WO2014177097A1 - Flow table entry generation method and corresponding device - Google Patents


Info

Publication number
WO2014177097A1
Authority
WO
WIPO (PCT)
Prior art keywords
flow table
table entry
address
template
entry
Prior art date
Application number
PCT/CN2014/078406
Other languages
French (fr)
Chinese (zh)
Inventor
梁乾灯
范亮
尤建洁
韩杰
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2014177097A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/64 Hybrid switching systems
    • H04L12/6418 Hybrid transport

Definitions

  • the present invention relates to the field of flow table entry generation technology, and in particular to a flow table entry generation method and corresponding device.
  • TCP: Transmission Control Protocol
  • the TCP/IP-style Internet owes its current architecture to the division of labor adopted at the outset of its design, "simple processing in the network and network equipment, complex processing handed to the host side":
  • the application layer protocol can be easily and flexibly modified and deployed.
  • the application layer software has been developed by leaps and bounds, and the functions of the application layer have been greatly enriched.
  • the network layer and its protocols, although simple in design, do not scale well and are not easy to modify.
  • the Internet can be redesigned and comprehensively designed to solve many problems of the Internet and to coordinate the realization of many new Internet requirements.
  • the shortcomings of this scheme are: (1) since the new network may not be compatible with the existing Internet and would require completely replacing the original network infrastructure, there is a problem of network deployment and smooth transition; (2) there is also significant risk in how to establish the new architecture and in whether, once established, it solves the problems faced by current and future networks;
  • Open programmable network refers to allowing network researchers, not just device vendors, to program and manage their network architecture or network protocols on network devices.
  • the open programmable approach is one of the representative achievements of the revolutionary improvement program. It can be summarized as follows: the formerly coexisting multiple functional networks and the monolithic, complex MAN (Metropolitan Area Network) / WAN (Wide Area Network) network or network equipment are divided by function, for example into data forwarding and logic control, or system core and user function. The interfaces between the parts are open and standard.
  • FIG. 1 is a schematic diagram of the hierarchical model of SDN/OpenFlow technology, which includes three levels: the infrastructure layer, the network control layer and the application layer.
  • the infrastructure layer in the SDN/OpenFlow network consists of more than one forwarding device.
  • compared with the routers, switches and various gateways of the current network, the forwarding device is simpler and has no complicated control plane; its work is the forwarding of data streams.
  • the main device in the network control layer is the network operating system (or SDN/OpenFlow controller).
  • the network operating system controls multiple forwarding devices at the same time through a standardized interface, replacing the control plane that each forwarding device previously ran independently; it can even implement the network management and end-to-end data flow rule delivery of the current network management system (that is, sending flow rules to the multiple forwarding devices on a forwarding path), and it interacts with the application layer through an application programming interface (API).
  • API: Application Programming Interface
  • the application layer is composed of different applications, and the application can directly call the network management and control functions of the network control layer through the API interface.
  • the method further includes:
  • the generating module is configured to determine that the data packet match hits the boot flow table entry as follows:
  • FIG. 1 is a schematic diagram of a topology of an SDN/OpenFlow network in the related art
  • FIG. 3 is a schematic flowchart of a method for generating a flow table entry in an embodiment of the present invention
  • Figure 5 is a flow chart of the first embodiment of the present invention.
  • Figure 8 is a schematic top view of a third embodiment of the present invention.
  • Figure 9 is a flow chart of a third embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of an Openflow forwarding device according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an OpenFlow controller according to an embodiment of the present invention.
  • the corresponding flow table template is searched for according to the flow table template ID preset in the action information of the boot flow table entry, and a flow table entry is generated according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
  • the generated flow table entry is sent to the Openflow controller through an extended flow entry add message.
  • the step of sending the generated flow table entry to the Openflow controller by using the flow entry adding message includes:
  • the destination address of the data packet is an IP address of the protected device.
  • the flow table entry generation rule defined by the flow table template is to limit the rate of packets sent from the source IP address to the protected device.
  • the flow table entry is generated.
  • the matching rule of the flow table entry includes: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device; the action information is to send data packets matching the matching rule to the protected device and to limit the sending rate using a meter table entry.
  • the matching rule of the boot flow table entry includes: the source address belongs to the private network address segment of a class of users; the data packet matching and hitting the boot flow table entry specifically includes:
  • the flow table entry generation rule defined by the flow table template is an address translation rule of a packet sent by the user side to the network side;
  • the flow table entry is generated.
  • the matching rule of the flow table entry includes the private network address of the data packet, and the action includes converting the private network address into an allocated public network address and sending the converted packet through the corresponding outbound interface.
  • the method further includes:
  • the matching rule of the second flow table entry includes the allocated public network address, and the action information is to convert the public network address into the corresponding private network address and send the converted packet through the corresponding outbound interface.
  • the private network address includes: a private network IP address.
  • the public network address includes: a public network IP address, or a public network IP address and port information.
  • the method further includes: The generated second flow table entry is sent to the Openflow controller through a flow entry add message.
  • an embodiment of the present invention further provides a method for generating a flow table entry, which is applied to an OpenFlow controller, and includes:
  • the matching rule of the boot flow table entry includes: the destination address is an IP address of the protected device; and/or,
  • the flow table entry generation rule defined by the flow table template is to limit the rate of the packets sent by the source IP address to the protected device.
  • the method further includes:
  • the OpenFlow controller does not reply to the flow entry add message, which indicates that the local flow table entry generated by the OpenFlow forwarding device according to the flow table template is accepted; or
  • the OpenFlow controller sends a reject message to the OpenFlow forwarding device, requiring it to delete the flow table entry generated according to the flow table template.
  • the OpenFlow controller sends a higher-priority flow table entry to the OpenFlow forwarding device.
  • the flow table entry generation rule defined by the flow table template is an address translation rule of a message sent by the user side to the network side.
  • the private network address network segment includes: a private network IP address.
  • the method further includes:
  • the method in this embodiment can prevent gateway spoofing caused by an IPv6 host maliciously sending RA (Router Advertisement) messages when the Layer 2 network device does not support the IPv6 secure RA feature.
  • the combination of the ASIC forwarding plane and the CPU control plane is used as an example.
  • the networking diagram is shown in Figure 4.
  • the detailed process is shown in Figure 5.
  • Step 101 The OpenFlow controller configures a local security policy to prevent TCP half-open connection attacks.
  • Step 102 The Openflow controller sends the boot flow table entry XI and the flow table template Y1 to each Openflow forwarding device according to the local security policy.
  • the matching rule of boot flow table entry X1 is that the destination address is an IP address of the OpenFlow controller and the packet type is TCP or TCP SYN (synchronize); the action of the boot flow table entry is to query flow table template Y1.
  • the flow table entry generation rule defined by flow table template Y1 is to limit the rate of TCP or TCP SYN packets sent from any source IP address to the OpenFlow controller.
  • when the ASIC forwarding plane of the OpenFlow forwarding device hits boot flow table entry X1, it sends the packet and the ID of flow table template Y1 to the CPU control plane; the CPU control plane queries the flow table template according to this information, generates flow table entry Z1 according to the rule defined by the template, and sends Z1 to the ASIC forwarding plane.
  • the matching rule of flow table entry Z1 includes: the source IP address is the source IP address of the foregoing TCP SYN packet, the destination IP address is the IP address of the OpenFlow controller, and the packet type is TCP or TCP SYN; the action is to send packets matching the matching rule to the OpenFlow controller while limiting their sending rate.
  • Step 105 The OpenFlow forwarding device sends the TCP SYN packets sent by attack source A1 to the OpenFlow controller according to flow table entry Z1 while limiting their sending rate, and sends a flow entry add message to the OpenFlow controller, which notifies the controller of the flow table entry generation rule defined by Z1.
  • after receiving the TCP SYN packet, the OpenFlow controller sends a higher-priority flow table entry to the OpenFlow forwarding device; the matching rule of this flow table entry includes:
  • the source IP address is the source IP address of the TCP SYN packet
  • the destination IP address is the IP address of the OpenFlow controller
  • the packet type is TCP.
  • the action is to discard the packet matching the matching rule.
  • once the OpenFlow forwarding device has received it, subsequently received packets match the higher-priority flow table entry.
  • the Openflow controller saves the flow table entry generation rule defined by Z1, and may send it to other Openflow forwarding devices.
  • the Flow Template Identifier indicates the ID of the flow table template, and its value is unique.
  • the Flow Template Description is a flow table entry generation rule defined by the flow table template.
  • Counters is a counter; each time a flow table entry is generated according to the flow table template, the current count value of this counter is incremented by one.
  • the hardware architecture of the Openflow forwarding device is exemplified by a multi-core CPU architecture (control core and forwarding core coexist). See Figure 6 for the networking diagram. The detailed process is shown in Figure 7, including:
  • Step 201 The application server sends a security requirement to the Openflow controller through an NBI (North Bound Interface) of the Openflow controller.
  • the security requirement may include, but is not limited to, the following kinds of information: the type of stream concerned, for example TCP connection-setup packets or packets whose TTL (Time To Live) is 0; and the characteristic to be set for such a stream, such as a basic rate limit value;
  • Step 202 The OpenFlow controller, according to the security requirement sent by the application server, sends boot flow table entry X2 and flow table template Y2 to the OpenFlow forwarding device;
  • after receiving boot flow table entry X2 and flow table template Y2, the OpenFlow forwarding device sends boot flow table entry X2 to the forwarding core and saves flow table template Y2 in the control core.
  • Step 203 The terminal user A2 sends a TCP packet to the application server at a certain rate.
  • when the forwarding core of the OpenFlow forwarding device hits boot flow table entry X2, it sends a query message to the control core carrying the packet and the ID of flow table template Y2; the control core queries flow table template Y2 according to this information, generates flow table entry Z2 and sends it to the forwarding core.
  • the matching rule of flow table entry Z2 includes: the source IP address is the source IP address of the TCP packet, the destination IP address is the IP address of the application server, and the packet type is TCP or TCP SYN; the action is to send packets matching the matching rule through the corresponding outbound interface while limiting their sending rate;
  • Step 205 The OpenFlow forwarding device sends the TCP packets sent by the terminal user through the corresponding outbound interface according to flow table entry Z2 while limiting their sending rate, and sends a flow entry add message to the OpenFlow controller carrying the information of flow table entry Z2.
  • the Openflow forwarding device caches or discards the packets exceeding the rate.
  • the forwarding of the TCP packets by other OpenFlow forwarding devices is the same as in steps 201-205, or the OpenFlow controller, predicting the attack source, sends a higher-priority precise flow table entry to limit the rate.
  • Step 206 After receiving the TCP packets sent by the terminal user, the application server determines whether the terminal user is sending normal TCP packets or an attack, and/or determines the identity information of the terminal user.
  • the data packets sent by the application server to the terminal user are forwarded according to the flow table information in the OpenFlow pipeline, for which the OpenFlow controller sends the corresponding flow table entries to the OpenFlow forwarding devices along the path.
  • Step 207 The application server sends authorization information to the OpenFlow controller according to the TCP packet type and/or the authentication result of the terminal user: if the application server determines that the TCP packets are normal TCP packets and/or that the terminal user is a legitimate user, it requires the OpenFlow controller to cancel or relax the rate limit on the TCP packets; if it determines that the TCP packets are TCP half-open connection attack packets, it requires the OpenFlow controller to send a flow entry to the OpenFlow forwarding device that discards the TCP packets sent by the terminal user to the application server;
  • the OpenFlow controller sends a control message to the OpenFlow forwarding device requiring it to delete the generated flow table entry Z2, or sends a higher-priority flow table entry to the OpenFlow forwarding device.
  • Step 209 The OpenFlow forwarding device performs flow table entry operations and traffic forwarding according to the control message sent by the OpenFlow controller.
  • depending on the authorization information from the application server, the higher-priority flow table entry either does not limit the sending rate of the TCP packets or carries a rate-limit parameter that limits the sending rate of the TCP packets on demand.
  • the hardware architecture of the Openflow forwarding device is OF
  • the matching rule of boot flow table entry X3 includes the source address being the private network address or network segment of the user together with the user-side interface information, and the action of the boot flow table entry is to query the flow table template; the flow table entry generation rule defined by flow table template Y3-0 includes the user's NAT public address pool and the allocation of a flow table entry to the user (representing the address translation rule for packets sent by the user to the network-side address), and the flow table entry generation rule defined by flow table template Y3-1 includes assigning another flow table entry to the user (representing the address translation rule for packets sent by the network-side address to the user);
  • the OpenFlow forwarding device sends boot flow table entry X3 to the OF forwarding plane, and flow table templates Y3-0 and Y3-1 are saved in the OF-Agent;
  • Step 304 After receiving the first UDP packet sent by A3, the OpenFlow forwarding device hits boot flow table entry X3 and then queries flow table template Y3-0 according to the action of X3; according to the flow table entry generation rule defined by Y3-0 and the packet information, it allocates a public network IP address, or a public network IP address and port number, to private network host A3 and generates flow table entry Z31 (corresponding to the address translation rule for packets sent by the user to the network-side address). Because Y3-0 is cascaded with Y3-1, the generated entry is filled with metadata in the format agreed between Y3-0 and Y3-1; after Z31 is generated, the packet continues to be processed by Y3-1, which generates Z32 (corresponding to the address translation rule for packets sent by the network-side address to the user) according to the flow table entry generation rule defined by Y3-1, the packet information and the metadata.
  • the OF-Agent queries the flow table template and/or the cascaded flow table template, allocates a public network IP address, or a public network IP address and port number, according to the foregoing information, generates flow table entries Z31 and Z32, and sends them to the OF forwarding plane.
  • the matching rule of flow table entry Z32 includes: a destination IP address, a destination port number and a protocol type; the action is to convert the destination IP address into the assigned public network IP address, optionally also translating the destination port to the assigned port number, and to send the converted packet through the corresponding outbound interface.
  • Step 305 The OpenFlow forwarding device performs NAT on the TCP/UDP packets between A3 and the network-side device according to flow table entries Z31 and Z32, forwards them through the corresponding outbound interface, and sends the information of Z31 and Z32 to the OpenFlow controller through a flow entry add message.
  • the description of the flow table template differs with the description method; taking an XML application scenario as an example, if it is implemented as an extension of the OpenFlow protocol it needs to be converted into a corresponding data structure.
  • an embodiment of the present invention further discloses an OpenFlow forwarding device, as shown in FIG. 10, including:
  • the receiving module 1001 is configured to receive a boot flow table entry and a flow table template sent by the OpenFlow controller, where the action information of the boot flow table entry includes the preset flow table template ID, and to receive data packets;
  • the generating module 1002 is configured to: after the receiving module receives a data packet, if the data packet matches the boot flow table entry received by the receiving module, search for the corresponding flow table template according to the flow table template ID preset in the action information of the boot flow table entry, and generate a flow table entry according to the flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
  • the device further includes a sending module:
  • the sending module 1003 is configured to: send the flow table entry generated by the generating module to the Openflow controller by using an extended flow entry adding message.
  • the sending module 1003 is configured to process and forward the data packet according to the flow table entry generated by the generating module.
  • the matching rule of the boot flow table entry includes: the destination address is an IP address of the protected device; and the data packet matching hits the boot flow table entry, specifically:
  • the destination address of the data packet is an IP address of the protected device.
  • the flow table entry generation rule defined by the flow table template is to limit the rate of packets sent from the source IP address to the protected device.
  • the generating module 1002 is configured to generate the flow table entry, where the matching rule of the flow table entry includes: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device; the action information is to send data packets matching the matching rule to the protected device and to limit the sending rate using a meter table entry.
  • the matching rule of the boot flow table entry includes: the source address belongs to the private network address segment of a class of users; the data packet matching and hitting the boot flow table entry specifically includes:
  • the source address of the data is one of the private network address segments.
  • the receiving module 1001 is further configured to: receive a second flow table template sent by the Openflow controller;
  • the second flow table template is cascaded with the flow table template, and the second flow table template is defined, optionally
  • the generating module 1002 is further configured to: generate the second flow table entry according to the generated flow table entry, in combination with the second flow table template;
  • the sending module 1003 is further configured to: send the generated second flow table entry to the Openflow controller by using a flow entry add message.
  • controller further includes:
  • the flow table entry generation rule defined by the flow table template is an address translation rule of a message sent by the user side to the network side.
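As an added example (not code from the patent or its assignee), the following Python simulation walks the cycle described in the embodiments above: a boot entry whose action names a template, template-driven generation of Z1 (per-source TCP SYN rate limit toward the controller) and of the cascaded NAT pair Z31/Z32 with metadata passed between Y3-0 and Y3-1, the flow entry add report, and the controller's choice of silent acceptance, rejection or a higher-priority drop entry. The dict-based packet encoding, port names, addresses, template IDs and the controller's attack-detection policy are assumptions.

```python
# Added example (not the patent's or the assignee's code); names, encodings and policies are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Union

Packet = Dict[str, object]
CONTROLLER_IP = "10.0.0.1"                                         # constructed controller address
PUBLIC_POOL = [("203.0.113.10", p) for p in range(40000, 40003)]   # constructed NAT address pool
KNOWN_ATTACKERS = {"198.51.100.7"}   # assumption: stands in for the controller's attack detection

@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]    # header field -> required value; a "<field>_net" key is a prefix
    actions: Dict[str, object]  # {"output": ...} or, for a boot entry, {"template": <template ID>}
    def matches(self, pkt: Packet) -> bool:
        return all(ip_address(str(pkt.get(k[:-4], "0.0.0.0"))) in ip_network(str(v))
                   if k.endswith("_net") else pkt.get(k) == v for k, v in self.match.items())

@dataclass
class FlowTemplate:
    description: str                                # Flow Template Description (the generation rule)
    generate: Callable[[Packet, dict], FlowEntry]   # the rule as code: (packet, metadata) -> entry
    cascade: Optional[int] = None                   # ID of a cascaded template (Y3-0 -> Y3-1)
    counter: int = 0                                # Counters: entries generated from this template

def controller_on_flow_add(entry: FlowEntry, saved: List[FlowEntry]) -> Union[None, str, FlowEntry]:
    """Controller's reply to a flow entry add: None (accept), "reject", or a higher-priority entry."""
    saved.append(entry)                             # saved so the rule can be pushed to other devices
    if entry.match.get("ip_src") in KNOWN_ATTACKERS:
        return FlowEntry(entry.priority + 10, dict(entry.match), {"output": "drop"})
    return None

class ForwardingDevice:
    def __init__(self, report: Callable[[FlowEntry], Union[None, str, FlowEntry]]):
        self.report, self.table, self.templates = report, [], {}   # report = flow entry add message

    def install(self, entry: FlowEntry) -> None:
        self.table = sorted(self.table + [entry], key=lambda e: -e.priority)   # highest priority first

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        return next((e for e in self.table if e.matches(pkt)), None)

    def generate_from_template(self, template_id: Optional[int], pkt: Packet) -> None:
        metadata: dict = {}                         # shared along the cascade (Y3-0 -> Y3-1)
        while template_id is not None:              # one generated entry per template (Z31, then Z32)
            tpl = self.templates[template_id]
            entry = tpl.generate(pkt, metadata)
            tpl.counter += 1
            self.install(entry)
            reply = self.report(entry)
            if reply == "reject":                   # controller demands deletion of the entry
                self.table.remove(entry)
            elif isinstance(reply, FlowEntry):      # controller overrides with its own entry
                self.install(reply)
            template_id = tpl.cascade

    def handle(self, pkt: Packet) -> str:
        """Return the output applied to the packet: "drop", "controller", "wan" or "lan"."""
        entry = self.lookup(pkt)
        if entry is not None and "template" in entry.actions:   # boot entry hit: generate, re-match
            self.generate_from_template(int(entry.actions["template"]), pkt)
            entry = self.lookup(pkt)
        if entry is None or "template" in entry.actions:        # miss, or generated entry rejected
            return "drop" if entry is None else "controller"    # assumption: fall back to packet-in
        return str(entry.actions["output"])

def syn_rate_limit_rule(pkt: Packet, _meta: dict) -> FlowEntry:
    """Template Y1: meter TCP SYN from this source to the controller (entry Z1)."""
    match = {"ip_src": pkt["ip_src"], "ip_dst": CONTROLLER_IP, "tcp_syn": True}
    return FlowEntry(20, match, {"output": "controller", "meter": 1})

def nat_out_rule(pkt: Packet, meta: dict) -> FlowEntry:
    """Template Y3-0: allocate a public IP/port and translate user -> network packets (Z31)."""
    if not PUBLIC_POOL:
        raise RuntimeError("NAT public address pool exhausted")   # edge case a real rule must handle
    meta["public"], meta["private"] = PUBLIC_POOL.pop(0), (pkt["ip_src"], pkt["port_src"])
    return FlowEntry(20, {"ip_src": pkt["ip_src"], "port_src": pkt["port_src"]},
                     {"output": "wan", "set_src": meta["public"]})

def nat_in_rule(_pkt: Packet, meta: dict) -> FlowEntry:   # Template Y3-1: network -> user entry Z32
    pub_ip, pub_port = meta["public"]                     # built from the metadata left by Y3-0
    return FlowEntry(20, {"ip_dst": pub_ip, "port_dst": pub_port}, {"output": "lan", "set_dst": meta["private"]})

def run_scenarios() -> Dict[str, object]:
    saved: List[FlowEntry] = []                     # what the controller has saved from reports
    dev = ForwardingDevice(lambda e: controller_on_flow_add(e, saved))
    dev.templates = {1: FlowTemplate("rate-limit TCP SYN to the controller per source", syn_rate_limit_rule),
                     30: FlowTemplate("NAT user -> network", nat_out_rule, cascade=31),
                     31: FlowTemplate("NAT network -> user", nat_in_rule)}
    dev.install(FlowEntry(10, {"ip_dst": CONTROLLER_IP, "tcp_syn": True}, {"template": 1}))          # X1
    dev.install(FlowEntry(10, {"in_port": "lan", "ip_src_net": "192.168.1.0/24"}, {"template": 30}))  # X3
    syn_attack = dict(in_port="wan", ip_src="198.51.100.7", ip_dst=CONTROLLER_IP, tcp_syn=True)   # constructed
    syn_ok = dict(in_port="wan", ip_src="198.51.100.8", ip_dst=CONTROLLER_IP, tcp_syn=True)
    lan_out = dict(in_port="lan", ip_src="192.168.1.5", port_src=5555, ip_dst="198.51.100.20", port_dst=53)
    wan_in = dict(in_port="wan", ip_src="198.51.100.20", port_src=53, ip_dst="203.0.113.10", port_dst=40000)
    return {"syn_attack": dev.handle(syn_attack), "syn_ok": dev.handle(syn_ok), "lan_out": dev.handle(lan_out),
            "wan_in": dev.handle(wan_in), "counters": tuple(t.counter for t in dev.templates.values()),
            "rules_saved_by_controller": len(saved)}
```

Calling run_scenarios() once yields the known attacker's SYN dropped by the controller's override entry, the benign SYN metered toward the controller, the LAN packet leaving via Z31 and its reply returning via the cascaded Z32.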

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A flow table entry generation method and corresponding device, the method being used for an openflow forwarding device and comprising: receiving a guide flow table entry and a flow table template transmitted by an openflow controller, the action information of the guide flow table entry comprising a preset flow table template ID; after receiving a data packet, if the data packet matches the guide flow table entry, then searching for a corresponding flow table template according to the preset flow table template ID in the action information of the guide flow table entry, and generating a flow table entry according to a flow table entry generation rule defined by the corresponding flow table template and the key field information of the data packet. The technical solution enhances the security of an openflow protocol, and expands the application scenario and usability of an openflow/SDN network.

Description

Flow table entry generation method and corresponding device
Technical field
The present invention relates to the field of flow table entry generation technology, and in particular to a flow table entry generation method and corresponding device.
Background
Today's Internet, based on the Transmission Control Protocol (TCP)/IP, has achieved enormous success over more than forty years of development, is closely bound up with people's lives, and has become one of the indispensable infrastructures for work, study and daily life. Because of the division of labor and organizing principle adopted at the outset of its design, "simple processing in the network and network equipment, complex processing handed to the host side", the TCP/IP-style Internet has arrived at its present architectural situation: on the host side, application layer protocols can be modified and deployed conveniently and flexibly, so application layer software has developed by leaps and bounds and application layer functionality has been greatly enriched; in sharp contrast, the network layer protocols, although simple in design, scale poorly and are not easy to modify. As a result, on the one hand, many fatal vulnerabilities exposed at the Internet's network layer have long been difficult to patch and improve: network management is hard to deploy, network security problems grow ever more serious, best-effort forwarding cannot meet users' quality-of-service requirements, multicast is hard to deploy and apply, and so on. On the other hand, new protocols and new applications are hard to realize because they demand changes to the network layer: the transition from IPv4 to IPv6 is difficult; access devices increasingly exhibit ubiquitous mobility and heterogeneity, challenging network reliability and differentiated-service capability; routing faces scalability problems in large-scale networks; applications such as cloud computing and content distribution place new demands on forwarding efficiency; and Vinton G. Cerf, the father of TCP/IP, has also pointed out that the Internet should do better in network security and network reliability ("security and reliability are the two most basic thresholds on the way to the future Internet; otherwise this architecture will not survive"). The Internet has therefore arrived at the awkward situation of "an application layer that is flexible, ever-changing and blooming in a hundred ways, and a network layer that is rigid, hard to change and riddled with holes". To resolve the problems and the predicament it currently faces, the Internet needs deep discussion, research and reform at the levels of network architecture and control, so as to fully meet the new opportunities and great challenges of the twenty-first century.
On how to resolve the problems and challenges facing the current Internet, research institutions at home and abroad have carried out a great deal of active exploration and research at the level of Internet architecture. This has passed mainly through two stages of development, and improvements to the Internet can be divided into two kinds: evolutionary improvement and revolutionary improvement.
For many years, the many problems exposed by traditional IP networks in quality-of-service guarantees, mobility support, efficiency and reliability, and security have generally been addressed in the research community by designing targeted patches for each problem: as soon as a weakness or defect is found in the running network it is fixed, for example by adding new protocols and functional components to the traditional Internet architecture. This "patch -> find a problem -> patch again" approach takes the existing TCP/IP architecture as its basis and evolves the existing network step by step, adding new functions and features to solve the problems at hand; it is an evolutionary improvement. Its advantage is that it is easy to deploy and implement and protects the investment already made in the existing Internet. Its drawbacks are: (1) a given patch only solves a local problem within a small scope; (2) an improvement may bring short-term gains but be harmful in the long run, as with NAT (Network Address Translation), or a local gain may be harmful to the whole; (3) a given patch may not be easily "compatible" with future modifications; (4) after many patches the Internet becomes ever "heavier", more complex and less flexible, beyond what the simple architecture originally designed for the Internet can bear; (5) some problems inherent in the traditional Internet architecture are hard to solve at the root. Since 2005 another view has gradually formed in the research community: only by redesigning the network architecture can the problems facing IP networks be solved fundamentally, and now is a good time for a complete "clean-slate" (from scratch) overhaul of the Internet architecture, discarding the existing architecture entirely and designing a completely new next-generation Internet architecture that integrates multiple design goals. This approach aims to solve the various problems of the existing Internet architecture at the root; it is a revolutionary improvement. Its advantages are: (1) it can break free of the constraints of the TCP/IP architecture, stepping outside its restrictions and framework, to solve the legacy problems the Internet's architecture has caused over the years;
(2) the Internet can be redesigned afresh and comprehensively, solving its many problems in a coordinated way and planning the implementation of its many new requirements as a whole. The drawbacks of this approach are: (1) since the completely new network may not be compatible with the existing Internet and the original network infrastructure has to be replaced entirely, there are problems of network deployment and smooth transition; (2) there is considerable risk in how to build the new architecture and in whether the architecture built will actually solve the problems facing current and future networks;
(3) a test network suited to the completely new architecture has to be built from scratch, so the cost of evolution is high.
To solve the problems of today's Internet and allow new network protocols to be deployed quickly and flexibly, open programmable networks have been proposed. An open programmable network is one that allows network researchers, not just equipment vendors, to program network devices and manage their network architecture or network protocols. The open programmable approach is one of the representative results of the revolutionary school and can be summarised as follows: the existing monolithic, complex MAN (Metropolitan Area Network)/WAN (Wide Area Network), in which multiple function-specific networks coexist, or its network devices, are divided by function, for example into a data forwarding part and a logic control part, or a system core part and a user function part. The interfaces between the parts are open and standardised. On the basis of these open, standardised interfaces each part can evolve and improve on its own without notifying or affecting the other parts, so that the network or network device as a whole also evolves and improves independently and smoothly. The challenges facing the open programmable approach are: (1) the layering of the network must be reasonable, sound and scalable; (2) sound, scalable interfaces between the layers must be defined; (3) if the control plane is managed centrally, inter-domain connectivity and scalability (for example to global scale) must be considered.
In research on open programmable networks, Software Defined Networking (SDN), proposed by Scott Shenker and others at Berkeley, and the OpenFlow protocol from Stanford are representative results of research on network openness. Figure 1 is a schematic diagram of the layered model of SDN/OpenFlow, which has three layers: the infrastructure layer, the network control layer and the application layer. The infrastructure layer of an SDN/OpenFlow network consists of one or more forwarding devices; compared with the routers, switches and various gateways in today's networks, a forwarding device is simpler in structure and has no complex control plane, its main job being to forward data flows. The main device in the network control layer is the network operating system (also called the SDN/OpenFlow controller), which controls multiple forwarding devices at the same time through a standardised interface. It replaces the control plane that used to reside independently in each forwarding device, and even today's network management system, so that network management and end-to-end delivery of data flow rules (that is, delivering flow rules to the multiple forwarding devices along a forwarding path) can be achieved; the network operating system also interacts with the application layer through an application programming interface (API). The application layer consists of different applications, which can directly invoke the network management and control functions of the network control layer through the API.
As with the deployment of other revolutionary improvements, an operator network is bound to run into problems of all kinds as it evolves towards the SDN/OpenFlow architecture, and security is one of the most important of them. In addition, adaptability to the various technologies in live networks is an important indicator of whether a new technology is in line with the direction of network development. As shown in Figure 2, in an actual SDN/OpenFlow network the network control layer devices (such as the SDN/OpenFlow controller) and the infrastructure layer devices (that is, the forwarding devices) interact through IP-address-based protocol messages (for example the OpenFlow protocol). Data traffic between network terminals, between a network terminal and an application server, and between application servers is forwarded between the forwarding devices by means of flow tables. The flow table entry for every flow is generated by the SDN/OpenFlow controller and delivered to the forwarding device; a forwarding device sends every data packet that does not hit a flow table entry it currently stores up to the SDN/OpenFlow controller for flow table lookup and generation, and must wait for the SDN/OpenFlow controller to deliver the new flow table entry before it can forward that packet. This packet forwarding mode brings the following problems:
1. Security: for packets sent by an attack source on the forwarding plane (such as a malicious terminal) to attack the SDN/OpenFlow controller or an application server, the forwarding device sends all of the attack packets to the SDN/OpenFlow controller until it receives a flow table entry. If the attack packets are sent at a high rate, the path between the forwarding device and the SDN/OpenFlow controller may become congested, degrading the delivery of other control messages between the forwarding device and the control device (such as flow table queries and configuration delivery). Moreover, the current flow table delivery mechanism cannot protect the application server before the attack packets reach it: until the application server detects the attack and sends a security policy over the interface between the application layer and the SDN/OpenFlow controller, and the SDN/OpenFlow controller forms a new flow table entry and delivers it to the forwarding device, every attack packet the attack source aims at the application server is delivered to the application server;
2. Adaptability: for service scenarios such as NAT, the current control process of sending traffic up to the controller, generating flow table entries and delivering them is long, which has a considerable impact on forwarding delay and efficiency. For example, in a NAT scenario, after a forwarding device receives a data packet from a user's private network terminal, any packet that does not hit a flow table entry stored on the device must first be sent to the SDN/OpenFlow controller, which assigns the public address and port number, establishes the address mapping, generates the corresponding flow table entry and delivers it. In today's scenarios where each user has a large number of sessions being created and released frequently (such as P2P (peer-to-peer) applications), forwarding efficiency is low; in future networks where IPv4 and IPv6 coexist for a long time and private IPv4 addresses remain in large-scale use, this forwarding mode needs further optimisation.
Summary of the Invention
The technical problem addressed by the embodiments of the present invention is to provide a flow table entry generation method and corresponding device that improve the timeliness and adaptability of the packet forwarding mode while improving the security of the SDN/OpenFlow network.
To solve the above problem, the following technical solutions are adopted:
A flow table entry generation method, applied to an OpenFlow forwarding device, comprising: receiving a guide flow table entry and a flow table template sent by an OpenFlow controller, wherein the Action information of the guide flow table entry includes a preset flow table template ID;
after receiving a data packet, if the data packet matches (hits) the guide flow table entry, looking up the flow table template corresponding to the flow table template ID preset in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by that flow table template and the key field information of the data packet.
Optionally, the method further comprises:
sending the generated flow table entry to the OpenFlow controller through an extended flow entry add message.
Optionally, the step of sending the generated flow table entry to the OpenFlow controller through the flow entry add message comprises:
the OpenFlow forwarding device sending the information of the flow table entry through the flow entry add message in real time or in batches.
Optionally, the method further comprises:
processing and forwarding the data packet according to the generated flow table entry.
Optionally, the matching rule of the guide flow table entry comprises: the destination address is the IP address of a protected device;
the step of the data packet matching the guide flow table entry comprises:
the destination address of the data packet being the IP address of the protected device.
Optionally, the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device;
the step of generating a flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet comprises:
generating the flow table entry, wherein the matching rule of the flow table entry comprises: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device, and the Action information is to send data packets matching this matching rule to the protected device and to limit the sending rate using a meter table entry.
Optionally, the matching rule of the guide flow table entry comprises: the source address is the private network address segment of a class of users;
the step of the data packet matching the guide flow table entry comprises:
the source address of the data packet being one of the addresses in the private network address segment.
Optionally, the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side;
the step of generating a flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet comprises:
generating the flow table entry, wherein the matching rule of the flow table entry comprises the private network address of the data packet, and the Actions comprise translating the private network address into an allocated public network address and sending the translated packet through the corresponding outbound interface.
Optionally, the method further comprises:
receiving a second flow table template sent by the OpenFlow controller, wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is the address translation rule for packets sent from the network side to the user side.
Optionally, the method further comprises:
generating a second flow table entry from the generated flow table entry in combination with the second flow table template;
wherein the matching rule of the second flow table entry comprises the allocated public network address, and the Action information is to translate the public network address into the corresponding private network address and send the translated packet through the corresponding outbound interface.
Optionally, the private network address comprises a private network IP address;
the public network address comprises a public network IP address, or a public network IP address and port information.
Optionally, the method further comprises:
sending the generated second flow table entry to the OpenFlow controller through a flow entry add message.
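The forwarding-device side of the method claimed above, and repeated in the embodiment description later on this page, in one added Python simulation: a guide flow table entry whose Action carries a template ID, local generation of a concrete entry from the template's rule plus the packet's key fields, the rate-limit template that protects a device, and the cascaded user-to-network and network-to-user NAT templates, with every generated entry recorded as a flow entry add message for the controller. This is example code written for this page, not the patent's or the applicant's implementation; the `FlowEntry`/`FlowTemplate` data model, the `ForwardingDevice` class, the template kinds `rate_limit` and `nat_out`, the port, meter and interface numbers, the public port pool starting at 40000 and all addresses are constructed assumptions.

```python
"""Added example (not the patent's code): a forwarding device that generates
flow table entries locally from a guide entry plus a flow table template."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowEntry:
    match: dict      # match fields, e.g. {"dst_ip": "203.0.113.10"} or {"src_net": "192.168.1.0/24"}
    actions: dict    # a guide entry carries {"template_id": N}; generated entries carry real actions
    priority: int = 0


@dataclass
class FlowTemplate:
    template_id: int
    kind: str        # "rate_limit" (protect a device) or "nat_out" (user side -> network side)
    params: dict
    cascade: Optional["FlowTemplate"] = None   # second template, cascaded: network side -> user side


class ForwardingDevice:
    def __init__(self):
        self.flow_table = []       # FlowEntry list; highest priority wins on lookup
        self.templates = {}        # template_id -> FlowTemplate
        self.packet_in = []        # packets sent up to the controller on a table miss
        self.add_messages = []     # generated entries reported via the extended flow-entry-add message
        self._next_port = 40000    # public port pool for NAT (constructed assumption)

    def install_entry(self, entry):
        self.flow_table.append(entry)

    def install_template(self, tmpl):
        self.templates[tmpl.template_id] = tmpl
        if tmpl.cascade:
            self.templates[tmpl.cascade.template_id] = tmpl.cascade

    @staticmethod
    def _matches(entry, pkt):
        for field, value in entry.match.items():
            if field == "src_net":
                if ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(value):
                    return False
            elif pkt.get(field) != value:
                return False
        return True

    def lookup(self, pkt):
        hits = [e for e in self.flow_table if self._matches(e, pkt)]
        return max(hits, key=lambda e: e.priority) if hits else None

    def _generate(self, tmpl, pkt):
        """Apply the template's generation rule to the packet's key fields."""
        p = tmpl.params
        if tmpl.kind == "rate_limit":
            # match (source of this packet, protected IP); forward through a meter entry
            return [FlowEntry({"src_ip": pkt["src_ip"], "dst_ip": p["protected_ip"]},
                              {"output": p["out_port"], "meter_id": p["meter_id"]}, priority=10)]
        if tmpl.kind == "nat_out":
            pub_port, self._next_port = self._next_port, self._next_port + 1
            entries = [FlowEntry({"src_ip": pkt["src_ip"], "src_port": pkt["src_port"]},
                                 {"set_src": (p["public_ip"], pub_port), "output": p["wan_port"]},
                                 priority=10)]
            if tmpl.cascade:   # second entry from the cascaded template: public -> private
                entries.append(FlowEntry({"dst_ip": p["public_ip"], "dst_port": pub_port},
                                         {"set_dst": (pkt["src_ip"], pkt["src_port"]),
                                          "output": tmpl.cascade.params["lan_port"]}, priority=10))
            return entries
        raise ValueError(f"unknown template kind {tmpl.kind!r}")

    def process(self, pkt):
        entry = self.lookup(pkt)
        if entry is None:                   # miss: legacy behaviour, send the packet to the controller
            self.packet_in.append(pkt)
            return {"action": "packet_in"}
        if "template_id" in entry.actions:  # guide entry hit: generate locally, then report
            new = self._generate(self.templates[entry.actions["template_id"]], pkt)
            self.flow_table.extend(new)
            self.add_messages.extend(new)
            entry = new[0]
        return self._apply(entry, pkt)

    @staticmethod
    def _apply(entry, pkt):
        out, a = dict(pkt), entry.actions
        if "set_src" in a:
            out["src_ip"], out["src_port"] = a["set_src"]
        if "set_dst" in a:
            out["dst_dst" if False else "dst_ip"], out["dst_port"] = a["set_dst"]
        return {"action": "forward", "port": a["output"], "meter_id": a.get("meter_id"), "packet": out}
```

A packet that hits only the guide entry is forwarded immediately under the freshly generated entry instead of waiting for the controller; the next packet of the same flow hits the generated entry (priority 10 beats the guide entry) and produces no further add message, which is the point of the security case: the controller sees one report per source rather than every attack packet. The return traffic in the NAT case hits only the entry built from the cascaded second template, because its source is not in the private segment the guide entry matches.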
A flow table entry generation method, applied to an OpenFlow controller, comprising: sending a guide flow table entry and a flow table template to an OpenFlow forwarding device, wherein the Action information of the guide flow table entry includes a preset flow table template ID.
Optionally, the matching rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and/or
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device.
Optionally, the method further comprises:
after receiving a flow table entry sent by the OpenFlow forwarding device through a flow entry add message,
the OpenFlow controller not replying to the flow entry add message, which indicates that it accepts the local flow table entry generated by the OpenFlow forwarding device according to the flow table template; or
the OpenFlow controller sending a reject message to the OpenFlow forwarding device, requiring the OpenFlow forwarding device to delete the flow table entry generated according to the flow table template; or
the OpenFlow controller sending a higher-priority flow table entry to the OpenFlow forwarding device.
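The three controller responses just listed, as an added Python example that is not the patent's or the applicant's code: silence means the reported entry stands, a reject message makes the device delete it, and a higher-priority entry overrides it without deleting it. The reasons the controller picks a response here (a deny-list of sources and a per-source quota of device-generated entries), the message names `reject` and `flow_mod`, the `Controller` and `ForwardingDevice` classes and the addresses are constructed assumptions; the page only specifies the three outcomes.

```python
"""Added example (not the patent's code): the controller's three possible
responses to a flow entry reported by the forwarding device."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEntry:
    match: tuple      # sorted (field, value) pairs so entries compare and hash by content
    actions: tuple
    priority: int = 0


def entry(match, actions, priority=0):
    return FlowEntry(tuple(sorted(match.items())), tuple(sorted(actions.items())), priority)


class Controller:
    def __init__(self, blocked_sources=(), max_per_source=2):
        self.blocked = set(blocked_sources)   # constructed assumption: sources the operator has denied
        self.max_per_source = max_per_source  # constructed assumption: quota of generated entries per source
        self.accepted = {}                    # src_ip -> number of entries accepted so far

    def on_flow_entry_add(self, reported):
        """Return None (no reply = accept), ('reject', entry) or ('flow_mod', higher-priority entry)."""
        match = dict(reported.match)
        src = match.get("src_ip")
        if src in self.blocked:
            # override rather than delete: a higher-priority drop entry with the same match
            return ("flow_mod", entry(match, {"drop": True}, reported.priority + 10))
        if self.accepted.get(src, 0) >= self.max_per_source:
            return ("reject", reported)
        self.accepted[src] = self.accepted.get(src, 0) + 1
        return None


class ForwardingDevice:
    def __init__(self):
        self.flow_table = []

    def report(self, generated, controller):
        """Install the generated entry, send the flow entry add message, apply the answer."""
        self.flow_table.append(generated)
        response = controller.on_flow_entry_add(generated)
        if response is None:
            return "kept"
        kind, e = response
        if kind == "reject":
            self.flow_table = [x for x in self.flow_table if x != e]
            return "deleted"
        self.flow_table.append(e)           # the higher-priority entry now wins on lookup
        return "overridden"

    def effective(self, pkt):
        """The entry a packet would actually hit: highest priority among the matching ones."""
        hits = [e for e in self.flow_table if all(pkt.get(f) == v for f, v in e.match)]
        return max(hits, key=lambda e: e.priority) if hits else None
```

The override path is what gives the controller the last word without a round trip for every packet: the device keeps forwarding under its own rate-limited entry until the controller's higher-priority entry arrives, and from then on lookup selects the controller's entry.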
Optionally, the matching rule of the guide flow table entry comprises: the source address is a user's private network address segment; and/or
the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side.
Optionally, the private network address segment comprises private network IP addresses.
Optionally, the method further comprises:
sending a second flow table template to the OpenFlow forwarding device, wherein the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is the address translation rule for packets sent from the network side to the user side.
An OpenFlow forwarding device, comprising a receiving module and a generating module, wherein:
the receiving module is configured to receive a guide flow table entry and a flow table template sent by an OpenFlow controller, wherein the Action information of the guide flow table entry includes a preset flow table template ID, and is further configured to receive data packets;
the generating module is configured to: after the receiving module receives a data packet, if the data packet matches the guide flow table entry received by the receiving module, look up the flow table template corresponding to the flow table template ID preset in the Action information of the guide flow table entry, and generate a flow table entry according to the flow table entry generation rule defined by that flow table template and the key field information of the data packet.
Optionally, the device further comprises a sending module, wherein:
the sending module is configured to send the flow table entry generated by the generating module to the OpenFlow controller through an extended flow entry add message.
Optionally, the sending module is further configured to process and forward the data packet according to the flow table entry generated by the generating module.
Optionally, the matching rule of the guide flow table entry comprises: the destination address is the IP address of a protected device;
the generating module is configured to determine that the data packet matches the guide flow table entry as follows:
the destination address of the data packet is the IP address of the protected device.
Optionally, the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device;
the generating module is configured to generate the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet as follows:
generating the flow table entry, wherein the matching rule of the flow table entry comprises: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device, and the Action information is to send data packets matching this matching rule to the protected device and to limit the sending rate using a meter table entry.
Optionally, the matching rule of the guide flow table entry comprises: the source address is the private network address segment of a class of users;
the generating module is configured to determine that the data packet matches the guide flow table entry as follows:
the source address of the data packet is one of the addresses in the private network address segment.
Optionally, the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side;
the generating module is configured to generate the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet as follows:
generating the flow table entry, wherein the matching rule of the flow table entry comprises the private network address of the data packet, and the Actions comprise translating the private network address into an allocated public network address and sending the translated packet through the corresponding outbound interface.
Optionally, the receiving module is further configured to receive a second flow table template sent by the OpenFlow controller;
wherein the second flow table template is cascaded with the flow table template, and the second flow table template defines
Optionally, the generating module is further configured to generate a second flow table entry from the generated flow table entry in combination with the second flow table template;
wherein the matching rule of the second flow table entry comprises the allocated public network address, and the Action information is to translate the public network address into the corresponding private network address and send the translated packet through the corresponding outbound interface.
Optionally, the private network address comprises a private network IP address;
the public network address comprises a public network IP address, or a public network IP address and port information.
Optionally, the sending module is further configured to send the generated second flow table entry to the OpenFlow controller through a flow entry add message.
An OpenFlow controller, comprising a storage module and a sending module, wherein:
the storage module is configured to store a preconfigured guide flow table entry and flow table template, wherein the Action information of the guide flow table entry includes a preset flow table template ID;
the sending module is configured to send the guide flow table entry and the flow table template stored by the storage module to an OpenFlow forwarding device.
Optionally, the matching rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and/or
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device.
Optionally, the controller further comprises a receiving module, wherein:
the receiving module is configured to receive a flow table entry sent by the OpenFlow forwarding device through a flow entry add message;
the sending module is further configured to: after the receiving module receives the flow table entry, send a reject message to the OpenFlow forwarding device requiring the OpenFlow forwarding device to delete the flow table entry generated according to the flow table template; or, after the receiving module receives the flow table entry, send a higher-priority flow table entry to the OpenFlow forwarding device.
Optionally, the matching rule of the guide flow table entry comprises: the source address is a user's private network address segment; and/or
the flow table entry generation rule defined by the flow table template is the address translation rule for packets sent from the user side to the network side.
Optionally, the private network address segment comprises private network IP addresses.
Optionally, the sending module is further configured to send a second flow table template to the OpenFlow forwarding device, wherein the second flow table template is cascaded with the flow table template, and the second flow table template
The above technical solution implements the generation of flow table entries on the OpenFlow forwarding device according to a flow table entry template, which enhances the security of the OpenFlow protocol and at the same time extends the application scenarios and practicality of the OpenFlow/SDN network.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the topology of an SDN/OpenFlow network in the related art;
Figure 2 is a schematic diagram of a network topology in the related art;
Figure 3 is a schematic flowchart of the flow table entry generation method in an embodiment of the present invention;
Figure 4 is a schematic diagram of the topology of the first embodiment of the present invention;
Figure 5 is a flowchart of the first embodiment of the present invention;
Figure 6 is a schematic diagram of the topology of the second embodiment of the present invention;
Figure 7 is a flowchart of the second embodiment of the present invention;
Figure 8 is a schematic diagram of the topology of the third embodiment of the present invention;
Figure 9 is a flowchart of the third embodiment of the present invention;
Figure 10 is a schematic structural diagram of the OpenFlow forwarding device in an embodiment of the present invention;
Figure 11 is a schematic structural diagram of the OpenFlow controller in an embodiment of the present invention.
Preferred Embodiments of the Invention
The embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another arbitrarily.
In this embodiment, a flow table entry generation method, applied to an OpenFlow forwarding device and shown in Figure 3, comprises: receiving a guide flow table entry and a flow table template sent by an OpenFlow controller, wherein the Action information of the guide flow table entry includes a preset flow table template ID;
after receiving a data packet, if the data packet matches (hits) the guide flow table entry, looking up the corresponding flow table template according to the flow table template ID preset in the Action information of the guide flow table entry, and generating a flow table entry according to the flow table entry generation rule defined by that flow table template and the key field information of the data packet.
Optionally, the method further comprises:
sending the generated flow table entry to the OpenFlow controller through an extended flow entry add message.
Optionally, the step of sending the generated flow table entry to the OpenFlow controller through the flow entry add message comprises:
the OpenFlow forwarding device sending the information of the flow table entry through the flow entry add message in real time or in batches.
Optionally, the method further comprises:
processing and forwarding the data packet according to the generated flow table entry.
Optionally,
the matching rule of the guide flow table entry comprises: the destination address is the IP address of a protected device; and the data packet matching the guide flow table entry specifically comprises:
the destination address of the data packet being the IP address of the protected device.
Optionally,
the flow table entry generation rule defined by the flow table template is to rate-limit packets sent from any source IP address to the protected device;
generating the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically comprises:
generating the flow table entry, wherein the matching rule of the flow table entry comprises: the source IP address is the source IP address of the data packet and the destination IP address is the IP address of the protected device, and the Action information is to send data packets matching this matching rule to the protected device and to limit the sending rate using a meter table entry.
Optionally,
the matching rule of the boot flow table entry includes: the source address belongs to the private network address segment of a class of users; and the data packet matching the boot flow table entry specifically includes:
the source address of the data packet being one of the addresses in the private network address segment.
Optionally,
the flow table entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side;
generating the flow table entry according to the flow table entry generation rule defined by the flow table template and the key field information of the data packet specifically includes:
generating the flow table entry, where the matching rule of the flow table entry includes the private network address of the data packet, and the Actions include translating the private network address into an allocated public network address and sending the translated packet through the corresponding outbound interface.
Optionally, the method further includes:
receiving a second flow table template sent by the OpenFlow controller, where the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
Optionally, the method further includes:
generating a second flow table entry from the generated flow table entry in combination with the second flow table template;
where the matching rule of the second flow table entry includes the allocated public network address, and the Action information is to translate the public network address back into the corresponding private network address and send the translated packet through the corresponding outbound interface.
Optionally,
the private network address includes a private network IP address;
the public network address includes a public network IP address, or a public network IP address together with port information. Optionally, the method further includes: sending the generated second flow table entry to the OpenFlow controller through a flow entry add message.
In addition, an embodiment of the present invention further provides a flow table entry generation method applied to an OpenFlow controller, including:
sending a boot flow table entry and a flow table template to an OpenFlow forwarding device, where the Action information of the boot flow table entry includes the preset ID of the flow table template.
Optionally,
the matching rule of the boot flow table entry includes: the destination address is the IP address of a protected device; and/or
the flow table entry generation rule defined by the flow table template is to rate-limit the packets sent from any single source IP address to the protected device.
Optionally, the method further includes:
after receiving a flow table entry sent by the OpenFlow forwarding device through a flow entry add message,
the OpenFlow controller not replying to the flow entry add message, which signals acceptance of the local flow table entry that the OpenFlow forwarding device generated from the flow table template; or
the OpenFlow controller sending a reject message to the OpenFlow forwarding device, requiring it to delete the flow table entry generated from the flow table template; or the OpenFlow controller sending a higher-priority flow table entry to the OpenFlow forwarding device.
Optionally,
the matching rule of the boot flow table entry includes: the source address belongs to the private network address segment of the user; and/or
the flow table entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side.
Optionally, the private network address segment includes a private network IP address.
Optionally, the method further includes:
sending a second flow table template to the OpenFlow forwarding device, where the second flow table template is cascaded with the flow table template, and the flow table entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
Where a Layer 2 network device does not support the IPv6 RA (Router Advertisement) Guard security feature, the method of this embodiment can also be used to guard against gateway spoofing caused by an IPv6 host maliciously sending RA messages.
Three embodiments of the present invention, in different application scenarios, are described below.
Embodiment 1
This embodiment takes attack defense for the OpenFlow controller as the scenario, and an OpenFlow forwarding device whose hardware combines an ASIC forwarding plane with a CPU control plane, as an example. The networking diagram is shown in FIG. 4 and the detailed procedure in FIG. 5, including:
Step 101: the OpenFlow controller configures a local security policy to guard against TCP half-open connection (SYN flood) attacks; Step 102: the OpenFlow controller sends boot flow table entry X1 and flow table template Y1 to each OpenFlow forwarding device according to the local security policy.
Optionally, the matching rule of boot flow table entry X1 is: the destination address is the IP address of the OpenFlow controller and the packet type is TCP or TCP SYN (synchronize); the Action of the boot flow table entry is to query flow table template Y1; and the flow table entry generation rule defined by flow table template Y1 is to limit the rate of TCP or TCP SYN packets sent from any single source IP address to the OpenFlow controller.
Optionally, after receiving boot flow table entry X1 and flow table template Y1, the OpenFlow forwarding device installs boot flow table entry X1 in the ASIC forwarding plane and stores flow table template Y1 in the CPU control plane.
Step 103: attack source A1 sends TCP SYN packets to the OpenFlow controller at a certain rate, forming a TCP half-open connection type of network attack; Step 104: after receiving the first TCP SYN packet sent by attack source A1, the OpenFlow forwarding device performs flow table matching and hits boot flow table entry X1, queries flow table template Y1 according to the Action of X1, and generates flow table entry Z1 according to the flow table entry generation rule defined by Y1 and the source IP address of the attack packet;
Optionally, after the ASIC forwarding plane of the OpenFlow forwarding device hits boot flow table entry X1, it sends the packet together with the ID of flow table template Y1 up to the CPU control plane; the CPU control plane looks up the flow table template from this information, generates flow table entry Z1 according to the rule defined by the flow table template, and installs it in the ASIC forwarding plane.
Optionally, the matching rule of flow table entry Z1 includes: the source IP address is the source IP address of the above TCP SYN packet, the destination IP address is the IP address of the OpenFlow controller, and the packet type is TCP or TCP SYN; the Action is to send the packets matching this matching rule to the OpenFlow controller and limit their sending rate.
Step 105: the OpenFlow forwarding device sends the TCP SYN packets from attack source A1 to the OpenFlow controller according to flow table entry Z1 while limiting their sending rate, and sends a flow entry add message to the OpenFlow controller notifying it of the flow table entry generation rule defined by Z1.
Optionally, if the sending rate of the attack source is higher than the rate limit of flow table entry Z1, the OpenFlow forwarding device buffers or discards the packets that exceed the rate;
Optionally, after receiving the TCP SYN packet, if the OpenFlow controller determines that it is an attack packet, it sends a higher-priority flow table entry to the OpenFlow forwarding device, whose matching rule includes: the source IP address is the source IP address of the above TCP SYN packet, the destination IP address is the IP address of the OpenFlow controller, and the packet type is TCP; and whose Action is to discard the packets matching this matching rule. After receiving this flow table entry, the OpenFlow forwarding device matches subsequently received packets against this higher-priority flow table entry first.
In addition, after receiving the above flow entry add message, the OpenFlow controller saves the flow table entry generation rule defined by Z1 that the message carries, and may deliver it to other OpenFlow forwarding devices.
Optionally, the format of the flow table template differs slightly depending on the version of the OpenFlow protocol; a reference example format is shown in Table 1.

Table 1 Basic format of the flow table template

  Flow Template Identifier | Flow Template Description | Counters

Here, Flow Template Identifier is the ID of the flow table template, and its value is unique; Flow Template Description is the flow table entry generation rule defined by the flow table template; Counters is a counter whose current count is incremented by 1 each time a flow table entry is generated from this flow table template.
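The procedure of Embodiment 1 (boot entry X1, template Y1 with the Table 1 counter, the per-source entry Z1 with its meter, and the controller's three possible responses to the flow entry add message) as an added Python model. This is example code written for this page, not the patent's or any vendor's implementation, and it also illustrates the general device-side and controller-side methods stated earlier. The controller address 10.0.0.1, the attacker addresses, the 2 packets-per-second meter and all class and field names are assumptions; the meter is a token bucket standing in for an OpenFlow meter table entry, and the ASIC plane and CPU plane are plain lists.

```python
"""Added example: Embodiment 1 (SYN flood toward the controller) modelled in Python.
Boot entry X1 -> template Y1 -> per-source entry Z1 with a meter; the controller
may accept, reject or override Z1. Addresses, rates and names are assumptions."""
from dataclasses import dataclass
from typing import Optional

CONTROLLER_IP = "10.0.0.1"   # assumed address of the protected OpenFlow controller

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    syn: bool = True

@dataclass
class Meter:   # token bucket standing in for an OpenFlow meter table entry
    rate: float              # packets per second
    burst: int               # bucket depth
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def admit(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

@dataclass
class FlowEntry:
    priority: int
    match: dict                     # packet field -> required value
    action: str                     # "template:<id>", "forward" or "drop"
    meter: Optional[Meter] = None   # set on entries generated from a template

    def matches(self, p: Packet) -> bool:
        return all(getattr(p, k) == v for k, v in self.match.items())

@dataclass
class FlowTemplate:   # Table 1 layout: identifier, description (generation rule), counter
    template_id: int
    description: str
    rate: float
    burst: int
    counter: int = 0

    def generate(self, p: Packet) -> FlowEntry:
        self.counter += 1            # Counters column: one increment per generated entry
        return FlowEntry(priority=100, match={"src": p.src, "dst": p.dst, "proto": "tcp"},
                         action="forward", meter=Meter(self.rate, self.burst))

class ForwardingDevice:
    def __init__(self):
        self.asic: list = []          # ASIC forwarding plane: installed entries
        self.templates: dict = {}     # CPU control plane: templates by ID
        self.northbound: list = []    # messages sent up to the controller

    def install(self, e: FlowEntry) -> None:
        self.asic.append(e)
        self.asic.sort(key=lambda x: -x.priority)   # highest priority matched first

    def process(self, p: Packet, now: float) -> str:
        e = next((x for x in self.asic if x.matches(p)), None)
        if e is None:
            return "miss"
        if e.action.startswith("template:"):
            # boot entry hit: the ASIC punts packet + template ID to the CPU plane
            e = self.templates[int(e.action.split(":")[1])].generate(p)
            self.install(e)
            self.northbound.append(("flow_entry_add", e))   # extended add message
        if e.action == "drop":
            return "dropped"
        if e.meter is not None and not e.meter.admit(now):
            return "rate-limited"       # excess is buffered or discarded
        self.northbound.append(("packet", p))
        return "forwarded"

def controller_reaction(dev: ForwardingDevice, e: FlowEntry, verdict: str) -> None:
    """The three responses to a flow_entry_add message; "accept" means no reply at all."""
    if verdict == "reject":          # reject message: the device deletes the entry
        dev.asic.remove(e)
    elif verdict == "block":         # higher-priority drop entry wins from now on
        dev.install(FlowEntry(priority=200, match=dict(e.match), action="drop"))

def demo() -> dict:
    dev = ForwardingDevice()
    dev.templates[1] = FlowTemplate(1, "rate-limit TCP SYN per source", rate=2.0, burst=2)
    dev.install(FlowEntry(10, {"dst": CONTROLLER_IP, "proto": "tcp", "syn": True}, "template:1"))  # X1
    a1 = [Packet("192.0.2.7", CONTROLLER_IP) for _ in range(5)]   # attack source A1
    burst = [dev.process(p, now=0.0) for p in a1]                 # 2 pass, 3 limited
    later = dev.process(a1[0], now=1.0)                           # bucket refilled
    controller_reaction(dev, dev.northbound[0][1], "block")       # judged an attack
    after_block = dev.process(a1[0], now=2.0)
    dev.process(Packet("198.51.100.9", CONTROLLER_IP), now=2.0)   # second source
    return {"burst": burst, "later": later, "after_block": after_block,
            "template_counter": dev.templates[1].counter, "entries": len(dev.asic)}
```

Running demo() shows the first two SYNs from A1 reaching the controller, the next three being rate-limited by Z1's meter, the bucket refilling a second later, and, once the controller has pushed its priority-200 drop entry, every further packet from A1 being dropped before the meter is consulted; a second source hits X1 again and gets its own entry, so the template counter ends at 2.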
Embodiment 2
This embodiment concerns attack defense for an application server, with an OpenFlow forwarding device whose hardware is a multi-core CPU architecture (control cores and forwarding cores coexisting) as the example. The networking diagram is shown in FIG. 6 and the detailed procedure in FIG. 7, including:
Step 201: the application server sends its security requirements to the OpenFlow controller through the NBI (North Bound Interface) of the OpenFlow controller; the security requirements may include, but are not limited to, the following kinds of information: flow identifiers for a class of behavioural characteristics, for example TCP connection setup packets or packets with a TTL (Time To Live) of 0; and the characteristics to be configured for such flows, for example a base rate-limit value;
Step 202: the OpenFlow controller sends boot flow table entry X2 and flow table template Y2 to each OpenFlow forwarding device according to the security requirements sent by the application server;
Optionally, the matching rule of boot flow table entry X2 is: the destination address is the application server address and the packet type is TCP or TCP SYN; the Action of the boot flow table entry is to query the flow table template; and the flow table entry generation rule defined by flow table template Y2 is to limit the rate of TCP or TCP SYN packets sent from any single source IP address to the application server.
Optionally, after receiving boot flow table entry X2 and flow table template Y2, the OpenFlow forwarding device installs boot flow table entry X2 in the forwarding core and stores flow table template Y2 in the control core.
Step 203: end user A2 sends TCP packets to the application server at a certain rate; Step 204: after receiving the first TCP packet sent by A2, the OpenFlow forwarding device performs flow table matching and hits boot flow table entry X2, queries flow table template Y2 according to the Action of X2, and generates flow table entry Z2 according to the flow table entry generation rule defined by Y2 and the source IP address of the TCP packet;
Optionally, after the forwarding core of the OpenFlow forwarding device hits boot flow table entry X2, it sends a query message to the control core carrying the packet and the ID of flow table template Y2; the control core looks up flow table template Y2 from this information, generates flow table entry Z2 accordingly, and installs it in the forwarding core.
Optionally, the matching rule of flow table entry Z2 includes: the source IP address is the source IP address of the above TCP packet, the destination IP address is the IP address of the application server, and the packet type is TCP or TCP SYN; the Action is to send the packets matching this matching rule through the corresponding outbound interface and limit their sending rate;
Step 205: the OpenFlow forwarding device sends the TCP packets from the end user through the corresponding outbound interface according to flow table entry Z2 while limiting their sending rate, and sends a flow entry add message carrying the information of flow table entry Z2 to the OpenFlow controller.
Optionally, if the sending rate of the attack source is higher than the rate limit of flow table entry Z2, the OpenFlow forwarding device buffers or discards the packets that exceed the rate.
Optionally, if there are multiple OpenFlow forwarding devices between the end user and the application server, the other OpenFlow forwarding devices forward the TCP packets by the same process as steps 201 to 205; or, if the OpenFlow controller already knows the attack source, it sends higher-priority exact-match flow table entries to apply the rate limit.
Step 206: after receiving the TCP packets sent by the end user, the application server determines whether the end user is sending ordinary TCP packets or attack packets, and/or determines the identity information of the end user.
Optionally, during the packet exchange used to authenticate the end user to the application server, the data packets sent by the application server to the end user are forwarded according to the flow table information of the OpenFlow pipeline, with the OpenFlow controller sending the corresponding flow table entries to the OpenFlow forwarding devices along the path.
Step 207: the application server sends authorization information to the OpenFlow controller according to the TCP packet type and/or the authentication result for the end user. If the application server determines that the TCP packets are ordinary TCP packets and/or that the end user is a legitimate user, it asks the OpenFlow controller to cancel or relax the rate limit on the TCP packets; if it determines that the TCP packets are TCP half-open connection attack packets, it asks the OpenFlow controller to deliver a flow table entry that makes the OpenFlow forwarding device punitively discard the TCP packets sent by the end user to the application server;
Step 208: the OpenFlow controller, according to the authorization information from the application server, sends a control message to the OpenFlow forwarding device requiring it to delete the generated flow table entry Z2, or sends a higher-priority flow table entry to the OpenFlow forwarding device; Step 209: the OpenFlow forwarding device performs the flow table entry operations and traffic forwarding according to the control message sent by the OpenFlow controller.
Optionally, depending on the authorization information from the application server, the higher-priority flow table entry either removes the rate limit on the TCP packets or modifies the rate-limit parameters for the TCP packets as needed.
Embodiment 3
This embodiment concerns rapid generation of a network address translation session table, with an OpenFlow forwarding device whose hardware combines an OF (short for OpenFlow) forwarding plane with an OF-Agent as the example. The networking diagram is shown in FIG. 8 and the detailed procedure in FIG. 9, including:
Step 301: the OpenFlow controller configures the user's NAT public network address pool, port number range and matching rules according to local configuration rules or application requirements;
Optionally, the application requirements include the public network address translation requirements and/or matching rule requirements of the user's private network hosts; the user may send these requirements to the northbound interface of the OpenFlow controller through a dedicated NAT application;
Step 302: the OpenFlow controller sends boot flow table entry X3 and flow table templates Y3-0 and Y3-1 (where Y3-0 and Y3-1 are cascaded) to the corresponding OpenFlow forwarding device according to the security requirements of the application server;
Optionally, the matching rule of boot flow table entry X3 includes: the source address is the user's private network address or address segment, plus the user-side interface information; the Action of the boot flow table entry is to query the flow table template; the flow table entry generation rule defined by flow table template Y3-0 includes the user's NAT public network address pool and the allocation of one flow table entry for the user (representing the address translation rule for packets sent by the user to network-side addresses); and the flow table entry generation rule defined by flow table template Y3-1 includes the allocation of another flow table entry for the user (representing the address translation rule for packets sent from network-side addresses to the user);
Optionally, after receiving boot flow table entry X3 and flow table templates Y3-0 and Y3-1, the OpenFlow forwarding device installs boot flow table entry X3 in the OF forwarding plane and stores flow table templates Y3-0 and Y3-1 in the OF-Agent;
Step 303: private network host A3 sends UDP (User Datagram Protocol) packets to a network-side device at a certain rate;
Step 304: after receiving the first UDP packet sent by A3, the OpenFlow forwarding device performs flow table matching and hits boot flow table entry X3, queries flow table template Y3-0 according to the Action of X3, allocates a public network IP address, or a public network IP address and port number, to private network host A3 according to the flow table entry generation rule defined by Y3-0 and the packet information, and generates flow table entry Z31 (the address translation rule for packets sent by the user to network-side addresses). Because Y3-0 is cascaded with flow table template Y3-1, the metadata in the format agreed between Y3-0 and Y3-1 is filled in while Z31 is generated, and after Z31 is generated the packet is handed on to Y3-1 for processing. Z32 (the address translation rule for packets sent from network-side addresses to the user) is then generated according to the flow table entry generation rule defined by Y3-1, the packet information and the metadata.
Optionally, after the OF forwarding plane of the OpenFlow forwarding device hits boot flow table entry X3, it sends a query message to the OF-Agent carrying the packet and the ID of flow table template Y3-0; the OF-Agent looks up the flow table template and/or the cascaded flow table template from this information, allocates a public network IP address, or a public network IP address and port number, generates flow table entries Z31 and Z32, and sends them to the OF forwarding plane.
Optionally, the matching rule of flow table entry Z31 includes: source IP address, source port number and packet type; the Action is to translate the source IP address into the allocated public network IP address, possibly also translating the source port into the allocated port number, and to send the translated packet through the corresponding outbound interface.
Optionally, the matching rule of flow table entry Z32 includes: destination IP address, destination port number and packet type; the Action is to translate the destination IP address (the allocated public network IP address) back into the host's private network IP address, possibly also translating the destination port back into the host's original port number, and to send the translated packet through the corresponding outbound interface. Step 305: the OpenFlow forwarding device applies the NAT actions to the TCP/UDP packets between A3 and the network-side device according to flow table entries Z31 and Z32, forwards them through the corresponding outbound interfaces, and sends the information of Z31 and Z32 to the OpenFlow controller through flow entry add messages.
Optionally, after flow table entries Z31 and Z32 age out, the OpenFlow forwarding device reclaims the corresponding public network address and/or port number.
Optionally, where two or more flow table entries are generated at the same time, this may be implemented by cascading flow table templates: the meta data passed between the cascaded flow table templates is produced at the same time as the flow table entries, and is used mainly for the processing when flow table templates are cascaded.
Optionally, a flow table template can be described in different ways depending on the description method chosen. Taking XML as an example, for the NAT application scenario of this embodiment: if this is implemented as an extension of the OpenFlow protocol, it must be converted into the corresponding data structure.
<flow-template-entry>
  <id>1</id>
  <table-id>5</table-id>
  <cascade-template-id>2</cascade-template-id>
  <out-meta>
    <field>
      <id>1</id>
      <size>4</size>
      <desc>public-ip</desc>
    </field>
    <field>
      <id>2</id>
      <size>4</size>
      <desc>private-ip</desc>
    </field>
  </out-meta>
  [The remainder of this template (its match, Instructions and actions) and the beginning of the cascaded template with id 2 that follows it are garbled beyond recovery in the extracted text. Recognisable fragments include a set-nw-src action with type allocated and to-meta-field-id 1, a Goto-Table instruction with value 3, a match block, and an in-meta block mirroring the two fields above.]
        <value>3</value>
      </Goto-Table>
    </Instructions>
    <actions>
      <set-nw-dst>
        <type>metadata</type>
        <from-meta-field-id>2</from-meta-field-id>
      </set-nw-dst>
    </actions>
</flow-template-entry>
In the above example, the id of flow-template-entry is the ID of the flow table template; table-id indicates the flow table, identified by that table ID, for which this flow table template generates entries; cascade-template-id indicates that this flow table template is cascaded with the flow table template of the specified ID; and out-meta/in-meta define the format of the intermediate data passed between the two cascaded flow table templates.
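The XML template format explained above, together with the cascaded metadata hand-off of Embodiment 3 (Z31 for user-to-network packets, Z32 for network-to-user packets, and the reclaim of the public address and port after ageing), as an added Python example. It is written for this page and is not the patent's code. The XML text inside the block is constructed for the example and follows the element names shown above (flow-template-entry, id, table-id, cascade-template-id, out-meta/in-meta, field, set-nw-src/set-nw-dst, type allocated/metadata, to-/from-meta-field-id); how a template encodes its match fields is not recoverable from the page, so the match sets built below, the nw_src/tp_src/out_port field names, the public address 203.0.113.10, the port range and the 60-second idle timeout are all assumptions. Port translation is included because the text allows it ("possibly also translating the source port").

```python
"""Added example (not the patent's code): parse the XML flow table template format and
generate the cascaded NAT entries Z31/Z32 of Embodiment 3. Names are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

TEMPLATES_XML = """<flow-templates>
  <flow-template-entry>
    <id>1</id><table-id>5</table-id><cascade-template-id>2</cascade-template-id>
    <out-meta>
      <field><id>1</id><size>4</size><desc>public-ip</desc></field>
      <field><id>2</id><size>4</size><desc>private-ip</desc></field>
    </out-meta>
    <actions><set-nw-src><type>allocated</type><to-meta-field-id>1</to-meta-field-id></set-nw-src></actions>
  </flow-template-entry>
  <flow-template-entry>
    <id>2</id><table-id>3</table-id>
    <in-meta>
      <field><id>1</id><size>4</size><desc>public-ip</desc></field>
      <field><id>2</id><size>4</size><desc>private-ip</desc></field>
    </in-meta>
    <actions><set-nw-dst><type>metadata</type><from-meta-field-id>2</from-meta-field-id></set-nw-dst></actions>
  </flow-template-entry>
</flow-templates>"""

@dataclass
class Template:
    tid: int
    table_id: int
    cascade: Optional[int]   # next template in the chain, if any
    fields: dict             # meta field id -> desc ("public-ip" / "private-ip")
    action: str              # "set-nw-src" (user->network) or "set-nw-dst" (network->user)
    source: str              # "allocated": write the pool result to meta; "metadata": read meta
    meta_ref: int            # to-meta-field-id / from-meta-field-id

def parse_templates(xml_text: str) -> dict:
    out = {}
    for e in ET.fromstring(xml_text).findall("flow-template-entry"):
        meta = e.find("out-meta") if e.find("out-meta") is not None else e.find("in-meta")
        act = e.find("actions")[0]
        casc = e.findtext("cascade-template-id")
        ref = act.findtext("to-meta-field-id") or act.findtext("from-meta-field-id")
        out[int(e.findtext("id"))] = Template(
            int(e.findtext("id")), int(e.findtext("table-id")), int(casc) if casc else None,
            {int(f.findtext("id")): f.findtext("desc") for f in meta.findall("field")},
            act.tag, act.findtext("type"), int(ref))
    return out

@dataclass
class FlowEntry:
    table_id: int
    match: dict
    actions: dict
    last_seen: float

    def apply(self, pkt: dict) -> Optional[dict]:   # translated packet, or None on mismatch
        if any(pkt.get(k) != v for k, v in self.match.items()):
            return None
        return {**pkt, **self.actions}

def generate_session(templates: dict, boot_tid: int, pkt: dict, pub_ip: str,
                     free_ports: list, now: float) -> list:
    """Walk the cascade from boot_tid on a flow's first packet; returns [Z31, Z32]."""
    pub_port = free_ports.pop(0)            # IndexError once the configured pool is exhausted
    meta, entries, tid = {}, [], boot_tid
    while tid is not None:
        t = templates[tid]
        for fid, desc in t.fields.items():  # out-meta of the first template is filled here
            meta.setdefault(fid, {"public-ip": pub_ip, "private-ip": pkt["nw_src"]}[desc])
        if t.source == "allocated":
            meta[t.meta_ref] = pub_ip
        value = meta[t.meta_ref]            # "metadata": read what the previous template left
        if t.action == "set-nw-src":        # Z31: match the private side, rewrite the source
            match = {"nw_src": pkt["nw_src"], "tp_src": pkt["tp_src"], "proto": pkt["proto"]}
            actions = {"nw_src": value, "tp_src": pub_port, "out_port": "wan"}
        else:                               # Z32: match the public side, rewrite the destination
            match = {"nw_dst": pub_ip, "tp_dst": pub_port, "proto": pkt["proto"]}
            actions = {"nw_dst": value, "tp_dst": pkt["tp_src"], "out_port": "lan"}
        entries.append(FlowEntry(t.table_id, match, actions, now))
        tid = t.cascade
    return entries

def age_out(entries: list, free_ports: list, now: float) -> list:
    live = [e for e in entries if now - e.last_seen <= 60.0]   # assumed 60 s idle timeout
    for e in entries:
        if e not in live and "tp_dst" in e.match:   # the reverse entry holds the public port
            free_ports.append(e.match["tp_dst"])
    return live

def demo() -> dict:
    templates = parse_templates(TEMPLATES_XML)
    free_ports = [40000, 40001]             # port range from the controller's NAT config
    first = {"nw_src": "10.1.1.23", "tp_src": 5353, "nw_dst": "198.51.100.5", "tp_dst": 53, "proto": "udp"}
    z31, z32 = generate_session(templates, 1, first, "203.0.113.10", free_ports, now=0.0)
    outbound = z31.apply(first)             # A3 -> network side through Z31
    reply = {"nw_src": "198.51.100.5", "tp_src": 53, "nw_dst": outbound["nw_src"],
             "tp_dst": outbound["tp_src"], "proto": "udp"}
    inbound = z32.apply(reply)              # network side -> A3 through Z32
    live = age_out([z31, z32], free_ports, now=120.0)
    return {"tables": (z31.table_id, z32.table_id), "outbound": outbound,
            "inbound": inbound, "live": len(live), "free_ports": free_ports}
```

demo() produces Z31 in table 5 and Z32 in table 3; the first UDP packet leaves with source 203.0.113.10:40000, the reply addressed to that public tuple is rewritten back to 10.1.1.23:5353 by Z32 using the private-ip carried in meta field 2, and after both entries age out the port 40000 is returned to the pool. A session table that is not aged this way leaks public ports, which is why the reclaim step is tied to the reverse entry.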
The hardware architecture of the OpenFlow forwarding device and the application scenarios of the embodiments of the present invention may be freely combined according to the needs of the actual environment; the hardware architecture includes, but is not limited to, the several types in the above embodiments.
Correspondingly, an embodiment of the present invention further discloses an OpenFlow forwarding device, as shown in FIG. 10, including:
a receiving module 1001, configured to receive a boot flow table entry and a flow table template sent by the OpenFlow controller, where the Action information of the boot flow table entry includes the preset ID of the flow table template, and further configured to receive data packets;
a generating module 1002, configured to: after the receiving module receives a data packet, if the data packet matches (hits) the boot flow table entry received by the receiving module, look up the corresponding flow table template according to the flow table template ID preset in the Action information of the boot flow table entry, and generate a flow table entry according to the flow table entry generation rule defined by that flow table template and the key field information of the data packet.
Optionally, the device further includes a sending module:
a sending module 1003, configured to send the flow table entry generated by the generating module to the OpenFlow controller through an extended flow entry add message.
Optionally, the device further includes:
the sending module 1003 being further configured to process and forward the data packet according to the flow table entry generated by the generating module.
可选地 ,  Optionally,
所述引导流表条目的匹配规则包括: 目的地址为受保护设备的 IP地址; 所述数据报文匹配命中所述引导流表条目, 具体包括:  The matching rule of the boot flow table entry includes: the destination address is an IP address of the protected device; and the data packet matching hits the boot flow table entry, specifically:
所述数据报文的目的地址为所述受保护设备的 IP地址。  The destination address of the data packet is an IP address of the protected device.
可选地 ,  Optionally,
所述流表模板定义的流表条目生成规则为对任一源 IP地址向所述受保护 设备发送的报文进行限速;  The flow table entry generation rule defined by the flow table template is to limit the rate of the packets sent by the source IP address to the protected device;
所述生成模块 1002设置成:根据所述流表模板定义的流表条目生成规则 和所述数据报文的关键字段信息生成流表条目, 具体包括:  The generating module 1002 is configured to generate a flow table entry according to the flow table entry generation rule defined by the flow table template and the key segment information of the data packet, which specifically includes:
所述生成模块 1002设置成: 生成所述流表条目; 其中, 所述流表条目的 匹配规则包括: 源 IP地址为所述数据 ^艮文的源 IP地址、 目的 IP地址为所述 受保护设备的 IP地址, Action信息为向所述受保护设备发送与本匹配规则相 匹配的数据报文并利用测量表条目限制发送速率。  The generating module 1002 is configured to: generate the flow table entry; where the matching rule of the flow table entry includes: the source IP address is the source IP address of the data, and the destination IP address is the protected The IP address of the device, the Action information is to send a data message matching the matching rule to the protected device and use a measurement table entry to limit the sending rate.
可选地 ,  Optionally,
所述引导流表条目的匹配规则包括源地址为一类用户的私网地址网段; 所述数据报文匹配命中所述引导流表条目, 具体包括:  The matching rule of the boot flow table entry includes a private network address network segment whose source address is a type of user; the data packet matching hits the boot flow table entry, specifically including:
所述数据 4艮文的源地址为所述私网地址网段中的一个。  The source address of the data is one of the private network address segments.
可选地,  Optionally,
所述流表模板定义的流表条目生成规则为由用户侧发往网络侧的报文的 地址转换规则; The flow table entry generation rule defined by the flow table template is a packet sent by the user side to the network side. Address translation rules;
所述生成模块 1002设置成:根据所述流表模板定义的流表条目生成规则 和所述数据报文的关键字段信息生成流表条目, 具体包括:  The generating module 1002 is configured to generate a flow table entry according to the flow table entry generation rule defined by the flow table template and the key segment information of the data packet, which specifically includes:
所述生成模块 1002设置成: 生成所述流表条目; 其中, 所述流表条目的 匹配规则包括: 所述数据报文的私网地址, Actions包括将所述私网地址转换 为分配的公网地址, 并通过对应出接口发送转换后的报文。  The generating module 1002 is configured to: generate the flow table entry; where the matching rule of the flow table entry includes: a private network address of the data packet, and the Actions include converting the private network address into an allocated public address. The network address is sent and the translated packet is sent through the corresponding outbound interface.
可选地 ,  Optionally,
所述接收模块 1001还设置成: 接收所述 Openflow控制器发来的第二流 表模板;  The receiving module 1001 is further configured to: receive a second flow table template sent by the Openflow controller;
其中, 所述第二流表模板与所述流表模板级联, 所述第二流表模板定义 可选地 ,  The second flow table template is cascaded with the flow table template, and the second flow table template is defined, optionally
所述生成模块 1002还设置成: 根据生成的所述流表条目, 结合所述第二 流表模板生成所述第二流表条目;  The generating module 1002 is further configured to: generate the second flow table entry according to the generated flow table entry, in combination with the second flow table template;
其中, 所述第二流表条目的匹配规则包括: 所述分配的公网地址, Action 信息为将所述公网地址转换为对应的私网地址, 并通过对应出接口发送转换 后的报文。  The matching rule of the second flow table entry includes: the allocated public network address, and the action information is to convert the public network address into a corresponding private network address, and send the converted message through the corresponding outbound interface. .
可选地 ,  Optionally,
所述私网地址包括: 私网 IP地址;  The private network address includes: a private network IP address;
所述公网地址包括: 公网 IP地址, 或者, 公网 IP地址及端口信息。 可选地 ,  The public network address includes: a public network IP address, or a public network IP address and port information. Optionally,
所述发送模块 1003还设置成:将生成的所述第二流表条目通过流条目添 加消息发送给所述 Openflow控制器。  The sending module 1003 is further configured to: send the generated second flow table entry to the Openflow controller by using a flow entry add message.
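As an added example that is not part of the patent text and not ZTE's code, the following Python model of the forwarding device covers both scenarios described above: the rate-limiting template for a protected device and the cascaded pair of NAT templates, with the out-meta of the first template feeding the second. The class and function names, the meter ID, the port names, the template IDs and the addresses (documentation ranges) are assumptions; treating a match value that contains a slash as a CIDR network is this demo's convention, not OpenFlow's own match encoding.

```python
# Added example (not the patent's or ZTE's code): a model of the receiving
# module (1001) and generating module (1002).  Names, ids and addresses are assumptions.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class FlowEntry:
    table_id: int
    priority: int
    match: dict      # e.g. {"ipv4_src": "192.168.1.0/24"} or {"ipv4_dst": "10.0.0.5"}
    actions: list    # e.g. [{"template_id": 1}] or [{"meter": 7}, {"output": "srv"}]

@dataclass
class FlowTemplate:
    template_id: int
    table_id: int
    generate: object                 # rule: (packet fields, in-meta) -> (entry, out-meta)
    cascade_template_id: Optional[int] = None

def _field_matches(rule, value):
    """A match value is an exact address or a CIDR network (demo convention)."""
    if "/" in rule:
        return ipaddress.ip_address(value) in ipaddress.ip_network(rule, strict=False)
    return rule == value

def lookup(table, packet):
    """Highest-priority entry whose every match field fits the packet, or None."""
    hits = [e for e in table
            if all(k in packet and _field_matches(v, packet[k]) for k, v in e.match.items())]
    return max(hits, key=lambda e: e.priority, default=None)

class ForwardingDevice:
    def __init__(self):
        self.tables = defaultdict(list)   # table_id -> entries
        self.templates = {}               # template_id -> FlowTemplate

    # receiving module: the controller pushes guide entries and templates
    def install_entry(self, entry):
        self.tables[entry.table_id].append(entry)

    def install_template(self, tpl):
        self.templates[tpl.template_id] = tpl

    # generating module: a packet hitting a guide entry drives the template chain
    def handle_packet(self, packet, table_id=0):
        hit = lookup(self.tables[table_id], packet)
        if hit is None:
            return []                        # table miss: nothing generated
        tpl_ids = [a["template_id"] for a in hit.actions if "template_id" in a]
        if not tpl_ids:
            return []                        # ordinary entry: forward, no generation
        generated, meta, tid = [], {}, tpl_ids[0]
        while tid is not None:               # follow cascade-template-id links
            tpl = self.templates[tid]
            entry, meta = tpl.generate(packet, meta)   # out-meta feeds the next template
            self.tables[tpl.table_id].append(entry)
            generated.append(entry)
            tid = tpl.cascade_template_id
        return generated

PROTECTED_IP = "10.0.0.5"   # assumed address of the protected server
METER_ID = 7                # assumed meter entry carrying the rate limit

def rate_limit_rule(packet, meta):
    """Per-source entry towards the protected server, throttled through a meter."""
    entry = FlowEntry(0, 100, {"ipv4_src": packet["ipv4_src"], "ipv4_dst": PROTECTED_IP},
                      [{"meter": METER_ID}, {"output": "srv"}])
    return entry, meta

def make_nat_templates(public_pool):
    """Outbound NAT template (id 2) cascaded with the reverse template (id 3)."""
    def nat_out(packet, meta):
        public = public_pool.pop(0)          # allocate a public address for this user
        entry = FlowEntry(0, 100, {"ipv4_src": packet["ipv4_src"]},
                          [{"set_ipv4_src": public}, {"output": "wan"}])
        return entry, {"private": packet["ipv4_src"], "public": public}

    def nat_in(packet, meta):                # built from the out-meta alone
        entry = FlowEntry(0, 100, {"ipv4_dst": meta["public"]},
                          [{"set_ipv4_dst": meta["private"]}, {"output": "lan"}])
        return entry, meta

    return [FlowTemplate(2, 0, nat_out, cascade_template_id=3), FlowTemplate(3, 0, nat_in)]

def build_demo_device():
    dev = ForwardingDevice()
    dev.install_template(FlowTemplate(1, 0, rate_limit_rule))
    for tpl in make_nat_templates(["203.0.113.10", "203.0.113.11"]):   # constructed pool
        dev.install_template(tpl)
    # guide entries sit at low priority so generated entries win for later packets
    dev.install_entry(FlowEntry(0, 10, {"ipv4_dst": PROTECTED_IP}, [{"template_id": 1}]))
    dev.install_entry(FlowEntry(0, 10, {"ipv4_src": "192.168.1.0/24"}, [{"template_id": 2}]))
    return dev

if __name__ == "__main__":
    d = build_demo_device()
    for e in d.handle_packet({"ipv4_src": "198.51.100.9", "ipv4_dst": PROTECTED_IP}):
        print(e)
```

A second packet from the same source no longer reaches the guide entry, because the generated entry carries the higher priority; the device therefore creates each per-source entry exactly once without a round trip to the controller, which is the property the scheme relies on when a protected device is flooded.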
Correspondingly, an OpenFlow controller, as shown in FIG. 11, comprises: a storage module 1101, configured to store the preconfigured guide flow table entry and flow table template, where the Action information of the guide flow table entry includes the preset flow table template ID; and a sending module 1102, configured to send the guide flow table entry and flow table template stored by the storage module to the OpenFlow forwarding device.
Optionally,
the match rule of the guide flow table entry includes: the destination address is the IP address of a protected device; and/or,
the entry generation rule defined by the flow table template is to rate-limit the packets sent from any single source IP address to the protected device.
Optionally, the controller further includes:
a receiving module 1103, configured to receive the flow table entries sent by the OpenFlow forwarding device in flow entry add messages;
the sending module 1102 is further configured to, after the receiving module receives a flow table entry, send a reject message to the OpenFlow forwarding device requiring it to delete the flow table entry generated from the flow table template; or, after the receiving module receives the flow table entry, send a higher-priority flow table entry to the OpenFlow forwarding device.
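The controller's three possible responses to a reported entry (silent acceptance, a reject that deletes the entry, or a higher-priority entry that overrides it), as an added example that is not the patent's or ZTE's code. The validation rules, the template_id field assumed to be carried in the extended flow entry add message, the public address pool and the blocklist are constructed for this demo.

```python
# Added example (not the patent's or ZTE's code): the three responses the
# controller can give to a reported entry.  The checks, the template_id field in the
# report, the address pool and the blocklist are assumptions for this demo.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ReportedEntry:
    template_id: int   # assumed field of the extended flow entry add message
    priority: int
    match: dict
    actions: list

class Controller:
    def __init__(self, installed_templates, public_pool, blocked_sources):
        self.installed_templates = set(installed_templates)   # ids this controller pushed
        self.public_pool = set(public_pool)                   # addresses NAT may hand out
        self.blocked_sources = set(blocked_sources)           # sources never to be admitted

    def review(self, entry: ReportedEntry) -> Optional[dict]:
        """None means silent acceptance; otherwise the message sent back to the device."""
        # 1. an entry claiming a template this controller never installed is deleted
        if entry.template_id not in self.installed_templates:
            return {"type": "reject", "delete": entry.match}
        # 2. a NAT entry may only use public addresses the controller allocated
        for a in entry.actions:
            if "set_ipv4_src" in a and a["set_ipv4_src"] not in self.public_pool:
                return {"type": "reject", "delete": entry.match}
        # 3. a known-bad source is overruled with a higher-priority entry; an empty
        #    action list drops the packets, and the device keeps enforcing meanwhile
        src = entry.match.get("ipv4_src")
        if src in self.blocked_sources:
            return {"type": "flow_mod", "priority": entry.priority + 1,
                    "match": {"ipv4_src": src}, "actions": []}
        return None

def build_demo_controller():
    return Controller(installed_templates=[1, 2, 3],
                      public_pool=["203.0.113.10", "203.0.113.11"],   # constructed values
                      blocked_sources=["198.51.100.66"])
```

Reviewing reported entries in this way is the check a deployer would want once the device writes entries on its own: the controller confirms that each entry came from a template it installed and stays inside the address pool it delegated, and it keeps the final say through the priority ordering rather than by deleting what the device already enforces.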
Optionally,
the match rule of the guide flow table entry includes: the source address belongs to the private network address segment of the user; and/or,
the entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side.
Optionally,
the private network address segment includes: a private network IP address.
Optionally,
the sending module 1102 is further configured to send a second flow table template to the OpenFlow forwarding device, where the second flow table template is cascaded with the flow table template, and the second flow table template defines
Those of ordinary skill in the art will understand that all or part of the steps of the above methods may be implemented by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments may also be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. According to the content of the invention, many other embodiments are possible, and changes and variations may be made without departing from its spirit; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.
Industrial applicability
The technical solution above implements the generation of flow table entries from flow table entry templates on the OpenFlow forwarding device, which strengthens the security of the OpenFlow protocol and at the same time extends the application scenarios and practicality of OpenFlow/SDN networks. The present invention therefore has strong industrial applicability.

Claims
1. A flow table entry generation method, applied to an OpenFlow forwarding device, comprising: receiving a guide flow table entry and a flow table template sent by an OpenFlow controller, where the Action information of the guide flow table entry includes a preset flow table template ID;
after receiving a data packet, if the data packet matches the guide flow table entry, looking up the flow table template corresponding to the flow table template ID preset in the Action information of the guide flow table entry, and generating a flow table entry according to the entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
2. The flow table entry generation method of claim 1, further comprising:
sending the generated flow table entry to the OpenFlow controller in an extended flow entry add message.
3. The flow table entry generation method of claim 2, wherein the step of sending the generated flow table entry to the OpenFlow controller in the flow entry add message comprises: the OpenFlow forwarding device sending the information of the flow table entries in real time or in batches by means of the flow entry add message.
4. The flow table entry generation method of any one of claims 1 to 3, further comprising: processing and forwarding the data packet according to the generated flow table entry.
5. The flow table entry generation method of any one of claims 1 to 3, wherein: the match rule of the guide flow table entry includes: the destination address is the IP address of a protected device; and the step of the data packet matching the guide flow table entry comprises:
the destination address of the data packet being the IP address of the protected device.
6. The flow table entry generation method of claim 5, wherein:
the entry generation rule defined by the flow table template is to rate-limit the packets sent from any single source IP address to the protected device;
the step of generating a flow table entry according to the entry generation rule defined by the flow table template and the key field information of the data packet comprises: generating the flow table entry, where the match rule of the flow table entry includes: source IP address equal to the source IP address of the data packet and destination IP address equal to the IP address of the protected device; and the Action information is to send the data packets matching this rule to the protected device while limiting the sending rate with a meter table entry.
7. The flow table entry generation method of any one of claims 1 to 3, wherein: the match rule of the guide flow table entry includes: the source address belongs to the private network address segment of a class of users; and the step of the data packet matching the guide flow table entry comprises:
the source address of the data packet being one of the addresses in the private network address segment.
8. The flow table entry generation method of claim 7, wherein:
the entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side;
the step of generating a flow table entry according to the entry generation rule defined by the flow table template and the key field information of the data packet comprises:
generating the flow table entry, where the match rule of the flow table entry includes the private network address of the data packet, and the Actions include translating the private network address into the allocated public network address and sending the translated packet through the corresponding outbound interface.
9. The flow table entry generation method of claim 8, further comprising:
receiving a second flow table template sent by the OpenFlow controller, where the second flow table template is cascaded with the flow table template, and the entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
10. The flow table entry generation method of claim 9, further comprising:
generating a second flow table entry according to the generated flow table entry in combination with the second flow table template, where the match rule of the second flow table entry includes the allocated public network address, and the Action information is to translate the public network address back into the corresponding private network address and send the translated packet through the corresponding outbound interface.
11. The flow table entry generation method of claim 7, 8 or 10, wherein: the private network address includes: a private network IP address;
the public network address includes: a public network IP address, or a public network IP address together with port information.
12. The flow table entry generation method of claim 10, further comprising:
sending the generated second flow table entry to the OpenFlow controller in a flow entry add message.
13. A flow table entry generation method, applied to an OpenFlow controller, comprising: sending a guide flow table entry and a flow table template to an OpenFlow forwarding device, where the Action information of the guide flow table entry includes a preset flow table template ID.
14. The flow table entry generation method of claim 13, wherein:
the match rule of the guide flow table entry includes: the destination address is the IP address of a protected device; and/or,
the entry generation rule defined by the flow table template is to rate-limit the packets sent from any single source IP address to the protected device.
15. The flow table entry generation method of claim 13, further comprising:
after receiving a flow table entry sent by the OpenFlow forwarding device in a flow entry add message,
the OpenFlow controller not replying to the flow entry add message, which indicates acceptance of the local flow table entry generated by the OpenFlow forwarding device from the flow table template; or
the OpenFlow controller sending a reject message to the OpenFlow forwarding device requiring it to delete the flow table entry generated from the flow table template; or the OpenFlow controller sending a higher-priority flow table entry to the OpenFlow forwarding device.
16. The flow table entry generation method of claim 13, wherein:
the match rule of the guide flow table entry includes: the source address belongs to the private network address segment of the user; and/or,
the entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side.
17. The flow table entry generation method of claim 16, wherein:
the private network address segment includes: a private network IP address.
18. The flow table entry generation method of claim 16, further comprising:
sending a second flow table template to the OpenFlow forwarding device, where the second flow table template is cascaded with the flow table template, and the entry generation rule defined by the second flow table template is an address translation rule for packets sent from the network side to the user side.
19. An OpenFlow forwarding device, comprising a receiving module and a generating module, wherein:
the receiving module is configured to receive a guide flow table entry and a flow table template sent by an OpenFlow controller, where the Action information of the guide flow table entry includes a preset flow table template ID, and is further configured to receive data packets;
the generating module is configured to, after the receiving module receives a data packet, if the data packet matches the guide flow table entry received by the receiving module, look up the flow table template corresponding to the flow table template ID preset in the Action information of the guide flow table entry, and generate a flow table entry according to the entry generation rule defined by the corresponding flow table template and the key field information of the data packet.
20. The forwarding device of claim 19, further comprising a sending module, wherein: the sending module is configured to send the flow table entry generated by the generating module to the OpenFlow controller in an extended flow entry add message.
21. The forwarding device of claim 20, wherein:
the sending module is further configured to process and forward the data packet according to the flow table entry generated by the generating module.
22. The forwarding device of claim 19 or 20, wherein:
the match rule of the guide flow table entry includes: the destination address is the IP address of a protected device; and the generating module is configured to determine that the data packet matches the guide flow table entry as follows:
the destination address of the data packet is the IP address of the protected device.
23. The forwarding device of claim 22, wherein:
the entry generation rule defined by the flow table template is to rate-limit the packets sent from any single source IP address to the protected device;
the generating module is configured to generate a flow table entry according to the entry generation rule defined by the flow table template and the key field information of the data packet as follows:
generating the flow table entry, where the match rule of the flow table entry includes: source IP address equal to the source IP address of the data packet and destination IP address equal to the IP address of the protected device; and the Action information is to send the data packets matching this rule to the protected device while limiting the sending rate with a meter table entry.
24. The forwarding device of claim 19 or 20, wherein:
the match rule of the guide flow table entry includes: the source address belongs to the private network address segment of a class of users; and the generating module is configured to determine that the data packet matches the guide flow table entry as follows:
the source address of the data packet is one of the addresses in the private network address segment.
25. The forwarding device of claim 24, wherein:
the entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side;
the generating module is configured to generate a flow table entry according to the entry generation rule defined by the flow table template and the key field information of the data packet as follows:
generating the flow table entry, where the match rule of the flow table entry includes the private network address of the data packet, and the Actions include translating the private network address into the allocated public network address and sending the translated packet through the corresponding outbound interface.
26. The forwarding device of claim 25, wherein:
the receiving module is further configured to receive a second flow table template sent by the OpenFlow controller;
where the second flow table template is cascaded with the flow table template, and the second flow table template defines
27. The forwarding device of claim 26, wherein:
the generating module is further configured to generate a second flow table entry according to the generated flow table entry in combination with the second flow table template;
where the match rule of the second flow table entry includes the allocated public network address, and the Action information is to translate the public network address back into the corresponding private network address and send the translated packet through the corresponding outbound interface.
28. The forwarding device of claim 24, 25 or 27, wherein:
the private network address includes: a private network IP address;
the public network address includes: a public network IP address, or a public network IP address together with port information.
29. The forwarding device of claim 28, wherein:
the sending module is further configured to send the generated second flow table entry to the OpenFlow controller in a flow entry add message.
30. An OpenFlow controller, comprising a storage module and a sending module, wherein: the storage module is configured to store a preconfigured guide flow table entry and flow table template, where the Action information of the guide flow table entry includes a preset flow table template ID; and the sending module is configured to send the guide flow table entry and flow table template stored by the storage module to an OpenFlow forwarding device.
31. The controller of claim 30, wherein:
the match rule of the guide flow table entry includes: the destination address is the IP address of a protected device; and/or,
the entry generation rule defined by the flow table template is to rate-limit the packets sent from any single source IP address to the protected device.
32. The controller of claim 30, further comprising a receiving module, wherein: the receiving module is configured to receive a flow table entry sent by the OpenFlow forwarding device in a flow entry add message;
the sending module is further configured to, after the receiving module receives the flow table entry, send a reject message to the OpenFlow forwarding device requiring it to delete the flow table entry generated from the flow table template; or, after the receiving module receives the flow table entry, send a higher-priority flow table entry to the OpenFlow forwarding device.
33. The controller of claim 30, wherein:
the match rule of the guide flow table entry includes: the source address belongs to the private network address segment of the user; and/or,
the entry generation rule defined by the flow table template is an address translation rule for packets sent from the user side to the network side.
34. The controller of claim 33, wherein:
the private network address segment includes: a private network IP address.
35. The controller of claim 33, wherein:
the sending module is further configured to send a second flow table template to the OpenFlow forwarding device, where the second flow table template is cascaded with the flow table template, and the flow
PCT/CN2014/078406 2013-08-16 2014-05-26 Flow table entry generation method and corresponding device WO2014177097A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310359664.2 2013-08-16
CN201310359664.2A CN104378298A (en) 2013-08-16 2013-08-16 Flow table entry generating method and corresponding device

Publications (1)

Publication Number Publication Date
WO2014177097A1 true WO2014177097A1 (en) 2014-11-06

Family

ID=51843172

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/078406 WO2014177097A1 (en) 2013-08-16 2014-05-26 Flow table entry generation method and corresponding device

Country Status (2)

Country Link
CN (1) CN104378298A (en)
WO (1) WO2014177097A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591805A (en) * 2015-09-28 2016-05-18 杭州华三通信技术有限公司 Method and device for modification of service chain configuration
WO2017058188A1 (en) * 2015-09-30 2017-04-06 Hewlett Packard Enterprise Development Lp Identification of an sdn action path based on a measured flow rate
US20170295097A1 (en) * 2016-04-07 2017-10-12 Freescale Semiconductor, Inc. System and method for creating session entry
WO2018001127A1 (en) * 2016-07-01 2018-01-04 中兴通讯股份有限公司 Transmission method, device and system, and computer readable storage medium
CN109600318A (en) * 2018-11-29 2019-04-09 新华三技术有限公司合肥分公司 A kind of method and SDN controller monitoring application program in SDN
CN111510329A (en) * 2020-04-10 2020-08-07 全球能源互联网研究院有限公司 Method for processing message in electric SDN controller and flow table matching module
US11252195B2 (en) * 2016-06-09 2022-02-15 Caci, Inc.-Federal Methods and systems for establishment of VPN security policy by SDN application
CN114827044A (en) * 2022-04-27 2022-07-29 新华三信息安全技术有限公司 Message processing method, device and network equipment
US11606394B2 (en) 2016-06-09 2023-03-14 CACI, Inc.—Federal Methods and systems for controlling traffic to VPN servers

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330649B (en) * 2015-06-18 2019-08-02 新华三技术有限公司 Data packet forwarding method and device across software-defined networks
CN106817299B (en) * 2015-11-27 2019-11-29 新华三技术有限公司 Table entry generation method and device, and packet forwarding method, for a software-defined network
CN106878178B (en) * 2015-12-11 2019-11-01 中国电信股份有限公司 Flow table issuance method, system and controller
CN106936716B (en) * 2015-12-31 2020-01-31 华为技术有限公司 TTP (table type pattern) parsing and conversion method, forwarding table entry sending method and device
CN105827629B (en) * 2016-05-04 2018-08-03 王燕清 Software-defined security traffic steering device in a cloud computing environment and implementation method thereof
CN107453884B (en) * 2016-05-30 2020-01-10 华为技术有限公司 Method and device for detecting service quality of network equipment
CN106911595B (en) * 2017-03-22 2020-04-03 新华三技术有限公司 Openflow message execution method and device
CN107172120B (en) * 2017-03-27 2022-06-28 联想(北京)有限公司 Information processing method, processing node and network node
CN108810182B (en) * 2018-04-28 2021-05-18 深圳市德赛微电子技术有限公司 NAT flow table dynamic learning and configuration method based on openflow system
CN109379163B (en) * 2018-09-05 2021-11-23 新华三技术有限公司 Message forwarding rate control method and device
CN109450798B (en) * 2018-12-13 2022-07-12 郑州云海信息技术有限公司 Method for managing routing table information and computer-readable storage medium
CN111832273A (en) * 2019-04-10 2020-10-27 中兴通讯股份有限公司 Method and device for determining destination message, storage medium and electronic device
CN110166360B (en) * 2019-05-27 2021-04-20 盛科网络(苏州)有限公司 OpenFlow switch-based MPLS-TP APS implementation method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102349268A (en) * 2009-03-09 2012-02-08 日本电气株式会社 Openflow communication system and openflow communication method
CN103166866A (en) * 2011-12-12 2013-06-19 华为技术有限公司 Method for generating table entries, method for receiving packets, and related devices and systems
CN103428094A (en) * 2013-08-12 2013-12-04 杭州华三通信技术有限公司 Method and device for packet transmission in an OpenFlow system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255909B (en) * 2011-07-11 2014-07-02 北京星网锐捷网络技术有限公司 Session stream monitoring method and device
CN107071087B (en) * 2011-08-17 2021-01-26 Nicira股份有限公司 Logical L3 routing
CN102769576B (en) * 2012-08-17 2015-06-10 北京傲天动联技术股份有限公司 Flow table self-learning method, packet forwarding method and switch board
CN103067534B (en) * 2012-12-26 2016-09-28 中兴通讯股份有限公司 NAT implementation system and method, and OpenFlow switch
CN103023826B (en) * 2012-12-26 2015-06-10 华中科技大学 Routing control method for OpenFlow controller

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591805B (en) * 2015-09-28 2018-10-26 新华三技术有限公司 Method and apparatus for modifying service chain configuration
CN105591805A (en) * 2015-09-28 2016-05-18 杭州华三通信技术有限公司 Method and device for modification of service chain configuration
WO2017058188A1 (en) * 2015-09-30 2017-04-06 Hewlett Packard Enterprise Development Lp Identification of an sdn action path based on a measured flow rate
US20170295097A1 (en) * 2016-04-07 2017-10-12 Freescale Semiconductor, Inc. System and method for creating session entry
US9893997B2 (en) * 2016-04-07 2018-02-13 NXP USA, Inc. System and method for creating session entry
US11252195B2 (en) * 2016-06-09 2022-02-15 Caci, Inc.-Federal Methods and systems for establishment of VPN security policy by SDN application
US11606394B2 (en) 2016-06-09 2023-03-14 CACI, Inc.—Federal Methods and systems for controlling traffic to VPN servers
US11683346B2 (en) 2016-06-09 2023-06-20 CACI, Inc.—Federal Methods and systems for establishment of VPN security policy by SDN application
US11700281B2 (en) 2016-06-09 2023-07-11 CACI, Inc.—Federal Methods and systems for enhancing cyber security in networks
WO2018001127A1 (en) * 2016-07-01 2018-01-04 中兴通讯股份有限公司 Transmission method, device and system, and computer readable storage medium
CN109600318A (en) * 2018-11-29 2019-04-09 新华三技术有限公司合肥分公司 Method for monitoring an application program in an SDN, and SDN controller
CN109600318B (en) * 2018-11-29 2022-07-12 新华三技术有限公司合肥分公司 Method for monitoring an application program in an SDN, and SDN controller
CN111510329A (en) * 2020-04-10 2020-08-07 全球能源互联网研究院有限公司 Method for processing message in electric SDN controller and flow table matching module
CN111510329B (en) * 2020-04-10 2023-07-07 全球能源互联网研究院有限公司 Method for processing message in electric SDN controller and flow table matching module
CN114827044A (en) * 2022-04-27 2022-07-29 新华三信息安全技术有限公司 Message processing method, device and network equipment
CN114827044B (en) * 2022-04-27 2023-12-26 新华三信息安全技术有限公司 Message processing method, device and network equipment

Also Published As

Publication number Publication date
CN104378298A (en) 2015-02-25

Similar Documents

Publication Publication Date Title
WO2014177097A1 (en) Flow table entry generation method and corresponding device
KR101969194B1 (en) Offloading packet processing for networking device virtualization
US20180241664A1 (en) Flow routing system
WO2017000878A1 (en) Message processing
WO2016206511A1 (en) Method and device for implementing nat
EP2677704B1 (en) Unicast data frame transmission method and apparatus
WO2015043327A1 (en) Routing method, device and system
WO2015085740A1 (en) Network path calculation method and apparatus
JP2020113924A (en) Monitoring program, programmable device, and monitoring method
CN102685006A (en) Method and device for forwarding data messages
WO2014206364A1 (en) Searching method and device for multilevel flow table
WO2014139481A1 (en) Method and device for packet handling
CN107800626B (en) Data message processing method, device and equipment
JP7216120B2 (en) BGP message sending method, BGP message receiving method, and device
WO2016029345A1 (en) Network flow information statistics method and apparatus
WO2017133647A1 (en) Packet processing method, traffic classifier, and service function instance
WO2013123847A1 (en) Packet transmission method and network device
WO2015014196A1 (en) Method, device and system for determining content acquisition path and processing request
WO2014166073A1 (en) Packet forwarding method and network device
WO2011131088A1 (en) Data message processing method, ingress tunnel router and system
WO2007019809A1 (en) A method and system for establishing a direct P2P channel
WO2014067486A1 (en) Packet forwarding method and relevant device
WO2011103820A2 (en) Method and apparatus for network address translation
WO2014201600A1 (en) Session management method, address management method and relevant device
Ohtani et al. VCCN: Virtual content-centric networking for realizing group-based communication

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 14791493
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 EP: PCT application non-entry in European phase
Ref document number: 14791493
Country of ref document: EP
Kind code of ref document: A1