Switch forwarding plane 32 After receiving the conversion command sent by the NAT analysis module 300, the Switch forwarding plane 32 performs the conversion of the current packet private address to the corresponding public IP address according to the address translation rule recorded in the improved group table, and the current The data packet is sent to the Internet by using the public IP address.
- the content of the address translation rule recorded by the improved group table includes: a public IP address range and a port number range for private address selection (or convertible); where the Switch forwards Face 32 will select a public IP address (corresponding public IP address) and port number in the range of the convertible public IP address and port number that is in the idle state at the time of the current packet conversion, for the current packet private address translation;
- the SNAT Action List includes an action to be performed after the current packet private address is converted into the corresponding public IP address:
- the current data packet is sent to a physical port linked to the Internet, then the Switch forwarding plane 32 Send the current data packet to a physical port linked to the Internet using the corresponding public IP address;
- the NAT analysis module 300 establishes and saves a NAT translation list of the current data packet;
- the NAT conversion list save format is as shown in Figure 4, where
- the entry id is used to indicate the serial number id of the current data packet.
- the protocol type is used to indicate the protocol type. It is determined by the Openflow protocol and can be UDP or TCP.
- the entry Private IP, Port is used to indicate the private address and port number of the current data packet; the table Public IP, Port, is used to indicate the public IP address and port number of the current data packet; the entry Time out is the private address and The public IP address corresponds to the effective hold time of the conversion relationship. It is used to indicate that the valid hold time is exceeded. If there is still no data packet to be translated, the current NAT translation list is deleted.
- the system performs the process of converting the private address to the public IP address and transmitting the data to the destination address by using the converted public IP address, and the system uses the public IP address (destination address) to receive the link from the Internet to the Internet.
- the process of sending a server (source address) packet and sending the packet to a host with a private address can be:
- the switch forwarding plane 32 receives the data packet from the Internet, and sends the received current data packet attribute to the switch control plane 30 through the internal channel 31;
- the attributes of the current data packet include a packet protocol type, a source address, a destination address, and a port number:
- the switch control plane 30 receives the current data packet attribute and performs rule matching on the current data packet.
- the matching is to determine whether the protocol type, port number, address, and other information of the current data packet meet the content recorded by the address translation matching rule.
- the content of the address conversion matching rule record is met, it is confirmed that the current data packet is a data packet that needs to be address translated, and the flow table executes a Group command, and points to the improvement group table with a NAT data type entry;
- the NAT analysis module 300 determines that the source address of the current data packet is a public IP address, and the destination address is also a public IP address, a destination address, and a port number recorded in the address translation rule. When there is a range of public IP addresses and port numbers, The NAT analysis module 300 searches for all saved NAT translation lists;
- the NAT analysis module 300 When the NAT analysis module 300 can find the NAT translation list in which the address translation relationship of the current packet public IP address (destination address) is recorded, the NAT analysis module 300 generates a conversion command that converts the public IP address into a private address. And the conversion command is sent to the Switch forwarding plane 32 through the internal channel 31;
- the Switch forwarding plane 32 After receiving the conversion command sent by the NAT analysis module 300, the Switch forwarding plane 32 performs the conversion of the current IP address of the current packet to the private address, and converts the current packet destination address and port number into a corresponding private address. And a private address port number; and send the current data packet to the host having the private address and port number;
- the NAT analysis module 300 when the NAT analysis module 300 does not find a NAT translation list recorded with respect to the public IP address translation relationship, the NAT analysis module 300 will discard the current data packet.
- the Switch control plane 30, the switch forwarding plane 32, and the NAT analysis module 300 may be configured by a Central Processing Unit (CPU), or a Digital Signal Processor (DSP), or may be in the field.
- CPU Central Processing Unit
- DSP Digital Signal Processor
- An FPGA Field Programmable Gate Array or the like is implemented; the CPU, the DSP, and the FPGA may all be located in the Openflow switch 3.
- an embodiment of the present invention further provides a NAT implementation method, as shown in FIG. 5, the method includes:
- Step 401 The Openflow switch receives the flow table and the improved group table sent by the controller by using the Openflow protocol.
- Step 402 The Openflow switch receives the flow table and the improved group table, and matches the data packet that needs to be translated according to the address translation matching rule recorded in the flow table, and performs the private address of the data packet and the public IP according to the address translation rule recorded in the improved group table. Conversion between addresses, sending packets to the Internet or sending them to a private network.
- the flow table and the improved group table are pre-set according to the packet forwarding route;
- the flow table records rules such as an address translation matching rule, a port number change matching rule, and the like.
- the address translation matching rule records a packet attribute that needs to be address translated. Since the packet attribute includes: a packet protocol type (TCP or UDP), an address (source address and destination address), and a port number, then the address translation matches.
- the contents of the rule record include: the protocol type, source address and destination address, and port number of the data packet that needs to be translated;
- the Openflow switch performs matching of the address conversion matching rule on the received data packet attribute; the matching is to determine whether the protocol type, port number, address, and the like of the current data packet meet the content recorded by the address translation matching rule, and when the address is met When the content of the matching rule record is converted, it is confirmed that the current data packet is a data packet that needs to be address-converted; when the content of the address conversion matching rule record is not met, it is confirmed that the current data packet is a data packet that does not need to be address-converted.
- the enterprise first sends the data packet to the server linked to the Internet, and then receives the response data packet returned by the server; considering the interests of the enterprise, the following This rarely happens: A server that is linked to the Internet sends a packet to the private network of the enterprise, and the private network receives and returns a response packet.
- the embodiment of the present invention implements a process of converting a private address (source address) into a public IP address, and transmitting the data to the server (destination address) linked to the Internet by using the converted public IP address, which may be:
- Step 501 The controller sends the flow table and the improved group table to the OpenFlow switch by using the OpenFlow protocol, and sends the flow table to the Switch control plane.
- the address translation matching rule of the flow table record can match a data packet that needs to perform address translation
- Step 502 Using the Openflow protocol, the Openflow switch receives the flow table and the improved group table. Specifically, the switch control plane receives the flow table and the improved group table.
- Step 503 The Openflow switch receives the current data packet, and specifically receives the current data packet by the Switch forwarding plane.
- the current data packet is A
- the current data packet A is derived from the private network, and its attributes are: protocol type is TCP, source address (private address) is 192.168.0.1, host port number is 1, destination address is 200.168.38.1;
- Step 504 The switch forwarding plane sends the current data packet attribute to the switch control plane through the internal channel.
- Step 505 The switch control plane receives the current data packet attribute, and performs rule matching on the current data packet attribute.
- the switch control plane receives the data packet A attribute, and performs rule matching on the current data packet A attribute, because the data packet attribute is: the protocol type is TCP, the source address (private address) is 192.168.0.1, and the host port number is 1.
- the destination address is 200.168.38.1; when the address translation matching rule record is: the protocol type is TCP, the private address is 192.168.0.1, the host port number is 1, and the destination address is 200.168.38.1, and the address translation needs to be performed;
- the current data packet A needs to perform address translation, and the flow table executes a Group command, and points to an improved group table with a NAT data type entry;
- Step 506 the NAT analysis module analyzes the source address of the current data packet, generates a conversion command, and sends the conversion command to the forwarding plane of the Switch through the internal channel.
- the NAT analysis module is current.
- the source address and destination address of the data packet A are analyzed, and the current source address of the data packet A is a private address, and the destination address is a public IP address.
- the NAT analysis module generates a conversion from a private address to a public IP address.
- the command is sent to the forwarding plane of the Switch.
- Step 507 After receiving the conversion command sent by the NAT analysis module, the switch forwarding plane performs conversion of the current packet private address (source address) to the public IP address, and uses the public IP address.
- the server that sends the current data packet to the Internet (destination address);
- This step may be specifically: After the switch forwarding plane receives the conversion command, the current packet A private address 192.168.0.1 (source address) is converted into a public IP address of 200.168.10.1;
- the content recorded by the address translation rule includes: a public IP address range that can be selected by the source address private address 192.168.0.1 of the current packet A, and a port number range; here is an example, such as a source address private address 192.168.0.1
- the selected public IP address ranges from 200.168.10.1 to 200.168.10.100, and the port number ranges from: port number is 1-200;
- the switch forwarding plane selects 200.168.10.1 and port number 2 as the private IP address of the private address 192.168.0.1; the reason why 200.168.10.1 and port number 2 are selected is because the public port IP address 200.168.10.1 port 2 is in the current data.
- the time when packet A performs address translation is idle;
- the switch forwarding plane sends the current data packet A to the server with the destination address of 200.168.38.1 by using the translated public IP address 200.168.10.1.
- the action to be performed after the SNAT Action List includes the private address 192.168.0.1 (source address) converted to the public IP address 200.168.10.1:
- the current packet A is sent to a physical port linked to the Internet, so
- the Switch forwarding plane uses the public IP address 200.168.10.1 to send the current packet A to a physical port with a destination address of 200.168.38.1.
- Step 507 After the switch forwarding plane performs the conversion between the current packet private address and the public IP address, the NAT analysis module establishes and saves a NAT conversion list of the current data packet.
- the NAT analysis module establishes and saves the NAT translation list of the current data packet A, because the current data packet A It is the first packet from the private network. Therefore, the current packet A entry id is "1", the entry Protocol type is TCP, the private IP address of the entry is 192.168.0.1, and the port number is 1, the entry Public IP, Port The public IP address is 200.168.10.1 and the port number is 2.
- the Openflow switch converts the private address (source address) 192.168.0.1 into the public IP address 200.168.10.1, and sends the current data packet A to the destination address 200.168.38.1 by using the converted public IP address. ;
- steps 501 to 502 are first performed;
- steps 501-502 are not performed, and steps 503-507 are directly executed; that is, the implementation of the present invention
- the NAT implementation method only performs the interaction between the Openflow switch and the Controller when the current data packet is the first data packet of the private network.
- the number of interactions can be reduced, the packet forwarding delay can be shortened, and the network transmission efficiency can be improved.
- the embodiment of the present invention implements conversion from the public IP address (destination address) to a private address, and has a private
- the process of receiving the data packet by the host of the address is specifically:
- Step 601 The Openflow switch receives the current data packet, and specifically receives the current data packet by the Switch forwarding plane.
- the Openflow switch receives the packet B of the response packet A from the Internet
- the packet forwarding plane receives the packet B
- its attributes are: protocol type is TCP, destination address is 200.168.10.1, port number is 2, source The address is 200.168.38.1;
- Step 601 The switch forwarding plane sends the current data packet attribute to the switch control plane through the internal channel.
- Step 603 The switch control plane receives the current data packet attribute, and performs rule matching on the current data packet attribute.
- the packet attribute is: the protocol type is TCP, and the destination address is 200.168.10.1.
- the slogan is 2, the source address is 200.168.38.1;
- the protocol type is TCP
- the destination address is 200.168.10.1
- the host port number is 2, and the address conversion is required;
- the current data packet B needs to perform address translation, and the flow table performs Group Command, pointing to an improved group table with a NAT data type entry;
- Step 604 According to the IANA rule and the address translation rule, the NAT analysis module analyzes the current source address and the destination address of the data packet, generates a conversion command, and sends the conversion command to the switch forwarding plane through the internal channel.
- the NAT analysis module analyzes the source address and the destination address of the current data packet B, because the current data packet B destination address (public IP address) is 200.168.10.1, and the source address is 200.168.38.1; according to the IANA regulations, The NAT analysis module analyzes that the current data packet B source address is a public IP address and the destination address is also a public IP address. According to the address translation rule, the NAT analysis module determines the destination IP address range of the destination address and port number recorded in the address translation rule. Within the port number range; the NAT analysis module looks up all saved NAT translation lists;
- the NAT analysis module When the NAT analysis module can find a NAT translation list that records the address translation relationship of the current data packet destination address, that is, the public IP address, the NAT analysis module generates a conversion command converted from the public IP address (destination address) to the private address, and converts The command is sent to the Switch forwarding plane 32 through the internal channel 31;
- the NAT analysis module When the NAT analysis module cannot find the NAT translation list recorded with the conversion relationship of the public IP address (destination address), the NAT analysis module discards the current data packet.
- the NAT conversion list recorded with the address conversion relationship between the public IP address 200.168.10.1 and the private address 192.168.0.1 still exists, so the NAT analysis module
- the NAT translation list of the public IP address 200.168.10.1 address translation relationship can be found.
- the NAT analysis module generates a conversion command and sends the conversion command to the forwarding plane of the switch.
- the packet B is a response packet returned in the effective maintenance time
- the NAT conversion list recorded with the address translation relationship of the public IP address 200.168.10.1 exists in the NAT analysis module, and the NAT analysis module can find the NAT.
- Step 605 After receiving the conversion command sent by the NAT analysis module, the switch forwarding plane completes the conversion of the current data packet from the public IP address to the private address, and sends the current data packet to the host having the private address.
- the current packet B public IP address 200.168.10.1 (destination address) and port number 2 are converted into a private address 192.168.0.1, and the port number is 1;
- the action of the improved group table action list DNAT Action List is: output the current data packet to a physical port of the linked private network, and the switch forwarding plane converts the public IP address 200.168.10.1 (destination address) into a private address 192.168.0.1, and Packet B is sent to the host with port 1 of the private address 192.168.0.1.
- the NAT implementation system, method, and Openflow switch provided by the embodiments of the present invention use the Openflow protocol, and the Controller sends the flow table and the improved group table to the Openflow switch; the Openflow switch performs rule matching on the received current data packet, when there is a data packet.
- the flow table executes a Group command, and points to an improved group table with a NAT data type entry, according to the address translation rule of the improved group table record and the IANA regulations
- the NAT analysis module analyzes the address of the current data packet, and generates a conversion command to the forwarding plane of the switch.
- the switch forwarding plane receives the conversion command, and performs the conversion between the current private address of the data packet and the public IP address.
- the technical solution of the embodiment of the present invention is used. Without Controller When the flow table is sent frequently, the flow table and the improved group table are sent only when the data packet received by the Openflow switch is the first data packet of the private network, and the number of interactions between the Openflow switch and the controller is reduced, and the data packet is shortened. Forwarding delay improves network transmission efficiency.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
本发明公开了一种NAT实现系统,包括:控制器(Controller)和Openflow交换机;Controller下发流表和改进组表;Openflow交换机接收流表和改进组表,根据流表记录的地址转换匹配规则,匹配出需要进行地址转换的数据包;根据改进组表记录的地址转换规则执行私有地址与公有IP地址之间的转换,利用转换后的地址将数据包发送出去;本发明还公开了一种NAT实现方法及Openflow交换机,利用本发明,只需将流表和改进组表一次发送给Openflow交换机,无需Openflow交换机和Controller进行频繁交互,缩短数据包转发时延,提高网络传输效率。
Description
一种 NAT实现系统、 方法及 Openflow交换机 技术领域 本发明涉及网络技术领域, 具体涉及一种网络地址转换 (NAT , Network Address Translation ) 实现系统、 方法及 Openflow交换机。 背景技术
NAT技术是将私有地址转换为公有 IP地址的技术, 这项技术广泛地应 用在 Internet接入方式中。 企业的内部网络为私有网络, 可以采用私有地址 作为主机地址; 当主机连接互联网 (Internet )上的服务器时, NAT设备将 数据包的私有地址转换为公有 IP地址发送至服务器; 当 Internet上的服务 器按此公有 IP地址返回应答数据包时, NAT设备将此公有 IP地址转换为 原来的私有地址, 使应答数据包能够正确返回到相应的主机。 NAT技术可 令同一公有 IP地址对应于多个主机的私有地址, 在保证了企业内部网络安 全的前提下, 节约了公有 IP地址资源。
软件定义网络( SDN, Software Defined Network )技术是一种通信网络 实现方法; 将 NAT技术应用于基于 Openflow (网络交换模型 ) 的 SDN, 实现数据包路由控制与数据包转发的分离。
现有的 Openflow网络组成结构如图 1所示, 包括:控制器( Controller ) 和 Openflow交换机 ( Openflow Switch );
当企业内部网络的主机 B,链接到互联网的服务器 D时,所述 Openflow 交换机接收到来自主机 B,具有私有地址 B的数据包 A, 所述 Openflow 交 换机向所述 Controller上报接收到数据包 A事件;
接收到上报事件后, 所述 Controller 下发流表(Flow Table ) 到所述
Openflow 交换机, 所述流表包含动作表, 指示将数据包 A 的私有地址 B 转换为公有 IP地址 C,即建立起了数据包 A的私有地址 B与公有 IP地址 C 之间的地址映射关系; 所述 Openflow 交换机依据流表记录的内容, 将私有 地址 B转换为公有 IP地址 C, 利用公有 IP地址 C将数据包 A发送出去; 所述 Controller 将流表下发到所述 Openflow 交换机的同时将组表 ( Group Table )也下发到所述 Openflow 交换机; 所述组表包括数据类型及 对相应数据类型的处理操作, 例如, 对 Select(选择)数据类型的数据包进行 广播、 服务器负载均衡等等。
由上面所述可看出, 所述 Openflow 交换机通过流表完成私有地址 B 到公有 IP地址 C的转换; 除此之外, 当主机 B,链接到互联网的另一服务器 如服务器 E时, 所述 Openflow 交换机与所述 Controller又将依据上述技术 方案进行一次互动; 也就是说, 现有技术中, 每当主机 B,拥有一个不同的 链接 (主机 B,链接到 Internet的不同服务器)时, 所述 Openflow 交换机在 接收到主机 B,私有地址的数据包时,所述 Controller都将下发一次流表到所 述 Openflow 交换机, 当有大量私有网络的主机数据包需要 Openflow 交换 机发送到 Internet时, Controller频繁下发流表将增加 Openflow交换机和 Controller的交互次数、 延长了数据包转发的时延, 同时因 Internet除了对 主机与服务器之间的数据包进行传输之外, 还有传输其它业务, 进而严重 影响了 Internet网络传输效率。
发明内容
有鉴于此, 本发明实施例的主要目的在于提供一种 NAT实现系统、 方 法及 Openflow交换机,能够减少 Openflow 交换机和 Controller的交互次数、 缩短数据包转发时延, 提高网络传输效率。
为达到上述目的, 本发明实施例的技术方案是这样实现的:
本发明实施例提供了一种 NAT 实现系统, 所述系统包括: 控制器 Controller和 Openflow交换机 Openflow Switch; 其中,
所述控制器 Controller,配置为利用 Openflow协议,将流表和改进组表 下发到所述 Openflow 交换机;
所述 Openflow 交换机,配置为利用 Openflow协议,接收所述 Controller 下发的所述流表和所述改进组表;
接收来源于私有网络或互联网 Internet的数据包, 所述 Openflow 交换 机根据流表记录的地址转换匹配规则匹配出需要进行地址转换的数据包, 根据改进组表记录的地址转换规则, 执行数据包的私有地址与公有 IP地址 之间的转换, 将数据包或发送至 Internet或发送至私有网络。
上述方案中, 所述 Openflow 交换机包括: Switch控制面、 内部通道和 Switch转发面; 其中,
所述 Switch控制面, 配置为利用 Openflow协议, 接收所述 Controller 下发的流表和改进组表;
在接收到流表和改进组表之后, 对接收到的数据包属性进行规则匹配, 当有数据包属性能够匹配所述流表记录的地址转换匹配规则时, 所述流表 执行 Group命令, 指向所述改进组表, 根据改进组表记录的地址转换规则 产生转换命令, 通过所述内部通道下发转换命令至所述 Switch转发面; 所述 Switch转发面,配置为接收来自私有网络或 Internet的数据包并通 过所述内部通道将数据包属性发送至所述 Switch控制面;
接收所述 Switch控制面下发转换命令, 依据地址转换规则, 执行数据 包私有地址与公有 IP地址之间的转换, 将数据包或发送至私有网络或发送 至 Internet
上述方案中, 所述改进组表记录的地址转换规则包括的内容为: 需要 进行地址转换的数据包的协议类型、 供私有地址选择的公有 IP地址范围、
端口号范围及私有地址与公有 IP地址对应转换关系的有效维持时间。
上述方案中, 所述流表记录有规则和命令, 对能够匹配规则的数据包 进行命令处理; 所述规则包括地址转换匹配规则; 所述命令包括 Group命 令; 当有数据包能够匹配所述流表记录的地址转换匹配规则时, 所述流表 执行 Group命令, 指向带有 NAT数据类型的改进组表。
上述方案中, 所述 Switch控制面接收流表和改进组表, 还包括 NAT分 析模块; 其中,
所述流表, 配置为将数据包属性进行规则匹配, 当有数据包属性能够 匹配记录的地址转换匹配规则时, 所述流表执行 Group命令, 指向所述带 有 NAT数据类型的改进组表;
所述改进组表, 配置为记录有地址转换规则;
所述 NAT分析模块, 配置为依据 IANA规定及地址转换规则, 对数据 包属性进行分析, 产生转换命令, 并通过内部通道下发命令到所述 Switch 转发面。
上述方案中,所述 Switch转发面配置为完成从私有地址到公有 IP地址 转换之后, 还配置为保存数据包的 NAT转换列表。
本发明实施例还提供了一种 NAT实现方法, 该方法包括:
利用 Openflow协议, Openflow 交换机接收由 Controller下发的流表和 改进组表;
Openflow 交换机根据接收流表和改进组表, 依据流表记录的地址转换 匹配规则匹配出需要进行地址转换的数据包, 根据改进组表记录的地址转 换规则, 执行数据包私有地址与公有 IP地址之间的转换, 将数据包或发送 至 Internet或发送至私有网络。
上述方案中, 所述改进组表记录有地址转换规则, 所述地址转换规则 记录的内容包括:
需要进行地址转换的数据包的协议类型、 供私有地址选择的公有 IP地 址范围、 端口号范围及私有地址与公有 IP地址对应转换关系的有效维持时 间。
上述方案中, 所述完成数据包私有地址与公有 IP地址之间的转换为: 依据 IANA规定及地址转换规则, 判断出当前数据包的地址源地址、 目的地址为私有地址还是公有 IP地址;
当判断出当前数据包的源地址为私有地址, 且目的地址为公有 IP地址 时,将私有地址转换为公有 IP地址, 并利用转换后的公有 IP地址将当前数 据包发送至目的地址, 并保存当前数据包的 NAT转换列表;
当判断出当前数据包的源地址为公有 IP地址, 且目的地址在所述地址 转换规则记录的范围内时, 查找所有已保存的 NAT转换列表;
当查找到有关于该公有 IP地址转换关系的 NAT转换列表时,将当前数 据包的目的 IP地址和端口号转换为私有地址和端口号, 并将当前数据包发 送至链接私有地址的主机;
当查找不到有关于该公有 IP地址转换关系的 NAT转换列表时,丟弃当 前数据包。
本发明实施例提供了一种 Openflow 交换机, 所述交换机包括: Switch 控制面、 内部通道和 Switch转发面; 其中,
所述 Switch控制面, 配置为利用 Openflow协议, 接收所述 Controller 下发的流表和改进组表;
在接收到流表和改进组表之后, 对接收到的数据包属性进行规则匹配, 当有数据包属性能够匹配所述流表记录的地址转换匹配规则时, 所述流表 执行 Group命令, 指向所述改进组表, 根据改进组表记录的地址转换规则 产生转换命令, 通过所述内部通道下发转换命令至所述 Switch转发面; 所述 Switch转发面,配置为接收来自私有网络或 Internet的数据包并通
过所述内部通道将数据包属性发送至所述 Switch控制面;
接收所述 Switch控制面下发转换命令, 依据地址转换规则, 执行数据 包私有地址与公有 IP地址之间的转换, 将数据包或发送至私有网络或发送 至 Internet
上述方案中, 所述 Switch控制面接收流表和改进组表, 还包括 NAT分 析模块; 其中,
所述流表, 配置为将数据包属性进行规则匹配, 当有数据包属性能够 匹配记录的地址转换匹配规则时, 所述流表执行 Group命令, 指向所述带 有 NAT数据类型的改进组表;
所述改进组表, 配置为记录有地址转换规则;
所述 NAT分析模块, 配置为依据 IANA规定及地址转换规则, 对数据 包属性进行分析, 产生转换命令, 并通过内部通道下发命令到所述 Switch 转发面。
上述方案中, 所述改进组表记录的地址转换规则包括的内容为: 需要 进行地址转换的数据包的协议类型、 供私有地址选择的公有 IP地址范围、 端口号范围及私有地址与公有 IP地址对应转换关系的有效维持时间。
本发明实施例提供的 NAT实现系统、 方法及 Openflow交换机, 利用 Openflow 协议, Controller 下发流表和改进组表到 Openflow 交换机, Openflow 交换机接收流表和改进组表, 对接收到的数据包进行规则匹配, 当有数据包能够匹配流表记录的地址转换匹配规则时, 说明当前数据包需 要进行地址转换, 所述流表执行 Group命令, 指向改进组表, 因改进组表 记录有地址转换规则, 依据改进组表记录的地址转换规则, 所述 Openflow 交换机通过 NAT分析模块的转换命令来执行私有地址与公有 IP地址之间的 转换; 利用本发明实施例, 无需 Controller频繁下发流表与改进组表, 只需 在 Openflow 交换机接收到的数据包为私有网络的第一个数据包时才下发
流表和改进组表, 减小 Openflow 交换机和 Controller的交互次数, 缩短了 数据包转发时延, 提高了网络传输效率。
附图说明
图 1为现有技术中的 Openflow网络组成结构示意图;
图 2为本发明实施例的 NAT实现系统组成结构示意图;
图 3为本发明实施例的改进组表的表项组成示意图;
图 4为本发明实施例的 NAT转换列表保存格式示意图;
图 5为本发明实施例的 NAT实现方法流程示意图。
具体实施方式
本发明实施例提供了一种 NAT实现系统, 如图 2所示, 所述系统包括 Controller 2和 Openflow 交换机 3; 其中,
所述 Controller 2, 配置为利用 Openflow协议, 将流表和改进组表下发 到所述 Openflow交换机 3;
所述 Openflow 交换机 3, 配置为利用 Openflow 协议, 接收所述 Controller 2 下发的所述流表和所述改进组表, 接收来源于私有网络或 Internet的数据包;
所述 Openflow 交换机 3, 还配置为根据流表记录的地址转换匹配规则 匹配出需要进行地址转换的数据包, 根据改进组表记录的地址转换规则, 执行数据包的私有地址与公有 IP 地址之间的转换, 将数据包或发送至 Internet或发送至私有网络。
其中, 所述流表和改进组表是依据数据包转发路由, 预先设置好的; 所述 Controller 2可在系统启动时下发流表和改进组表到所述 Openflow 交
换机 3, 也可在私有网络主机需要链接到 Internet时即根据私有网络主机的 业务需要下发流表和改进组表到所述 Openflow交换机 3;
所述流表记录有规则和命令, 所述规则包括地址转换匹配规则、 端口 号变换匹配规则等; 相应的, 所述命令包括 Group命令、 端口号变换命令 等; 对能够匹配地址转换匹配规则的数据包执行 Group命令; 对能够匹配 端口号变换匹配规则的数据包执行端口号变换命令;
所述地址转换匹配规则记录有需要进行地址转换的数据包属性, 即地 址转换匹配规则记录的内容包括有: 需要进行地址转换的数据包的协议类 型、 源地址及端口号和目的地址及端口号;
例如, 地址转换匹配规则记录内容包括: 来源于私有网络、 具有源地 址(私有地址) 为 192.168.0.1、 端口号为 1, 目的地址(公有 IP地址) 为 200.168.10.1、 端口号为 2、 协议类型为传输控制协议( TCP, Traiisinission Control Protocol ) 的数据包需要进行地址转换。
所述 Openflow 交换机 3根据流表记录的地址转换匹配规则,匹配出需 要进行地址转换的数据包为: 所述 Openflow交换机 3对接收到的数据包属 性进行地址转换匹配规则的匹配;
其中, 数据包属性包括数据包协议类型、 地址及端口号; 所述数据包 协议类型包括: 用户数据报协议 TCP 或传输控制协议 UDP ( UDP, User Datagram Protocol ); 所述地址包括: 源地址和目的地址; 此处, 在本系统 发出数据包到链接到 Internet的服务器上时, 所述源地址指的是转换前的私 有地址, 所述目的地址指的是链接到 Internet的服务器; 在本系统接收由链 接到 Internet的服务器发送来的数据包时, 所述源地址指的是 Internet的服 务器具有的地址, 所述目的地址指的是本系统接收 Internet的服务器发送来 的数据包时使用的公有 IP地址。
所述匹配就是判断当前数据包的协议类型、 端口号、 地址等信息是否
符合地址转换匹配规则记录的内容, 当符合地址转换匹配规则记录的内容 时, 确认当前数据包为需要进行地址转换的数据包; 当不符合地址转换匹 配规则记录的内容时, 确认当前数据包为不需要进行地址转换的数据包; 根据流表记录的地址转换匹配规则, 所述 Openflow 交换机 3 匹配出 当前数据包为需要进行地址转换的数据包时, 所述流表执行 Group命令, 所述执行 Group命令即: 指向带有 NAT数据类型表项的改进组表, 依据所 述改进组表记录的地址转换规则, 进行数据包私有地址与公有 IP地址的转 换。
所述改进组表的表项格式如图 3 所示, 之所以说是改进组表, 是因为 在现有组表基础上作了改进; 本发明实施例的改进组表, 在不改变现有组 表表项结构的基础之上, 在 Group Type这个表项上增加了 NAT数据类型; 结合图 3, 对所述改进组表的每个表项进行含义说明:
Group Id (组序列号)表项表示需要进行地址转换的数据包的序列号 ( id, identity );
Group Type (组类型 )表项除了包括现有技术中的 Select等数据类型, 还包括 NAT数据类型; 当 GroupType表项为 NAT数据类型时, 表示具有 Group Id表项的数据包需要依据地址转换规则记录的内容进行地址转换; 这里, 地址转换规则记录的内容包括: 需要进行地址转换的数据包的 协议类型( TCP或 UDP )、 供私有地址选择 (或可转换 )的公有 IP地址范 围、 端口号范围及私有地址与公有 IP地址对应转换关系的有效维持时间; 其中, 当超过该有效维持时间, 仍然无数据包进行地址转换时, 则删 除此私有地址与公有 IP地址对应转换关系。
Counters表项表示对需要进行地址转换的数据包进行统计;
所述改进组表的表项还包括有两个 Action List (动作列表): 其一是 SNAT Action List, 为在私有地址转换为公有 IP地址后需要执行的动作, 即
一个来自私有网络的数据包由私有地址转换为公有 IP地址后, 执行 SNAT Action List所示的动作; 这里, 所述 SNAT Action List动作可根据业务需求 设置, 如可将所述 SNAT Action List动作设置为: 将当前数据包输出到链接 Internet的一个物理端口;
其二是 DNAT Action List, 为在公有 IP地址转换为私有地址后需要执 行的动作, 即一个来自 Internet网络的数据包由公有 IP地址转换为私有地 址后, 执行 DN AT Action List所示的动作; 这里, 所述 DN AT Action List 动作可根据业务需求设置,如可将所述 DNAT Action List动作设置为:将当 前数据包输出到链接私有网络的一个物理端口。
较佳地的, 所述 Openflow 交换机 3包括: Switch控制面 30、 内部通 道 31和 Switch转发面 32;
所述 Switch控制面 30,配置为利用 Openflow协议,接收所述 Controller 2下发的流表和改进组表、 接收所述 Switch转发面 32发送的数据包属性; 在接收到流表和改进组表之后, 对接收到的数据包属性进行规则匹配, 当有数据包属性能够匹配所述流表记录的地址转换匹配规则时, 说明该数 据包需要进行地址转换, 所述流表执行 Group命令, 指向所述改进组表, 根据改进组表记录的地址转换规则产生转换命令, 通过所述内部通道 31下 发转换命令到所述 Switch转发面 32;
所述 Switch转发面 32, 配置为接收来自私有网络或 Internet的数据包 并通过内部通道 31将数据包属性发送到所述 Switch控制面 30;
接收所述 Switch控制面 30下发的转换命令,依据地址转换规则,执行 数据包私有地址与公有 IP地址之间的转换, 将数据包或发送至私有网络或 发送至 Internet
所述 Switch控制面 30包括由所述 Controller 2下发的流表和改进组表, 还包括 NAT分析模块 300; 在所述 Switch控制面 30中,
所述流表, 配置为将数据包属性进行规则匹配, 当有数据包属性能够 匹配地址转换匹配规则时, 所述流表执行 Group命令, 指向所述带有 NAT 数据类型表项的改进组表;
所述改进组表, 配置为记录有地址转换规则;
所述 NAT分析模块 300, 配置为依据 IANA规定及地址转换规则, 对 数据包属性进行分析, 产生转换命令, 并通过内部通道 31下发转换命令到 所述 Switch转发面 32;
所述匹配就是判断当前数据包的协议类型、 端口号、 地址等信息是否 符合地址转换匹配规则记录的内容, 当符合地址转换匹配规则记录的内容 时, 确认当前数据包为需要进行地址转换的数据包。
具体的, 所述系统完成从私有地址(源地址)转换为公有 IP地址, 利 用转换后的公有 IP地址将数据发送至链接到 Internet的服务器具有的目的 地址的具体过程为:
利用 Openflow 协议, 所述 Controller 2 将流表和改进组表下发到 Openflow 交换机 3, 具体下发到所述 Switch控制面 30;
利用 Openflow协议, 所述 Openflow 交换机 3接收所述流表和所述改 进组表, 具体为所述 Switch控制面 30接收所述流表和所述改进组表;
所述 Switch转发面 32接收来源于私有网络的当前数据包,并将当前数 据包属性通过所述内部通道 31发送至所述 Switch控制面 30;
所述 Switch控制面 30接收当前数据包属性,并对当前数据包属性进行 规则匹配; 这里, 所述匹配就是判断当前数据包的协议类型、 端口号、 地 址等信息是否符合地址转换匹配规则记录的内容, 当符合地址转换匹配规 则记录的内容时, 确认当前数据包为需要进行地址转换的数据包, 所述流 表执行 Group命令,所述流表指向带有 NAT数据类型表项的所述改进组表; 根据 IANA规定, 所述 NAT分析模块 300对当前数据包的源地址和目的地
址进行分析;
依据因特网 i或名分配组织( IANA, Internet Assigned Numbers Authority ) 规定, 所述 NAT分析模块 300判断出当前数据包的源地址为私有地址, 目 的地址为公有 IP地址;所述 NAT分析模块 300产生由私有地址转换为公有 IP地址的转换命令,并将转换命令通过所述内部通道 31下发至所述 Switch 转发面 32;
所述 IANA规定为: IANA保留了以下三个 IP地址块用于私有网络: 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
依据上述 IANA规定, 所述 NAT分析模块 300可判断出当前数据包源 地址和目的地址为私有地址还是公有 IP地址;
所述 Switch转发面 32接收到所述 NAT分析模块 300下发的转换命令 后, 依据所述改进组表记录的地址转换规则, 执行当前数据包私有地址到 相应公有 IP地址的转换,并将当前数据包利用公有 IP地址发送至 Internet; 因所述改进组表记录的地址转换规则内容包括有:供私有地址选择(或 可转换) 的公有 IP地址范围、 端口号范围; 这里, 所述 Switch转发面 32 将在可转换的公有 IP地址及端口号范围中选择一个在当前数据包进行转换 时刻处于空闲状态的公有 IP地址(相应公有 IP地址 )及端口号, 供当前数 据包私有地址转换;
因改进组表动作列表 SNAT Action List包括有当前数据包私有地址转 换为相应公有 IP 地址后需要执行的动作: 将当前数据包发送至链接到 Internet的一个物理端口, 那么, 所述 Switch转发面 32利用相应公有 IP地 址将当前数据包发送至链接到 Internet的一个物理端口;
所述 Switch转发面 32执行完私有地址到相应公有 IP地址转换之后, 所述 NAT分析模块 300建立并保存当前数据包的 NAT转换列表; 所述
NAT转换列表保存格式如图 4所示, 其中,
表项 id, 用于表示当前数据包的序列号 id;
表项 Protocol type, 用于表示协议类型, 由 Openflow协议决定, 可为 UDP 、 TCP;
表项 Private IP、 Port, 用于表示当前数据包的私有地址和端口号; 表项 Public IP、 Port, 用于表示当前数据包的公有 IP地址和端口号; 表项 Time out, 为私有地址与公有 IP地址对应转换关系的有效维持时 间, 用于表示超过该有效维持时间, 仍然无数据包需要进行相应地址转换, 则删除当前 NAT转换列表。
对应于上述所述系统完成从私有地址转换为公有 IP地址, 利用转换后 的公有 IP地址将数据发送至目的地址的具体过程,所述系统利用公有 IP地 址(目的地址 )接收来源于链接到 Internet的服务器(源地址 )数据包, 并 将数据包发送至具有私有地址的主机的过程具体可以为:
所述 Switch转发面 32接收来自 Internet的数据包, 并将接收到的当前 数据包属性通过所述内部通道 31发送给所述 Switch控制面 30;
这里, 所述当前数据包的属性包括数据包协议类型、 源地址、 目的地 址及端口号:
所述 Switch控制面 30接收当前数据包属性,并对当前数据包进行规则 匹配; 这里, 所述匹配就是判断当前数据包的协议类型、 端口号、 地址等 信息是否符合地址转换匹配规则记录的内容, 当符合地址转换匹配规则记 录的内容时, 确认当前数据包为需要进行地址转换的数据包, 所述流表执 行 Group命令, 指向带有 NAT数据类型表项的所述改进组表;
依据 IANA规定及所述地址转换规则, 所述 NAT分析模块 300判断出 当前数据包的源地址为公有 IP地址、 目的地址也为公有 IP地址、 目的地址 及端口号在所述地址转换规则记录的公有 IP地址范围及端口号范围内时,
所述 NAT分析模块 300查找所有已保存的 NAT转换列表;
当所述 NAT分析模块 300能够查找到记录有当前数据包公有 IP地址 (目的地址)的地址转换关系的 NAT转换列表时, 所述 NAT分析模块 300 产生由公有 IP地址转换为私有地址的转换命令, 并将转换命令通过所述内 部通道 31下发到所述 Switch转发面 32;
所述 Switch转发面 32接收到所述 NAT分析模块 300下发的转换命令 后, 执行当前数据包公有 IP地址到私有地址的转换, 将当前数据包目的地 址和端口号转换为相应的私有地址、 及私有地址端口号; 并将当前数据包 发送至具有该私有地址及端口号的主机;
这里,当所述 NAT分析模块 300查找不到记录有关于该公有 IP地址转 换关系的 NAT转换列表时, 所述 NAT分析模块 300将丟弃当前数据包。
实际应用中, 所述 Switch控制面 30、 Switch转发面 32、 所述 NAT分 析模块 300均可由中央处理单元(CPU, Central Processing Unit ), 或数字 信号处理(DSP, Digital Signal Processor ), 或现场可编程门阵列 (FPGA, Field Programmable Gate Array )等来实现; 所述 CPU、 DSP 、 FPGA均可 位于 Openflow 交换机 3中。
基于上述 NAT实现系统, 本发明实施例还提供了一种 NAT实现方法, 口图 5所示, 该方法包括:
步骤 401 : 利用 Openflow协议, Openflow 交换机接收由 Controller下 发的流表和改进组表;
步骤 402: Openflow交换机接收流表和改进组表, 根据流表记录的地 址转换匹配规则匹配出需要进行地址转换的数据包, 根据改进组表记录的 地址转换规则, 执行数据包私有地址与公有 IP地址之间的转换, 将数据包 或发送至 Internet或发送至私有网络。
其中, 流表和改进组表是依据数据包转发路由, 预先设置好的;
所述流表记录有地址转换匹配规则、 端口号变换匹配规则等规则及
Group命令、 端口号变换命令等命令;
所述地址转换匹配规则记录有需要进行地址转换的数据包属性, 因数 据包属性包括:数据包协议类型( TCP或 UDP )、地址(源地址和目的地址 ) 及端口号, 那么, 地址转换匹配规则记录的内容包括有: 需要进行地址转 换的数据包的协议类型、 源地址和目的地址及端口号;
所述 Openflow 交换机对接收到的数据包属性进行地址转换匹配规则 的匹配; 所述匹配就是判断当前数据包的协议类型、 端口号、 地址等信息 是否符合地址转换匹配规则记录的内容, 当符合地址转换匹配规则记录的 内容时, 确认当前数据包为需要进行地址转换的数据包; 当不符合地址转 换匹配规则记录的内容时, 确认当前数据包为不需要进行地址转换的数据 包。
实际应用中, 因为私有地址往往由企业所拥有, 最常见的情况是: 企 业先发送数据包到链接 Internet的服务器, 然后再接收该服务器返回的响应 数据包; 考虑到企业自身利益, 下面所述的这一情况很少发生: 链接到 Internet的服务器先发送数据包到企业私有网络, 私有网络接收并返回响应 数据包。
具体的, 本发明实施例实现从私有地址(源地址 )转换为公有 IP地址, 利用转换后的公有 IP地址将数据发送至链接到 Internet的服务器(目的地 址) 的过程具体可以为:
步骤 501 : 利用 Openflow协议, Controller将流表和改进组表下发到 Openflow 交换机, 具体下发到 Switch控制面;
这里, 所述流表记录的地址转换匹配规则能够匹配出需要进行地址转 换的数据包;
步骤 502:利用 Openflow协议, Openflow 交换机接收流表和改进组表,
具体为 Switch控制面接收流表和改进组表;
步骤 503: Openflow 交换机接收当前数据包, 具体为 Switch转发面接 收当前数据包;
例如, 当前数据包为 A, 当前数据包 A来源于私有网络, 其属性为: 协议类型为 TCP、 源地址(私有地址)为 192.168.0.1、 主机端口号为 1、 目 的地址为 200.168.38.1 ;
步骤 504: Switch转发面通过内部通道将当前数据包属性发送到 Switch 控制面;
步骤 505: Switch控制面接收当前数据包属性, 并对当前数据包属性进 行规则匹配;
具体的, Switch控制面接收数据包 A属性, 并对当前数据包 A属性进 行规则匹配, 因数据包属性为: 协议类型为 TCP、 源地址(私有地址) 为 192.168.0.1、 主机端口号为 1、 目的地址为 200.168.38.1 ; 当所述地址转换 匹配规则记录有: 协议类型为 TCP、 私有地址为 192.168.0.1、 主机端口号 为 1、 目的地址为 200.168.38.1的数据包需要进行地址转换; 那么, 当前数 据包 A需要进行地址转换, 流表执行 Group命令, 指向带有 NAT数据类型 表项的改进组表;
步骤 506: 依据 IANA规定, NAT分析模块对当前数据包的源地址进 行分析,产生转换命令, 并将转换命令通过内部通道下发至 Switch转发面; 具体的, 根据 IANA规定, NAT分析模块对当前数据包 A的源地址、 目的地址进行分析, 分析出当前数据包 A源地址为私有地址, 目的地址为 公有 IP地址, 对于当前数据包 , NAT分析模块产生由私有地址转换为公 有 IP地址的转换命令, 并将转换命令下发至 Switch转发面;
步骤 507: Switch转发面接收到 NAT分析模块下发的转换命令后, 执 行当前数据包私有地址(源地址)到公有 IP地址的转换, 并利用公有 IP地
址将当前数据包发送至 Internet的服务器(目的地址);
本步骤具体可以为: Switch转发面接收到转换命令后,将当前数据包 A 私有地址 192.168.0.1 (源地址 )转换为公有 IP地址 200.168.10.1 ;
因地址转换规则记录的内容包括有: 可供当前数据包 A的源地址私有 地址 192.168.0.1选择的公有 IP地址范围, 端口号范围; 这里举一个例子, 如可供源地址私有地址 192.168.0.1 选择的公有 IP 地址范围 200.168.10.1~200.168.10.100, 端口号范围为: 端口号为 1-200 ;
Switch转发面选择 200.168.10.1及端口号 2作为私有地址 192.168.0.1 转换后的公有 IP地址; 之所以选择 200.168.10.1及端口号 2是因为, 公有 IP地址 200.168.10.1的 2号端口在当前数据包 A进行地址转换的时刻是空 闲的;
Switch转发面利用转换后的公有 IP地址 200.168.10.1将当前数据包 A 发送至链接到 Internet具有目的地址 200.168.38.1的服务器;
因改进组表动作列表 SNAT Action List包括有私有地址 192.168.0.1 (源 地址 )转换为公有 IP地址 200.168.10.1后需要执行的动作: 将当前数据包 A发送至链接到 Internet的一个物理端口, 所以 Switch转发面利用公有 IP 地址 200.168.10.1将当前数据包 A发送至链接到具有目的地址 200.168.38.1 的一个物理端口;
步骤 507: Switch转发面执行完当前数据包私有地址到公有 IP地址之 间的转换后, NAT分析模块建立并保存当前数据包的 NAT转换列表;
具体的, Switch转发面将当前数据包 A私有地址 192.168.0.1 (源地址) 转换为公有 IP地址 200.168.10.1之后, NAT分析模块建立并保存当前数据 包 A的 NAT转换列表,因为当前数据包 A为第一个来源于私有网络的数据 包, 所以, 当前数据包 A表项 id为 "1", 表项 Protocol type为 TCP, 表项 Private IP、 Port的私有地址为 192.168.0.1、端口号为 1,表项 Public IP、 Port
的公有 IP地址为 200.168.10.1, 端口号为 2。
由上述技术方案可看出, 所述 Openflow 交换机将私有地址(源地址) 192.168.0.1转换为公有 IP地址 200.168.10.1 , 利用转换后的公有 IP地址将 当前数据包 A发送至目的地址 200.168.38.1 ;
这里, 因为当前数据包 A是来源于私有网络的第一个数据包, 所以首 先进行步骤 501~502;
当 Switch控制面接收到的当前数据包来源于私有网络, 但不是来源于 私有网络的第一个数据包时, 无需执行步骤 501~502, 直接执行步骤 503-507; 也就是说, 本发明实施例的 NAT 实现方法只在当前数据包是私 有网络的第一个数据包时, 才进行 Openflow 交换机与 Controller的交互, 如此, 便可减少交互次数, 缩短数据包转发时延, 提高网络传输效率。
对应于上述方案, 当链接到 Internet的服务器(源地址 )发送数据包至 公有 IP地址(目的地址), 本发明实施例实现从所述公有 IP地址(目的地 址)转换为私有地址, 由具有私有地址的主机接收所述数据包的过程具体 为:
步骤 601: Openflow 交换机接收当前数据包, 具体为 Switch转发面接 收当前数据包;
这里, Openflow 交换机接收到来自 Internet的响应数据包 A的数据包 B, 具体为 Switch转发面接收数据包 B, 其属性为: 协议类型为 TCP、 目 的地址为 200.168.10.1、 端口号为 2、 源地址为 200.168.38.1 ;
步骤 601: Switch转发面通过内部通道将当前数据包属性发送到 Switch 控制面;
步骤 603: Switch控制面接收当前数据包属性, 并对当前数据包属性进 行规则匹配;
其中, 数据包属性为: 协议类型为 TCP、 目的地址为 200.168.10.1、 端
口号为 2、 源地址为 200.168.38.1 ;
当所述地址转换匹配规则记录有: 协议类型为 TCP、 目的地址为 200.168.10.1、 主机端口号为 2的数据包需要进行地址转换; 那么, 当前数 据包 B需要进行地址转换, 流表执行 Group命令, 指向带有 NAT数据类型 表项的改进组表;
步骤 604: 依据 IANA规定及地址转换规则, NAT分析模块对当前数 据包源地址、 目的地址进行分析, 产生转换命令, 并将转换命令通过内部 通道下发至 Switch转发面;
具体的, NAT分析模块对当前数据包 B的源地址、 目的地址进行分析, 因当前数据包 B 目的地址 (公有 IP 地址) 为 200.168.10.1, 源地址为 200.168.38.1 ; 依据 IANA规定, 所述 NAT分析模块分析出当前数据包 B 源地址为公有 IP地址、目的地址也为公有 IP地址;依据地址转换规则, NAT 分析模块判断出目的地址及端口号在地址转换规则记录的公有 IP地址范围 及端口号范围内; NAT分析模块查找所有已保存的 NAT转换列表;
当 NAT分析模块能够查找到记录有当前数据包目的地址即公有 IP地址 的地址转换关系的 NAT转换列表, NAT分析模块产生由公有 IP地址(目 的地址)转换为私有地址的转换命令, 并将转换命令通过所述内部通道 31 下发到所述 Switch转发面 32;
当 NAT分析模块查找不到记录有关于该公有 IP地址(目的地址 )转换 关系的 NAT转换列表时, NAT分析模块将丟弃当前数据包。
因为这里的数据包 B是在有效维持时间里返回的响应数据包, 所以记 录有公有 ip地址 200.168.10.1与私有地址 192.168.0.1之间地址转换关系的 NAT转换列表还存在, 所以, NAT分析模块能够查找到一个公有 IP地址 200.168.10.1地址转换关系的 NAT转换列表, NAT分析模块产生转换命令, 并将转换命令下发至 Switch转发面;
这里, 因为数据包 B是在有效维持时间里返回的响应数据包, 记录有 关于公有 IP地址 200.168.10.1 的地址转换关系的 NAT转换列表还存在于 NAT分析模块, NAT分析模块能够查找到该 NAT转换列表; 当数据包 B 没有在有效维持时间返回, 说明此 NAT转换列表在有效时间里没有数据包 进行相应地址转换, NAT分析模块将删除此 NAT转换列表; 那么针对在超 过有效时间返回的数据包 B, NAT分析模块就无法查找到一个记录有关于 公有 IP地址 200.168.10.1的地址转换关系的 NAT转换列表, 则 NAT分析 模块丟弃此时的数据包 B;
步骤 605: Switch转发面接收到 NAT分析模块下发的转换命令后, 完 成当前数据包从公有 IP地址到私有地址的转换, 并将当前数据包发送至具 有该私有地址的主机;
依据查找到的 NAT转换列表,将当前数据包 B公有 IP地址 200.168.10.1 (目的地址)和端口号 2转换为私有地址 192.168.0.1、 端口号为 1 ;
因改进组表动作列表 DNAT Action List动作为:将当前数据包输出到链 接私有网络的一个物理端口, Switch转发面将公有 IP地址 200.168.10.1 (目 的地址)转换为私有地址 192.168.0.1, 并将数据包 B发送至具有私有地址 192.168.0.1的 1号端口的主机。
本发明实施例提供的 NAT实现系统、 方法及 Openflow交换机, 利用 Openflow协议, Controller将下发流表和改进组表给 Openflow 交换机; Openflow交换机对接收到的当前数据包进行规则匹配, 当有数据包能够匹 配所述流表记录的地址转换匹配规则时, 所述流表执行 Group命令, 指向 带有 NAT数据类型表项的改进组表, 依据改进组表记录的地址转换规则及 IANA规定, 所述 NAT分析模块分析当前数据包的地址, 并产生转换命令 给 Switch转发面, Switch转发面接收到转换命令, 执行当前数据包私有地 址与公有 IP地址之间的转换;利用本发明实施例的技术方案,无需 Controller
频繁下发流表,只需在 Openflow 交换机接收到的数据包为私有网络的第一 个数据包时才下发流表和改进组表, 减小 Openflow 交换机和 Controller的 交互次数, 缩短了数据包转发时延, 提高了网络传输效率。
以上所述, 仅为本发明的较佳实施例而已, 并非用于限定本发明的保 护范围。
Claims
1、一种 NAT实现系统,所述系统包括: 控制器 Controller和 Openflow 交换机 Openflow Switch; 其中,
所述控制器 Controller,配置为利用 Openflow协议,将流表和改进组表 下发到所述 Openflow 交换机;
所述 Openflow 交换机,配置为利用 Openflow协议,接收所述 Controller 下发的所述流表和所述改进组表;
接收来源于私有网络或互联网 Internet的数据包, 并根据流表记录的地 址转换匹配规则匹配出需要进行地址转换的数据包, 根据改进组表记录的 地址转换规则, 执行数据包的私有地址与公有 IP地址之间的转换, 将数据 包或发送至 Internet或发送至私有网络。
2、 根据权利要求 1所述的 NAT实现系统, 其中, 所述 Openflow 交换 机包括: Switch控制面、 内部通道和 Switch转发面; 其中,
所述 Switch控制面, 配置为利用 Openflow协议, 接收所述 Controller 下发的所述流表和所述改进组表;
在接收到所述流表和所述改进组表之后, 对接收到的数据包属性进行 规则匹配, 当有数据包属性能够匹配所述流表记录的地址转换匹配规则时, 所述流表执行 Group命令, 指向所述改进组表, 根据改进组表记录的地址 转换规则产生转换命令, 通过所述内部通道下发转换命令至所述 Switch转 发面;
所述 Switch转发面,配置为接收来自私有网络或 Internet的数据包并通 过所述内部通道将数据包属性发送至所述 Switch控制面;
接收所述 Switch控制面下发转换命令, 依据地址转换规则, 执行数据 包私有地址与公有 IP地址之间的转换, 将数据包或发送至私有网络或发送
至 Internet
3、 根据权利要求 1或 2所述的 NAT实现系统, 其中, 所述改进组表 记录的地址转换规则包括的内容为: 需要进行地址转换的数据包的协议类 型、 供私有地址选择的公有 IP地址范围、 端口号范围及私有地址与公有 IP 地址对应转换关系的有效维持时间。
4、 根据权利要求 1所述的 NAT实现系统, 其中, 所述流表记录有规 则和命令, 对能够匹配规则的数据包进行命令处理; 所述规则包括地址转 换匹配规则; 所述命令包括 Group命令; 当有数据包能够匹配所述流表记 录的地址转换匹配规则时, 所述流表执行 Group命令, 指向带有 NAT数据 类型的所述改进组表。
5、 根据权利要求 2所述的 NAT实现系统, 其中, 所述 Switch控制面 接收流表和改进组表, 所述 Switch控制面还包括 NAT分析模块; 其中, 所述流表, 配置为将数据包属性进行规则匹配, 当有数据包属性能够 匹配记录的地址转换匹配规则时,所述流表执行 Group命令,指向带有 NAT 数据类型的所述改进组表;
所述改进组表, 配置为记录有地址转换规则;
所述 NAT分析模块, 配置为依据 IANA规定及地址转换规则, 对数据 包属性进行分析, 产生转换命令, 并通过内部通道下发命令到所述 Switch 转发面。
6、 根据权利要求 5所述的 NAT实现系统, 其中, 所述 Switch转发面 配置为完成从私有地址到公有 IP地址转换之后,还保存数据包的 NAT转换 列表。
7、 一种 NAT实现方法, 所述方法包括:
利用 Openflow协议, Openflow 交换机接收由 Controller下发的流表和 改进组表;
Openflow 交换机根据接收流表和改进组表, 依据流表记录的地址转换 匹配规则匹配出需要进行地址转换的数据包, 根据改进组表记录的地址转 换规则, 执行数据包私有地址与公有 IP地址之间的转换, 将数据包或发送 至 Internet或发送至私有网络。
8、 根据权利要求 7所述的 NAT实现方法, 其中, 所述改进组表记录 有地址转换规则, 所述地址转换规则记录的内容包括:
需要进行地址转换的数据包的协议类型、 供私有地址选择的公有 IP地 址范围、 端口号范围及私有地址与公有 IP地址对应转换关系的有效维持时 间。
9、 根据权利要求 7所述的 NAT实现方法, 其中, 所述完成数据包私 有地址与公有 IP地址之间的转换为:
依据 IANA规定及地址转换规则, 判断出当前数据包的地址源地址、 目的地址为私有地址还是公有 IP地址;
当判断出当前数据包的源地址为私有地址, 且目的地址为公有 IP地址 时,将私有地址转换为相应的公有 IP地址, 并利用转换后的公有 IP地址将 当前数据包发送至目的地址, 并保存当前数据包的 NAT转换列表;
当判断出当前数据包的源地址为公有 IP地址, 且目的地址在所述地址 转换规则记录的范围内时, 查找所有已保存的 NAT转换列表;
当查找到有关于该公有 IP地址转换关系的 NAT转换列表时,将当前数 据包的目的 IP地址和端口号转换为相应的私有地址和端口号, 并将当前数 据包发送至具有所述私有地址的主机;
当查找不到有关于该公有 IP地址转换关系的 NAT转换列表时,丟弃当 前数据包。
10、 一种 Openflow 交换机, 所述交换机包括: Switch控制面、 内部通 道和 Switch转发面; 其中,
所述 Switch控制面, 配置为利用 Openflow协议, 接收所述 Controller 下发的流表和改进组表;
在接收到流表和改进组表之后, 对接收到的数据包属性进行规则匹配, 当有数据包属性能够匹配所述流表记录的地址转换匹配规则时, 所述流表 执行 Group命令, 指向所述改进组表, 根据改进组表记录的地址转换规则 产生转换命令, 通过所述内部通道下发转换命令至所述 Switch转发面; 所述 Switch转发面,配置为接收来自私有网络或 Internet的数据包并通 过所述内部通道将数据包属性发送至所述 Switch控制面;
接收所述 Switch控制面下发转换命令, 依据地址转换规则, 执行数据 包私有地址与公有 IP地址之间的转换, 将数据包或发送至私有网络或发送 至 Internet
11、 根据权利要求 10所述的 Openflow 交换机, 其中, 所述 Switch控 制面接收流表和改进组表,所述 Switch控制面还包括 NAT分析模块;其中, 所述流表, 配置为将数据包属性进行规则匹配, 当有数据包属性能够 匹配记录的地址转换匹配规则时,所述流表执行 Group命令,指向带有 NAT 数据类型的所述改进组表;
所述改进组表, 配置为记录有地址转换规则;
所述 NAT分析模块, 配置为依据 IANA规定及地址转换规则, 对数据 包属性进行分析, 产生转换命令, 并通过内部通道下发命令到所述 Switch 转发面。
12、 根据权利要求 10或 11所述的 Openflow 交换机, 其中, 所述改进 组表记录的地址转换规则包括的内容为: 需要进行地址转换的数据包的协 议类型、 供私有地址选择的公有 IP地址范围、 端口号范围及私有地址与公 有 IP地址对应转换关系的有效维持时间。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP13868265.3A EP2940970B1 (en) | 2012-12-26 | 2013-09-25 | Nat implementation system, method, and openflow switch |
US14/654,931 US20150350156A1 (en) | 2012-12-26 | 2013-09-25 | NAT implementation system, method, and Openflow switch |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210574680.9 | 2012-12-26 | ||
CN201210574680.9A CN103067534B (zh) | 2012-12-26 | 2012-12-26 | 一种NAT实现系统、方法及Openflow交换机 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014101501A1 true WO2014101501A1 (zh) | 2014-07-03 |
Family
ID=48109987
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2013/084236 WO2014101501A1 (zh) | 2012-12-26 | 2013-09-25 | 一种NAT实现系统、方法及Openflow交换机 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20150350156A1 (zh) |
EP (1) | EP2940970B1 (zh) |
CN (1) | CN103067534B (zh) |
WO (1) | WO2014101501A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3313025A4 (en) * | 2015-06-18 | 2018-04-25 | New H3C Technologies Co., Ltd. | Data packet forwarding |
WO2020121317A1 (en) * | 2018-12-15 | 2020-06-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Efficient network address translation (nat) in cloud networks |
Families Citing this family (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9444842B2 (en) * | 2012-05-22 | 2016-09-13 | Sri International | Security mediation for dynamically programmable network |
CN103067534B (zh) * | 2012-12-26 | 2016-09-28 | 中兴通讯股份有限公司 | 一种NAT实现系统、方法及Openflow交换机 |
CN103347013B (zh) * | 2013-06-21 | 2016-02-10 | 北京邮电大学 | 一种增强可编程能力的OpenFlow网络系统和方法 |
WO2014205700A1 (zh) | 2013-06-26 | 2014-12-31 | 华为技术有限公司 | 一种ip地址分配的系统和方法 |
CN104252504B (zh) * | 2013-06-29 | 2018-02-09 | 华为技术有限公司 | 数据查询方法、设备和系统 |
CN104378298A (zh) * | 2013-08-16 | 2015-02-25 | 中兴通讯股份有限公司 | 一种流表条目生成方法及相应设备 |
CN104601526B (zh) | 2013-10-31 | 2018-01-09 | 华为技术有限公司 | 一种冲突检测及解决的方法、装置 |
CN103618621B (zh) * | 2013-11-21 | 2017-08-11 | 华为技术有限公司 | 一种软件定义网络sdn的自动配置方法、设备及系统 |
CN104995882B (zh) * | 2013-12-11 | 2018-05-18 | 华为技术有限公司 | 报文处理方法及装置 |
EP3094066B1 (en) * | 2014-01-14 | 2020-10-07 | Huawei Technologies Co., Ltd. | Network address translation method and apparatus |
CN104796347A (zh) * | 2014-01-20 | 2015-07-22 | 中兴通讯股份有限公司 | 一种负载均衡方法、装置和系统 |
CN104811403B (zh) * | 2014-01-27 | 2019-02-26 | 中兴通讯股份有限公司 | 基于开放流的组表处理方法、装置及组表配置单元 |
CN103795805B (zh) * | 2014-02-27 | 2017-08-25 | 中国科学技术大学苏州研究院 | 基于sdn的分布式服务器负载均衡方法 |
EP2919423B1 (en) | 2014-03-12 | 2018-11-14 | Xieon Networks S.à.r.l. | A network element of a software-defined network |
CN105359472B (zh) | 2014-05-16 | 2018-11-09 | 华为技术有限公司 | 一种用于OpenFlow网络的数据处理方法和装置 |
WO2015180113A1 (zh) * | 2014-05-30 | 2015-12-03 | 华为技术有限公司 | 一种网络地址转换方法及装置 |
WO2015184584A1 (zh) * | 2014-06-03 | 2015-12-10 | 华为技术有限公司 | 开放流流表间信息传递的方法、控制器、交换机及系统 |
BR112016030177B1 (pt) | 2014-06-24 | 2023-04-11 | Huawei Technologies Co., Ltd | Método de multidifusão, extremidade de aplicação e sistema de multidifusão para uma snd e controlador sdn |
CN105393511B (zh) | 2014-06-30 | 2019-04-26 | 华为技术有限公司 | 一种交换机模式切换方法、设备及系统 |
US9497123B2 (en) * | 2014-12-18 | 2016-11-15 | Telefonaktiebolaget L M Ericsson (Publ) | Method and system for load balancing in a software-defined networking (SDN) system upon server reconfiguration |
CN105791237B (zh) * | 2014-12-24 | 2020-05-08 | 中兴通讯股份有限公司 | 协议转化方法和装置 |
CN104618244B (zh) * | 2015-01-19 | 2018-03-02 | 迈普通信技术股份有限公司 | 一种sdn网络与传统ip网络互通的方法及系统 |
CN104811473B (zh) * | 2015-03-18 | 2018-03-02 | 华为技术有限公司 | 一种创建虚拟非易失性存储介质的方法、系统及管理系统 |
CN106161289A (zh) * | 2015-03-23 | 2016-11-23 | 中兴通讯股份有限公司 | 一种基于sdn的网关中控制报文的处理方法及系统 |
CN106209634B (zh) * | 2015-04-30 | 2020-05-22 | 中兴通讯股份有限公司 | 地址映射关系的学习方法及装置 |
EP3288224B1 (en) * | 2015-05-15 | 2019-11-06 | Huawei Technologies Co., Ltd. | Data packet forwarding method and network device |
CN106330772B (zh) * | 2015-07-10 | 2019-09-13 | 华为技术有限公司 | SDN中的流表发送方法及OpenFlow控制器 |
CN107404440B (zh) * | 2016-05-19 | 2021-01-29 | 华为技术有限公司 | 一种转发表项发送方法、报文转发方法及装置 |
CN107528715A (zh) * | 2016-06-22 | 2017-12-29 | 中兴通讯股份有限公司 | 故障类型的确定方法和装置 |
US10757014B2 (en) | 2016-07-01 | 2020-08-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Efficient NAT in SDN network |
US10187355B2 (en) * | 2016-09-27 | 2019-01-22 | Comscore, Inc. | Systems and methods for activating a private network |
CN106550043B (zh) * | 2016-11-25 | 2020-03-31 | 中国银联股份有限公司 | 基于sdn组网技术的云计算系统 |
CN108243123B (zh) * | 2016-12-23 | 2022-03-11 | 中兴通讯股份有限公司 | 广播报文的处理方法、装置、控制器和交换机 |
US10104000B2 (en) | 2017-01-31 | 2018-10-16 | Hewlett Packard Enterprise Development Lp | Reducing control plane overload of a network device |
CN107317887B (zh) * | 2017-08-23 | 2019-10-18 | 北京知道创宇信息技术股份有限公司 | 一种负载均衡方法、装置和系统 |
CN109561164B (zh) * | 2017-09-27 | 2021-02-09 | 华为技术有限公司 | Nat表项的管理方法、装置及nat设备 |
CN108810182B (zh) * | 2018-04-28 | 2021-05-18 | 深圳市德赛微电子技术有限公司 | 一种基于openflow系统的NAT流表动态学习及配置方法 |
CN110768930B (zh) * | 2018-07-25 | 2022-03-29 | 成都鼎桥通信技术有限公司 | 服务器的数据转发方法和装置 |
CN109936566B (zh) * | 2019-01-28 | 2022-08-02 | 北京和利时工业软件有限公司 | 一种数据传输方法系统、装置及计算机可读存储介质 |
EP3917089A1 (de) * | 2020-05-28 | 2021-12-01 | Siemens Aktiengesellschaft | Verfahren zum betrieb eines kommunikationssystems zur übermittlung zeitkritischer daten und switch |
CN113765857B (zh) * | 2020-06-04 | 2022-10-25 | 华为技术有限公司 | 报文转发方法、装置、设备及存储介质 |
CN112383481A (zh) * | 2020-11-02 | 2021-02-19 | 科大讯飞股份有限公司 | 流表生成和端口转发方法、节点、电子设备和存储介质 |
CN112040029B (zh) * | 2020-11-04 | 2021-02-02 | 武汉绿色网络信息服务有限责任公司 | Nat转换方法、装置、计算机设备及存储介质 |
CN112671946B (zh) * | 2020-12-25 | 2023-04-25 | 中盈优创资讯科技有限公司 | 一种基于sdn的地址转换实现方法 |
CN113225405A (zh) * | 2021-02-25 | 2021-08-06 | 紫光云技术有限公司 | 一种公有云平台下nat暂停和开启操作的方法、电子设备 |
US11394686B1 (en) * | 2021-02-25 | 2022-07-19 | Nvidia Corporation | Dynamic network address translation using prediction |
CN113612963B (zh) * | 2021-07-27 | 2024-08-20 | 深圳市捷视飞通科技股份有限公司 | 数据转发方法、装置、计算机设备和存储介质 |
US11496396B1 (en) * | 2022-04-25 | 2022-11-08 | Mimyr, Llc | Distributed software-defined network |
CN117336169B (zh) * | 2023-09-28 | 2024-08-16 | 南京金阵微电子技术有限公司 | 以太网流表的配置方法、装置、芯片、交换机和介质 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7843827B2 (en) * | 2005-12-22 | 2010-11-30 | International Business Machines Corporation | Method and device for configuring a network device |
CN102685006A (zh) * | 2012-05-03 | 2012-09-19 | 中兴通讯股份有限公司 | 一种转发数据报文的方法及装置 |
CN102739542A (zh) * | 2012-06-29 | 2012-10-17 | 杭州迪普科技有限公司 | 一种组播报文传输方法及装置 |
CN102904813A (zh) * | 2012-11-05 | 2013-01-30 | 华为技术有限公司 | 一种报文转发的方法及相应设备 |
CN103067534A (zh) * | 2012-12-26 | 2013-04-24 | 中兴通讯股份有限公司 | 一种NAT实现系统、方法及Openflow交换机 |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB9502819D0 (en) * | 1995-02-14 | 1995-04-05 | At & T Global Inf Solution | Control systems |
US7406526B2 (en) * | 2001-09-28 | 2008-07-29 | Uri Benchetrit | Extended internet protocol network address translation system |
US6996562B2 (en) * | 2002-07-29 | 2006-02-07 | Microsoft Corporation | Method and data structure for performing regular expression searches in a fixed length word language |
US8411683B2 (en) * | 2009-09-04 | 2013-04-02 | Comcast Cable Communications, Llc | Method and apparatus for providing connectivity in a network with multiple packet protocols |
WO2011144495A1 (en) * | 2010-05-19 | 2011-11-24 | Telefonaktiebolaget L M Ericsson (Publ) | Methods and apparatus for use in an openflow network |
CN103339988B (zh) * | 2011-01-31 | 2017-05-31 | 英迪股份有限公司 | 网络系统 |
US8964569B2 (en) * | 2011-07-04 | 2015-02-24 | Telefonaktiebolaget L M Ericsson (Publ) | Generic monitoring packet handling mechanism for OpenFlow 1.1 |
US8964563B2 (en) * | 2011-07-08 | 2015-02-24 | Telefonaktiebolaget L M Ericsson (Publ) | Controller driven OAM for OpenFlow |
US8606105B2 (en) * | 2011-09-15 | 2013-12-10 | Ciena Corporation | Virtual core router and switch systems and methods with a hybrid control architecture |
US8661146B2 (en) * | 2011-10-13 | 2014-02-25 | Cisco Technology, Inc. | Systems and methods for IP reachability in a communications network |
US20150023210A1 (en) * | 2012-01-09 | 2015-01-22 | Telefonaktiebolaget L M Ericsson (Publ) | Network Device Control in a Software Defined Network |
CN102594664B (zh) * | 2012-02-02 | 2015-06-17 | 杭州华三通信技术有限公司 | 流量转发方法和装置 |
US9130869B2 (en) * | 2012-02-09 | 2015-09-08 | Telefonaktiebolaget L M Ericsson (Publ) | Methods of redirecting network forwarding elements and related forwarding elements and controllers |
US8705536B2 (en) * | 2012-03-05 | 2014-04-22 | Telefonaktiebolaget L M Ericsson (Publ) | Methods of operating forwarding elements including shadow tables and related forwarding elements |
US9184995B2 (en) * | 2012-04-11 | 2015-11-10 | Gigamon Inc. | Traffic visibility in an open networking environment |
US9553801B2 (en) * | 2012-09-25 | 2017-01-24 | Google Inc. | Network device |
US20140105215A1 (en) * | 2012-10-15 | 2014-04-17 | Hewlett-Packard Development Company, L.P. | Converting addresses for nodes of a data center network into compact identifiers for determining flow keys for received data packets |
US9246847B2 (en) * | 2012-12-17 | 2016-01-26 | Telefonaktiebolaget L M Ericsson (Publ) | Extending the reach and effectiveness of header compression in access networks using SDN |
-
2012
- 2012-12-26 CN CN201210574680.9A patent/CN103067534B/zh active Active
-
2013
- 2013-09-25 EP EP13868265.3A patent/EP2940970B1/en active Active
- 2013-09-25 US US14/654,931 patent/US20150350156A1/en not_active Abandoned
- 2013-09-25 WO PCT/CN2013/084236 patent/WO2014101501A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7843827B2 (en) * | 2005-12-22 | 2010-11-30 | International Business Machines Corporation | Method and device for configuring a network device |
CN102685006A (zh) * | 2012-05-03 | 2012-09-19 | 中兴通讯股份有限公司 | 一种转发数据报文的方法及装置 |
CN102739542A (zh) * | 2012-06-29 | 2012-10-17 | 杭州迪普科技有限公司 | 一种组播报文传输方法及装置 |
CN102904813A (zh) * | 2012-11-05 | 2013-01-30 | 华为技术有限公司 | 一种报文转发的方法及相应设备 |
CN103067534A (zh) * | 2012-12-26 | 2013-04-24 | 中兴通讯股份有限公司 | 一种NAT实现系统、方法及Openflow交换机 |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3313025A4 (en) * | 2015-06-18 | 2018-04-25 | New H3C Technologies Co., Ltd. | Data packet forwarding |
US10476795B2 (en) | 2015-06-18 | 2019-11-12 | New H3C Technology Co., Ltd. | Data packet forwarding |
WO2020121317A1 (en) * | 2018-12-15 | 2020-06-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Efficient network address translation (nat) in cloud networks |
US11463399B2 (en) | 2018-12-15 | 2022-10-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Efficient network address translation (NAT) in cloud networks |
Also Published As
Publication number | Publication date |
---|---|
CN103067534B (zh) | 2016-09-28 |
EP2940970B1 (en) | 2019-02-13 |
US20150350156A1 (en) | 2015-12-03 |
CN103067534A (zh) | 2013-04-24 |
EP2940970A1 (en) | 2015-11-04 |
EP2940970A4 (en) | 2016-06-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2014101501A1 (zh) | 一种NAT实现系统、方法及Openflow交换机 | |
US20180173557A1 (en) | Physical path determination for virtual network packet flows | |
WO2017000878A1 (zh) | 报文处理 | |
US20150156107A1 (en) | Method, Controller, and System for Processing Data Packet | |
CN102685006A (zh) | 一种转发数据报文的方法及装置 | |
WO2016082588A1 (zh) | 链路连通性检测方法及装置 | |
WO2019127134A1 (zh) | 一种数据传送的方法和虚拟交换机 | |
WO2013086897A1 (zh) | 生成表项的方法、接收报文的方法及相应装置和系统 | |
WO2015043327A1 (zh) | 路由方法、设备和系统 | |
CN103532672A (zh) | 一种sdn网络中分片报文乱序的处理方法及应用 | |
WO2012106869A1 (zh) | 一种报文处理方法及相关设备 | |
WO2012094898A1 (zh) | 一种虚拟机迁移方法、交换机、虚拟机系统 | |
WO2014177097A1 (zh) | 一种流表条目生成方法及相应设备 | |
WO2011150701A1 (zh) | 数据业务处理方法、网络设备和网络系统 | |
WO2015143802A1 (zh) | 业务功能链处理方法及装置 | |
WO2014187212A1 (zh) | 一种转发报文的方法及装置 | |
CN101247353A (zh) | 流老化方法及网络设备 | |
WO2014036890A1 (zh) | 客户端模式下无线网络设备网桥转发报文的方法及装置 | |
WO2012062102A1 (zh) | 一种检测组播转发树上两点间连通性的方法、系统和装置 | |
WO2015070614A1 (zh) | 检测l2vpn网络用户侧接口连通性的方法及设备 | |
WO2014198064A1 (zh) | 一种处理报文的方法和转发器 | |
WO2014067486A1 (zh) | 一种报文转发的方法及相应设备 | |
WO2014169812A1 (zh) | 报文的转发处理方法及装置 | |
CN102546587B (zh) | 防止网关系统会话资源被恶意耗尽的方法及装置 | |
WO2014205660A1 (zh) | 一种转发数据包的方法、装置和路由设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 13868265 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14654931 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2013868265 Country of ref document: EP |