WO2016150057A1 - Method and device for sending an access control list (ACL) - Google Patents


Info

Publication number
WO2016150057A1
Authority
WO
WIPO (PCT)
Prior art keywords
acl
flow table
control
control rule
acls
Application number
PCT/CN2015/085462
Other languages
English (en)
French (fr)
Inventor
刘仓明
张征
王怀滨
洪先进
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H04L41/0894 Policy-based network configuration management

Definitions

  • The present invention relates to the field of communications, and in particular to a method and an apparatus for sending an access control list (ACL).
  • SDN (Software Defined Network).
  • Openflow separates the control plane of a network device from its data (forwarding) plane.
  • With a centralized control plane, all control functions can be programmed through the control plane without upgrading the forwarding plane, which allows flexible control of network traffic and provides a good platform for innovation in core networks and applications.
  • The core concepts of SDN are the separation of control and forwarding, standardized and simplified ("dumb") forwarding equipment, and a centralized control plane through which all control functions can be programmed without upgrading the forwarding plane.
  • Openflow splits the packet forwarding process, which in a conventional device is controlled entirely by the switch/router, between an Openflow Switch and a Control Server (Controller), thereby separating data forwarding from routing control.
  • The controller controls the flow table in the Openflow switch through pre-specified interface operations and thereby controls data forwarding. Openflow has thus opened up a path for network innovation.
  • An Openflow switch consists of a flow table (FlowTable), a secure channel, and the Openflow protocol.
  • The network device maintains a FlowTable and forwards only according to that FlowTable.
  • The generation, maintenance, and delivery of the FlowTable are implemented entirely by an external controller.
  • The network operator can decide which flow granularity to use.
  • A flow table consists of a large number of flow entries, and each flow entry is a forwarding rule.
  • A packet entering the switch is looked up in the flow table to obtain its output port and the corresponding actions.
  • Access Control List (ACL) technology is widely used in modern network devices (routers, switches). Network devices such as routers often use ACLs to control whether data packets are accepted or rejected.
  • An ACL configured on a router can be applied to an interface or a user, improving network performance and security by controlling the traffic of that interface or user.
  • Each port or user can apply the same or different ACLs.
  • Each ACL is composed of a series of rules.
  • Each rule is composed of match items and an action. For example, the source IP address, destination IP address, source port number, destination port number, and protocol type can be used as match items in an ACL rule.
  • The action determines how matching packets are handled, for example permit or deny.
  • The router extracts the keywords (such as the source IP address, destination IP address, source port number, destination port number, and protocol type) from each packet and checks them one by one against the rules listed in the ACL.
  • If a packet matches a rule, the action defined in that rule is executed and the subsequent rules are not checked. The matching order of the rules in an ACL is therefore quite important. If no rule matches, the packet is rejected; this default can be changed to allow all unmatched packets to pass.
  • An ACL implements inbound access control and outbound access control.
  • For inbound access control, the router checks whether an ACL is configured in the inbound direction of the interface. If one is configured and it rejects the packet, the packet is discarded directly. If the ACL permits the packet, or no ACL is configured, the packet proceeds to routing and forwarding. Inbound access control saves unnecessary route lookup and forwarding overhead.
  • For outbound access control, the router first forwards the packet to the egress interface according to the routing table.
  • The router then checks whether an ACL is configured in the outbound direction of that interface. If one is configured, output filtering is applied to the packet according to the ACL; if not, the packet is output directly.
  • The rules in an ACL may be valid only for a specified period of time and invalid at other times.
  • The main purpose of the embodiments of the present invention is to provide a method and an apparatus for sending an ACL, so as to at least solve the problem in the related art that implementing the ACL function in a router places very high performance requirements on the network device.
  • A method for sending an ACL includes: mapping the pre-configured control rules of one or more ACLs into an Openflow flow table; and sending the Openflow flow table containing the mapped control rules to the forwarding device.
  • Before the mapping, the method includes: configuring the control rules of the one or more ACLs through a human machine interface or a user-defined automated processing flow.
  • The method includes: setting a control rule to execute in a specified time period; and/or combining specified control rules among the control rules; and/or configuring an association between an ACL and a device port; and/or configuring an association between an ACL and a broadband access user.
  • When the same control rule exists in multiple ACLs, the method further includes: setting priorities for the control rules of the multiple ACLs in the Openflow flow table.
  • Mapping the pre-configured control rules of the one or more ACLs into the Openflow flow table includes: when a control rule changes, mapping the changed control rule into the Openflow flow table.
  • A device for sending an ACL includes: a mapping module, configured to map the pre-configured control rules of one or more ACLs into an Openflow flow table;
  • and a sending module, configured to send the Openflow flow table containing the mapped control rules to the forwarding device through a software-defined network (SDN) controller.
  • The device further includes: a configuration module, configured to configure the control rules of the one or more ACLs through a human machine interface or a user-defined automated processing flow before they are mapped into the Openflow flow table.
  • The device includes: a first setting module, configured to set a control rule to execute in a specified time period; and/or to combine specified control rules among the control rules; and/or to configure an association between an ACL and a device port; and/or to configure an association between an ACL and a broadband access user.
  • The device further includes: a second setting module, configured to set priorities for the control rules of the multiple ACLs in the Openflow flow table.
  • The mapping module is further configured to map a changed control rule into the Openflow flow table when the control rule changes.
  • By mapping the pre-configured control rules of one or more ACLs into an Openflow flow table and then sending that flow table to the forwarding device through the SDN controller, the ACL control rules take effect on the data flow. This solves the problem in the related art that implementing the ACL function in a router places very high performance requirements on the network device, and in turn eases the burden of network equipment upgrades and maintenance.
  • FIG. 1 is a flowchart of a method for transmitting an access control list ACL according to an embodiment of the present invention
  • FIG. 2 is a structural block diagram of a transmitting apparatus of an access control list ACL according to an embodiment of the present invention
  • FIG. 3 is a block diagram 1 of an optional structure of a sending device for access control list ACL according to an embodiment of the present invention
  • FIG. 4 is a block diagram 2 of an optional structure of a sending device for access control list ACL according to an embodiment of the present invention
  • FIG. 5 is a block diagram 3 of an optional structure of a sending device for access control list ACL according to an embodiment of the present invention
  • FIG. 6 is a structural block diagram of an SDN-based access control list implementation system according to an alternative embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for sending an ACL according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S102: Map the pre-configured control rules of one or more ACLs into an Openflow flow table.
  • Step S104: Send the Openflow flow table containing the mapped control rules to the forwarding device through the software-defined network (SDN) controller.
  • Through these steps, the Openflow flow table containing the mapped ACL control rules is sent to the forwarding device by the SDN controller, so the ACL control rules actually take effect on the data flow. This solves the problem in the related art that implementing the ACL function in a router places very high performance requirements on the network device, and in turn eases the burden of network equipment upgrades and maintenance.
  • Before step S102, the method in this embodiment may further include: configuring the control rules of one or more ACLs through a human machine interface or a user-defined automated processing flow. It should be noted that these two ways of defining the control rules are only optional embodiments and do not limit the present invention.
  • The control functions of the ACL that can be implemented in this embodiment include: (1) executing a control rule in a specified time period; (2) combining specified control rules among the control rules; (3) configuring an association between an ACL and a device port; and (4) configuring an association between an ACL and a broadband access user.
  • Function (1) can be: when the time is within the interval from 9:00 to 17:00, the ACL application sends a rule to the forwarding device that permits forwarding of packets whose source IP address is 192.168.1.12; outside that interval, the ACL application sends another rule to the forwarding device that forbids forwarding of packets whose source IP address is 192.168.1.12.
  • Function (2) can be: the ACL application merges rules 1 and 2 of the ACL named TEST, using a private ACL rule merging algorithm, into a single rule that forbids forwarding of packets whose source IP address belongs to the network segment 192.168.0.0 (mask 255.255.254.0), so that only one rule needs to be sent to the forwarding device.
  • Function (3) can be: the ACL named TEST1 is associated with the inbound direction of device port 1, and the ACL named TEST2 is associated with the inbound direction of port 2.
  • Function (4) can be: user USER1 is associated with IP address 192.168.2.1, and user USER2 is associated with IP address 192.168.2.2.
  • When the same control rule exists in the control rules of multiple ACLs, the method of this embodiment further includes, after mapping the pre-configured control rules of the one or more ACLs into the Openflow flow table: setting priorities for the control rules of the multiple ACLs in the Openflow flow table. The matching order of control rules within the same ACL is thereby resolved by priorities.
  • When a control rule changes, the changed control rule is mapped into the Openflow flow table. That is, after an ACL control rule changes, the ACL application regenerates the flow table and notifies the SDN controller to deliver the standard flow table information carrying the new ACL control rule.
  • In this embodiment, a device for sending an access control list is also provided.
  • The device is used to implement the foregoing embodiments and optional implementations; details already described are not repeated here.
  • The terms "module" and "unit" refer to a combination of software and/or hardware that implements a predetermined function.
  • The apparatus described in the following embodiments is preferably implemented in software, although implementation in hardware or in a combination of software and hardware is also possible and contemplated.
  • FIG. 2 is a structural block diagram of a sending apparatus for an ACL according to an embodiment of the present invention. As shown in FIG. 2,
  • the apparatus includes: a mapping module 22, configured to map the pre-configured control rules of one or more ACLs into an Openflow flow table; and a sending module 24, coupled to the mapping module 22 and configured to send,
  • through the software-defined network (SDN) controller, the Openflow flow table containing the mapped control rules to the forwarding device.
  • FIG. 3 is a block diagram of an optional structure of a sending apparatus for an ACL according to an embodiment of the present invention. As shown in FIG. 3,
  • the apparatus may further include: a configuration module 32, coupled to the mapping module 22 and configured to configure the control rules of one or more ACLs through a human machine interface or a user-defined automated processing flow.
  • As shown in FIG. 4, the device may further include: a first setting module 42, coupled to the mapping module 22 and configured to set a control rule to execute in a specified time period; and/or to combine specified control rules among the control rules; and/or to configure an association between an ACL and a device port; and/or to configure an association between an ACL and a broadband access user.
  • FIG. 5 is block diagram 3 of an optional structure of a sending apparatus for an ACL according to an embodiment of the present invention. As shown in FIG. 5, when the same control rule exists in the control rules of multiple ACLs, the device may further include, after the pre-configured control rules of the one or more ACLs are mapped into the Openflow flow table: a second setting module 52, coupled to the mapping module 22 and configured to set priorities for the control rules of the multiple ACLs in the Openflow flow table.
  • The mapping module 22 is further configured to map a changed control rule into the Openflow flow table when the control rule changes.
  • This alternative embodiment provides an SDN-based access control list implementation method.
  • The ACL control rules are processed by the ACL application server to generate an Openflow flow table, which is sent to the forwarding device through the SDN controller.
  • When matching the flow table, the forwarding device obtains the ACL number from the metadata field of the flow table.
  • The ACL flow table is then looked up and matched at the next level, so that the ACL rules take effect on the data flow.
  • The functions of the ACL are divided into two parts: the ACL application and forwarding.
  • The ACL application, as the control part, formulates and generates the ACL control rules and is centralized in the application server; on each forwarding device, the basic and general control of packet forwarding is completed by matching the data stream and executing the actions.
  • The ACL control rules in this alternative embodiment include the identification of the various data streams and the corresponding action information, including but not limited to actions such as data stream filtering.
  • The rules may be generated through a human machine interface or a user-defined automated processing flow, so that the user can implement complex ACL control functions such as time-based control, user-based control, and port-based control.
  • Multiple ACLs can be configured in the ACL application, and different ACLs can be applied in different situations.
  • Rules in different ACLs may be the same, and the rules within the same ACL have a matching order requirement.
  • The priority defined in the Openflow flow entry is used in this alternative embodiment to satisfy the matching order requirement of rules within the same ACL.
  • The rules of all ACLs can be mapped into one Openflow flow table, with the metadata defined in the Openflow flow entry used to store the ACL number.
  • After the ACL application generates the flow table, it is delivered through the SDN/Openflow controller. After an ACL control rule changes, the ACL application regenerates the flow table and notifies the SDN controller to deliver the standard flow table information carrying the new ACL control rule.
  • In this way the ACL takes effect on the data flow, and when an ACL control rule changes, the updated flow table is received from the SDN controller and takes effect on the data flow.
  • The definition of the ACL and its rules are delivered through the unified flow table of the SDN controller.
  • The forwarding device executes the standard processing procedure according to the flow table and can thereby support the effective and correct application of the ACL rules.
  • The method can significantly reduce the heavy workload of the network forwarding device in configuring and changing ACL rules, and can support dynamic change and application of ACL rules.
  • FIG. 6 is a structural block diagram of an SDN-based access control list implementation system according to an alternative embodiment of the present invention. As shown in FIG. 6, the system includes: an ACL application, an SDN/Openflow controller, and a forwarding device. The following first embodiment to fourth embodiment will be described based on Fig. 6 .
  • The first embodiment relates to an ACL rule with a time period feature; the complex time period processing is done in the ACL application server. The steps of the SDN-based access control list implementation method include:
  • Step S202: Configure an ACL through the human interface provided by the ACL application.
  • For example, an ACL named TEST is configured, and the ACL number assigned to TEST by the ACL application is 1.
  • Step S204: Configure an ACL rule.
  • An ACL rule with a time period feature can be configured in TEST.
  • The rule defines that packets with source IP address 192.168.1.12 are forwarded from 9:00 to 17:00 and are prohibited at other times.
  • Step S206: The ACL application processes the time period feature of each ACL rule.
  • When the time is within the range 9:00 to 17:00, the ACL application sends a rule to the forwarding device; this rule defines that packets with source IP address 192.168.1.12 are allowed to be forwarded.
  • Outside that range, the ACL application sends another rule to the forwarding device; this rule defines that packets with source IP address 192.168.1.12 are forbidden.
  • Step S208: When an ACL rule is to be delivered to the forwarding device, the ACL rule is converted into an Openflow flow table and notified to the SDN controller, and the SDN controller sends the flow table to the forwarding device through the Openflow protocol.
  • The flow entry in the Openflow flow table representing the ACL rule delivered within the interval from 9:00 to 17:00 has the match fields: metadata with value 1 and source IP address 192.168.1.12 (mask 255.255.255.255); the entry priority is 1; and the action of the entry is: forward the packet to the output port.
  • The flow entry representing the ACL rule delivered outside the interval from 9:00 to 17:00 has the match fields: metadata with value 1 and source IP address 192.168.1.12 (mask 255.255.255.255); the entry priority is 1; and the action of the entry is: drop the packet.
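The time-period handling of Embodiment 1, as an added example that is not part of the patent: the ACL application, not the forwarding device, decides which of the two flow entries is valid at a given time and when it must next replace the entry it pushed. FlowEntry, in_period, entry_for_time and next_change are assumed names; the 9:00 to 17:00 window, ACL number 1 and source address 192.168.1.12 follow the embodiment. The example goes beyond the text in also handling a period that crosses midnight.

```python
from dataclasses import dataclass
from datetime import time

# Added example (not the patent's code). ACL "TEST" (number 1) permits source
# 192.168.1.12 between 09:00 and 17:00 and forbids it otherwise; the ACL
# application evaluates the period and pushes whichever entry is valid now.


@dataclass(frozen=True)
class FlowEntry:
    match: dict      # Openflow match fields
    priority: int
    actions: tuple   # ("output",) or ("drop",)


ACL_NUMBER = 1
PERIOD = (time(9, 0), time(17, 0))                 # [start, end) from the embodiment
SRC = ("192.168.1.12", "255.255.255.255")          # (address, mask)


def in_period(now, period=PERIOD):
    """True when `now` lies in [start, end); a period with end < start wraps past midnight."""
    start, end = period
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def entry_for_time(now, period=PERIOD):
    """The single flow entry the ACL application pushes for the current time."""
    actions = ("output",) if in_period(now, period) else ("drop",)
    return FlowEntry({"metadata": ACL_NUMBER, "ipv4_src": SRC}, 1, actions)


def next_change(now, period=PERIOD):
    """Earliest period boundary after `now`, i.e. when the pushed entry must be replaced.
    If no boundary is left today, the first boundary of the next day is returned."""
    later = sorted(b for b in period if b > now)
    return later[0] if later else min(period)


if __name__ == "__main__":
    for t in (time(8, 30), time(12, 0), time(18, 0)):
        print(t, entry_for_time(t).actions[0], "next change at", next_change(t))
```

The application would sleep until next_change(now), regenerate the entry with entry_for_time and hand it to the SDN controller, which is the regenerate-and-notify step the text describes.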
  • Embodiment 2 relates to ACL rule merging.
  • By running the complex, private ACL rule merging algorithm in the ACL application server and keeping the original ACL configuration data there, the implementation complexity of the forwarding device is reduced and its generality is preserved.
  • The number of flow entries delivered to the forwarding device is reduced, which saves flow table storage space on the forwarding device.
  • The steps of the method include:
  • Step S302: Configure an ACL through the human interface provided by the ACL application.
  • An ACL named TEST is configured, and the ACL number assigned to TEST by the ACL application is 1.
  • Step S304: Configure ACL rules.
  • Two ACL rules are configured in TEST.
  • Rule 1 applies to packets whose source IP address belongs to the network segment 192.168.0.0 (mask 255.255.255.0).
  • Rule 2 applies to packets whose source IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0).
  • Step S306: ACL rule merge processing.
  • The ACL application merges rules 1 and 2 in TEST using the private ACL rule merging algorithm.
  • They are merged into a single rule covering packets whose source IP address belongs to 192.168.0.0 (mask 255.255.254.0), so only one rule needs to be sent to the forwarding device.
  • Step S308: The ACL rule is converted into an Openflow flow table and notified to the SDN controller, and the SDN controller sends the flow table to the forwarding device through the Openflow protocol.
  • The flow entry in the Openflow flow table representing the merged ACL rule has the match fields: metadata with value 1 and source IP address 192.168.0.0 (mask 255.255.254.0);
  • the priority of the entry is 1;
  • and the action of the entry is: drop the packet.
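The rule merging of Embodiment 2, as an added example that is not the patent's private merging algorithm: consecutive rules with the same action are collapsed into the minimal covering prefixes with Python's ipaddress module, and the result is mapped to flow entries that carry the ACL number in metadata. merge_rules and to_flow_entries are assumed names; the two /24 rules of ACL TEST are constructed from the embodiment. The example goes beyond the text in refusing to merge across a rule with a different action, since that would change which rule wins for addresses in the overlap.

```python
import ipaddress

# Added example (not the patent's algorithm): merge an ACL's rules on the
# application side before mapping them into flow entries. A rule is an
# (address, mask, action) tuple and the list is in ACL order.


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def merge_rules(rules):
    """Collapse each run of consecutive same-action rules into the minimal set of
    covering prefixes. Runs are never merged across a rule with a different action."""
    merged, i = [], 0
    while i < len(rules):
        action = rules[i][2]
        j = i
        while j < len(rules) and rules[j][2] == action:
            j += 1                                   # extend the same-action run
        nets = [_net(a, m) for a, m, _ in rules[i:j]]
        for net in ipaddress.collapse_addresses(nets):   # adjacent and subsumed prefixes collapse
            merged.append((str(net.network_address), str(net.netmask), action))
        i = j
    return merged


def to_flow_entries(acl_number, rules):
    """Map rules to Openflow-style entries: ACL number in metadata, rule position as priority."""
    return [
        {"match": {"metadata": acl_number, "ipv4_src": (addr, mask)},
         "priority": pos, "actions": (action,)}
        for pos, (addr, mask, action) in enumerate(rules, start=1)
    ]


# Constructed from Embodiment 2: ACL TEST (number 1) drops two adjacent /24 segments.
TEST_RULES = [
    ("192.168.0.0", "255.255.255.0", "drop"),
    ("192.168.1.0", "255.255.255.0", "drop"),
]

if __name__ == "__main__":
    for entry in to_flow_entries(1, merge_rules(TEST_RULES)):
        print(entry)   # a single entry for 192.168.0.0 mask 255.255.254.0 with action drop
```

Only the merged list reaches the forwarding device; the original two-rule configuration stays in the ACL application, which is what lets it regenerate the flow table when a rule changes.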
  • Embodiment 3 relates to ACLs associated with a port. Multiple ACLs can exist on each forwarding device, and different ACLs are applied in different situations. ACL rules in different ACLs are allowed to be the same, and rules within the same ACL have a matching priority order. To meet these basic ACL requirements, Openflow can combine multiple ACLs in a single flow table: each ACL rule corresponds to one flow entry, the ACL number is carried in the metadata, and the matching order of the rules within an ACL is realized by setting different priorities on the flow entries.
  • The steps of the method include:
  • Step S402: Configure ACLs through the human interface provided by the ACL application.
  • An ACL named TEST1 is configured, and the ACL number assigned to TEST1 by the ACL application is 1; an ACL named TEST2 is configured, and the ACL number assigned to TEST2 is 2.
  • Step S404: Configure ACL rules.
  • Two rules are configured in TEST1.
  • Rule 1 applies to packets whose destination IP address belongs to the network segment 192.168.0.0 (mask 255.255.0.0).
  • Rule 2 applies to packets whose destination IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0); rule 2 is matched with priority over rule 1.
  • Two rules are configured in TEST2.
  • Rule 1 applies to packets whose destination IP address belongs to the network segment 192.168.0.0 (mask 255.255.0.0).
  • Rule 2 applies to packets whose destination IP address belongs to the network segment 192.168.2.0 (mask 255.255.255.0); rule 2 is matched with priority over rule 1.
  • Step S406: Configure the association between ACLs and device ports. For example, TEST1 is associated with the inbound direction of device port 1, and TEST2 with the inbound direction of port 2.
  • Step S408: The ACL-related configuration is converted into an Openflow flow table and notified to the SDN controller, and the SDN controller sends the flow table to the forwarding device through the Openflow protocol.
  • Because the inbound direction of device port 1 is associated with TEST1, flow entry 1 is added to Openflow flow table 0: its match field is input port 1, its priority is the default, and its actions are: write ACL number 1 into the metadata and go to the next flow table (table 1) for lookup.
  • Because the inbound direction of device port 2 is associated with TEST2, flow entry 2 is added to Openflow flow table 0: its match field is input port 2, its priority is the default, and its actions are: write ACL number 2 into the metadata and go to Openflow flow table 1 for lookup.
  • The ACL rules are configured in Openflow flow table 1 by four flow entries:
  • flow entry 1 (match fields: metadata with value 1 and destination IP address 192.168.0.0 (mask 255.255.0.0); priority 1; action: drop);
  • flow entry 2 (match fields: metadata with value 1 and destination IP address 192.168.1.0 (mask 255.255.255.0); priority 2; action: forward the packet (output));
  • flow entry 3 (match fields: metadata with value 2 and destination IP address 192.168.0.0 (mask 255.255.0.0); priority 1; action: drop);
  • flow entry 4 (match fields: metadata with value 2 and destination IP address 192.168.2.0 (mask 255.255.255.0); priority 2; action: forward the packet (output)).
  • Step S410: Packet forwarding in the forwarding device conforms to the Openflow standard and follows the Openflow flow table.
  • Example 1: A packet enters from port 1 of the forwarding device. The original packet and the input port information are sent to Openflow flow table 0 for matching.
  • The match hits flow entry 1 of Openflow flow table 0, which is processed according to its actions: the value 1 is written into the metadata, and the original packet together with the metadata is sent to Openflow flow table 1 for lookup.
  • The lookup matches flow entry 1 in Openflow flow table 1, which is processed according to its action, and the packet is discarded.
  • Example 2: A packet with destination IP address 192.168.2.1 enters from port 2 of the forwarding device.
  • The original packet and the input port information are sent to Openflow flow table 0 for matching, and the match hits flow entry 2 of Openflow flow table 0, which is processed according to its actions: the value 2 is written into the metadata, and the original packet together with the metadata is sent to Openflow flow table 1 for lookup.
  • Both flow entry 3 and flow entry 4 match; flow entry 4, having the higher priority, is hit, and the packet is processed according to its action and forwarded (output) to the output port.
  • Embodiment 4 relates to ACLs associated with broadband access users. Multiple ACLs may exist on each forwarding device, with different ACLs defined for different users, and multiple ACLs can be combined and implemented with Openflow technology.
  • Each ACL rule corresponds to one flow entry. To distinguish the same ACL rule in different ACLs, the ACL number is written into the metadata of the flow entry. The steps of the method are:
  • Step S502: Configure ACLs through the human interface provided by the ACL application.
  • An ACL named USER1 is configured, and the ACL number assigned to USER1 is 1; an ACL named USER2 is configured, and the ACL number assigned to USER2 is 2.
  • Step S504: Configure ACL rules.
  • A rule is configured in USER1; it prohibits forwarding of packets whose destination IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0).
  • A rule is configured in USER2; it permits forwarding of packets whose destination IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0).
  • Step S506: Configure the association between ACLs and broadband access users.
  • Step S508: The ACL-related configuration is converted into an Openflow flow table and notified to the SDN controller, and the SDN controller sends the flow table to the forwarding device through the Openflow protocol.
  • Because the user with IP address 192.168.2.1 is associated with USER1, flow entry 1 is added to Openflow flow table 0: its match field is source IP address 192.168.2.1 (mask 255.255.255.255), its priority is the default, and its actions are: write ACL number 1 into the metadata and go to the next flow table (table 1) for lookup.
  • Because the user with IP address 192.168.2.2 is associated with USER2, flow entry 2 is added to Openflow flow table 0: its match field is source IP address 192.168.2.2 (mask 255.255.255.255), its priority is the default, and its actions are: write ACL number 2 into the metadata and go to Openflow flow table 1 for lookup.
  • The ACL rules are configured in Openflow flow table 1 by two flow entries: flow entry 1 (match fields: metadata with value 1 and destination IP address 192.168.1.0 (mask 255.255.255.0); priority 1; action: drop the packet) and flow entry 2 (match fields: metadata with value 2 and destination IP address 192.168.1.0 (mask 255.255.255.0); priority 1; action: forward the packet (output)).
  • Step S510: Packet forwarding in the forwarding device conforms to the Openflow standard and follows the Openflow flow table.
  • Example 1: A packet with source IP address 192.168.2.1 and destination IP address 192.168.1.1 enters from a port of the forwarding device.
  • The original packet and the input port information are sent to Openflow flow table 0 for matching.
  • The match hits flow entry 1 of Openflow flow table 0, which is processed according to its actions: the value 1 is written into the metadata, and the original packet together with the metadata is sent to Openflow flow table 1 for lookup.
  • The lookup matches flow entry 1 in Openflow flow table 1, which is processed according to its action, and the packet is discarded.
  • Example 2: A packet with source IP address 192.168.2.2 and destination IP address 192.168.1.1 enters from a port of the forwarding device.
  • The original packet and the input port information are sent to Openflow flow table 0 for lookup.
  • The match hits flow entry 2 of Openflow flow table 0, which is processed according to its actions: the value 2 is written into the metadata, and the original packet together with the metadata is sent to Openflow flow table 1 for lookup.
  • The lookup matches flow entry 2 in Openflow flow table 1, which is processed according to its action, and the packet is forwarded (output) to the output port.
  • the ACL application definition and the rule-making are delivered by the unified flow table of the SDN controller, and the forwarding device performs the standard processing procedure according to the flow table, which can support the effective and corrective action of the ACL complex rule.
  • the application of data streams. The method can significantly reduce the huge workload of the network forwarding device in the configuration and change of the ACL rule, and can support the dynamic change and take effect of the ACL rule.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
  • the above technical solution of the present invention can be applied to the field of communication, and the OpenFlow flow table after the mapping control rule is sent to the forwarding device by the SDN controller, and the actual implementation of the ACL control rule in the data flow is realized, and the router in the related technology is solved.
  • the performance requirements of the network device are very high, and the effect of upgrading and maintaining the network device is reduced.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method and apparatus for sending an access control list (ACL). The method includes: mapping the pre-configured control rules of one or more ACLs into an OpenFlow flow table; and sending the OpenFlow flow table carrying the mapped control rules to a forwarding device through a software-defined network (SDN) controller. The invention solves the problem in the related art that implementing ACL functions with routers places very high performance demands on network devices, and thereby achieves the effect of reducing the burden of upgrading and maintaining network devices.

Description

Method and apparatus for sending an access control list (ACL)
Technical Field
The present invention relates to the field of communications, and in particular to a method and apparatus for sending an access control list (ACL).
Background
Software-defined networking (SDN) is a new network architecture proposed by the Clean Slate research group at Stanford University. Its core technology, OpenFlow, separates the control plane of network devices from the data plane: forwarding devices are standardized, the control plane is centralized, and all control functions can be implemented by programming the centralized control plane without upgrading the forwarding plane. This enables flexible control of network traffic and provides a good platform for innovation in core networks and applications. The central idea of SDN is the separation of control and forwarding: forwarding devices are standardized and kept simple, the control plane is centralized, and all control functions are implemented by programming the centralized control plane without upgrading the forwarding plane.
As one implementation of SDN, an OpenFlow switch turns packet forwarding, which was previously controlled entirely by the switch or router, into a process completed jointly by the OpenFlow switch and a controller, thereby separating data forwarding from routing control. The controller manipulates the flow table in the OpenFlow switch through predefined interface operations and thereby controls data forwarding. OpenFlow thus opens a path for network innovation. An OpenFlow switch consists of three parts: the flow table, a secure channel and the OpenFlow protocol. The network device maintains a flow table and forwards only according to it; the flow table itself is generated, maintained and delivered entirely by the external controller. The network operator decides the granularity of flows: for example, if the operator only needs to route by destination IP, the flow table can have only the destination IP field valid, with all other fields wildcarded. A flow table consists of many flow entries, each of which is one forwarding rule. A packet entering the switch looks up the flow table to obtain its output port and the corresponding actions.
Access control list (ACL) technology is widely used in modern network devices (routers, switches); network devices such as routers often use ACLs to control whether data packets are accepted or rejected. An ACL configured on a router can be applied to an interface or a user, and by controlling the traffic of the router interface or user it improves network performance and security.
Multiple ACLs can be configured on a router, and each port or user can apply the same or a different ACL. Each ACL consists of a series of rules, and each rule consists of match items and an action; for example, source IP address, destination IP address, source port number, destination port number and protocol type can all be match items in an ACL rule. The action decides how a matching packet is handled, for example permit or deny. The router extracts the key fields of each packet (source IP address, destination IP address, source port number, destination port number, protocol type, and so on) and checks them against the rules listed in the ACL one by one in order, matching the match items defined in each rule; if a rule matches, the action defined in that rule is executed and the remaining rules are not checked. The order in which rules are matched in an ACL is therefore quite important. If no rule matches, the packet is rejected; this can also be changed to permit all non-matching packets.
An ACL can implement inbound access control and outbound access control. When a packet enters through a router interface, the router checks whether an ACL is configured in the inbound direction of that interface; if one is configured and it denies the packet, the packet is dropped immediately; only if the ACL permits it, or no ACL is configured, does the packet proceed to route lookup and forwarding. Inbound access control saves unnecessary route lookup and forwarding overhead. The router forwards the packet to the egress interface according to the routing table; when the packet is about to leave through an interface, the router checks whether an ACL is configured in the outbound direction of that interface; if so, output filtering is applied to the packet according to the ACL; if not, the packet is output directly.
According to user requirements, application policies can also be added to an ACL, such as defining that the rules in an ACL take effect during a certain period and are inactive at other times. As another example, the configured ACL rules can be merged to reduce the number of rules delivered to the ACL table. In the related art, the more powerful the ACL functions, the higher the performance required of routers and other network devices. Moreover, to add an application policy, the ACL control software of every router must be upgraded, and the hardware may need to be upgraded as well, which has the disadvantages of a long development cycle and a heavy maintenance workload.
No effective solution has yet been proposed for the problem in the related art that implementing ACL functions with routers places very high performance demands on network devices.
Summary of the Invention
The main object of the embodiments of the present invention is to provide a method and apparatus for sending an access control list (ACL), so as to at least solve the problem in the related art that implementing ACL functions with routers places very high performance demands on network devices.
According to one aspect of the embodiments of the present invention, a method for sending an ACL is provided, including: mapping the pre-configured control rules of one or more ACLs into an OpenFlow flow table; and sending the OpenFlow flow table carrying the mapped control rules to a forwarding device through a software-defined network (SDN) controller.
Further, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table, the method includes: configuring the control rules for the one or more ACLs through a human-machine interface or a user-predefined automated process.
Further, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table and after pre-configuring the control rules, the method includes: setting the control rules to be executed in a specified time period; and/or merging specified control rules among the control rules; and/or configuring the association between the ACL and a device port; and/or configuring the association between the ACL and a broadband access user.
Further, when the same control rule exists in the control rules of the multiple ACLs, after mapping the preset control rules of the one or more ACLs into the OpenFlow flow table, the method further includes: setting priorities for the control rules of all of the multiple ACLs in the OpenFlow flow table.
Further, mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table includes: when the control rules change, mapping the changed control rules into the OpenFlow flow table.
According to another aspect of the embodiments of the present invention, an apparatus for sending an ACL is provided, including: a mapping module configured to map the pre-configured control rules of one or more ACLs into an OpenFlow flow table; and a sending module configured to send the OpenFlow flow table carrying the mapped control rules to a forwarding device through an SDN controller.
Further, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table, the apparatus further includes: a configuration module configured to configure the control rules for the one or more ACLs through a human-machine interface or a user-predefined automated process.
Further, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table and after pre-configuring the control rules, the apparatus includes: a first setting module configured to set the control rules to be executed in a specified time period; and/or to merge specified control rules among the control rules; and/or to configure the association between the ACL and a device port; and/or to configure the association between the ACL and a broadband access user.
Further, when the same control rule exists in the control rules of the multiple ACLs, after mapping the preset control rules of the one or more ACLs into the OpenFlow flow table, the apparatus further includes: a second setting module configured to set priorities for the control rules of all of the multiple ACLs in the OpenFlow flow table.
Further, the mapping module is also configured to map the changed control rules into the OpenFlow flow table when the control rules change.
Through the embodiments of the present invention, the pre-configured control rules of one or more ACLs are mapped into an OpenFlow flow table, and the OpenFlow flow table carrying the mapped control rules is then sent to the forwarding device through the SDN controller; that is, by sending the OpenFlow flow table carrying the mapped control rules to the forwarding device through the SDN controller, the ACL control rules actually take effect on the data flows. This solves the problem in the related art that implementing ACL functions with routers places very high performance demands on network devices, and thereby achieves the effect of reducing the burden of upgrading and maintaining network devices.
Brief Description of the Drawings
The drawings described here are provided for a further understanding of the embodiments of the present invention and form part of this application; the exemplary embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Figure 1 is a flowchart of the method for sending an access control list (ACL) according to an embodiment of the present invention;
Figure 2 is a structural block diagram of the apparatus for sending an ACL according to an embodiment of the present invention;
Figure 3 is optional structural block diagram 1 of the apparatus for sending an ACL according to an embodiment of the present invention;
Figure 4 is optional structural block diagram 2 of the apparatus for sending an ACL according to an embodiment of the present invention;
Figure 5 is optional structural block diagram 3 of the apparatus for sending an ACL according to an embodiment of the present invention;
Figure 6 is a structural block diagram of an SDN-based access control list implementation system according to an optional embodiment of the present invention.
Detailed Description
It should be noted that the embodiments in this application, and the features in the embodiments, can be combined with each other provided they do not conflict. The present invention is described in detail below with reference to the drawings and in combination with the embodiments.
This embodiment provides a method for sending an access control list (ACL). Figure 1 is a flowchart of the method for sending an ACL according to an embodiment of the present invention; as shown in Figure 1, the steps of the method include:
Step S102: mapping the pre-configured control rules of one or more ACLs into an OpenFlow flow table;
Step S104: sending the OpenFlow flow table carrying the mapped control rules to a forwarding device through a software-defined network (SDN) controller.
Through the above steps of this embodiment, the pre-configured control rules of one or more ACLs are mapped into an OpenFlow flow table, and the OpenFlow flow table carrying the mapped control rules is then sent to the forwarding device through the SDN controller; that is, by sending the OpenFlow flow table carrying the mapped control rules to the forwarding device through the SDN controller, the ACL control rules actually take effect on the data flows. This solves the problem in the related art that implementing ACL functions with routers places very high performance demands on network devices, and thereby achieves the effect of reducing the burden of upgrading and maintaining network devices.
Before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table, the method of this embodiment may further include: configuring control rules for the one or more ACLs through a human-machine interface or a user-predefined automated process. It should be noted that these two ways of defining control rules are merely optional implementations of this embodiment and do not limit the present invention.
In addition, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table and after pre-configuring the control rules, this embodiment can implement the following ACL control functions: (1) setting control rules to be executed in a specified time period; (2) merging specified control rules among the control rules; (3) configuring the association between an ACL and a device port; (4) configuring the association between an ACL and a broadband access user.
Specific application scenarios of the above control functions are illustrated below. For function (1): when the time is between 9:00 and 17:00, the ACL application delivers a rule to the forwarding device that permits forwarding of packets with source IP address 192.168.1.12; when the time is outside 9:00 to 17:00, the ACL application delivers another rule to the forwarding device that denies forwarding of packets with source IP address 192.168.1.12.
For function (2): the ACL application can use a private ACL rule merging algorithm to merge rules 1 and 2 of the ACL named TEST into a single rule that denies forwarding of packets whose source IP address belongs to the network segment 192.168.0.0 (mask 255.255.254.0); after merging, only one rule needs to be delivered to the forwarding device.
For function (3): the ACL named TEST1 is associated with the inbound direction of device port 1, and the ACL named TEST2 with the inbound direction of port 2.
For function (4): USER1 is associated with the user whose IP address is 192.168.2.1, and USER2 with the user whose IP address is 192.168.2.2.
In another optional implementation of this embodiment, when the same control rule exists in the control rules of multiple ACLs, after mapping the preset control rules of the one or more ACLs into the OpenFlow flow table, the method of this embodiment further includes: setting priorities for the control rules of all of the multiple ACLs in the OpenFlow flow table. Using priorities solves the requirement that control rules within the same ACL be matched in a given order.
As for the way of mapping the pre-configured control rules of one or more ACLs into the OpenFlow flow table, in one optional implementation, when the control rules change, the changed control rules are mapped into the OpenFlow flow table. That is, after the ACL control rules change, the ACL application regenerates the standard flow table information carrying the new ACL control rules and notifies the SDN controller to deliver it.
This embodiment also provides an apparatus for sending an ACL, which is used to implement the above embodiment and its optional implementations; what has already been described is not repeated. As used below, the terms "module" and "unit" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and conceived.
Figure 2 is a structural block diagram of the apparatus for sending an ACL according to an embodiment of the present invention; as shown in Figure 2, the apparatus includes: a mapping module 22 configured to map the pre-configured control rules of one or more ACLs into an OpenFlow flow table; and a sending module 24, coupled to the mapping module 22, configured to send the OpenFlow flow table carrying the mapped control rules to a forwarding device through an SDN controller.
Figure 3 is optional structural block diagram 1 of the apparatus for sending an ACL according to an embodiment of the present invention; as shown in Figure 3, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table, the apparatus may further include: a configuration module 32, coupled to the mapping module 22, configured to configure control rules for the one or more ACLs through a human-machine interface or a user-predefined automated process.
Figure 4 is optional structural block diagram 2 of the apparatus for sending an ACL according to an embodiment of the present invention; as shown in Figure 4, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table and after pre-configuring the control rules, the apparatus may further include: a first setting module 42, coupled to the mapping module 22, configured to set control rules to be executed in a specified time period; and/or to merge specified control rules among the control rules; and/or to configure the association between an ACL and a device port; and/or to configure the association between an ACL and a broadband access user.
Figure 5 is optional structural block diagram 3 of the apparatus for sending an ACL according to an embodiment of the present invention; as shown in Figure 5, when the same control rule exists in the control rules of multiple ACLs, after mapping the preset control rules of the one or more ACLs into the OpenFlow flow table, the apparatus may further include: a second setting module 52, coupled to the mapping module 22, configured to set priorities for the control rules of all of the multiple ACLs in the OpenFlow flow table.
Optionally, the mapping module 22 is also configured to map the changed control rules into the OpenFlow flow table when the control rules change.
The present invention is illustrated below with reference to an optional embodiment.
This optional embodiment provides an SDN-based method for implementing an access control list. ACL control rules are processed centrally in an ACL application server, which generates an OpenFlow flow table that is delivered to the forwarding device through the SDN controller. When the forwarding device matches the flow table, it can obtain the ACL number from the metadata field of the flow table and carry it into the lookup and matching of the next-level ACL flow table, so that the ACL rules actually take effect on the data flow.
The SDN-based access control list implementation method of this optional embodiment is described below.
In this optional embodiment, the ACL function is divided into two parts: the ACL application and forwarding. The ACL application is the control part, responsible for formulating and generating ACL control rules, and is processed centrally in the application server; the ACL forwarding part is distributed across the forwarding devices and performs basic, generic control of packet forwarding by matching data flows and applying actions.
The ACL control rules in this optional embodiment include the identification of various data flows and the corresponding action information, and include, but are not limited to, actions such as data flow filtering.
The generation of the ACL control rules mentioned above can, in this optional embodiment, be performed through a human-machine interface or through a user-predefined automated process, so that the user can implement complex ACL control functions such as time-period-based control, user-based control and port-based control.
In addition, in this optional embodiment, multiple ACLs can be configured in the ACL application; different ACLs can be applied in different situations, rules in different ACLs are allowed to be the same, and the rules within the same ACL have a required matching order. To distinguish the rules of different ACLs, this optional embodiment uses the priority defined in the OpenFlow flow entry to solve the problem of the required matching order of rules within the same ACL.
As for generating the corresponding OpenFlow flow table, the rules of all ACLs can be mapped into one OpenFlow flow table, with the metadata defined in the OpenFlow flow entry used to hold the ACL number.
ACL control rules are generated by the ACL application and delivered through the standard flow table of the SDN/OpenFlow controller. After the ACL control rules change, the ACL application regenerates the standard flow table information carrying the new ACL control rules and notifies the SDN controller to deliver it.
As long as the forwarding devices involved in this embodiment support the standard OpenFlow flow table processing procedure, they can apply ACLs to data flows, and when the ACL control rules change they can receive the updated flow table from the SDN controller and apply it to the data flows.
In the SDN network of this optional embodiment, the ACL definitions and rules of the ACL application are delivered through the unified flow table of the SDN controller, and the forwarding device follows the standard processing procedure according to the flow table, so that complex ACL rules can take effect and be applied to data flows. This method significantly reduces the heavy workload of network forwarding devices when ACL rules are configured and changed, and supports dynamic changes and activation of ACL rules.
This optional embodiment is further described below with reference to the drawings and specific examples.
Figure 6 is a structural block diagram of an SDN-based access control list implementation system according to an optional embodiment of the present invention; as shown in Figure 6, the system includes: an ACL application, an SDN/OpenFlow controller and a forwarding device. Examples 1 to 4 below are all described on the basis of Figure 6.
Example 1: concerns ACL rules with a time-period property; the complex time-period handling is placed in the ACL application server. The steps of this SDN-based access control list implementation method include:
Step S202: configure an ACL through the human-machine interface provided by the ACL application;
For example, an ACL named TEST is configured, and the ACL application assigns ACL number 1 to TEST.
Step S204: configure ACL rules;
For example, an ACL rule with a time-period property can be configured in TEST, defining that packets with source IP address 192.168.1.12 are permitted to be forwarded from 9:00 to 17:00 every day and denied at all other times.
Step S206: the ACL application handles the time-period property of each ACL rule;
When the time is between 9:00 and 17:00, the ACL application delivers a rule to the forwarding device that permits forwarding of packets with source IP address 192.168.1.12; when the time is outside 9:00 to 17:00, the ACL application delivers another rule to the forwarding device that denies forwarding of packets with source IP address 192.168.1.12.
Step S208: when an ACL rule needs to be delivered to the forwarding device, it is converted into an OpenFlow flow table and the SDN controller is notified; the SDN controller delivers the flow table to the forwarding device through the OpenFlow protocol. For example, a flow entry representing the ACL rule to be delivered within 9:00 to 17:00 is written into the OpenFlow flow table; its match fields include metadata with value 1 and source IP address 192.168.1.12 (mask 255.255.255.255), its priority value is 1, and its actions include forwarding the packet (output) to the output port. Alternatively, a flow entry representing the ACL rule to be delivered outside 9:00 to 17:00 is written into the OpenFlow flow table; its match fields include metadata with value 1 and source IP address 192.168.1.12 (mask 255.255.255.255), its priority value is 1, and its actions include dropping the packet (drop).
Example 2: concerns merging ACL rules. The ACL application server handles the complex, proprietary ACL rule merging algorithm and stores the original ACL configuration data, which simplifies the implementation of the forwarding device and keeps it generic. Merging reduces the number of flow entries delivered to the forwarding device and saves its flow table storage space. The steps of the method include:
Step S302: configure an ACL through the human-machine interface provided by the ACL application.
An ACL named TEST is configured, and the ACL application assigns ACL number 1 to TEST.
Step S304: configure ACL rules;
Two ACL rules are configured in TEST: rule 1 denies forwarding of packets whose source IP address belongs to the network segment 192.168.0.0 (mask 255.255.255.0), and rule 2 denies forwarding of packets whose source IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0).
Step S306: ACL rule merging;
The ACL application can use a private ACL rule merging algorithm to merge rules 1 and 2 of TEST into a single rule that denies forwarding of packets whose source IP address belongs to the network segment 192.168.0.0 (mask 255.255.254.0); after merging, only one rule needs to be delivered to the forwarding device.
Step S308: the ACL rule is converted into an OpenFlow flow table and the SDN controller is notified; the SDN controller delivers the flow table to the forwarding device through the OpenFlow protocol. For example, a flow entry representing the merged ACL rule is written into the OpenFlow flow table; its match fields include metadata with value 1 and source IP address 192.168.0.0 (mask 255.255.254.0), its priority value is 1, and its actions include dropping the packet (drop).
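The patent calls its merging algorithm private, so the following is an added illustration rather than the patent's own code: it collapses runs of consecutive same-action prefixes in one ACL (the two deny /24s of TEST become one /23, as in step S306) and maps the result to flow entries carrying the ACL number in metadata; it also refuses to merge across a rule of the opposite action, the check a practitioner would want before shrinking a rule set. Rule layout, function names and the dotted-mask output field are assumptions.

```python
# Added example, not the patent's algorithm: merge adjacent same-action
# prefixes of one ACL (Example 2) and emit flow entries with the ACL number
# in metadata. Rule layout, names and the "nw_src" field are assumptions.
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (action, prefix) in precedence order: first matched first


def merge_rules(rules: List[Rule]) -> List[Rule]:
    """Collapse only runs of consecutive rules that share an action.

    Within such a run the rules may be reordered freely, and collapse_addresses
    yields a set matching exactly the same addresses, so the ACL's semantics are
    unchanged. Merging across a rule with the opposite action is refused: the
    merged supernet would need a single priority, which could move it above or
    below that rule and silently widen a permit or a deny.
    """
    merged: List[Rule] = []
    i = 0
    while i < len(rules):
        action = rules[i][0]
        run = []
        while i < len(rules) and rules[i][0] == action:
            run.append(ipaddress.ip_network(rules[i][1]))
            i += 1
        merged.extend((action, str(n)) for n in ipaddress.collapse_addresses(run))
    return merged


def to_flow_entries(acl_number: int, rules: List[Rule]) -> List[Dict]:
    """One flow entry per rule: metadata = ACL number, earlier rules get a
    higher priority, deny -> drop and permit -> output (as in the patent)."""
    entries = []
    for idx, (action, prefix) in enumerate(rules):
        entries.append({
            "metadata": acl_number,
            # dotted mask, as the patent writes it: 192.168.0.0/255.255.254.0
            "nw_src": ipaddress.ip_network(prefix).with_netmask,
            "priority": len(rules) - idx,
            "action": "drop" if action == "deny" else "output",
        })
    return entries


# Constructed input mirroring ACL TEST of Example 2 (two adjacent deny /24s).
TEST_RULES: List[Rule] = [("deny", "192.168.0.0/24"), ("deny", "192.168.1.0/24")]

if __name__ == "__main__":
    for entry in to_flow_entries(1, merge_rules(TEST_RULES)):
        print(entry)
```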
Example 3: ACLs associated with ports. Multiple ACLs can exist on each forwarding device; different ACLs are applied in different situations, ACL rules in different ACLs are allowed to be the same, and the multiple rules within each ACL have a matching priority. To meet these basic ACL requirements, OpenFlow can be used to combine multiple ACLs into one flow table, with each ACL rule corresponding to one flow entry; identical ACL rules in different ACLs are distinguished by writing the ACL number into the metadata of the flow entry, and the required matching order of multiple ACL rules is achieved by setting different priorities on the flow entries. The steps of the method include:
Step S402: configure ACLs through the human-machine interface provided by the ACL application;
An ACL named TEST1 is configured and the ACL application assigns ACL number 1 to TEST1; an ACL named TEST2 is configured and the ACL application assigns ACL number 2 to TEST2;
Step S404: configure ACL rules. For example, two rules are configured in TEST1: rule 1 denies forwarding of packets whose destination IP address belongs to the network segment 192.168.0.0 (mask 255.255.0.0), and rule 2 permits forwarding of packets whose destination IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0); rule 2 is matched and executed before rule 1. Two rules are configured in TEST2: rule 1 denies forwarding of packets whose destination IP address belongs to the network segment 192.168.0.0 (mask 255.255.0.0), and rule 2 permits forwarding of packets whose destination IP address belongs to the network segment 192.168.2.0 (mask 255.255.255.0); rule 2 is matched and executed before rule 1.
Step S406: configure the association between ACLs and device ports. For example, TEST1 is associated with the inbound direction of device port 1, and TEST2 with the inbound direction of port 2;
Step S408: the ACL-related configuration is converted into OpenFlow flow tables and the SDN controller is notified; the SDN controller delivers the flow tables to the forwarding device through the OpenFlow protocol;
Since the inbound direction of device port 1 is associated with TEST1, flow entry 1 can be added to OpenFlow flow table 0 (match fields: input port 1; entry priority: default; actions: write ACL number 1 into the metadata and go to the next flow table, table 1, for lookup). Since the inbound direction of device port 2 is associated with TEST2, flow entry 2 can be added to OpenFlow flow table 0 (match fields: input port 2; entry priority: default; actions: write ACL number 2 into the metadata and go to OpenFlow flow table 1 for lookup). The ACL rules are written into OpenFlow flow table 1, where the configured ACL rules are represented by four flow entries: flow entry 1 (match fields: metadata with value 1, destination IP address 192.168.0.0 (mask 255.255.0.0); priority value 1; actions: drop the packet (drop)); flow entry 2 (match fields: metadata with value 1, destination IP address 192.168.1.0 (mask 255.255.255.0); priority value 2; actions: forward the packet (output)); flow entry 3 (match fields: metadata with value 2, destination IP address 192.168.0.0 (mask 255.255.0.0); priority value 1; actions: drop the packet (drop)); flow entry 4 (match fields: metadata with value 2, destination IP address 192.168.2.0 (mask 255.255.255.0); priority value 2; actions: forward the packet (output)).
Step S410: packet forwarding in the forwarding device complies with the OpenFlow standard and is carried out according to the OpenFlow flow tables.
Example 1: a packet with destination IP address 192.168.6.1 enters through port 1 of the forwarding device. In accordance with the OpenFlow standard, the original packet and the input port information are sent together to OpenFlow flow table 0 for lookup; it hits flow entry 1 of flow table 0 and is processed according to the actions defined in that entry: the value 1 is written into the metadata, and the original packet and the metadata are sent together to OpenFlow flow table 1 for lookup. In flow table 1 it hits flow entry 1 and is processed according to the actions defined there: the packet is dropped. Example 2: a packet with destination IP address 192.168.2.1 enters through port 2 of the forwarding device. In accordance with the OpenFlow standard, the original packet and the input port information are sent together to OpenFlow flow table 0 for lookup; it hits flow entry 2 of flow table 0 and is processed according to the actions defined in that entry: the value 2 is written into the metadata, and the original packet and the metadata are sent together to OpenFlow flow table 1 for lookup. In flow table 1 both flow entry 3 and flow entry 4 match; according to the entry priorities, flow entry 4 takes precedence and the packet is processed according to its actions: it is forwarded (output) to the output port.
Example 4: ACLs associated with broadband access users. Many ACLs can exist on each forwarding device, and different ACLs define ACL rules for different users. OpenFlow can be used to combine many ACLs into one flow table, with each ACL rule corresponding to one flow entry; identical ACL rules in different ACLs are distinguished by writing the ACL number into the metadata of the flow entry. The steps of the method:
Step S502: configure ACLs through the human-machine interface provided by the ACL application;
An ACL named USER1 is configured and the ACL application assigns ACL number 1 to USER1; an ACL named USER2 is configured and the ACL application assigns ACL number 2 to USER2.
Step S504: configure ACL rules;
One rule is configured in USER1, denying forwarding of packets whose destination IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0). One rule is configured in USER2, permitting forwarding of packets whose destination IP address belongs to the network segment 192.168.1.0 (mask 255.255.255.0).
Step S506: configure the association between ACLs and broadband access users;
USER1 is associated with the user whose IP address is 192.168.2.1, and USER2 with the user whose IP address is 192.168.2.2.
Step S508: the ACL-related configuration is converted into OpenFlow flow tables and the SDN controller is notified; the SDN controller delivers the flow tables to the forwarding device through the OpenFlow protocol.
Since the user with IP address 192.168.2.1 is associated with USER1, flow entry 1 can be added to OpenFlow flow table 0 (match fields: source IP address 192.168.2.1 (mask 255.255.255.255); entry priority: default; actions: write ACL number 1 into the metadata and go to the next flow table, table 1, for lookup). Since the user with IP address 192.168.2.2 is associated with USER2, flow entry 2 can be added to OpenFlow flow table 0 (match fields: source IP address 192.168.2.2 (mask 255.255.255.255); entry priority: default; actions: write ACL number 2 into the metadata and go to OpenFlow flow table 1 for lookup). The ACL rules are written into OpenFlow flow table 1, where the configured ACL rules are represented by two flow entries: flow entry 1 (match fields: metadata with value 1, destination IP address 192.168.1.0 (mask 255.255.255.0); priority value 1; actions: drop the packet (drop)); flow entry 2 (match fields: metadata with value 2, destination IP address 192.168.1.0 (mask 255.255.255.0); priority value 1; actions: forward the packet (output)).
Step S510: packet forwarding in the forwarding device complies with the OpenFlow standard and is carried out according to the OpenFlow flow tables;
Example 1: a packet with source IP address 192.168.2.1 and destination IP address 192.168.1.1 enters through a port of the forwarding device. In accordance with the OpenFlow standard, the original packet and the input port information are sent together to OpenFlow flow table 0 for lookup; it hits flow entry 1 of flow table 0 and is processed according to the actions defined in that entry: the value 1 is written into the metadata, and the original packet and the metadata are sent together to OpenFlow flow table 1 for lookup. In flow table 1 it hits flow entry 1 and is processed according to the actions defined there: the packet is dropped. Example 2: a packet with source IP address 192.168.2.2 and destination IP address 192.168.1.1 enters through a port of the forwarding device. In accordance with the OpenFlow standard, the original packet and the input port information are sent together to OpenFlow flow table 0 for lookup; it hits flow entry 2 of flow table 0 and is processed according to the actions defined in that entry: the value 2 is written into the metadata, and the original packet and the metadata are sent together to OpenFlow flow table 1 for lookup. In flow table 1 flow entry 2 matches, and the packet is processed according to the actions defined there: it is forwarded (output) to the output port.
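The two-table pipeline of Examples 3 and 4, as an added example that is not the patent's or any vendor's code: table 0 stamps the ACL number into metadata and jumps to table 1, table 1 holds one entry per ACL rule matched on metadata plus destination prefix, and the highest-priority hit wins. It reproduces both examples' packet walks and also shows why the metadata match matters: without it, TEST2's permit for 192.168.2.0/24 would also apply to packets arriving on port 1. Class, function and field names, the packet dict layout and the "table-miss" result are assumptions.

```python
# Added example, not the patent's code: constructed model of the two-table
# pipeline from Examples 3 and 4; names and packet layout are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

@dataclass
class FlowEntry:
    priority: int = 0                     # OpenFlow: highest-priority hit wins
    in_port: Optional[int] = None         # match field: ingress port
    src: Optional[IPv4Net] = None         # match field: source IP/mask
    dst: Optional[IPv4Net] = None         # match field: destination IP/mask
    metadata: Optional[int] = None        # match field: ACL number set by table 0
    write_metadata: Optional[int] = None  # action: stamp the ACL number
    goto_table: Optional[int] = None      # action: continue in another table
    action: Optional[str] = None          # terminal action: "drop" or "output"

    def matches(self, pkt: dict, meta: Optional[int]) -> bool:
        # A field left as None is a wildcard, as in an OpenFlow match.
        return ((self.in_port is None or pkt["in_port"] == self.in_port)
                and (self.src is None or pkt["src"] in self.src)
                and (self.dst is None or pkt["dst"] in self.dst)
                and (self.metadata is None or meta == self.metadata))

def lookup(table: List[FlowEntry], pkt: dict, meta: Optional[int]):
    """Highest-priority matching entry of one table, or None on a miss."""
    hits = [e for e in table if e.matches(pkt, meta)]
    return max(hits, key=lambda e: e.priority) if hits else None

def process(tables: Dict[int, List[FlowEntry]], pkt: dict) -> str:
    """Run one packet through the pipeline starting at table 0."""
    meta, table_id = None, 0
    while True:
        entry = lookup(tables[table_id], pkt, meta)
        if entry is None:
            return "table-miss"          # no entry of this ACL covers the packet
        if entry.write_metadata is not None:
            meta = entry.write_metadata  # carry the ACL number to the next table
        if entry.goto_table is not None:
            table_id = entry.goto_table
            continue
        return entry.action

def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)

def packet(dst: str, src: str = "10.0.0.1", in_port: int = 1) -> dict:
    return {"in_port": in_port, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst)}

def port_acl_tables() -> Dict[int, List[FlowEntry]]:
    """Example 3: TEST1 (ACL 1) on inbound port 1, TEST2 (ACL 2) on port 2."""
    table0 = [FlowEntry(in_port=1, write_metadata=1, goto_table=1),
              FlowEntry(in_port=2, write_metadata=2, goto_table=1)]
    table1 = [  # priority 2 entries are each ACL's "rule 2 before rule 1" permit
        FlowEntry(priority=1, metadata=1, dst=net("192.168.0.0/16"), action="drop"),
        FlowEntry(priority=2, metadata=1, dst=net("192.168.1.0/24"), action="output"),
        FlowEntry(priority=1, metadata=2, dst=net("192.168.0.0/16"), action="drop"),
        FlowEntry(priority=2, metadata=2, dst=net("192.168.2.0/24"), action="output")]
    return {0: table0, 1: table1}

def user_acl_tables() -> Dict[int, List[FlowEntry]]:
    """Example 4: USER1 (ACL 1) for 192.168.2.1, USER2 (ACL 2) for 192.168.2.2."""
    table0 = [FlowEntry(src=net("192.168.2.1/32"), write_metadata=1, goto_table=1),
              FlowEntry(src=net("192.168.2.2/32"), write_metadata=2, goto_table=1)]
    table1 = [
        FlowEntry(priority=1, metadata=1, dst=net("192.168.1.0/24"), action="drop"),
        FlowEntry(priority=1, metadata=2, dst=net("192.168.1.0/24"), action="output")]
    return {0: table0, 1: table1}

if __name__ == "__main__":
    t = port_acl_tables()
    print(process(t, packet("192.168.6.1", in_port=1)))  # drop   (TEST1 rule 1)
    print(process(t, packet("192.168.2.1", in_port=2)))  # output (TEST2 rule 2 wins)
    print(process(t, packet("192.168.2.1", in_port=1)))  # drop   (metadata keeps TEST2 out)
```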
In the SDN network of this optional embodiment, the ACL definitions and rule formulation of the ACL application are delivered through the unified flow table of the SDN controller, and the forwarding device follows the standard processing procedure according to the flow table, which supports the activation of complex ACL rules and their application to data flows. This method significantly reduces the heavy workload of network forwarding devices when ACL rules are configured and changed, and supports dynamic changes and activation of ACL rules.
Those skilled in the art should understand that the embodiments of the present invention can be provided as a method, a system, or a computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction apparatus, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The above are merely optional embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.
Industrial Applicability
The above technical solution of the present invention can be applied to the field of communications. By sending the OpenFlow flow table carrying the mapped control rules to the forwarding device through the SDN controller, the ACL control rules actually take effect on the data flows, which solves the problem in the related art that implementing ACL functions with routers places very high performance demands on network devices, and thereby achieves the effect of reducing the burden of upgrading and maintaining network devices.

Claims (10)

  1. A method for sending an access control list (ACL), comprising:
    mapping the pre-configured control rules of one or more ACLs into an OpenFlow flow table;
    sending the OpenFlow flow table carrying the mapped control rules to a forwarding device through a software-defined network (SDN) controller.
  2. The method according to claim 1, wherein, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table, the method comprises:
    configuring the control rules for the one or more ACLs according to a human-machine interface or a user-predefined automated process.
  3. The method according to claim 2, wherein, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table and after pre-configuring the control rules, the method comprises:
    setting the control rules to be executed in a specified time period; and/or,
    merging specified control rules among the control rules; and/or,
    configuring an association between the ACL and a device port; and/or,
    configuring an association between the ACL and a broadband access user.
  4. The method according to claim 3, wherein, when the same control rule exists in the control rules of the multiple ACLs, after mapping the preset control rules of the one or more ACLs into the OpenFlow flow table, the method further comprises:
    setting priorities for the control rules of all of the multiple ACLs in the OpenFlow flow table.
  5. The method according to claim 4, wherein mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table comprises:
    when the control rules change, mapping the changed control rules into the OpenFlow flow table.
  6. An apparatus for sending an access control list (ACL), comprising:
    a mapping module, configured to map the pre-configured control rules of one or more ACLs into an OpenFlow flow table;
    a sending module, configured to send the OpenFlow flow table carrying the mapped control rules to a forwarding device through a software-defined network (SDN) controller.
  7. The apparatus according to claim 6, wherein, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table, the apparatus further comprises:
    a configuration module, configured to configure the control rules for the one or more ACLs according to a human-machine interface or a user-predefined automated process.
  8. The apparatus according to claim 7, wherein, before mapping the pre-configured control rules of the one or more ACLs into the OpenFlow flow table and after pre-configuring the control rules, the apparatus comprises:
    a first setting module, configured to set the control rules to be executed in a specified time period; and/or, to merge specified control rules among the control rules; and/or, to configure an association between the ACL and a device port; and/or, to configure an association between the ACL and a broadband access user.
  9. The apparatus according to claim 8, wherein, when the same control rule exists in the control rules of the multiple ACLs, after mapping the preset control rules of the one or more ACLs into the OpenFlow flow table, the apparatus further comprises:
    a second setting module, configured to set priorities for the control rules of all of the multiple ACLs in the OpenFlow flow table.
  10. The apparatus according to claim 9, wherein
    the mapping module is further configured to, when the control rules change, map the changed control rules into the OpenFlow flow table.
PCT/CN2015/085462 2015-03-20 2015-07-29 Method and apparatus for sending an access control list (ACL) WO2016150057A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510128078.6 2015-03-20
CN201510128078.6A CN106034046A (zh) 2015-03-20 2015-03-20 Method and apparatus for sending an access control list (ACL)

Publications (1)

Publication Number Publication Date
WO2016150057A1 true WO2016150057A1 (zh) 2016-09-29

Family

ID=56976891

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/085462 WO2016150057A1 (zh) 2015-03-20 2015-07-29 Method and apparatus for sending an access control list (ACL)

Country Status (2)

Country Link
CN (1) CN106034046A (zh)
WO (1) WO2016150057A1 (zh)


Also Published As

Publication number Publication date
CN106034046A (zh) 2016-10-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15885990; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15885990; Country of ref document: EP; Kind code of ref document: A1)