CN103051557B - Data flow processing method and system, controller, switching equipment - Google Patents

Publication number: CN103051557B
Authority: CN (China)
Legal status: Active
Application number: CN201210579220.5A
Other languages: Chinese (zh)
Other versions: CN103051557A
Inventors: 孟健, 王雨晨
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Abstract

Embodiments of the present invention provide a data flow processing method and system, a controller, and a switching device. The data flow processing method includes: receiving first feature information of a data stream sent by any switching device in a software-defined network, and detecting, according to preset security rules and the first feature information, whether the data stream is safe, to obtain a detection result; if the detection result is safe, formulating a forwarding strategy for the data stream and delivering it to the switching device, so that the switching device forwards the data stream according to the forwarding strategy; if the detection result is unsafe, instructing the switching device to discard the data stream. The data flow processing method and system, controller, and switching device of the embodiments make it possible to perform security detection on the data stream of any switching device in an SDN.

Description

Data flow processing method and system, controller, switching equipment
Technical field
The embodiments of the present invention relate to communication technology, and in particular to a data flow processing method and system, a controller, and a switching device.
Background
A traditional network architecture generally includes several routing and switching devices. Each routing and switching device can connect several host devices, and all routing and switching devices are directly or indirectly connected to a gateway device, which in turn connects to the external network. To check the security of traffic in the network, a traffic detection device can be deployed on a critical path of the network. For example, for a LAN or corporate network, a traffic detection device is usually deployed on the path between the gateway device and the external network, and the security of the overall traffic of the LAN or corporate network is detected there.
With the development of communication technology, a new network architecture has emerged: the software-defined network (Software Defined Network, SDN for short), also called a programmable network. SDN separates the control plane of network devices from the data forwarding plane and is a new way of implementing the network control plane. SDN not only reduces network complexity and meets the requirements of network virtualization and cloud computing, but also reduces the complexity of data forwarding plane devices; it is therefore the development trend for new network architectures.
In studying the prior art, the inventors found that if the traffic detection method of a traditional network is used in an SDN, only the security of the network's overall traffic can be detected, and it is difficult to detect the security of traffic transmitted between switching devices inside the network, so network traffic detection is inaccurate.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a data flow processing method and system, a controller, and a switching device, to solve the problem that in an SDN it cannot be detected whether a data stream received or forwarded by a switching device is safe.
In a first aspect, an embodiment of the present invention provides a data flow processing method, including:
receiving first feature information of a data stream sent by any switching device in a software-defined network, and detecting, according to preset security rules and the first feature information, whether the data stream is safe, to obtain a detection result;
if the detection result is safe, formulating a forwarding strategy for the data stream and delivering the forwarding strategy to the switching device, so that the switching device forwards the data stream according to the forwarding strategy;
if the detection result is unsafe, generating a first instruction and delivering the first instruction to the switching device, where the first instruction instructs the switching device to discard the data stream.
With reference to the first aspect, in a first possible implementation of the first aspect, the preset security rules include:
forbidding or allowing a data stream initiating device with specific feature information to perform a specific operation on another data stream receiving device with specific feature information.
With reference to the first aspect, in a second possible implementation of the first aspect, the first feature information is the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, if the detection result is that it cannot yet be confirmed whether the data stream is safe, a second instruction is delivered to the switching device, where the second instruction instructs the switching device to send second feature information of the data stream.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the second feature information is the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
In a second aspect, an embodiment of the present invention provides a data flow processing method, including:
receiving a data stream, and judging whether a forwarding strategy corresponding to the data stream exists in the stored forwarding strategy table;
if no corresponding forwarding strategy exists in the forwarding strategy table, sending first feature information of the data stream to the controller in the software-defined network;
receiving a processing instruction delivered by the controller, where the processing instruction is delivered by the controller according to a detection result after the controller detects, according to preset security rules and the first feature information, whether the data stream is safe;
if the processing instruction is a forwarding strategy, forwarding the data stream according to the forwarding strategy, where the forwarding strategy is formulated by the controller for the data stream when the detection result is safe;
if the processing instruction is a first instruction instructing the switching device to discard the data stream, discarding the data stream according to the first instruction.
With reference to the second aspect, in a first possible implementation of the second aspect, the preset security rules include:
forbidding or allowing a data stream initiating device with specific feature information to perform a specific operation on another data stream receiving device with specific feature information.
With reference to the second aspect, in a second possible implementation of the second aspect, the first feature information of the data stream is the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the method further includes:
if the processing instruction is a second instruction instructing the switching device to send second feature information of the data stream, sending the second feature information of the data stream to the controller.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the second feature information of the data stream is the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
In a third aspect, an embodiment of the present invention provides a controller, including:
a receiving module, configured to receive first feature information of a data stream sent by any switching device in a software-defined network;
a security detection module, configured to detect, according to preset security rules and the first feature information received by the receiving module, whether the data stream is safe, to obtain a detection result;
a security strategy generation module, configured to formulate a forwarding strategy for the data stream when the detection result of the security detection module is safe; or to generate a first instruction when the detection result of the security detection module is unsafe, where the first instruction instructs the switching device to discard the data stream;
a sending module, configured to deliver to the switching device the forwarding strategy generated by the security strategy generation module, so that the switching device forwards the data stream according to the forwarding strategy; or to deliver to the switching device the first instruction generated by the security strategy generation module.
With reference to the third aspect, in a first possible implementation of the third aspect, the security strategy generation module is further configured to generate a second instruction when the detection result of the security detection module is that it cannot yet be confirmed whether the data stream is safe, where the second instruction instructs the switching device to send second feature information of the data stream; the sending module is further configured to deliver the second instruction to the switching device when the detection result is that it cannot yet be confirmed whether the data stream is safe.
In a fourth aspect, an embodiment of the present invention provides a switching device, including:
a receiving module, configured to receive a data stream and judge whether a forwarding strategy corresponding to the data stream exists in the stored forwarding strategy table;
a sending module, configured to send first feature information of the data stream to the controller in the software-defined network when the receiving module judges that no corresponding forwarding strategy exists in the forwarding strategy table;
the receiving module is further configured to receive a processing instruction delivered by the controller, where the processing instruction is delivered by the controller according to a detection result after the controller detects, according to preset security rules and the first feature information sent by the sending module, whether the data stream is safe;
a processing module, configured to forward the data stream according to the forwarding strategy when the processing instruction received by the receiving module is a forwarding strategy, where the forwarding strategy is formulated by the controller for the data stream when the detection result is safe; and to discard the data stream according to the first instruction when the processing instruction is a first instruction instructing the switching device to discard the data stream.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the processing module is further configured to, when the processing instruction is a second instruction instructing the switching device to send second feature information of the data stream, notify the sending module to send the second feature information of the data stream to the controller.
In a fifth aspect, an embodiment of the present invention provides a data flow processing system, including any controller of the third aspect or of the first possible implementation of the third aspect, and at least one switching device of the fourth aspect or of the first possible implementation of the fourth aspect.
In the data flow processing method and system, controller, and switching device of the embodiments of the present invention, security detection is performed, according to preset security rules, on the first feature information of a data stream sent by any switching device in the software-defined network. If the detection result is safe, a forwarding strategy is formulated for the data stream and delivered to the switching device, so that the switching device forwards the data stream according to the forwarding strategy; if the detection result is unsafe, the switching device is instructed to discard the data stream. Security detection can thus be performed on the data stream of any switching device in an SDN, which improves system security.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an SDN network;
Fig. 2 is a flowchart of Embodiment 1 of the data flow processing method of the present invention;
Fig. 3 is a flowchart of Embodiment 2 of the data flow processing method of the present invention;
Fig. 4 is a schematic structural diagram of Embodiment 1 of the controller of the present invention;
Fig. 5 is a schematic structural diagram of Embodiment 1 of the switching device of the present invention;
Fig. 6 is a schematic structural diagram of Embodiment 1 of the data flow processing system of the present invention;
Fig. 7 is a schematic structural diagram of Embodiment 2 of the controller of the present invention;
Fig. 8 is a schematic structural diagram of Embodiment 2 of the switching device of the present invention.
Detailed description of the invention
To make the objectives, technical solutions, and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic structural diagram of an SDN. As shown in Fig. 1, an SDN contains two kinds of devices: the controller (Controller) 11 and the switching device (Switching equipment, SW for short) 12. The controller 11 is mainly responsible for sending traffic forwarding strategies to each switching device 12 connected to it, to tell the switching device 12 how to process data streams; the switching device 12 discards a data stream, or transmits it to a specified terminal device 121, according to the traffic forwarding strategy it receives. It can be seen that in an existing SDN, when it is necessary to detect whether a data stream of a switching device 12 is safe, the existing SDN data stream detection methods cannot meet the need; a data stream security detection scheme suitable for SDN is therefore urgently needed.
To address the above problem, an embodiment of the present invention provides a data flow processing method. The data flow processing method of this embodiment can be implemented by a controller; the controller can be integrated in a computer to implement the method, or integrated in the controller network element of a software-defined network to implement it.
Fig. 2 is a flowchart of Embodiment 1 of the data flow processing method of the present invention. As shown in Fig. 2, the data flow processing method of this embodiment includes:
S201: Receive first feature information of a data stream sent by any switching device in the software-defined network.
In an SDN, a switching device needs to obtain a forwarding rule from the controller in order to transmit each data stream, and stores the forwarding rule as an entry in its flow table; that is, each entry of the flow table stored by the switch can identify one data stream. Typically, when the switch transmits a data stream for which its flow table contains no forwarding rule, the switch sends the first feature information of that data stream to the controller to request the forwarding rule for the data stream.
S202: Detect, according to the preset security rules and the first feature information, whether the data stream is safe, and obtain a detection result. If the detection result is safe, perform S203; if the detection result is unsafe, perform S204.
Specifically, a preset security rule can forbid a device with a specific internet address in a specific network segment from accessing a device with a specific internet address in another specific network segment; or forbid a device with a specific port in a specific network segment from accessing a device with a specific port in another specific network segment; or forbid a specific device in a specific network segment from sending test packets to a specific device in another specific network segment. In other embodiments, a preset security rule can also forbid or allow a data stream initiating device with specific feature information to perform a specific operation on another data stream receiving device with specific feature information. The specific operation can be, for example, sending a test packet, sending an access request packet, or checking network connectivity.
The controller compares the first feature information of the received data stream with the rules set in the preset security rules. If the first feature information of the data stream is identical to the features in any one rule of the preset security rules, the data stream corresponding to this feature information does not comply with the security rules, the detection result for the first feature information of the data stream is unsafe, and the following S203 is performed. If the first feature information of the data stream differs from the features in every rule of the preset security rules, the data stream corresponding to the first feature information complies with the security rules, the detection result for this feature information is safe, and the following S204 is performed.
S203: Formulate a forwarding strategy for the data stream and deliver the forwarding strategy to the switching device, so that the switching device forwards the data stream according to the forwarding strategy.
Specifically, the first feature information of the data stream can be reflected, for example, by the following multiple fields; each field has a concrete value that identifies the feature the field represents.
The controller formulates the forwarding strategy of the data stream according to the feature information in the fields. The forwarding strategy includes at least one action instruction; the action instruction can be, for example: forward the data stream corresponding to the first feature information out of a certain port of the switching device to a specific device.
After determining that the detection result for the first feature information of the data stream is safe, the controller sends the forwarding strategy of the data stream to the switching device, and the switching device can, according to the forwarding strategy, forward the data stream to the target switching device characterized by the destination port number, destination internet address, and destination Media Access Control address.
S204: Generate a first instruction and deliver the first instruction to the switching device, where the first instruction instructs the switching device to discard the data stream.
Specifically, after determining that the detection result for the first feature information of the data stream is unsafe, the controller sends the first instruction to the switching device, instructing it to discard the data stream corresponding to the first feature information, so that the switching device is protected against intrusion by unsafe data streams.
In this embodiment, security detection is performed, according to preset security rules, on the first feature information of a data stream sent by any switching device in the SDN. If the detection result is safe, a forwarding strategy is formulated for the data stream and delivered to the switching device, so that the switching device forwards the data stream according to the forwarding strategy; if the detection result is unsafe, the switching device is instructed to discard the data stream. Security detection can thus be performed on the data stream of any switching device in the SDN, which improves system security.
Further, on the basis of the above embodiment, the first feature information of the data stream can be the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet. If the detection result is that it cannot yet be confirmed whether the data stream is safe (for example, if the first feature information of the data stream is not completely identical to the features in any one rule of the preset security rules, the data stream corresponding to the first feature information does not fully comply with the security rules, and the detection result for this feature information is that safety cannot yet be confirmed), the controller can deliver a second instruction to the switching device. The second instruction instructs the switching device to send second feature information of the data stream; the second feature information can be the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
Specifically, the first feature information that the controller receives can be the packet header of the first packet of the data stream. Judging from the packet header of the first packet whether the corresponding data stream is safe reduces the burden on the controller. When the header information of the first packet received by the controller is insufficient, and the controller cannot judge from it whether the corresponding data stream is safe, the controller can also receive second feature information of the data stream, namely the first packet of the data stream. Or, when the information in the first packet is also insufficient and the controller cannot judge from the first packet whether the data stream is safe, the controller can also receive multiple packets including the first packet, so that it judges from these packets whether the corresponding data stream is safe. Or, when the information in the multiple packets including the first packet is also insufficient and the controller cannot judge from them whether the data stream is safe, the controller can also receive all packets of the data stream. That is to say, the process in which the controller sends the second instruction to the switching device, requesting the switching device to send more feature information of the data stream, can be repeated multiple times.
The data flow processing method of the following embodiment can be implemented by a switching device; the switching device can be integrated in a router to implement the method, or integrated in the switching network element of a software-defined network to implement it.
Fig. 3 is a flowchart of Embodiment 2 of the data flow processing method of the present invention. As shown in Fig. 3, the data flow processing method of this embodiment includes:
301: Receive a data stream, and judge whether a forwarding strategy corresponding to the data stream exists in the stored forwarding strategy table.
Specifically, in an SDN, when the switching device receives a data stream, it looks up the flow table of forwarding rules that it stores and judges whether the flow table contains a forwarding strategy for the data stream. If the flow table contains a forwarding rule that identifies the data stream, the data stream is a known data stream; the switching device can process it according to the processing rule recorded in that flow table entry and forward it to the target device recorded in that entry.
302: If no corresponding forwarding strategy exists in the forwarding strategy table, send first feature information of the data stream to the controller in the software-defined network.
Specifically, if the flow table contains no forwarding strategy for the data stream, the data stream is an unknown data stream. The switching device sends the first feature information of the data stream to the controller of the SDN, so that the controller performs security detection on the data stream according to the preset security rules and delivers the corresponding processing instruction to the switching device according to the detection result.
303: Receive the processing instruction delivered by the controller, where the processing instruction is delivered by the controller according to the detection result after the controller detects, according to the preset security rules and the first feature information, whether the data stream is safe. If the processing instruction is a forwarding strategy, perform 304; if the processing instruction is a first instruction instructing the switching device to discard the data stream, perform 305.
304: Forward the data stream according to the forwarding strategy, where the forwarding strategy is formulated by the controller for the data stream when the detection result is safe.
Specifically, after performing security detection, according to the preset security rules, on the first feature information of the data stream sent by the switching device, the controller sends a processing instruction to the switching device according to the result. If the processing instruction is a forwarding strategy, the switching device forwards the data stream, according to the forwarding strategy, to the destination device indicated in the forwarding strategy.
305: Discard the data stream according to the first instruction.
Specifically, after performing security detection, according to the preset security rules, on the first feature information of the data stream sent by the switching device, the controller sends a processing instruction to the switching device according to the result. If the processing instruction is the first instruction, the data stream is an unsafe data stream, and the switching device discards it according to the first instruction.
In this embodiment, the switching device judges from the forwarding strategy table whether a received data stream is an unknown data stream, sends the first feature information of an unknown data stream to the controller, obtains the security detection result for the data stream, and forwards or discards the data stream according to that result. Data streams received in the SDN are thus forwarded or discarded according to the security detection result, which improves system security.
On the basis of the above embodiment, further, the first feature information of the data stream can be the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream. If the processing instruction is a second instruction instructing the switching device to send second feature information of the data stream, the second feature information of the data stream is sent to the controller; the second feature information can be the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
Specifically, the first feature information or second feature information that the switching device sends to the controller, being the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream, can be consistent with the above embodiment and is not described again here.
On the basis of the above embodiment, further, the forwarding strategy received in step 303 can also be stored in the forwarding strategy table.
Specifically, after receiving the forwarding strategy sent by the controller, the switching device can also store the forwarding strategy in its forwarding strategy table, so that when it later receives a data stream with the same feature information, it can directly perform the corresponding processing according to this forwarding strategy without sending a security detection request to the controller, which improves processing efficiency.
Fig. 4 is a schematic structural diagram of embodiment one of the controller of the present invention. As shown in Fig. 4, the controller of this embodiment includes: receiver module 401, safety detection module 402, security strategy generation module 403 and sending module 404. Receiver module 401 is configured to receive the first feature information of a data stream sent by any switching equipment in the software-defined network. Safety detection module 402 is connected with receiver module 401 and is configured to detect, according to the preset security rule and the first feature information of the data stream received by receiver module 401, whether the data stream is safe, and to obtain a detection result. Security strategy generation module 403 is connected with safety detection module 402 and is configured to formulate a forwarding strategy for the data stream when the detection result of safety detection module 402 is safe, or to generate the first instruction when the detection result of safety detection module 402 is unsafe. Sending module 404 is connected with security strategy generation module 403 and is configured to issue to the switching equipment the forwarding strategy generated by safety detection module 402, so that the switching equipment forwards the data stream according to the forwarding strategy; or to issue to the switching equipment the first instruction generated by safety detection module 402, the first instruction instructing the switching equipment to discard the data stream.
In this embodiment, the safety detection module of the controller performs safety detection, according to the preset security rule, on the first feature information of the data stream that the receiver module receives from any switching equipment in the software-defined network. If the detection result is safe, the security strategy generation module formulates a data stream forwarding strategy for the data stream and issues it to the switching equipment through the sending module, so that the switching equipment forwards the data stream according to the forwarding strategy. If the detection result is unsafe, the security strategy generation module generates the first instruction to instruct the switching equipment to discard the data stream. Safety detection can thus be performed on the data streams of any switching equipment in the SDN, which improves the security of the system.
On the basis of the above embodiment, the preset security rule may specifically include: forbidding or allowing a data stream initiating device having specific feature information to perform a specific operation on another data stream receiving device having specific feature information.
Specifically, for example, safety detection module 402 may compare the first feature information of the data stream received by receiver module 401, one by one, with the rules included in the preset security rule to obtain the detection result. Such rules include: forbidding a device with a specific internet address in a specific network segment from accessing a device with a specific internet address in another specific network segment; or forbidding a device with a specific port in a specific network segment from accessing a device with a specific port in another specific network segment; or forbidding a specific device in a specific network segment from sending test packets to a specific device in another specific network segment.
On the basis of the above embodiment, further, security strategy generation module 403 is also configured to generate a second instruction when the detection result of the safety detection module is that it cannot yet be confirmed whether the data stream is safe, the second instruction instructing the switching equipment to send second feature information of the data stream.
Sending module 404 may also be configured to issue the second instruction to the switching equipment when the detection result of security strategy generation module 403 is that it cannot yet be confirmed whether the data stream is safe, the second instruction instructing the switching equipment to send the second feature information of the data stream.
On the basis of the above embodiment, further, receiver module 401 may also be configured to receive, from any switching equipment in the software-defined network, the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
Fig. 5 is a schematic structural diagram of embodiment one of the switching equipment of the present invention. As shown in Fig. 5, the switching equipment of this embodiment includes: receiver module 501, sending module 502 and processing module 503. Receiver module 501 is configured to receive a data stream and judge whether a forwarding strategy corresponding to the data stream exists in the stored forwarding strategy table. Sending module 502 is connected with processing module 503 and is configured to send the first feature information of the data stream to the controller in the software-defined network when no corresponding data stream forwarding strategy exists in the forwarding strategy table. Receiver module 501 is also configured to receive the processing instruction issued by the controller, where the processing instruction is issued according to the detection result after the controller detects, according to the preset security rule and the first feature information sent by sending module 502, whether the data stream is safe. Processing module 503 is connected with receiver module 501 and sending module 502 and is configured to: when the processing instruction received by receiver module 501 is a forwarding strategy, forward the data stream according to the forwarding strategy, the forwarding strategy being formulated by the controller for the data stream when the detection result is safe; and when the processing instruction is a first instruction that instructs the switching equipment to discard the data stream, discard the data stream according to the first instruction.
In this embodiment, when the switching equipment determines from the forwarding strategy table that no corresponding data stream forwarding strategy exists there, it sends the feature information of the data stream to the controller through sending module 502 and obtains the safety detection result for the data stream, and processing module 503 forwards or discards the data stream according to the safety detection result. Data streams received in the SDN are thereby forwarded or discarded according to a safety detection result, which improves the security of the system. The switching equipment does not need to have a safety detection function itself, which reduces the cost of the switching equipment.
On the basis of the above embodiment, further, the preset security rule includes: forbidding or allowing a data stream initiating device having specific feature information to perform a specific operation on another data stream receiving device having specific feature information.
On the basis of the above embodiment, further, processing module 503 is also configured to, when the processing instruction is a second instruction that instructs the switching equipment to send second feature information of the data stream, notify sending module 501 to send the second feature information of the data stream to the controller.
On the basis of the above embodiment, further, sending module 502 is also configured to send to the controller the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
Fig. 6 is a schematic structural diagram of embodiment one of the data flow processing system of the present invention. As shown in Fig. 6, the data flow processing system of this embodiment includes: controller 601 and at least one switching equipment 602, where switching equipment 602 is connected with controller 601 through the software-defined network. Controller 601 may be configured to receive the first feature information of a data stream sent by any switching equipment in the software-defined network, detect, according to the preset security rule and the first feature information, whether the data stream is safe, and obtain a detection result; if the detection result is safe, formulate a forwarding strategy for the data stream and issue the forwarding strategy to the switching equipment, so that the switching equipment forwards the data stream according to the forwarding strategy; and if the detection result is unsafe, generate the first instruction and issue the first instruction to the switching equipment, the first instruction instructing the switching equipment to discard the data stream. Switching equipment 602 is configured to receive a data stream and judge whether a forwarding strategy corresponding to the data stream exists in the stored forwarding strategy table; if no corresponding forwarding strategy exists in the forwarding strategy table, send the first feature information of the data stream to the controller in the software-defined network; receive the processing instruction issued by the controller, where the processing instruction is issued according to the detection result after the controller detects, according to the preset security rule and the first feature information, whether the data stream is safe; if the processing instruction is a forwarding strategy, forward the data stream according to the forwarding strategy, the forwarding strategy being formulated by the controller for the data stream when the detection result is safe; and if the processing instruction is a first instruction that instructs the switching equipment to discard the data stream, discard the data stream according to the first instruction.
For the working principle of controller 601 and switching equipment 602, refer to the description in the foregoing method embodiments; it is not repeated here.
Further, on the basis of the above embodiment, the data flow processing system may also include multiple controllers. When there is a large number of switching equipment in the SDN, arranging multiple controllers can reduce the processing load on a single controller and improve the safety detection efficiency of a single controller.
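The exchange between controller and switching equipment described in the method and system embodiments, as an added Python example (not code from the patent): rules are compared one by one, a rule that needs packet content triggers the second instruction when only the first-packet header was sent, and only forwarding strategies are stored in the forwarding strategy table. The class names, the `marker` field, the sample addresses and ports, and the fail-closed default when no rule matches are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIRST_PACKET = "first packet"          # second feature information the controller may request

@dataclass(frozen=True)
class Packet:                          # constructed sample traffic
    src: str
    dst: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:                            # "forbid or allow initiator X to do Y to receiver Z"
    action: str                        # "forbid" or "allow"
    src_net: str
    dst_net: str
    dport: Optional[int] = None        # None matches any port
    marker: Optional[bytes] = None     # hypothetical operation signature; needs packet content

    def endpoints_match(self, src, dst, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and self.dport in (None, dport))

class Controller:
    def __init__(self, rules, out_ports):
        self.rules, self.out_ports, self.queries = rules, out_ports, 0

    def detect(self, src, dst, dport, payload=None):
        """Return ('forward', out_port), ('drop',) or ('send_more', level)."""
        self.queries += 1
        for rule in self.rules:                    # compare with the rules one by one
            if not rule.endpoints_match(src, dst, dport):
                continue
            if rule.marker is not None:
                if payload is None:                # header alone cannot settle this rule
                    return ("send_more", FIRST_PACKET)      # second instruction
                if rule.marker not in payload:
                    continue
            if rule.action == "forbid":
                return ("drop",)                   # first instruction
            port = self._out_port(dst)
            return ("forward", port) if port is not None else ("drop",)
        return ("drop",)                           # assumption: fail closed when no rule matches

    def _out_port(self, dst):
        for net, port in self.out_ports.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
                return port
        return None

class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.strategy_table = {}                   # flow key -> out port

    def receive(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.strategy_table:             # known flow: no controller round trip
            return f"forwarded:{self.strategy_table[key]}"
        instr = self.controller.detect(*key)       # first feature information (header only)
        if instr[0] == "send_more":                # answer the second instruction
            instr = self.controller.detect(*key, payload=pkt.payload)
        if instr[0] == "forward":
            self.strategy_table[key] = instr[1]    # store the forwarding strategy
            return f"forwarded:{instr[1]}"
        return "dropped"

def run_demo():
    """Run constructed traffic; return (outcome, controller queries so far) per packet."""
    rules = [
        Rule("forbid", "10.1.0.0/16", "10.2.0.0/16", dport=22),
        Rule("forbid", "10.1.0.0/16", "10.2.0.0/16", marker=b"PROBE"),
        Rule("allow", "10.1.0.0/16", "10.2.0.0/16"),
    ]
    controller = Controller(rules, out_ports={"10.2.0.0/16": 3})
    switch = Switch(controller)
    web = Packet("10.1.0.5", "10.2.0.9", 80, b"GET / HTTP/1.1")
    traffic = [
        Packet("10.1.0.5", "10.2.0.9", 22),                # forbidden port
        web,                                               # needs second feature information
        web,                                               # served from the strategy table
        Packet("10.1.0.5", "10.2.0.9", 8080, b"PROBE-001"),  # forbidden operation
        Packet("192.168.1.1", "10.2.0.9", 80),             # no rule matches
    ]
    return [(switch.receive(p), controller.queries) for p in traffic]

if __name__ == "__main__":
    for outcome, queries in run_demo():
        print(outcome, queries)
```

Because only forwarding strategies are stored, every packet of a discarded flow costs another controller query in this model; the query counter makes that load visible.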
Referring to Fig. 7, another embodiment of the present invention provides a controller, including memory 701 and processor 702, where:
Memory 701 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.
Processor 702 is configured to read the program code stored in memory 701 and perform the following steps:
Receive the first feature information of a data stream sent by any switching equipment in the software-defined network, detect, according to the preset security rule and the first feature information of the data stream, whether the data stream is safe, and obtain a detection result;
If the detection result is safe, formulate a forwarding strategy for the data stream and issue the forwarding strategy to the switching equipment, so that the switching equipment forwards the data stream according to the forwarding strategy;
If the detection result is unsafe, generate the first instruction and issue the first instruction to the switching equipment, the first instruction instructing the switching equipment to discard the data stream.
Further, in the above steps performed by processor 702 of the controller, the preset security rule may include:
Forbidding or allowing a data stream initiating device having specific feature information to perform a specific operation on another data stream receiving device having specific feature information.
Further, in the above steps performed by processor 702 of the controller, the first feature information may be the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet.
Still further, in the above steps performed by processor 702 of the controller, if the detection result is that it cannot yet be confirmed whether the data stream is safe, a second instruction may be issued to the switching equipment, the second instruction instructing the switching equipment to send second feature information of the data stream.
Further, in the above steps performed by the processor of the controller, the second feature information may be the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
Referring to Fig. 8, another embodiment of the present invention provides a switching equipment, including memory 801 and processor 802, where:
Memory 801 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.
Processor 802 is configured to perform the following steps:
Receive a data stream and judge whether a forwarding strategy corresponding to the data stream exists in the stored forwarding strategy table; if no corresponding forwarding strategy exists in the forwarding strategy table, send the first feature information of the data stream to the controller in the software-defined network;
Receive the processing instruction issued by the controller, where the processing instruction is issued according to the detection result after the controller detects, according to the preset security rule and the first feature information, whether the data stream is safe;
If the processing instruction is a forwarding strategy, forward the data stream according to the forwarding strategy, the forwarding strategy being formulated by the controller for the data stream when the detection result is safe;
If the processing instruction is a first instruction that instructs the switching equipment to discard the data stream, discard the data stream according to the first instruction.
Further, in the above steps performed by processor 802 of the switch, the preset security rule includes:
Forbidding or allowing a data stream initiating device having specific feature information to perform a specific operation on another data stream receiving device having specific feature information.
Further, in the above steps performed by processor 802 of the switch, the first feature information of the data stream may be the packet header of the first packet of the data stream, or the first packet of the data stream, or multiple packets of the data stream including the first packet.
Still further, in the above steps performed by processor 802 of the switch, if the processing instruction is a second instruction that instructs the switching equipment to send second feature information of the data stream, the second feature information of the data stream may be sent to the controller.
Further, in the above steps performed by processor 802 of the switch, the second feature information of the data stream may be the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream.
Further, processor 802 of the switch may also store the data stream forwarding strategy in the forwarding strategy table.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative. The division into modules is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple modules may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated in one processing unit, or each module may exist physically on its own, or two or more modules may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a portable hard drive, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
Those skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the functional modules above is used as an example. In practical applications, the above functions may be assigned to different functional modules as needed; that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. For the specific working process of the device described above, refer to the corresponding process in the foregoing method embodiments; it is not repeated here.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that these modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (5)

1. a data flow processing method, it is characterised in that including:
Receive the fisrt feature information of the data stream that arbitrary switching equipment sends in software defined network, according to the regular and described fisrt feature information of preset security, detect described data stream whether safety, it is thus achieved that testing result;Wherein, described preset security rule includes: forbid or allow to have the traffic initiation equipment of special characteristic information another data flow receiving apparatus with special characteristic information is performed specific operation;
If described testing result is safety, then it is that described data stream formulates forwarding strategy, issues described forwarding strategy to described switching equipment, according to described forwarding strategy, described data stream is carried out forward process for described switching equipment;
If described testing result is dangerous, then generating the first instruction, and issue described first instruction to described switching equipment, described first instruction is in order to indicate described switching equipment to abandon described data stream;
If described testing result is for being temporarily confirmed whether safety, then issue the second instruction, the second feature information that described second instruction sends described data stream in order to indicate described switching equipment to described switching equipment;Wherein, when described fisrt feature information be described data stream report for the first time packet header of literary composition time, described second feature information is the literary composition of reporting for the first time of described data stream, or described data stream includes reporting for the first time literary composition at interior multiple packets, or the entire packet of described data stream;When described fisrt feature information is that described data stream includes reporting for the first time literary composition when interior multiple packet, described second feature information is the entire packet of described data stream.
2. a data flow processing method, it is characterised in that including:
Receive data stream, it is judged that whether the forwarding strategy table of storage exists the forwarding strategy that described data stream is corresponding;
If described forwarding strategy table is absent from the forwarding strategy of correspondence, then send the fisrt feature information of described data stream to the controller in software defined network;
Receiving the process instruction that described controller issues, described process instruction is after described controller data stream whether safety according to preset security rule and described fisrt feature infomation detection, issues according to testing result;Wherein, described preset security rule includes: forbid or allow to have the traffic initiation equipment of special characteristic information another data flow receiving apparatus with special characteristic information is performed specific operation;
If described process is designated as forwarding strategy, then according to described forwarding strategy, described data stream being carried out forward process, described forwarding strategy is that controller is formulated for described data stream when described testing result is safe;
If described process is designated as the first instruction indicating described switching equipment to abandon described data stream, then abandon described data stream according to described first instruction;
If described process is designated as the second instruction of the second feature information indicating described switching equipment to send described data stream, then send the second feature information of described data stream to described controller;Wherein, when described fisrt feature information be described data stream report for the first time packet header of literary composition time, described second feature information is the literary composition of reporting for the first time of described data stream, or described data stream includes reporting for the first time literary composition at interior multiple packets, or the entire packet of described data stream;When described fisrt feature information is that described data stream includes reporting for the first time literary composition when interior multiple packet, described second feature information is the entire packet of described data stream.
3. a controller, it is characterised in that including:
Receiver module, for receiving the fisrt feature information of the data stream that arbitrary switching equipment sends in software defined network;
Safety detection module, for the described fisrt feature information according to the reception of preset security regular and described receiver module, detects described data stream whether safety, it is thus achieved that testing result;Wherein, described preset security rule includes: forbid or allow to have the traffic initiation equipment of special characteristic information another data flow receiving apparatus with special characteristic information is performed specific operation;
Security strategy generation module, for when the testing result of described safety detection module is safe, formulating forwarding strategy for described data stream;Or, when the testing result in described safety detection module is dangerous, generating the first instruction, described first instruction is in order to indicate described switching equipment to abandon described data stream;Or, when the testing result of described safety detection module is for being temporarily confirmed whether safe, generate the second instruction, the second feature information that described second instruction sends described data stream in order to indicate described switching equipment;
Sending module, for issuing, to described switching equipment, the described forwarding strategy that described security strategy generation module generates, carries out forward process according to described forwarding strategy to described data stream for described switching equipment;Or, issue, to described switching equipment, described first instruction that described security strategy generation module generates;Or, issue, to described switching equipment, described second instruction that described security strategy generation module generates;
Wherein, when described fisrt feature information be described data stream report for the first time packet header of literary composition time, described second feature information is the literary composition of reporting for the first time of described data stream, or described data stream includes reporting for the first time literary composition at interior multiple packets, or the entire packet of described data stream;When described fisrt feature information is that described data stream includes reporting for the first time literary composition when interior multiple packet, described second feature information is the entire packet of described data stream.
4. a switching equipment, it is characterised in that including:
Receiver module, is used for receiving data stream, it is judged that whether there is the forwarding strategy that described data stream is corresponding in the forwarding strategy table of storage;
Sending module, for when described receiver module judges the forwarding strategy being absent from correspondence in described forwarding strategy table, sending the fisrt feature information of described data stream to the controller in software defined network;
The receiver module is further configured to receive a processing instruction issued by the controller, the processing instruction being issued by the controller according to a detection result, after the controller detects, according to a preset security rule and the first feature information sent by the sending module, whether the data stream is secure; wherein the preset security rule comprises: prohibiting or allowing a data-stream-initiating device having specific feature information to perform a specific operation on another data-stream-receiving device having specific feature information;
A processing module, configured to: when the processing instruction received by the receiver module is a forwarding strategy, forward the data stream according to the forwarding strategy, the forwarding strategy being formulated by the controller for the data stream when the detection result is safe; when the processing instruction is a first instruction instructing the switching equipment to discard the data stream, discard the data stream according to the first instruction; when the processing instruction is a second instruction instructing the switching equipment to send second feature information of the data stream, notify the sending module to send the second feature information of the data stream to the controller;
Wherein, when the first feature information is the header of the first packet of the data stream, the second feature information is the first packet of the data stream, or multiple packets of the data stream including the first packet, or all packets of the data stream; when the first feature information is multiple packets of the data stream including the first packet, the second feature information is all packets of the data stream.
5. A data flow processing system, characterized by comprising the controller as claimed in claim 3 and the switching equipment as claimed in claim 4.
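The instruction handling in claim 4 can be sketched as follows; this is an added illustration, not code from the patent. The names `Instr`, `RULES`, `feature_info`, `controller_check`, `switch_handle` and `make_flow`, the sample addresses and payloads, the one-step-at-a-time escalation and the fail-closed defaults are all assumptions.

```python
from enum import Enum

class Instr(Enum):
    FORWARD = 1    # forwarding strategy: flow judged safe
    DROP = 2       # "first instruction": discard the flow
    SEND_MORE = 3  # "second instruction": report second feature information

# Escalation order for feature information (one step at a time is an assumption).
LEVELS = ("first_header", "first_packet", "several_packets", "all_packets")

# Constructed preset security rules: (initiator, receiver, operation) -> allowed?
RULES = {("10.0.0.5", "10.0.0.9", "READ"): True,
         ("10.0.0.5", "10.0.0.9", "WRITE"): False}

def feature_info(flow, level):
    """Switch side: payloads reported at a level (the header carries none)."""
    if level == "first_header":
        return []
    count = {"first_packet": 1, "several_packets": 3}.get(level, len(flow["packets"]))
    return flow["packets"][:count]

def controller_check(flow, payloads, final):
    """Controller side: map reported feature information to an instruction."""
    pair_rules = {op: ok for (src, dst, op), ok in RULES.items()
                  if (src, dst) == (flow["src"], flow["dst"])}
    if not pair_rules:
        return Instr.DROP              # assumption: no rule for the pair, fail closed
    for payload in payloads:
        if payload in pair_rules:      # first recognised operation decides
            return Instr.FORWARD if pair_rules[payload] else Instr.DROP
    # Nothing decisive yet: ask for more, or fail closed once everything was seen.
    return Instr.DROP if final else Instr.SEND_MORE

def switch_handle(flow):
    """Report feature information, obey the instruction, escalate on SEND_MORE."""
    trace = []
    for level in LEVELS:
        instr = controller_check(flow, feature_info(flow, level), level == LEVELS[-1])
        trace.append((level, instr))
        if instr is not Instr.SEND_MORE:
            break
    return instr, trace

def make_flow(src, packets):
    """Build a constructed sample flow towards the protected receiver."""
    return {"src": src, "dst": "10.0.0.9", "packets": packets}
```

The returned trace records which level of feature information produced the final instruction, which is the record to log when auditing why a flow was dropped.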
CN201210579220.5A 2012-12-27 2012-12-27 Data flow processing method and system, controller, switching equipment Active CN103051557B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210579220.5A CN103051557B (en) 2012-12-27 2012-12-27 Data flow processing method and system, controller, switching equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210579220.5A CN103051557B (en) 2012-12-27 2012-12-27 Data flow processing method and system, controller, switching equipment

Publications (2)

Publication Number Publication Date
CN103051557A CN103051557A (en) 2013-04-17
CN103051557B true CN103051557B (en) 2016-07-06

Family

ID=48064062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210579220.5A Active CN103051557B (en) 2012-12-27 2012-12-27 Data flow processing method and system, controller, switching equipment

Country Status (1)

Country Link
CN (1) CN103051557B (en)

Families Citing this family (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281318B (en) * 2013-05-09 2016-06-08 浙江师范大学 A kind of attack test device for software definition network
CN104158749A (en) * 2013-05-14 2014-11-19 华为技术有限公司 Message forwarding method in software defined networking, network equipment and software defined networking
CN103326884B (en) * 2013-05-30 2016-06-01 烽火通信科技股份有限公司 SDN combines Business Stream sensory perceptual system and the method for stream detection and bag detection
CN104219218B (en) * 2013-06-04 2018-05-08 新华三技术有限公司 A kind of method and device of active safety defence
JP6752141B2 (en) * 2013-06-14 2020-09-09 華為技術有限公司Huawei Technologies Co.,Ltd. Methods and forwarders for processing packets
WO2014202021A1 (en) * 2013-06-20 2014-12-24 Huawei Technologies Co., Ltd. A method and network apparatus of establishing path
CN103457819B (en) * 2013-08-01 2016-08-10 北京华为数字技术有限公司 The processing method and processing device of common gateway user service message
US9137140B2 (en) * 2013-09-10 2015-09-15 Cisco Technology, Inc. Auto tunneling in software defined network for seamless roaming
CN104601526B (en) 2013-10-31 2018-01-09 华为技术有限公司 A kind of method, apparatus of collision detection and solution
CN103607379A (en) * 2013-11-04 2014-02-26 中兴通讯股份有限公司 Software definition network safety enforcement method, system and controller thereof
CN104639504B (en) * 2013-11-12 2018-09-21 华为技术有限公司 Network cooperating defence method, device and system
FI20136138L (en) * 2013-11-18 2015-05-19 Tellabs Oy A network element and a controller to manage the network element
CN103647658B (en) * 2013-11-27 2016-12-07 华为技术有限公司 The management method of the network equipment and controller in a kind of software defined network system
CN104734987A (en) * 2013-12-19 2015-06-24 上海宽带技术及应用工程研究中心 System and method for managing flow in software defined network
CN104753704B (en) * 2013-12-27 2019-03-12 中兴通讯股份有限公司 State transfer method and interchanger in a kind of software defined network
CN103763309B (en) * 2013-12-31 2018-03-30 曙光云计算集团有限公司 Safety domain control method and system based on virtual network
CN104811392B (en) * 2014-01-26 2018-04-17 国际商业机器公司 For handling the method and system of the resource access request in network
CN104104614B (en) * 2014-06-13 2018-05-01 中国科学院计算技术研究所 Name the software defined network controller system and its method in data network
CN104023034B (en) * 2014-06-25 2017-05-10 武汉大学 Security defensive system and defensive method based on software-defined network
CN105721334B (en) * 2014-12-04 2020-02-18 ***通信集团公司 Method and equipment for determining transmission path and updating ACL
CN104580168B (en) * 2014-12-22 2019-02-26 华为技术有限公司 A kind of processing method of Attacking Packets, apparatus and system
CN105871576A (en) * 2015-01-21 2016-08-17 杭州华三通信技术有限公司 Strategy management method and strategy management device based on SDN (Software Defined Network)
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计***技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN104917760B (en) * 2015-05-26 2018-12-11 北京邮电大学 A kind of global flow table generating method and device based on SDN
CN106411820B (en) * 2015-07-29 2019-05-21 中国科学院沈阳自动化研究所 A kind of industrial communication based on SDN framework spreads defeated method of controlling security
CN106412880B (en) * 2015-07-29 2019-09-24 中国科学院沈阳自动化研究所 A kind of wireless mesh safety classification transmission method based on SDN
CN105187424A (en) * 2015-08-31 2015-12-23 广州市优普计算机有限公司 Network security detection method and device
CN107210969B (en) * 2015-10-31 2020-05-26 北京花旺在线商贸有限公司 Data processing method based on software defined network and related equipment
CN105681102A (en) * 2016-03-01 2016-06-15 上海斐讯数据通信技术有限公司 Behavioral strategy method and system based on SDN
CN107181720B (en) * 2016-03-11 2021-06-15 中兴通讯股份有限公司 Software Defined Networking (SDN) secure communication method and device
CN105933225B (en) * 2016-04-20 2020-04-10 上海斐讯数据通信技术有限公司 Strategy routing method and system based on SDN
CN106027405B (en) * 2016-05-03 2020-04-10 浙江宇视科技有限公司 Data stream shunting method and device
CN107645400B (en) * 2016-07-22 2019-09-03 中兴通讯股份有限公司 Tactful sending, receiving method, device and controller
EP3501146A1 (en) * 2016-08-26 2019-06-26 Huawei Technologies Co., Ltd. A data packet forwarding unit in a data transmission network
CN106330625A (en) * 2016-11-25 2017-01-11 国网安徽省电力公司信息通信分公司 SDN-based flow detection method
CN108156117B (en) * 2016-12-05 2021-04-27 ***通信有限公司研究院 Method for carrying out safety control, switch and filtering equipment
CN108289007B (en) 2017-01-10 2022-04-15 中兴通讯股份有限公司 Data packet transmission method and device
CN110943996B (en) * 2019-12-03 2022-03-22 迈普通信技术股份有限公司 Management method, device and system for business encryption and decryption
CN111294344A (en) * 2020-01-19 2020-06-16 中移(杭州)信息技术有限公司 Data forwarding control system, method, electronic device and storage medium
CN112152854B (en) * 2020-09-25 2023-11-07 绿盟科技集团股份有限公司 Information processing method and device
CN112351044A (en) * 2020-12-02 2021-02-09 杭州云梯科技有限公司 Network security system based on big data
EP4295554A4 (en) * 2021-03-06 2024-04-17 Huawei Tech Co Ltd Systems and methods on id swapping during data forwarding

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102763382A (en) * 2010-01-29 2012-10-31 日本电气株式会社 Front end system and front end processing method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254338A (en) * 2016-07-29 2016-12-21 杭州华三通信技术有限公司 Message detecting method and device
CN106254338B (en) * 2016-07-29 2019-09-06 新华三技术有限公司 Message detecting method and device

Also Published As

Publication number Publication date
CN103051557A (en) 2013-04-17

Similar Documents

Publication Publication Date Title
CN103051557B (en) Data flow processing method and system, controller, switching equipment
CN107342952B (en) Service link selection control method and equipment
US9871781B2 (en) Systems and methods for path maximum transmission unit discovery
WO2018054397A1 (en) Service function chain detection path method and device
CN104660565A (en) Hostile attack detection method and device
CN101304389B (en) Method, apparatus and system for processing packet
US20150319090A1 (en) Method and apparatus for notifying network abnormality
CN102377640B (en) Message processing apparatus, message processing method and preprocessor
CN103746911A (en) SDN (software defined networking) structure and communication method thereof
CN102571492B (en) Method and device for detecting failure of routing equipment
CN103401707B (en) link aggregation method and access device
CN101699786A (en) Method, device and system for detecting packet loss
US9450856B2 (en) Expanding member ports of a link aggregation group between clusters
CN102447638A (en) Load balancing method and forwarding apparatus
CN106470116A (en) A kind of Network Fault Detection and restoration methods and device
CN110011941B (en) Message forwarding method and device
CN106685827A (en) Downlink message forwarding method and AP device
CN105141637A (en) Transmission encryption method taking flows as granularity
CN106685693A (en) Network anomaly detection method, system and network device
CN107547430A (en) A kind of file transmitting method and device
CN108028828A (en) A kind of distributed denial of service ddos attack detection method and relevant device
CN104506548A (en) Data packet redirecting device as well as safety protection method and system for virtual machine
CN102523113A (en) Chip realization method for MEP configuration on cross-chip aggregated link in Ethernet network OAM and chip realization system
CN107196878B (en) Photoelectric hybrid network, system determination method and access switch
CN103812746A (en) Bridging device based on linux operation system and communication method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant