113 results about "Openflow flow" patented technology

The invention discloses a business requirement transformation and deployment method for a SDN (Software Defined Network). The method mainly comprises the following steps: 1) a service function chain is built according to network business requirements raised by a user; 2) a local controller reports resource conditions of a bottom network node to a root controller; 3) the root controller designs a service function instance chain; 4) each service function instance is analyzed to be a multistate network strategy selection mechanism; 5) according to the current network state, the root controller selects a proper network strategy to be issued to a corresponding local controller; 6) the local controller combines instances from different service function instance chains on the same network node; 7) the local controller transforms a complicated condition strategy in the same network strategy into a plurality of simple condition strategies; 8) the local controller compiles the combined strategy into an OpenFlow flow table; and 9) the local controller issues the flow table to the bottom network nodes, and the strategy is deployed.

The invention discloses an Openflow flow table storage and optimization method based on resource reuse, and relates to an Openflow flow table in a software definition network. The method comprises the steps that S1, a mask identification field and a range identification field are added to entries of the Openflow flow table, and only indexes capable of ensuring that counters and operation or instructions can be searched out are stored in the entries of the flow table from mask identification indexes to a mask table and from range identification indexes to a range table; S2, after the instructions of adding entries are received by forwarding equipment, the entries existing in the current flow table are traversed, the relevance of entries to be added and each existing entry is analyzed, the existing entries and an entry with the largest relational degree are merged and are written to the flow table, and the existing entries are deleted; if the relational degree is zero, as a new entry, the entry to be added is built in the flow table. The Openflow flow table storage and optimization method based on resource reuse optimizes information storage in the entries of the flow table, and can efficiently use existing hardware resources and achieve the purpose of storing more flow table entries on the premise that hardware conditions are the same.

The invention provides a software defined network control optimization method facing large-scale application. The software defined network control optimization method comprises the following steps: 1, an OpenFlow controller analyzes an OpenFlow flow table and divides a decision control region into N decision regions; 2, the OpenFlow controller updates a data packet forwarding rule of the decision regions into OpenFlow decision switching equipment; 3, OpenFlow entrance switching equipment analyzes a data packet and sends the data packet to OpenFlow exit switching equipment or forwards a forward path request flow table of the data packet to the OpenFlow decision switching equipment; 4, the OpenFlow decision switching equipment analyzes the forward path request flow table and forwards the data packet to the OpenFlow exit switching equipment corresponding to a forwarding rule; 5, the OpenFlow controller updates the forwarding rule of the data packet to the OpenFlow entrance switching equipment. Compared with the prior art, the software defined network control optimization method facing the large-scale application provided by the invention can effectively reduce the round-trip-delay of a network and the dependency of the data packet on the controller, improves the network throughput, and is applicable to large-scale network application.

The invention provides a large-scale OpenFlow flow table hierarchical storage architecture and an accelerated searching method. The hierarchical storage architecture is a HAFT (Hierarchical Accelerated Flow Tables) architecture and comprises a TCAM (Ternary Content Addressable Memory) active flow table layer, a SRAM (Static Random Access Memory) silent flow table layer and a DRAM (Dynamic Random Access Memory) flow table storage layer. The invention further discloses the accelerated searching method based on the above-mentioned hierarchical storage architecture. According to the HAFT architecture disclosed by the invention, firstly, a TCAM and SRAM combined flow table hierarchical storage system is established according to the characteristic of batch arrival of data packets in a network, so that rapid flow table searching of most of data packets is implemented; then on the basis of unevenness of correspondence from network data packet flow to flow table items and correspondence from the flow table items to masks, a mask sequence is adaptively regulated by applying an MA1 heuristic method so as to improve a mask successful detection speed of the subsequent data packets; and then thecharacteristic of frequent failure in detection of the data packets on the masks is utilized, and by the means of a BF (Bloom Filter), a mask failure detection result is predicted, so that the corresponding flow table searching and traversing process can be avoided, and searching efficiency is improved.

The invention belongs to the technical field of network security, and particularly relates to the technical field of software defined network (SDN) security defense. According to the technical scheme, an SDN-oriented DDoS attack defense system comprises a data acquisition module, a training module, an identification module, and a flow table issuing module. A defense method comprises the following steps: collecting OpenFlow flow table data on switches in an SDN, training and classifying different types of flow, identifying and marking DDoS attack flow, and intercepting the flow by means of OpenFlow blocking flow table issuing. The system and the method can be well deployed in an SDN environment, and can be used to effectively intercept DDoS attack flow and attacks like source IP address forging.

The invention provides a PE apparatus management method and a PE apparatus management device, wherein the PE apparatus management method comprises the following steps: establishing a connection with a PE apparatus in a VCF system through a VCF port of a CB apparatus; acquiring forward capability information of the PE apparatus; setting a forward mode for the PE apparatus based on the forward capability information of the PE apparatus, or based on the forward capability information of the PE apparatus and forward capability information of the CB apparatus, wherein the forward mode comprises a distributed forward mode; if the forward mode set for the PE apparatus is the distributed forward mode, issuing OpenFlow flow table entries that are generated in advance to the PE apparatus, thereby enabling the PE apparatus to forward received messages based on the OpenFlow flow table entries. By establishing an OpenFlow connection between the CB apparatus and the PE apparatus, couplings between both the CB apparatus and the PE apparatus are reduced; accordingly, the VCF system is easier to be managed.

The invention provides a flow detection and control mechanism capable of realizing application perception under the SDN and a method. The mechanism comprises an application perception module used for analyzing content of a data packet, expanding the data packet information to an application layer, sharing the valuable data packet characteristic information and carrying out consistency maintenance, and a flow control module used for detecting and classifying flows in combination with a network state and the deep data packet characteristics, providing different service for different application programs through dynamically configuring an OpenFlow flow table and processing abnormal flow perception and attacks. According to the mechanism, on the basis of comprehensively evaluating the network state and the flow behavior characteristics, flow application perception is realized, so different flow scheduling strategies are employed to alleviate possible congestion of the network, network load capability is improved, and actual demands of the different application programs are satisfied.

The invention discloses an alarm method and an alarm device of an openflow flow table. A switch detects a received message and couples the message with a flow table. If a coupled flow table has an alarm behavior, the message is transmitted according to behaviors in the flow table, and then alarm information is sent to a controller according to the alarm behavior. If the coupled flow table does not contain an alarm behavior, the message is directly transmitted according to coupled behaviors. A message active alarm mechanism is provided, the detection sensitivity of the controller is improved, and the safety of equipment is also improved. The controller can be timely informed during the data processing, so that the controller and a manager can timely find and record messages and record alarm logs, and the capability of responding to hostile attacks is enhanced.

The invention provides an SDN controller and a multicast control method. The SDN controller is applied to a PON network comprising an OLT and an ONU connected with the OLT, and the ONU accesses client terminals. The application program of an access permission is preset corresponding to each client terminal. The invention provides a multicast permission control table which comprises a multicast key field and an access permission field corresponding to the access permission. According to the multicast permission control table, a matching field corresponding to the multicast key field and an action type of flow table corresponding to the access permission field are generated and sent to the OLT to inform each client terminal of the access permission on each application and the corresponding action. The original controllable multicast function of the OLT is migrated to the side of the SDN controller, the Openflow flow table is expanded, the controllable multicast configuration of the whole PON system is relatively unified and simple, and the performance is greatly improved.

The invention discloses an openflow flow table look-up method comprising the following steps: on a control plane, dividing openflow flow tables at various levels into an exact matching flow table and at least one classification matching flow table according to the key field, and issuing flow table configuration information as a table entry to the exact matching flow table or the at least one classification matching flow table according to the key field of the flow table configuration information; on a forwarding plane, looking up in the exact matching flow table by use of all the keywords of a message, and when a matching table entry is found, processing the message according to the function of the table entry; when no matching table entry is found, extracting the keywords of different key fields of the message to look up in the at least one classification matching flow table in parallel, dynamically establishing a table entry of the exact matching flow table according to the result of table look-up, and processing the message according to the function of the table entry. The invention further discloses an openflow flow table look-up device.

The invention relates to the technical field of network security, in particular to an SDN (Software Defined Network) DDoS (Distributed Denial of Service) detection method and detection system based ona neural network, and the system comprises an information extraction module, an abnormality early warning module, a flow table information collection module, an information processing module and a detection module, the information extraction module is used for extracting source IP address and destination IP address information in the packet _ in; the abnormity early warning module is used for obtaining a threshold value of an abnormity alarm by utilizing a naive Bayes probability model according to a three-way decision principle, and sending out an abnormity early warning if the probability of the type of the data packet is calculated to be lower than the threshold value; the flow table information collection module is used for collecting flow table data; the information processing moduleis used for carrying out standardized, normalized and dimensionality-reduced data operation on the collected OpenFlow flow table data. According to the invention, the abnormal information in the network can be quickly judged and early warned in the software-defined network, and the network cannot be overloaded.

The invention discloses an implementation method for one-to-multiple virtualization of an OPENFlOW switch. The method comprises the following steps: utilizing BOOTROM to realize virtualization, conducting software version isolation, hardware virtualization and flow table virtualization to realize one-to-multiple virtualization of the OpenFlow switch. The implementation starts from a control surface, a management surface and a forwarding surface to implement virtualization function of the OpenFlow switch under an SDN (Software Defending Network) architecture and enable an SDN controller to monitor different OpenFlow switch nodes, and each independent device can be provided with different software versions, different OpenFlow secure channel connection, different OpenFlow flow tables, different configuration and different hardware resources, so that the network deployment and management are more flexible, and equipment control is safer.

The invention provides an OpenFlow flow table energy-saving storage architecture supporting QoS (Quality of Service) and application of the OpenFlow flow table energy-saving storage architecture. Thearchitecture comprises three layers, namely a priority flow / elephant flow layer, a mouse flow layer and an active connection cache layer, wherein the priority flow / elephant flow layer adopts a TCAM and a DRAM as storage media, the mouse flow layer adopts an SRAM and a DRAM as storage media, the active connection cache layer adopts an SRAM as a storage medium, and a Cuckoo hash structure is adoptedto cache a mapping relationship between active connection and flow table entries in the TCAM. According to the architecture, the TCAM is adopted to preferentially store the identification fields of the priority flow table entries, and quick flow table lookup of priority data packets is realized, so that the network service quality is guaranteed. Meanwhile, a Cuckoo cache is designed to dynamically store the current active connection and the corresponding TCAM flow entry index value in the elephant flow; the cache is hit by most of the data packets, and the corresponding flow table item is found according to the address of the hit cache item, so that a TCAM flow table lookup process is bypassed, and the flow table lookup energy consumption overhead is greatly reduced.

The embodiment of the invention discloses a method for realizing load balancing of a virtual network. The method comprises the following steps: creating a load balancer of the virtual network, generating a load balancing flow table by the load balancer, and when detecting that a virtual machine is started, issuing a generated openflow flow table to a server that the virtual machine belongs to; and when detecting that the virtual machine is offline, deleting the previously generated flow table. With the migration of the virtual machine, the corresponding openflow flow table is added or deleted, which accurately reflects the flow characteristics of the virtual machine and realizes the load balancing of the virtual network. The method of the invention not only reduces the complexity of routing configuration, effectively guides packet forwarding, and enhances the data forwarding rate, but also increases the flexibility and scalability of the virtual network, and is beneficial to improving the overall working rate and data security of the virtual network. In addition, the embodiment of the invention further provides a corresponding implementation device, which further makes the method more practical and the device has the corresponding advantages.

The present invention discloses a flow statistics capability negotiation method and apparatus. The method comprises: an OF controller sends a flow entry modification message for a flow table to an OF switch; in the case that the OF switch meets the modification condition in the flow entry modification message, the OF controller indicates the OF switch to add or modify the corresponding flow entry according to a modification condition, and indicates the OF switch to perform a flow statistics function for the flow entry or not by using the mark in the flow entry modification message; and with regard to the flow entry for which the flow statistics function is performed, the OF controller sends a flow statistics request message to the OF switch to query flow statistics information of the flow entry. Through the adoption of the method and apparatus, the forwarding flexibility of hardware or chips adaptable OpenFlow flow table pipe can be improved.

The invention proposes a two-stage large-flow measurement method for software defined network. The method combines the sFlow sampling technology with the OpenFlow flow table measuring technology to construct a two-stage large-flow measuring model. The fundamental ideas for the method are as follows: in the first stage, based on the coarse grains of sFlow sampling mechanism, screening suspected large flows; in the second stage, generating corresponding measurement rules by the SDN controller according to the suspected large flow set; and loading to the OpenFlow switchgear the measuring flow table items; initiating the task for large flow measurement; and then accessing the measuring flow table items to obtain the accurate flow information of these suspected large flows so as to find out the real large flows. The method can remove the influence of the sampling rate on the measurement precision, reduce the consumption of measurement to TCAM resources and achieve the measurement load balance between switchgears.

The invention provides an openflow-based flow depth correlation analysis method. The method includes the steps: an openflow flow collector records a received data packet according to flows, compresses flow information, and sends the compressed flow information to a flow analysis controller; the flow analysis controller performs integration of the received flow information on the basis of a connecting state; the flow analysis controller analyzes the integrated information from multiple dimensions to obtain an analysis result; the analysis result and a preset threshold are compared, a warning is sent out if the analysis result exceeds the preset threshold, and a form is generated. The invention also provides an openflow-based flow depth correlation analysis system. The system includes a flow analysis controller and at least one openflow flow collector. Through adoption of the method and the system, flows can be collected, classified and combined, and the requirements of applications of log analysis and security analysis are satisfied.

The invention provides a virtual data center visual management method based on a Cairngorm framework, and belongs to the technical field of computer application. The virtual data center visual management method based on a Cairngorm framework uses the Cairngorm framework, uses the flex technique as the foreground development language, takes ActionScript as the logic processing language, is applied to the experimental scene of resource management or software definition network of a virtual data center, can provide a visual Web front end, is integrated with various SDN mainstream controllers and displays the global network topology of the virtual data center. Through the Web front end, the virtual data center visual management method based on a Cairngorm framework can control the life cycle of each component in the network topology, and can complete works, such as issuing of an OpenFlow flow table, accessing of a component console, and accessing of the UI interface of different SDN controllers.

The invention discloses a method for processing an ineffective data packet by an OpenFlow flow table, wherein the method relates to the field of network protocol development. The method comprises the steps of transmitting a data packet into a switch, querying a data packet forwarding outlet by the switch according to the OpenFlow flow table; determining the data packet with a hit forwarding outlet entry in inquiry of the OpenFlow flow table as an effective data packet, and otherwise, determining the data packet as an ineffective data packet; forwarding the effective data packet by the switch according to a flow table rule, and simultaneously recording the MAC address of the ineffective data packet and storing the data packet; checking update of the OpenFlow flow table by the switch every certain time period; checking whether the ineffective data packet has a forwarding path, and processing the data packet according to a query result. The method has functions of realizing buffering of ineffective data packets in an OpenFlow protocol, reducing data loss rate and improving reliability of a whole switching system.

The invention discloses a method used for realizing control and forwarding function decoupling, an apparatus and a system thereof. Control surface equipment establishes a user context when receiving an establishment session request sent by a base station and sends first flow table expansion information to forwarding surface equipment. The first flow table expansion information comprises a tunnel identification and first motion indication information so that the forwarding surface equipment carries out expansion on a local OpenFlow flow table. The forwarding surface equipment sends second flow table expansion information when receiving downlink data. The control surface equipment carries out expansion on the local OpenFlow flow table when receiving the second flow table expansion information and sends an establishment session response to a base station so as to establish wireless bearing associated with the tunnel identification between user terminal and a mobile management entity. Through expanding the OpenFlow flow tables of a control surface and a forwarding surface, control forwarding function decoupling of a mobile network architecture can be effectively supported and flexibility and high effectiveness of network management and operation are realized.

The invention discloses a method for achieving visualization of an SDN flow table. A counter of the OpenFlow flow table is adopted as a basis, independent combination analysis and statistic counting are carried out on a static statistical object and a dynamic statistical object of the flow table based on statistics tasks and statistical objects input by a user, showing is achieved in real time in a graphical mode, maintenance personnel can know the internal state of the SDN flow table and the rule matching condition in real time, failures can be predicated fast, the failures can be fast located after the failures occur, and statistical data can powerfully support network planning in the future.

The invention discloses a QoS (Quality of Service)-aware OpenFlow flow table hierarchical storage architecture and application, and the architecture provided by the invention stores a high-priority flow in a TCAM (Ternary Content Addressable Memory), so that the grouping search performance of the high-priority flow is ensured; a Cuckoo hash structure is adopted to design an accurate flow cache mechanism and store low-priority and non-priority active accurate flows, so that data packets in the accurate flows directly hit caches, corresponding SRAM flow table entries are quickly found, the average flow table search time is remarkably shortened, and the performance of the OpenFlow switch is improved. According to the method, corresponding flow table searching speeds are provided for network flows with different priorities, wherein network packets in a high-priority flow directly hit a TCAM flow table, and corresponding flow table entries are quickly found; a hit Cuckoo cache is searched by a network packet in the low-priority flows, and a corresponding SRAM flow table entry is directly positioned; most of the groups in the priority-free flows can directly hit the Cuckoo cache, and a tuple space search method needs to be further adopted for searching the SRAM flow table for a small part of the groups, and therefore the overall searching efficiency is high.

The invention discloses a method and device for rapidly configuring POTN services based on an OpenFlow flow table, and relates to the technical field of POTN service configuration. The method comprises the steps of: creating an OpenFlow matching flow table; sending the OpenFlow matching flow table to a switch by an SDN controller; when the switch receives a data packet, matching the port number of the data packet in a port matching table of the OpenFlow matching flow table, so that the service type corresponding to the data packet is obtained; according to the service type, performing label matching in the corresponding label matching table; and finally, according to the current label state, matching the processing action corresponding to the data packet in a processing action matching table according to corresponding service requirements, and correspondingly encapsulating the data packet according to the matched processing action. By means of the method and the device disclosed by the invention, rapid configuration of Ethernet services, MPLS-TP services and ODUK services can be realized; the frequent bandwidth and path adjustment requirements can be satisfied; and thus, management, operation and maintenance of a network are simple and high-efficiency.

The invention discloses a network service provision method based on automatic identity recognition. The method mainly comprises the following steps of 1) adopting an sFlow technology to extract network user traffic feature information, namely a timestamp, a source IP address and traffic size; 2) counting online frequency of each IP address in a corresponding time interval in a week; 3) utilizing a k-means algorithm to carry out clustering analysis on the IP addresses according to the online frequency in the corresponding time interval in the week in order to obtain N user categories and a feature center value of respective feature information of each user category; 4) respectively making corresponding network policies for the N user categories; 5) issuing an OpenFlow flow table to an OVS switch; 6) forwarding on the OVS switch according to the flow table; and 7) matching the new network user traffic feature information and the feature center values of the N user categories weekly, affiliating the IP address to the user category with the highest similarity with the feature center value and updating the IP address included in the user category.

The invention discloses an SDN cloud network implementation method based on an FPGA accelerator card, a device thereof and equipment, the method comprises the following steps: when a network data packet enters network equipment, forwarding the network data packet to the FPGA accelerator card; after the FPGA acceleration card analyzes the network data packet, performing OpenFlow flow table rule matching on the network data packet; if yes, executing the matched OpenFlow flow table rule action by the FPGA accelerator card and forwarding the matched OpenFlow flow table rule action to the network equipment; if not, notifying the user mode from the kernel mode, and sending the data packet to the virtual machine control process; and when the control process inquires that the OpenFlow flow table rule in the user mode is matched, issuing the flow table to the FPGA accelerator card to execute the matched OpenFlow flow table rule action, and forwarding the matched OpenFlow flow table rule action to the network equipment. The FPGA acceleration card is added, the kernel data forwarding processing module of the virtual switch is unloaded to the FPGA acceleration card, Openflow rule flow table matching and data packet forwarding are achieved, and the problem that a large number of CPU and memory resources of a cloud node server are occupied by a traditional SDN cloud network method achieved through pure software is solved.

The embodiment of the invention provides a DDoS traffic re-injection method, an SDN controller, and a network system, and relates to the technical field of communication. The problem that a large amount of resources investment is needed to solve the DDoS traffic re-injection across a metropolitan area network, resulting in a relatively high operation cost in the prior art is solved. The method comprises the following steps: when an ARP message reported by a cleaning device forwarded by a central SDN forwarding device is received, issuing a first Openflow flow table to the central SDN forwarding device; and issuing a second Openflow flow table to an edge SDN forwarding device. The embodiment of the invention is applied to DDoS traffic re-injection.

The invention discloses a deployment method of a cloud physical machine, related equipment and a readable storage medium. In an SDN architecture, a protocol for communication between a controller and network equipment mostly adopts an OpenFlow protocol, and after a to-be-deployed cloud physical machine is determined, an IP address of the cloud physical machine and a firewall rule of the cloud physical machine are determined; a first OpenFlow flow table is generated based on the IP address of the cloud physical machine, a second OpenFlow flow table is generated based on the firewall rule of the cloud physical machine, and the first OpenFlow flow table comprises the IP address of the cloud physical machine and the MAC address of the cloud physical machine; and the second OpenFlow flow table comprises the IP address of the cloud physical machine and the firewall rule of the cloud physical machine. According to the scheme, the IP address can be allocated to the cloud physical machine based on the OpenFlow flow table, and the firewall is set for the cloud physical machine, so that the resource consumption and the construction cost of a cloud platform can be reduced.

The invention discloses a service chain high-availability method applied to an SDN (software defined network). The service chain high-availability method comprises the following steps of respectivelyconstructing a network service function link for the uplink direction and the downlink direction of each SDN switch in the SDN; constructing a service function path for each network service function link; constructing a determined service function path for each service function path; respectively constructing a service function forwarder graph for all the determined service function paths; according to each service function forwarder graph, respectively calculating an OpenFlow flow table set; creating a service functional path, constructing a service function forwarder graph, and calculating the OpenFlow flow mark set, so that the cross-switch flow traction problem is solved, the flow distribution is carried out among service functions (SF) on the different switches, the problems of single-point faults, load balancing and the like are solved on the two levels of the switches and the service functions, the high availability of a service chain is achieved, and the network communication efficiency is improved.

The invention discloses a multicast service processing method and device, a cloud platform, equipment and a readable storage medium. The method disclosed by the invention comprises the following steps: receiving network messages in parallel through a plurality of virtual network card queues; and if the network message belongs to the multicast service, using the plurality of virtual CPUs to processthe network message in parallel, and transmitting the processed network message according to the OpenFlow flow table, so as to improve the processing efficiency of the multicast service, wherein thevirtual network card queues are in one-to-one correspondence with the virtual CPUs, the physical CPUs corresponding to the plurality of virtual CPUs belong to the same NUMA domain. The physical CPUs belonging to the same NUMA domain access the same memory area, that is, a plurality of virtual CPUs access the same memory area without cross-domain access, so that access delay can be avoided, and high-performance multicast is realized. Correspondingly, the multicast service processing device, the cloud platform, the equipment and the readable storage medium provided by the invention also have theabove technical effects.