WO2016180181A1 - Method and apparatus for deploying a service function - Google Patents

Method and apparatus for deploying a service function

Info

Publication number
WO2016180181A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
information
indication information
resource
forwarding plane
Application number
PCT/CN2016/079667
Other languages
English (en)
Chinese (zh)
Inventor
李忠良
李炀
王小威
左奇
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0894 Policy-based network configuration management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Definitions

  • This document relates to, but is not limited to, the field of communications, and in particular to a method and apparatus for deploying a service function (SF).
  • NFV: Network Function Virtualization.
  • With NFV, the software that implements many network functions can run on general-purpose hardware such as x86 servers together with virtualization technology, reducing the cost of expensive dedicated network equipment.
  • Network device functions no longer depend on dedicated hardware. Resources can be shared fully and flexibly, enabling rapid development and deployment of new services, as well as automatic deployment, elastic scaling, fault isolation and self-healing based on actual business requirements.
  • SFC: Service Function Chain.
  • IP: Internet Protocol.
  • SFF: Service Function Forwarder; SFC proxy.
  • DPI: Deep Packet Inspection.
  • The SF receives messages from one or more SFFs and sends messages to one or more SFFs.
  • The SFF is responsible for forwarding a message or data frame received from the network to the SF according to the SFC encapsulation information.
  • The SFC control plane is responsible for the management and configuration of the SFC, including the discovery, management and configuration of related nodes such as flow classification nodes, SFs, SFFs and SFC proxies.
  • SFC is an indispensable part of NFV technology. SFC users can create the SFs, SFFs and other components required by an SFC from virtual resources, such as virtual machines and virtual switches, created by NFV, and include them in the service chain.
  • An SF is a representation of a VNFI (Virtualized Network Function Instance).
  • SDN: Software Defined Network.
  • In the related art, the administrator needs to create the network functions by virtualizing the underlying network resources of NFV and providing them to the SFC.
  • A new SF is deployed on the basis of the existing network resources, after which the administrator selects and groups SFs to build the SFC.
  • The SFCs formed in this way are relatively rigid: the SF cannot be adjusted according to changes in actual business needs, and no changes can be made to the underlying network resources.
  • An embodiment of the present invention provides a method and an apparatus for deploying a service function, so as to at least solve the problem in the related art that the underlying network resources must be created and the SF deployed manually, which makes the created network resources and the deployed SF rigid and prevents flexible adjustment of the underlying network resources and the SF.
  • A method for deploying a service function SF includes:
  • acquiring predetermined NFV information, the NFV information including resource indication information indicating an underlying network resource required for establishing a network function, and function indication information indicating an SF deployed on the underlying network resource; and
  • creating the underlying network resource according to the resource indication information and the function indication information, and deploying the SF on the underlying network resource, which includes:
  • delivering the resource indication information to the forwarding plane by using an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information; and
  • delivering deployment information determined according to the function indication information to a virtual machine in the underlying network resource, by using the interface to communicate with a resident program in the virtual machine, to instruct the virtual machine to deploy the SF.
  • The SF is load balancing. The resource indication information includes: a first management network IP address, an IP address on the first service subnet, and first routing information; the function indication information includes: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a load balancing configuration file according to the function indication information and delivering it to the first virtual machine through the interface and the resident program, to instruct the first virtual machine to configure its protocol, members and algorithm as those corresponding to the load balancing protocol information, the member information of the load balancing resource pool, and the load balancing algorithm information.
  • The SF is a firewall.
  • The resource indication information includes: a second management network IP address, an IP address on the second service subnet, and second routing information; the function indication information includes: firewall rule and policy information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a firewall configuration file according to the function indication information and delivering it to the second virtual machine through the interface and the resident program, to instruct the second virtual machine to configure its rules and policies as the rules and policies corresponding to the firewall rule and policy information.
  • The SF is a virtual private network (VPN).
  • The resource indication information includes: a third management network IP address, a third service subnet IP address, and third routing information; the function indication information includes: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information.
  • Delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource included in the resource indication information on the virtual machine in the forwarding plane, includes: instructing the forwarding plane to configure the IP address of the third virtual machine on the management network as the third management network IP address, its IP address on the service subnet as the third service subnet IP address, and its routing information as the third routing information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a VPN configuration file according to the function indication information and delivering it to the third virtual machine through the interface and the resident program, to instruct the third virtual machine to perform the following operations: configuring its protocol policy as the IKE policy and the IPSec policy, and configuring its site as the site corresponding to the IPSec site information.
  • The SF is a network element for WEB protection.
  • The resource indication information includes: a fourth management network IP address, a fourth service subnet IP address, and fourth routing information; the function indication information includes: a WEB protection policy and information about the WEB application server or data center that needs protection.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a WEB protection configuration file according to the function indication information and delivering it to the fourth virtual machine through the interface and the resident program, to instruct the fourth virtual machine to perform the following operations: configuring its rules and policies as the WEB protection policy and rules, and configuring its server or data center as the server or data center corresponding to the information about the WEB application server or data center that needs protection.
  • Acquiring the predetermined NFV information includes: receiving the NFV information delivered by the application plane.
  • Alternatively, acquiring the predetermined NFV information includes: receiving the NFV information delivered by the control plane, where the NFV information is delivered to the control plane by the application plane.
  • The method further includes: after creating the underlying network resource and deploying the SF, acquiring updated NFV information, where the updated NFV information includes updated resource indication information and/or updated function indication information; and updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • Updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information includes: changing, adding or deleting the created underlying network resource according to the updated resource indication information; and changing, adding or deleting the deployed SF according to the updated function indication information.
  • The method further includes: the forwarding plane reporting the information of the underlying network resource to the control plane after the underlying network resource is created; and/or the forwarding plane reporting the information of the deployed SF to the control plane after the SF is deployed.
  • A deployment device for a service function SF includes:
  • a first acquiring module configured to acquire predetermined NFV information, where the NFV information includes resource indication information indicating an underlying network resource required for establishing a network function, and function indication information indicating an SF deployed on the underlying network resource; and
  • a processing module configured to create the underlying network resource according to the resource indication information and the function indication information, and to deploy the SF on the underlying network resource.
  • The processing module includes:
  • a first delivery unit configured to deliver the resource indication information to the forwarding plane by using an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information; and
  • a second delivery unit configured to deliver deployment information determined according to the function indication information to a virtual machine in the underlying network resource, by using the interface to communicate with a resident program in the virtual machine, to instruct the virtual machine to deploy the SF.
  • The first delivery unit includes a first delivery subunit configured to deliver the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource included in the resource indication information on a virtual machine in the forwarding plane.
  • The second delivery unit includes a second delivery subunit configured to deliver the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine.
  • The SF is load balancing. The resource indication information includes: a first management network IP address, an IP address on the first service subnet, and first routing information; the function indication information includes: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information.
  • The first delivery subunit instructs the forwarding plane to configure the underlying network resource by delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information.
  • The second delivery subunit instructs the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information, and delivering the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
  • The SF is a firewall.
  • The resource indication information includes: a second management network IP address, an IP address on the second service subnet, and second routing information; the function indication information includes: firewall rule and policy information.
  • The first delivery subunit instructs the forwarding plane to configure the underlying network resource by delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information.
  • The second delivery subunit instructs the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information, and delivering the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
  • The SF is a virtual private network (VPN).
  • The resource indication information includes: a third management network IP address, a third service subnet IP address, and third routing information; the function indication information includes: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information.
  • The first delivery subunit instructs the forwarding plane to configure the underlying network resource by delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information.
  • The second delivery subunit instructs the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information, and delivering the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policy of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  • The SF is a network element for WEB protection.
  • The resource indication information includes: a fourth management network IP address, a fourth service subnet IP address, and fourth routing information; the function indication information includes: a WEB protection policy and information about the WEB application server or data center that needs protection.
  • The first delivery subunit instructs the forwarding plane to configure the underlying network resource by delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information.
  • The second delivery subunit instructs the virtual machine to deploy the SF by: creating a WEB protection configuration file according to the function indication information, and delivering the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information about the WEB application server or data center that needs protection.
  • The first acquiring module includes a first receiving unit configured to receive the NFV information delivered by the application plane.
  • Alternatively, the first acquiring module includes a second receiving unit configured to receive the NFV information delivered by the control plane, where the NFV information is delivered to the control plane by the application plane.
  • The device further includes:
  • a second acquiring module configured to acquire updated NFV information after the processing module has created the underlying network resource according to the resource indication information and the function indication information and deployed the SF on the underlying network resource, where the updated NFV information includes updated resource indication information and/or updated function indication information; and
  • an update module configured to update the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • The update module includes:
  • a first update unit configured to change, add or delete the created underlying network resource according to the updated resource indication information; and
  • a second update unit configured to change, add or delete the deployed SF according to the updated function indication information.
  • The device further includes:
  • a first reporting module, applied to the forwarding plane, configured to report the information of the underlying network resource to the control plane after the underlying network resource is created; and
  • a second reporting module, applied to the forwarding plane, configured to report the information of the deployed SF to the control plane after the SF is deployed.
  • A readable storage medium stores computer-executable instructions for performing the above method.
  • The embodiments of the present invention solve the problem in the related art that the underlying network resources must be created and the SF deployed manually, which makes the created network resources and the deployed SF rigid and prevents flexible adjustment of the underlying network resources and the SF, and in turn achieve flexible adjustment of the underlying network resources and the SF.
  • FIG. 1 is a flowchart of a method for deploying an SF according to an embodiment of the present invention.
  • FIG. 2 is a structural block diagram of a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 3 is a structural block diagram of a processing module 24 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 4 is a structural block diagram of a first delivery unit 32 and a second delivery unit 34 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 5 is a first structural block diagram of a first acquiring module 22 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 6 is a second structural block diagram of the first acquiring module 22 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 7 is a block diagram showing a preferred structure of a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 8 is a structural block diagram of an update module 74 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention.
  • FIG. 10 is a first flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention.
  • FIG. 11 is a second flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of an SFC including a load balancing node according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention.
  • The terms "first", "second" and the like in the specification and claims of the present application and the above-mentioned drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence.
  • The "application plane" in the specification, claims and accompanying drawings may be a set of logical application functions consisting of software and/or hardware, which may be implemented by an application device. Likewise, the "control plane" may be a set of logical control functions consisting of software and/or hardware, which may be implemented by a control device.
  • The "forwarding plane" may be a set of logical forwarding functions consisting of software and/or hardware, which may be implemented by a forwarding device.
  • FIG. 1 is a flowchart of a method for deploying an SF according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
  • Step S102: acquiring predetermined NFV information, where the NFV information includes resource indication information indicating an underlying network resource required for establishing a network function, and function indication information indicating an SF deployed on the underlying network resource;
  • Step S104: creating the underlying network resource according to the resource indication information and the function indication information, and deploying the SF on the underlying network resource.
  • The foregoing operations may be performed by a resource management system, which completes the creation of the underlying network resources and the deployment of the SF without manual intervention. This solves the problem in the related art that manual intervention is needed to create the underlying network resources and deploy the SF, which makes them rigid and prevents flexible adjustment of the underlying network resources and the SF, and thereby achieves flexible adjustment of the underlying network resources and the SF.
  • Creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource includes: delivering the resource indication information to the forwarding plane by using an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information; and
  • using the interface to communicate with the resident program in the virtual machine in the underlying network resource, delivering the deployment information determined according to the function indication information to the virtual machine, to instruct the virtual machine to deploy the SF.
  • In this way the forwarding plane can be used to implement the creation of the underlying network resources and the deployment of the SF, improving the flexibility of adjusting the underlying network resources and the SF without manual intervention.
  • The creation of the underlying network resource and the deployment of the SF can be performed by configuring parameters, in the following way:
  • delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource included in the resource indication information on the virtual machine in the forwarding plane; and
  • delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine.
  • The SF may be load balancing.
  • The resource indication information includes: a first management network IP address, an IP address on the first service subnet, and first routing information; the function indication information includes: load balancing protocol information, member information of a load balancing resource pool, and load balancing algorithm information.
  • Delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource included in the resource indication information on the virtual machine in the forwarding plane, includes: delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a load balancing configuration file according to the function indication information and delivering it to the first virtual machine through the interface and the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
  • The SF may be a firewall.
  • The resource indication information includes: a second management network IP address, an IP address on the second service subnet, and second routing information; the function indication information includes: firewall rule and policy information.
  • Delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource included in the resource indication information on the virtual machine in the forwarding plane, includes instructing the forwarding plane to perform the following operations: configuring the IP address of the second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a firewall configuration file according to the function indication information; and delivering the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
  • The SF may be a VPN (Virtual Private Network).
  • The resource indication information includes: a third management network IP address, a third service subnet IP address, and third routing information; the function indication information includes: an IKE (Internet Key Exchange) policy, an IPSec (IP Security) policy, and IPSec site information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a VPN configuration file according to the function indication information; and delivering the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policy of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  • The SF may be a network element for WEB protection.
  • The resource indication information includes: a fourth management network IP address, a fourth service subnet IP address, and fourth routing information; the function indication information includes: a WEB protection policy and information about the WEB application server or data center that needs protection.
  • Delivering the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource included in the resource indication information on the virtual machine in the forwarding plane, includes instructing the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information.
  • Delivering the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine, includes: creating a WEB protection configuration file according to the function indication information; and delivering the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information about the WEB application server or data center that needs protection.
  • The NFV information may be obtained in multiple manners.
  • In one manner, acquiring the NFV information includes: receiving the NFV information delivered by the application plane.
  • In another manner, acquiring the NFV information includes: receiving the NFV information delivered by the control plane, where the NFV information is delivered to the control plane by the application plane.
  • After the underlying network resource is created according to the resource indication information and the function indication information and the SF is deployed on the underlying network resource, the method further includes: obtaining updated NFV information, where the updated NFV information includes updated resource indication information and/or updated function indication information; and updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • Updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information includes: changing, adding, or deleting the created underlying network resource according to the updated resource indication information; and/or changing, adding, or deleting the deployed SF according to the updated function indication information.
  • The method further includes: after the underlying network resource is created, the forwarding plane reports the information of the underlying network resource to the control plane; and/or after the SF is deployed, the forwarding plane reports the information of the deployed SF to the control plane.
  • This embodiment can enable the control plane to discover and manage the created underlying network resources and deployed SFs.
  • The method according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, or by hardware alone, but in many cases the former is the better implementation.
  • The technical solution of the embodiments of the present invention may in essence be embodied in the form of a software product stored in a readable storage medium (such as ROM/RAM).
  • The computer-executable instructions stored in the readable storage medium cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the method described in each embodiment of the present invention.
  • An apparatus for creating an SF is also provided in the embodiments of the present invention.
  • The apparatus is configured to implement the foregoing embodiments and optional implementations; what has already been described is not repeated here.
  • The term "module" can be a combination of software and/or hardware that implements a predetermined function.
  • The apparatus described in the following embodiments is preferably implemented in software, but an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 2 is a structural block diagram of an apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes a first obtaining module 22 and a processing module 24. The apparatus will be described below.
  • The first obtaining module 22 is configured to obtain predetermined network function virtualization (NFV) information, where the NFV information includes resource indication information used to indicate the underlying network resource required for establishing a network function, and function indication information used to indicate the SF deployed on the underlying network resource;
  • the processing module 24 is connected to the first obtaining module 22, and is configured to create an underlying network resource according to the resource indication information and the function indication information, and deploy the SF on the underlying network resource.
  • FIG. 3 is a structural block diagram of a processing module 24 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • The processing module 24 includes a first delivery unit 32 and a second delivery unit 34. The processing module 24 is described below.
  • The first delivery unit 32 is configured to transmit the resource indication information to the forwarding plane through an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information;
  • the second delivery unit 34 is connected to the first delivery unit 32 and is configured to determine deployment information according to the function indication information, and to transmit the deployment information to a virtual machine in the underlying network resource by using the interface to communicate with a resident program in the virtual machine, to instruct the virtual machine to deploy the SF.
  • FIG. 4 is a structural block diagram of the first delivery unit 32 and the second delivery unit 34 in the deployment apparatus of an SF according to an embodiment of the present invention.
  • The first delivery unit 32 includes a first delivery subunit 42, and the second delivery unit 34 includes a second delivery subunit 44. The first delivery subunit 42 and the second delivery subunit 44 are described below.
  • The first delivery subunit 42 is configured to transmit the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to allocate the parameters for creating the underlying network resource included in the resource indication information to the virtual machine in the forwarding plane.
  • The second delivery subunit 44 is configured to transmit the deployment information to the virtual machine by communicating with the resident program through the interface, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information on the virtual machine.
  • The SF may be load balancing;
  • the resource indication information may include: a first management network IP address, a first service subnet IP address, and first routing information;
  • the function indication information may include: load balancing protocol information, member information of a load balancing resource pool, and load balancing algorithm information;
  • the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resource by transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
  • the second delivery subunit 44 may instruct the virtual machine to deploy the SF by creating a load balancing configuration file according to the function indication information, and transmitting the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
  • The SF may be a firewall;
  • the resource indication information may include: a second management network IP address, a second service subnet IP address, and second routing information;
  • the function indication information may include: firewall rules and policy information;
  • the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resource by transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
  • the second delivery subunit 44 may instruct the virtual machine to deploy the SF by creating a firewall configuration file according to the function indication information, and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rules and policy information.
  • The SF may be a VPN;
  • the resource indication information includes: a third management network IP address, a third service subnet IP address, and third routing information, and the function indication information includes: an IKE (Internet Key Exchange) policy, an IPsec policy, and IPsec site information;
  • the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resource by transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
  • the second delivery subunit 44 may instruct the virtual machine to deploy the SF by creating a VPN configuration file according to the function indication information, and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policy of the third virtual machine as the IKE policy and the IPsec policy, and configuring the site of the third virtual machine as the site corresponding to the IPsec site information.
  • The SF may be a network element WEB protection;
  • the resource indication information includes: a fourth management network IP address, a fourth service subnet IP address, and fourth routing information;
  • the function indication information includes: a WEB protection policy, and information on the WEB application server or data center that needs to be protected;
  • the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resource by transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
  • the second delivery subunit 44 may instruct the virtual machine to deploy the SF by creating a WEB protection configuration file according to the function indication information, and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the protected server or data center of the fourth virtual machine as the server or data center corresponding to the WEB application server or data center information that needs to be protected.
  • FIG. 5 is a block diagram of an optional structure of the first obtaining module 22 in the deployment apparatus of the service function SF according to an embodiment of the present invention.
  • The first obtaining module 22 may include a first receiving unit 52. The first receiving unit 52 is described below.
  • The first receiving unit 52 is configured to receive the NFV information delivered by the application plane.
  • FIG. 6 is a second block diagram of an optional structure of the first obtaining module 22 in the SF deployment apparatus according to an embodiment of the present invention.
  • The first obtaining module 22 may include a second receiving unit 62. The second receiving unit 62 is described below.
  • The second receiving unit 62 is configured to receive the NFV information delivered by the control plane, where the NFV information is delivered to the control plane by the application plane.
  • FIG. 7 is a block diagram showing an optional structure of an apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 7, the apparatus may include, in addition to the first obtaining module 22 and the processing module 24 shown in FIG. 2, a second obtaining module 72 and an updating module 74. The apparatus is described below.
  • The second obtaining module 72 is connected to the processing module 24 and is configured to obtain updated NFV information after the underlying network resource has been created according to the resource indication information and the function indication information and the SF has been deployed on the underlying network resource, where the updated NFV information includes updated resource indication information and/or updated function indication information;
  • the updating module 74 is connected to the second obtaining module 72 and is configured to update the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • FIG. 8 is a block diagram showing an optional structure of the updating module 74 in an SF creation apparatus according to an embodiment of the present invention.
  • The updating module 74 may include a first updating unit 82 and/or a second updating unit 84. The updating module 74 is described below.
  • The first updating unit 82 is configured to change, add, or delete the created underlying network resource according to the updated resource indication information;
  • the second updating unit 84 is configured to change, add, or delete the deployed SF according to the updated function indication information.
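The update step above says only that resources and SFs are "changed, added, or deleted" from the updated indication information. The following Python is an added illustration, not code from the patent, of how a resource management system could turn that into a concrete plan: a three-way diff of the deployed state against the updated NFV information, keyed by a stable SF name. The SfSpec record, its field names, the "replace" category and the sample state are assumptions made for this example; the only values taken from the page are the example addresses.

```python
"""Reconciling updated NFV information against deployed SFs (illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SfSpec:
    """One SF as described by the indication information (field names assumed)."""
    name: str          # stable key used to match old and new entries
    kind: str          # "load_balancing", "firewall", "vpn", "web_protection"
    mgmt_ip: str       # management-network IP (resource indication information)
    service_ip: str    # service-subnet IP   (resource indication information)
    params: Tuple[Tuple[str, str], ...]   # function indication information, sorted pairs


def reconcile(deployed: Dict[str, SfSpec], updated: Dict[str, SfSpec]) -> Dict[str, set]:
    """Three-way diff. Returns name sets under "add", "change", "replace", "delete".

    A kind change (a firewall becoming a VPN under the same name) is not a
    reconfiguration of the running VM; it must be torn down and re-created,
    so it is reported as "replace" rather than "change".
    """
    names_old, names_new = set(deployed), set(updated)
    plan: Dict[str, set] = {
        "add": names_new - names_old,
        "delete": names_old - names_new,
        "change": set(),
        "replace": set(),
    }
    for name in names_old & names_new:
        old, new = deployed[name], updated[name]
        if old == new:
            continue
        (plan["replace"] if old.kind != new.kind else plan["change"]).add(name)
    return plan


def change_scope(old: SfSpec, new: SfSpec) -> Tuple[bool, bool]:
    """(resource_changed, function_changed): whether unit 82, unit 84 or both must act."""
    resource_changed = (old.mgmt_ip, old.service_ip) != (new.mgmt_ip, new.service_ip)
    function_changed = old.params != new.params
    return resource_changed, function_changed


def ordered_actions(plan: Dict[str, set]) -> List[Tuple[str, str]]:
    """Deletions (including the teardown half of a replacement) go first, so the
    management and service-subnet addresses they held are free before adds."""
    actions: List[Tuple[str, str]] = []
    actions += [("delete", n) for n in sorted(plan["delete"] | plan["replace"])]
    actions += [("change", n) for n in sorted(plan["change"])]
    actions += [("add", n) for n in sorted(plan["add"] | plan["replace"])]
    return actions


# Constructed sample state (assumed, not from the page): the load balancer gains
# a pool member, the firewall is withdrawn, a VPN appears, and "edge" changes kind.
DEPLOYED = {
    "lb1": SfSpec("lb1", "load_balancing", "10.46.178.27", "192.168.100.27",
                  (("algorithm", "round_robin"), ("members", "192.168.100.1,192.168.100.2"))),
    "fw1": SfSpec("fw1", "firewall", "10.46.178.30", "192.168.168.30",
                  (("policy", "allow-443-only"),)),
    "edge": SfSpec("edge", "firewall", "10.46.178.40", "192.168.168.40", ()),
}
UPDATED = {
    "lb1": SfSpec("lb1", "load_balancing", "10.46.178.27", "192.168.100.27",
                  (("algorithm", "round_robin"),
                   ("members", "192.168.100.1,192.168.100.2,192.168.100.3"))),
    "vpn1": SfSpec("vpn1", "vpn", "10.46.178.50", "192.168.168.50",
                   (("ike_policy", "ikev2-aes256-sha256"),)),
    "edge": SfSpec("edge", "vpn", "10.46.178.40", "192.168.168.40", ()),
}

if __name__ == "__main__":
    for action, name in ordered_actions(reconcile(DEPLOYED, UPDATED)):
        print(action, name)
```

The ordering matters in practice: if an added SF is given the management IP of a deleted one and the add is executed first, the forwarding plane briefly holds two virtual machines with the same address.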
  • The methods and apparatus in the described embodiments can be applied to a resource management system.
  • The SF creation apparatus may further include a first reporting module and/or a second reporting module, both of which are applied to the forwarding plane. They are described below:
  • the first reporting module is applied to the forwarding plane and is configured to report the information of the underlying network resource to the control plane after the underlying network resource is created;
  • the second reporting module is applied to the forwarding plane and is configured to report the information of the deployed SF to the control plane after the SF is deployed.
  • Compared with the technical solutions in the related art, the solution in the embodiments of the present invention has the following advantages.
  • In the related art, planning an SFC in an SDN network requires first creating the underlying network resources, deploying SFs on the existing network resources, and only then planning the SFC.
  • This "resources first, planning afterwards" approach means the SFC cannot customize SFs and automatically create the required network resources according to actual business requirements, which makes SFC deployment inflexible and also wastes resources.
  • In the embodiments, an SDN supporting SFs such as load balancing, firewall, carrier grade network address translation (CGN), IP service identification and control (DPI), and routers automatically creates the required network resources and deploys the SFs in the underlying network according to the customization of the planned SFC, and the control plane can discover and manage the newly created SFs.
  • This "definition first, resources afterwards" approach allows SFCs to be deployed flexibly in SDN, while improving resource utilization and reducing manual maintenance costs.
  • The resource management system is used to automatically create the required network resources and deploy the SFs for the planned SFC in the SDN network architecture, and the related information of the SFs is updated to the SFC controller, so that the SFC controller can discover and manage the newly created SFs for use by application plane business applications.
  • FIG. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention.
  • The architecture mainly includes a resource management system, a network management system, and the three levels of the software-defined networking (SDN) framework, namely the application plane, the control plane, and the forwarding plane.
  • The application plane is divided into multiple applications; the control plane includes an orchestrator and a controller; and the forwarding plane includes flow classifiers, SFs, and forwarding devices such as switches.
  • The network management system is an important module for ensuring reliable operation of the network. It is set up to detect the running status of the network resources of the forwarding plane, to perform fault diagnosis and alarming, and to exchange network state with the control plane.
  • The resource management system is configured to create network resources and deploy SFs on the forwarding plane for the newly planned SFC.
  • FIG. 9 mainly includes five interfaces: the A-CPI is used for interaction between the application plane and the control plane, the content of which includes the creation, modification, and configuration of the SFC by the application plane; the B-CPI is used for interaction between the application plane and the resource management system, the content of which is the NFV-related information; the C-CPI is used for interaction between the control plane and the resource management system, the content of which is the SF information of the SFC that needs to be created; the D-CPI is used for interaction between the control plane and the SFs that make up the SFC, and serves the control plane's discovery, management, and configuration of SFs; and the E-CPI is used for interaction between the resource management system and the forwarding plane, through which the resource management system creates network resources on the forwarding plane. The locations of the five interfaces are as shown in FIG. 9.
  • Two schemes are provided for triggering the resource management system to create the required network resources and deploy the SF according to the planned SFC.
  • Scheme 1: the application plane directly transmits the related information of the planned NFV to the resource management system through the B-CPI, which triggers the resource management system to create the required network resources and deploy the SF on the forwarding plane through the E-CPI; the SF information is then updated to the control plane through the D-CPI.
  • Scheme 2: the application plane transmits the NFV information to the control plane through the A-CPI; the control plane transmits the SF-related information of the SFC that needs to be created to the resource management system through the C-CPI, which triggers the resource management system to create the required network resources and deploy the SF on the forwarding plane through the E-CPI; the SF information is then updated to the SFC controller through the D-CPI.
  • FIG. 10 is a first flowchart of the method for planning and deploying an SFC according to an embodiment of the present invention. As shown in FIG. 10, the process includes the following steps:
  • Step 1: A new business application needs to be deployed to the cloud platform. The application plane plans an SFC according to the requirements of the business application, including SF-related parameter settings such as custom virtual machine specifications (CPU, memory, image files, etc.), SF IP addresses, networks, routing, and gateways, similar to the SFC shown in FIG. 12 (corresponding to step S1002 in FIG. 10).
  • Step 2: The application plane transmits the NFV and SF related information to the resource management system through the B-CPI. According to the SFC information, the resource management system creates the required network resources on the forwarding plane through the E-CPI, including routers, virtual machines (using a custom image file containing modules such as the resident program), networks, etc. (corresponding to steps S1004-S1006 in FIG. 10).
  • Step 3: The resource management system saves the information about the defined SF to the control-forwarding interface adaptation module; the agent in the control-forwarding interface then communicates with the resident program of the virtual machine and delivers the information to the virtual machine, and the resident program completes the deployment and configuration of the SF function based on the received information (corresponding to steps S1008-S1010 in FIG. 10).
  • Step 4: The forwarding plane updates the information about the NFV and its SFs to the SFC controller through the D-CPI, so that the SFC controller can discover and manage the SFs and the business application can use the entire SFC (corresponding to steps S1012-S1014 in FIG. 10).
  • FIG. 11 is a second flowchart of the method for planning and deploying an SFC according to an embodiment of the present invention. As shown in FIG. 11, the process includes the following steps:
  • Step 1: A new business application needs to be deployed to the cloud platform. The application plane plans an SFC according to the requirements of the business application, including SF-related parameter settings such as custom virtual machine specifications (CPU, memory, image files, etc.), SF IP addresses, networks, routing, and gateways, similar to the SFC shown in FIG. 12, and transmits the NFV and SF related information to the control plane through the A-CPI (corresponding to step S1102 in FIG. 11).
  • Step 2: The control plane transmits the SF-related information of the SFC that needs to be created to the resource management system through the C-CPI. According to the SF information, the resource management system creates the required network resources on the forwarding plane through the E-CPI, including routers, virtual machines (using a custom image file containing modules such as the resident program), networks, etc. (corresponding to steps S1104-S1108 in FIG. 11).
  • Step 3: Same as step 3 in scheme 1 (corresponding to step S1110 in FIG. 11).
  • Step 4: Same as step 4 in scheme 1 (corresponding to steps S1112-S1114 in FIG. 11).
  • FIG. 12 is a schematic diagram of an SFC including a load balancing node according to an embodiment of the present invention.
  • Scheme 1 is used to automatically deploy an SF with a load balancing function according to the SFC, to provide load balancing for back-end service servers.
  • The load balancing service is implemented based on Nginx, but is not limited to Nginx; other high-performance load balancing products are also applicable to the embodiments of the present invention.
  • The resource management system automatically creates and deploys the load balancing SF according to the planned SFC as follows:
  • Step 1: The service capability of the business application in the application plane needs to be greatly improved, which requires a load balancing service from the SDN: a load balancer is to be built to provide load balancing for three service servers. Load balancers serving other numbers of service servers are of course also possible; this embodiment takes a load balancer serving three service servers as an example.
  • Step 2: The application plane plans an SFC that includes the load balancing SF according to the service application requirements, as shown in FIG. 12. In the SFC, the management network "public" may be 10.46.178.0/24, the service subnet "vxlan" may be 192.168.100.0/24, the floating IP address of the load balancing SF on the management network may be 10.46.178.27, the VIP of the load balancing SF in the service subnet may be 192.168.100.27, and load balancing is provided for three cloud hosts in the service subnet with IP addresses 192.168.100.1, 192.168.100.2, and 192.168.100.3.
  • In this embodiment, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address in the service subnet, and routing information, and the function indication information may include load balancing protocol information, load balancing resource pool member information, and load balancing algorithm information.
  • Step 3: The application plane transmits the related information of the SFC to the resource management system through the B-CPI, and the resource management system automatically creates the network resources required by step 2 according to the SFC planned by the application plane, including automatically creating the public and vxlan networks and the router, creating the resource pool and the active and standby virtual machines of the load balancing SF (using a custom virtual machine image file containing the resident program, Nginx, etc.), and assigning them the floating IP and virtual IP (VIP) addresses. That is, the forwarding plane configures the IP address of the virtual machine in the forwarding plane on the management network as the management network IP address of the virtual machine included in the resource indication information, configures the IP address of the virtual machine on the service subnet as the service subnet IP address included in the resource indication information, and configures the routing information of the virtual machine as the routing information included in the resource indication information.
  • The load balancing SF and the three cloud hosts are attached to the vxlan, and the SF provides load balancing for the three cloud hosts. The entire process is completed by the resource management system calling the control-forwarding interface, without the cloud administrator having to manually create virtual machines and configure the network.
  • Step 4: According to the function indication information in the planned SFC, the resource management system automatically creates a load balancing configuration file (conf), communicates with the resident program in the virtual machine through the control-forwarding interface, and delivers the conf file to the virtual machine. The load balancer (for example, Nginx) is then deployed automatically according to the function indication information, and the load balancing strategy is configured: the protocol (load balancing protocol), the members (resource pool members), the method (load balancing algorithm), and so on.
  • Step 5: The forwarding plane updates the SFC and all SF information to the SFC controller in the control plane through the D-CPI, so that related SFs such as load balancing can be discovered and managed by the SFC controller, and the SFC controller can also configure the SFC according to requirements, for the SFC to be called by application plane business applications.
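Step 4 above has the resource management system generate an Nginx configuration file from the function indication information and hand it to the resident program. The following Python is an added example, not code from the patent or from Nginx, of that generation step with the check a practitioner would want: every pool member and the VIP must lie inside the service subnet taken from the resource indication information, and the algorithm and pool name are matched against fixed sets rather than interpolated, so that a crafted field in the indication information cannot smuggle extra directives into the file the resident program applies. The dictionary layout, the pool name, the helper names and the round-robin algorithm are assumptions for this example; the addresses are those of the embodiment.

```python
"""Render an Nginx load balancing configuration from function indication
information (illustration; dictionary layout and helper names are assumed)."""
import ipaddress
import re

# Balancing methods we are willing to emit. Anything else is rejected, not
# written into the file, so "least_conn;\n include ..." cannot get through.
ALGORITHMS = {
    "round_robin": None,          # Nginx default: no directive needed
    "least_conn": "least_conn;",
    "ip_hash": "ip_hash;",
}
_POOL_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


def render_nginx_conf(function_info: dict, service_subnet: str) -> str:
    """Return an nginx.conf fragment, or raise ValueError for out-of-policy input.

    function_info: {"protocol", "vip", "members": [{"ip", "port", "weight"}], "algorithm"}
    service_subnet: the vxlan service subnet from the resource indication
                    information; the VIP and every pool member must be inside it.
    """
    subnet = ipaddress.ip_network(service_subnet)
    if function_info.get("protocol") != "http":
        # TLS termination would need certificate material that the function
        # indication information in this embodiment does not carry.
        raise ValueError("only plain http load balancing is rendered here")
    algo = function_info.get("algorithm", "round_robin")
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported load balancing algorithm {algo!r}")
    pool = function_info.get("pool_name", "backend")
    if not _POOL_NAME_RE.match(pool):
        raise ValueError("pool name must be a plain identifier")
    vip = ipaddress.ip_address(function_info["vip"])      # rejects non-address text
    if vip not in subnet:
        raise ValueError(f"VIP {vip} is outside service subnet {subnet}")

    servers = []
    for member in function_info["members"]:
        ip = ipaddress.ip_address(member["ip"])           # "1.2.3.4; evil" fails here
        if ip not in subnet:
            raise ValueError(f"pool member {ip} is outside service subnet {subnet}")
        port = int(member.get("port", 80))
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        weight = int(member.get("weight", 1))
        if weight < 1:
            raise ValueError("weight must be >= 1")
        servers.append(f"        server {ip}:{port} weight={weight};")
    if not servers:
        raise ValueError("load balancing resource pool has no members")

    lines = ["http {", f"    upstream {pool} {{"]
    if ALGORITHMS[algo]:
        lines.append(f"        {ALGORITHMS[algo]}")
    lines += servers
    lines += [
        "    }",
        "    server {",
        f"        listen {vip}:80;",
        "        location / {",
        f"            proxy_pass http://{pool};",
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def rejects(function_info: dict, service_subnet: str) -> bool:
    """True if the renderer refuses the input (used to check the guards)."""
    try:
        render_nginx_conf(function_info, service_subnet)
    except ValueError:
        return True
    return False


# Values of the embodiment: VIP 192.168.100.27 balancing three cloud hosts in
# 192.168.100.0/24. Protocol and algorithm are assumed; the page names neither.
SAMPLE_FUNCTION_INFO = {
    "protocol": "http",
    "vip": "192.168.100.27",
    "algorithm": "round_robin",
    "members": [{"ip": "192.168.100.1"}, {"ip": "192.168.100.2"}, {"ip": "192.168.100.3"}],
}
SAMPLE_SERVICE_SUBNET = "192.168.100.0/24"

if __name__ == "__main__":
    print(render_nginx_conf(SAMPLE_FUNCTION_INFO, SAMPLE_SERVICE_SUBNET), end="")
```

The subnet check is the point of binding the resource indication information to the function indication information: without it, the resident program would faithfully configure the SF to forward traffic to any address the indication information names, including hosts outside the tenant's service network.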
  • the FW (FireWall) is dynamically created according to the SFC usage scheme 1:
  • FIG. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention. As shown in FIG. 13 , the SF with firewall function is automatically deployed according to SFC to provide security protection for the back-end service network.
  • the resource management system automatically creates a firewall SF based on the planned SFC:
  • Step 1 The application plane requires the service network security of the service application, and the firewall needs to be built to provide security protection for the service network.
  • the requirements planning of the application plane service application includes the SFC of the firewall SF, as shown in FIG.
  • the IP of the management network public in the SFC can be 10.46.178.0/24
  • the IP address of the service network vxlan can be 192.168.168.0/24
  • router interface settings can be 10.46.178.0/24
  • firewall rules and policies including support protocols, IP versions, source addresses). , destination address, source port, destination port, action set, etc.
  • the resource indication information may include an IP address of the virtual machine in the forwarding plane in the foregoing management network, an IP address in the service subnet, and routing information, where the function indication information may include firewall rules and policy information. .
  • Step 3 The application plane transmits the related information of the SFC to the resource management system through the B-CPI interface. The resource management system then automatically creates the network resources planned in step 2 of this embodiment, including the router, the virtual machine required to deploy the firewall according to the planned SFC (using a custom virtual machine image file that contains modules such as the resident program), the added service network, and so on. That is, the forwarding plane configures the virtual machine's IP address on the management network as the management-network IP address included in the resource indication information of this embodiment, its IP address on the service subnet as the service-subnet IP address included in that resource indication information, and its routing information as the routing information included in that resource indication information.
  • The entire process is completed by the resource management system calling the control/forwarding interface, without the cloud administrator having to create virtual machines or configure the network manually.
  • Step 4 According to the function requirements of the firewall SF in the planned SFC, that is, according to the function indication information in the SFC, the resource manager saves the planned firewall rules and policies to the corresponding file and, by communicating with the resident program in the corresponding virtual machine, delivers the policies and rules in that file to the virtual machine; as indicated by the function indication information of this embodiment, the resident program in the virtual machine then loads the policies and rules into the firewall and starts protection.
  • Step 5 The forwarding plane reports all relevant information of the SFC containing the firewall SF to the SFC controller through the D-API interface, so that related SFs such as the firewall can be discovered and managed by the SFC controller, and so that the SFC controller can also modify the firewall rules and policies according to requirements.
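The firewall scheme above hands the resident program two things: resource indication information (the VM's management and service addresses plus a route) and function indication information (rules with protocol, IP version, addresses, ports and action). The following is an added example, not code from the patent or from ZTE, of what that resident program has to do before it "starts protection": check the addresses against the planned subnets, reject malformed rules, and render the rules behind a default-deny policy. The dictionary layout, the host addresses and the use of iptables as the backend are this example's assumptions; only the subnets 10.46.178.0/24 and 192.168.168.0/24 come from the page.

```python
"""Added example (not the patent's code): validate the firewall SF's resource
indication information against the planned networks and turn its function
indication information (the planned rules) into iptables commands.
Assumptions (hypothetical): the dictionary layouts, iptables as backend, and
the host addresses; the two subnets are the patent's example values.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.46.178.0/24")
SERVICE_NET = ipaddress.ip_network("192.168.168.0/24")
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp", "any"}
ALLOWED_ACTIONS = {"accept": "ACCEPT", "drop": "DROP", "reject": "REJECT"}

RESOURCE_INDICATION = {  # constructed sample
    "mgmt_ip": "10.46.178.20",
    "service_ip": "192.168.168.20",
    "route": {"dst": "0.0.0.0/0", "via": "192.168.168.1"},
}
FUNCTION_INDICATION = {  # constructed sample: planned rules, evaluated in order
    "rules": [
        {"proto": "tcp", "ip_version": 4, "src": "any", "dst": "192.168.168.0/24",
         "sport": "any", "dport": 443, "action": "accept"},
        {"proto": "icmp", "ip_version": 4, "src": "10.46.178.0/24", "dst": "any",
         "sport": "any", "dport": "any", "action": "accept"},
        {"proto": "tcp", "ip_version": 4, "src": "any", "dst": "any",
         "sport": "any", "dport": 23, "action": "drop"},
    ]
}

def validate_resource_indication(res):
    """Reject VM addresses and next hops that fall outside the planned networks."""
    mgmt = ipaddress.ip_address(res["mgmt_ip"])
    svc = ipaddress.ip_address(res["service_ip"])
    via = ipaddress.ip_address(res["route"]["via"])
    ipaddress.ip_network(res["route"]["dst"])  # raises ValueError on garbage
    if mgmt not in MGMT_NET:
        raise ValueError(f"management IP {mgmt} not in {MGMT_NET}")
    if svc not in SERVICE_NET:
        raise ValueError(f"service IP {svc} not in {SERVICE_NET}")
    if via not in SERVICE_NET and via not in MGMT_NET:
        raise ValueError(f"next hop {via} is not on an attached network")
    return True

def _cidr_or_none(value, version):
    if value == "any":
        return None
    net = ipaddress.ip_network(value, strict=False)
    if net.version != version:
        raise ValueError(f"{value} is not an IPv{version} address")
    return str(net)

def _port_or_none(value, proto):
    if value == "any":
        return None
    if proto not in ("tcp", "udp"):  # iptables rejects --dport without -p tcp/udp
        raise ValueError(f"port given for protocol {proto!r}")
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError(f"port {value} out of range")
    return str(port)

def render_rule(rule):
    """Translate one planned rule into an iptables FORWARD-chain command."""
    proto = rule["proto"].lower()
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    action = ALLOWED_ACTIONS.get(rule["action"].lower())
    if action is None:
        raise ValueError(f"unsupported action {rule['action']!r}")
    version = int(rule["ip_version"])
    parts = ["iptables" if version == 4 else "ip6tables", "-A", "FORWARD"]
    if proto != "any":
        parts += ["-p", proto]
    for flag, key in (("-s", "src"), ("-d", "dst")):
        cidr = _cidr_or_none(rule[key], version)
        if cidr:
            parts += [flag, cidr]
    for flag, key in (("--sport", "sport"), ("--dport", "dport")):
        port = _port_or_none(rule[key], proto)
        if port:
            parts += [flag, port]
    return " ".join(parts + ["-j", action])

def render_firewall(res, func):
    """Validated default-deny rule set followed by the planned rules."""
    validate_resource_indication(res)
    lines = [
        "iptables -P FORWARD DROP",  # default deny: only planned rules open traffic
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    return lines + [render_rule(r) for r in func["rules"]]

if __name__ == "__main__":
    print("\n".join(render_firewall(RESOURCE_INDICATION, FUNCTION_INDICATION)))
```

The point of the validation step is that the resident program is the last line of defence against a mis-planned SFC: an address outside the planned subnet, or a port on a protocol that has none, is refused before any rule is loaded rather than silently producing a firewall that passes everything.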
  • Usage scheme 2: a VPN is dynamically created according to the SFC to provide VPN service for the network.
  • The resource management system automatically creates the VPN deployment according to the planned SFC as follows:
  • Step 1 The service application of the application plane needs a service network and requires a VPN to be built to provide VPN service for that network.
  • Step 2 The application plane plans, according to the requirements of the service application, an SFC that includes the VPN function. The planning may include the following:
  • the public network in the SFC, which may be 10.46.178.0/24;
  • the service network (VXLAN), which may be 192.168.168.0/24;
  • the router interface settings; the planned SFC information is then transmitted to the control plane through the A-CPI interface.
  • Here the resource indication information may include the IP address of the virtual machine in the forwarding plane on the foregoing management network, its IP address on the service subnet, and routing information;
  • the function indication information may include the key exchange protocol (IKE) policy, the IP-layer security protocol (IPsec) policy, and the IPsec site information.
  • Step 3 The control plane transmits the related information of the SF (VPN) to be created in the SFC to the resource management system through the C-API interface, and triggers the resource management system to automatically create, according to the planned SFC, the network resources required in step 2 of this embodiment, including the router (a router with special functions, using a custom virtual machine image file that contains modules such as the resident program), the added service network, and so on. That is, the forwarding plane configures the virtual machine's IP address on the management network as the management-network IP address included in the resource indication information of this embodiment, its IP address on the service subnet as the service-subnet IP address included in that resource indication information, and its routing information as the routing information included in that resource indication information.
  • The entire process is completed by the resource management system calling the control/forwarding interface, without the cloud administrator having to create virtual machines or configure the network manually.
  • Step 4 According to the function requirements of the VPN in the planned SFC, that is, according to the function indication information of this embodiment, the resource manager saves the planned IKE policy, IPsec policy, IPsec site information and the like to the configuration file corresponding to the VPN and, by communicating with the resident program in the corresponding virtual machine, delivers the configuration file to the virtual machine, so that the resident program in the virtual machine configures and starts the VPN according to the function indication information of this embodiment.
  • Step 5 The forwarding plane reports all relevant information of the SFC including the VPN to the SFC controller through the D-CPI interface, so that related SFs such as the VPN can be discovered and managed by the SFC controller, and so that the SFC controller can also modify the VPN policy according to requirements.
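The VPN scheme's function indication information is an IKE policy, an IPsec policy and IPsec site information. The following is an added example, not code from the patent or from ZTE, of the resident program's side of step 4: it checks the planned policies for weak algorithms and overlapping subnets before anything is written, then renders the tunnel as a strongSwan `ipsec.conf` connection block. The page names no VPN implementation, so strongSwan, the dictionary layout, the peer gateway and the peer subnet are this example's assumptions; the public and service subnets are the page's.

```python
"""Added example (not the patent's code): validate the VPN SF's function
indication information (IKE policy, IPsec policy, IPsec site) and render it
as a strongSwan ipsec.conf "conn" block.
Assumptions (hypothetical): the dictionary layout, strongSwan as backend and
the gateway/peer addresses; 10.46.178.0/24 and 192.168.168.0/24 are the
patent's example subnets.
"""
import ipaddress

# Algorithms and groups that should not appear in a newly planned tunnel.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1", "modp768", "modp1024",
                   "modp1536", "null"}

FUNCTION_INDICATION = {  # constructed sample
    "ike_policy": {"version": "ikev2", "encryption": "aes256",
                   "integrity": "sha256", "dh_group": "modp2048", "lifetime": 28800},
    "ipsec_policy": {"protocol": "esp", "encryption": "aes256",
                     "integrity": "sha256", "pfs_group": "modp2048", "lifetime": 3600},
    "ipsec_site": {"name": "site-b", "local_gateway": "10.46.178.30",
                   "local_subnet": "192.168.168.0/24", "peer_gateway": "10.46.178.40",
                   "peer_subnet": "192.168.200.0/24"},
}

def validate_policy(name, policy, keys):
    """Refuse weak primitives and nonsensical lifetimes in one policy block."""
    for key in keys:
        alg = str(policy[key]).lower()
        if alg in WEAK_ALGORITHMS:
            raise ValueError(f"{name}: weak algorithm {alg!r} in {key}")
    if int(policy["lifetime"]) <= 0:
        raise ValueError(f"{name}: lifetime must be positive")

def validate_site(site):
    """Gateways must differ and the protected subnets must not overlap."""
    if ipaddress.ip_address(site["local_gateway"]) == ipaddress.ip_address(site["peer_gateway"]):
        raise ValueError("local and peer gateway are identical")
    local = ipaddress.ip_network(site["local_subnet"])
    peer = ipaddress.ip_network(site["peer_subnet"])
    if local.overlaps(peer):
        raise ValueError(f"local subnet {local} overlaps peer subnet {peer}")

def validate_function_indication(func):
    ike, ipsec = func["ike_policy"], func["ipsec_policy"]
    if ike["version"].lower() != "ikev2":
        raise ValueError("only IKEv2 is accepted for new tunnels")
    validate_policy("ike", ike, ("encryption", "integrity", "dh_group"))
    if ipsec["protocol"].lower() != "esp":
        raise ValueError("AH provides no confidentiality; use ESP")
    validate_policy("ipsec", ipsec, ("encryption", "integrity", "pfs_group"))
    validate_site(func["ipsec_site"])
    return True

def render_ipsec_conf(func):
    """Render the validated policies as a strongSwan conn block (string)."""
    validate_function_indication(func)
    ike, ipsec, site = func["ike_policy"], func["ipsec_policy"], func["ipsec_site"]
    # The trailing "!" tells strongSwan to accept only this proposal (strict mode).
    ike_proposal = f"{ike['encryption']}-{ike['integrity']}-{ike['dh_group']}!"
    esp_proposal = f"{ipsec['encryption']}-{ipsec['integrity']}-{ipsec['pfs_group']}!"
    lines = [
        f"conn {site['name']}",
        "    keyexchange=ikev2",
        f"    ike={ike_proposal}",
        f"    esp={esp_proposal}",
        f"    ikelifetime={int(ike['lifetime'])}s",
        f"    lifetime={int(ipsec['lifetime'])}s",
        "    authby=secret",  # pre-shared key from ipsec.secrets (assumption)
        f"    left={site['local_gateway']}",
        f"    leftsubnet={site['local_subnet']}",
        f"    right={site['peer_gateway']}",
        f"    rightsubnet={site['peer_subnet']}",
        "    auto=start",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_ipsec_conf(FUNCTION_INDICATION))
```

Because the SFC controller may later "modify the VPN policy according to requirements" (step 5), the same validation should run on every update, not only at creation; otherwise a later edit can quietly downgrade the tunnel to a group or cipher that the initial planning would have rejected.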
  • A WEB protection SF is dynamically created to provide WEB security protection for the server; the defenses cover SQL (Structured Query Language) injection, file inclusion vulnerabilities, XSS (cross-site scripting) attacks, XSRF (cross-site request forgery) and directory traversal attacks.
  • Step 1 The service application of the application plane requires WEB security protection for the service server, so a WEB security protection SF needs to be built to provide security protection for that server.
  • Step 2 The application plane plans, according to the requirements of the service application, an SFC that includes the WEB security protection SF. The planning in the SFC covers the network (the management network and the service subnet), the WEB protection policy (which may include an Access Control List (ACL), an IP blacklist, user data to be blocked, disabling of dangerous methods (including OPTIONS, DELETE, etc.), hotlink protection, hiding of the server version information, flow control, configuration for known attack signatures, etc.), and the WEB application server or data center that needs to be protected; the planned SFC information is then transmitted to the control plane through the A-CPI interface.
  • Here the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information;
  • the function indication information may include the foregoing WEB protection policy and the information of the protected WEB application server or data center.
  • Step 3 The control plane transmits the related information of the SF (WEB security protection) to be created to the resource management system through the C-CPI interface, and triggers the resource management system to automatically create, according to the SFC planned by the application plane, the network resources required in step 2 of this embodiment, including the network, the virtual machine required to deploy the WEB security SF (using a custom virtual machine image file that contains the resident program, Naxsi, Nginx, SSL, etc.), the added WEB application server, and so on. That is, the forwarding plane configures the virtual machine's IP address on the management network as the management-network IP address included in the resource indication information of this embodiment, its IP address on the service subnet as the service-subnet IP address included in that resource indication information, and its routing information as the routing information included in that resource indication information.
  • The entire process is completed by the resource management system calling the control/forwarding interface, without the cloud administrator having to create virtual machines or configure the network manually.
  • Step 4 According to the function requirements of the WEB security protection SF in the planned SFC, that is, according to the foregoing function indication information, the resource manager saves the planned security protection policy to the corresponding file (the control node creates configuration information for each SF) and, by communicating with the resident program in the corresponding virtual machine, delivers the policy in that file to the virtual machine; the resident program in the virtual machine then configures the policy and rules into the WEB security module according to the function indication information of this embodiment and starts protection.
  • Step 5 The forwarding plane reports the information of the WEB security protection SF to the SFC controller through the D-CPI interface, so that the SF can be discovered and managed by the SFC controller, and so that the SFC controller can also modify the security protection rules and policies according to requirements.
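The WEB protection scheme lists the policy items the SFC planner may supply (IP blacklist, disabled methods, hotlink protection, hidden server version, flow control, attack signatures) and names Nginx and Naxsi as the modules in the VM image. The following is an added example, not code from the patent or from ZTE, of the resident program's step 4: it validates that policy and renders it as an Nginx configuration fragment with Naxsi enabled. The `upstream` block also carries the members and balancing method that the load balancer scheme earlier on this page configures, so one renderer serves both passages. The dictionary layout, the sample addresses, the certificate paths and the Naxsi score thresholds are this example's assumptions; the fragment is meant to be included inside Nginx's `http` context.

```python
"""Added example (not the patent's code): render the WEB protection SF's
function indication information (protection policy plus protected WEB
application servers) into an Nginx + Naxsi configuration fragment.
Assumptions (hypothetical): the dictionary layout, sample addresses,
certificate paths and Naxsi thresholds; Nginx/Naxsi are named on the page.
"""
import ipaddress

SAFE_METHODS = ("GET", "HEAD", "POST", "PUT")
BALANCING_METHODS = ("round_robin", "least_conn", "ip_hash")
# Score variables are set by naxsi_core.rules; the thresholds are this example's choice.
NAXSI_CHECKS = (("$SQL", 8), ("$RFI", 8), ("$TRAVERSAL", 4), ("$EVADE", 4), ("$XSS", 8))

FUNCTION_INDICATION = {  # constructed sample
    "protection_policy": {
        "ip_blacklist": ["203.0.113.0/24", "198.51.100.7"],
        "disabled_methods": ["OPTIONS", "DELETE", "TRACE"],
        "hotlink_hosts": ["www.example.test"],
        "rate_limit_rps": 10,
        "hide_server_version": True,
        "naxsi_rules": "/etc/nginx/naxsi_core.rules",
    },
    "protected_servers": {  # also the load balancer's members and method
        "method": "least_conn",
        "members": ["192.168.168.11:8080", "192.168.168.12:8080"],
    },
}

def allowed_methods(policy):
    """Whitelist left after removing the planned dangerous methods."""
    blocked = {m.upper() for m in policy["disabled_methods"]}
    allowed = [m for m in SAFE_METHODS if m not in blocked]
    if "GET" not in allowed:
        raise ValueError("policy would block GET and break the site")
    return allowed

def validate_function_indication(func):
    """Reject malformed addresses and unknown balancing methods before rendering."""
    for cidr in func["protection_policy"]["ip_blacklist"]:
        ipaddress.ip_network(cidr, strict=False)  # raises ValueError on garbage
    for member in func["protected_servers"]["members"]:
        host, port = member.rsplit(":", 1)
        ipaddress.ip_address(host)
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port in member {member}")
    if func["protected_servers"]["method"] not in BALANCING_METHODS:
        raise ValueError("unknown load balancing method")
    return True

def render_nginx(func):
    validate_function_indication(func)
    pol, up = func["protection_policy"], func["protected_servers"]
    methods = "|".join(allowed_methods(pol))
    out = [
        f"include {pol['naxsi_rules']};",
        f"limit_req_zone $binary_remote_addr zone=perip:10m rate={int(pol['rate_limit_rps'])}r/s;",
        "upstream protected_app {",
    ]
    if up["method"] != "round_robin":  # round robin is Nginx's default
        out.append(f"    {up['method']};")
    out += [f"    server {m};" for m in up["members"]]
    out += [
        "}",
        "server {",
        "    listen 443 ssl;",
        "    ssl_certificate /etc/nginx/sf.crt;      # hypothetical path",
        "    ssl_certificate_key /etc/nginx/sf.key;  # hypothetical path",
        f"    server_tokens {'off' if pol['hide_server_version'] else 'on'};",
    ]
    out += [f"    deny {c};" for c in pol["ip_blacklist"]]  # IP blacklist
    out += [
        "    allow all;",
        f"    if ($request_method !~ ^({methods})$) {{ return 405; }}",
        "    location / {",
        "        limit_req zone=perip burst=20 nodelay;",  # flow control
        "        SecRulesEnabled;",
        '        DeniedUrl "/RequestDenied";',
    ]
    out += [f'        CheckRule "{var} >= {score}" BLOCK;' for var, score in NAXSI_CHECKS]
    out += [
        "        proxy_pass http://protected_app;",
        "    }",
        "    location ~* \\.(jpg|png|css|js)$ {",  # hotlink protection
        f"        valid_referers none blocked {' '.join(pol['hotlink_hosts'])};",
        "        if ($invalid_referer) { return 403; }",
        "        proxy_pass http://protected_app;",
        "    }",
        "    location /RequestDenied { return 418; }",
        "}",
    ]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_nginx(FUNCTION_INDICATION))
```

Two practitioner notes on the design: the method filter is a whitelist derived from the policy rather than a blacklist of the planned "dangerous methods", so an unlisted verb such as TRACE or PROPFIND is still refused; and the rendered file should be syntax-checked (`nginx -t`) by the resident program before it reloads the server, since a single bad directive would otherwise take the whole protection SF offline.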
  • In summary, for the SFC planned by the application plane, the solution in the embodiment of the present invention automatically creates the underlying network resources through the resource management system, deploys the SF, and reports the related information of the SF to the SFC controller, so that the SFC controller can discover and manage the SF.
  • The solution of the invention thus dynamically creates SFs based on the SDN service chain, so that the SFC has the flexible-deployment characteristic of the SDN, improves resource utilization and reduces manual maintenance cost.
  • The above modules may be implemented by software or by hardware. In the latter case they may be implemented in, but not limited to, the following manner: the foregoing modules are all located in the same processor, or the modules are respectively located in multiple processors.
  • Embodiments of the present invention also provide a storage medium. In this embodiment, the storage medium may be configured to store program code for performing the following steps:
  • S1: acquiring predetermined NFV information, where the NFV information includes resource indication information for indicating the underlying network resources required for establishing a network function, and function indication information for indicating the SF deployed on those underlying network resources;
  • S2: creating the underlying network resources according to the resource indication information, and deploying the SF on the underlying network resources according to the function indication information.
  • In this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a ROM (Read-Only Memory), a RAM (Random Access Memory), a mobile hard disk, and a magnetic device.
  • In this embodiment, the processor performs the above steps S1-S2 according to the program code stored in the storage medium.
  • In this way, the application plane of the SDN can conveniently plan the SFC according to the service requirements, without having to consider the underlying network resources.
  • The resource management system automatically creates the required underlying network resources according to the requirements of the SFC, configures and deploys the SF, and reports the SF information to the SFC controller, so that the SFC controller can discover and manage the relevant SF nodes.
  • The above modules or steps of the present invention can be implemented by a general computing device; they can be concentrated on a single computing device or distributed over a network of multiple computing devices; optionally, they can be implemented by program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be performed in an order different from that described herein; or they can be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps can be fabricated into a single integrated circuit module.
  • Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
  • The embodiments of the present invention solve the problem in the related art that creating the underlying network resources and deploying the SF requires manual intervention, which makes the creation of the underlying network resources and the deployment of the SF rigid and prevents flexible adjustment of the underlying network resources and the SF; the embodiments thereby achieve flexible adjustment of the underlying network resources and the SF.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and apparatus for deploying a service function. The method comprises the steps of: acquiring predetermined network function virtualization (NFV) information, the NFV information comprising resource indication information for indicating an underlying network resource required for establishing a network function and function indication information for indicating an SF deployed on the underlying network resource; and creating, according to the resource indication information and the function indication information, the underlying network resource and deploying the SF on the underlying network resource.
PCT/CN2016/079667 2015-08-28 2016-04-19 Method and apparatus for deploying a service function WO2016180181A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510543835.6A CN106487556B (zh) 2015-08-28 2015-08-28 Service function (SF) deployment method and apparatus
CN201510543835.6 2015-08-28

Publications (1)

Publication Number Publication Date
WO2016180181A1 true WO2016180181A1 (fr) 2016-11-17

Family

ID=57247747

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/079667 WO2016180181A1 (fr) 2015-08-28 2016-04-19 Method and apparatus for deploying a service function

Country Status (2)

Country Link
CN (1) CN106487556B (fr)
WO (1) WO2016180181A1 (fr)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108574582A (zh) * 2017-03-07 2018-09-25 中兴通讯股份有限公司 Fault detection method and apparatus
CN108574582B (zh) * 2017-03-07 2022-05-13 中兴通讯股份有限公司 Fault detection method and apparatus
US10715353B2 (en) 2017-05-15 2020-07-14 Ciena Corporation Virtual local area network identifiers for service function chaining fault detection and isolation
CN109922002A (zh) * 2017-12-13 2019-06-21 中国电信股份有限公司 SFC-based service data forwarding method and Overlay system
US10740134B2 (en) 2018-08-20 2020-08-11 Interwise Ltd. Agentless personal network firewall in virtualized datacenters
US11526373B2 (en) 2018-08-20 2022-12-13 Interwise Ltd. Agentless personal network firewall in virtualized datacenters

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117243B (zh) * 2017-06-23 2023-07-07 中兴通讯股份有限公司 Service deployment method, apparatus, client device and computer-readable storage medium
CN107332913B (zh) * 2017-07-04 2020-03-27 电子科技大学 Optimized deployment method for service function chains in a 5G mobile network
CN108200207A (zh) * 2018-02-11 2018-06-22 中国联合网络通信集团有限公司 Method and system for cloud computing system security services, and secure cloud management platform
CN108566308B (zh) * 2018-04-28 2020-11-06 电子科技大学 Reliability enhancement method based on shared-protection service function chains
CN109361675B (zh) * 2018-10-30 2021-08-13 深信服科技股份有限公司 Information security protection method, system and related components
CN109842528B (zh) * 2019-03-19 2020-10-27 西安交通大学 SDN- and NFV-based service function chain deployment method
CN112751768B (zh) * 2019-10-29 2023-11-21 华为技术有限公司 Service packet forwarding method, apparatus and computer storage medium
CN112887330B (zh) * 2021-02-26 2022-05-31 浪潮云信息技术股份公司 Apparatus and method for isolating floating IPs with network ACLs

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050045A (zh) * 2014-06-27 2014-09-17 华为技术有限公司 Disk-IO-based virtual resource allocation method and apparatus
CN104219127A (zh) * 2014-08-30 2014-12-17 华为技术有限公司 Method and device for creating a virtual network instance
KR101495069B1 (ko) * 2012-12-14 2015-02-26 한국전자통신연구원 Method and apparatus for virtual desktop service based on an I/O-virtualized network interface card

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104253866B (zh) * 2014-09-20 2018-03-27 华为技术有限公司 Software deployment method, system and related device for virtual network function network elements

Also Published As

Publication number Publication date
CN106487556A (zh) 2017-03-08
CN106487556B (zh) 2020-05-22

Similar Documents

Publication Publication Date Title
WO2016180181A1 (fr) Method and apparatus for deploying a service function
CN107409089B (zh) Method implemented in a network engine, and virtual network function controller
US10320687B2 Policy enforcement for upstream flood traffic
US10523514B2 Secure cloud fabric to connect subnets in different network domains
US11025647B2 Providing a virtual security appliance architecture to a virtual cloud infrastructure
US10498765B2 Virtual infrastructure perimeter regulator
CN106464534B (zh) Provisioning and managing slices of a customer premises equipment device
US20180062917A1 Extension of network control system into public cloud
US9967346B2 Passing data over virtual links
US20150229641A1 Migration of a security policy of a virtual machine
EP3479532B1 (fr) Data packet forwarding unit in software-defined networks
US11469998B2 Data center tenant network isolation using logical router interconnects for virtual network route leaking
CN108234211B (zh) Network control method, system and storage medium
WO2017162030A1 (fr) Method and apparatus for generating a virtual network
US20190222511A1 Randomized vnf hopping in software defined networks
US9967140B2 Virtual links for network appliances
WO2017143695A1 (fr) Method and device for subnet intercommunication
EP3817293B1 (fr) Bulk discovery of devices behind a network address translation device
CN103281406B (zh) Packet forwarding method for inter-cloud VM migration, NAT server and network
US11228603B1 Learning driven dynamic threat treatment for a software defined networking environment
US9794146B2 Methods and systems for a monitoring device to execute commands on an attached switch
CN117203938A (zh) Systems and methods for segmenting transit capability within a multi-cloud architecture
CN117222995A (zh) Systems and methods for restricting communication between virtual private cloud networks via security domains
Nainwal et al. Application Aware Routing in Sdn

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16792031

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16792031

Country of ref document: EP

Kind code of ref document: A1