CN103825825B - Flexible, extensible and safe inter-domain topology discovery method

Info

Publication number: CN103825825B
Authority: CN (China)
Legal status: Active
Application number: CN201410023762.3A
Other languages: Chinese (zh)
Other versions: CN103825825A
Inventors: 吴春明, 赵珊珊, 周伯阳
Current assignee: Hangzhou Mutual Inductance Information Technology Co ltd
Original assignee: Hangzhou Mutual Inductance Information Technology Co ltd
Priority: CN201410023762.3A; published as CN103825825A; granted as CN103825825B

Classifications

Y02D 30/00: Reducing energy consumption in communication networks
Abstract

The invention discloses a flexible, extensible and safe inter-domain topology discovery method. Building on the existing inter-domain topology discovery method for software-defined networks (SDN), it extends the Link Layer Discovery Protocol (LLDP) packet so that an SDN domain in a distributed SDN can discover its topological connections to the adjacent SDN domains. The method is simple and secure, and solves the problem of inter-domain topology discovery among multiple domains in a distributed SDN.

Description

Flexible, extensible and safe inter-domain topology discovery method
Technical field
The present invention relates to the technical field of software-defined networking, and in particular to a flexible, extensible and safe inter-domain topology discovery method.
Background
In traditional networks, inter-domain topology discovery is carried out by an exterior gateway protocol such as BGP. Because the traditional approach depends on a specific protocol, its flexibility and manageability are poor, and because topology discovery is coupled with route computation, its extensibility is poor as well. In a software-defined network (SDN), topology discovery is an independent module that provides a unified network view (Network View) interface to services such as routing management, and inter-domain topology discovery is implemented with the Link Layer Discovery Protocol (LLDP). The topology discovery module maintains a consistent network-wide view in real time without depending on other services, which effectively improves the flexibility and extensibility of network management. However, the existing approach does not take into account network attacks such as Sybil and RIB poisoning, which leave the communicating entities unaware of what is happening during communication and lead to security problems such as information loss.
When the inter-domain topology of a traditional network changes, the data plane is updated according to an exterior gateway protocol such as BGP. BGP specifies that a boundary node of a domain establishes a TCP connection with the boundary node of an adjacent domain to build a neighbor relationship; neighbors then send NLRI update messages to each other to exchange routing tables. In this way boundary nodes obtain the latest inter-domain routing topology in time. However, topology discovery depends on a specific protocol, manageability and flexibility are poor, and because the update process depends on the routing algorithm, convergence is relatively slow, so other services cannot obtain the latest network topology in time, and there are security weaknesses.
In the SDN architecture, an SDN controller controls in a centralized manner a domain made up of multiple switches. Consistency of the inter-domain topology between this domain and the other interconnected domains is maintained by the LLDP protocol: at a certain time interval, LLDP packets are sent from all ports of the switches in the domain. Topology discovery is independent of other services: when the inter-domain network topology changes, the inter-domain topology discovery module updates the network view, and other services obtain the latest consistent network view through the interface exposed by the inter-domain topology discovery module, which improves the flexibility and extensibility of the network.
The present invention uses the following existing concepts, technologies and tools of SDN:
An SDN controller is control software designed according to the OpenFlow protocol; it manages data flows, configures network devices, formulates the flow table (Flow Table) and handles the communication between the network and the devices. A domain may be controlled centrally by one controller or in a distributed manner by multiple controllers.
A switch in an SDN obeys the OpenFlow protocol and is called an OpenFlow switch (OFS). An OFS is managed and controlled by the SDN controller, and its flow table is formulated and modified by the SDN controller.
The secure channel supported by the OpenFlow protocol carries the communication between an OFS and the SDN controller.
The network view (Network View) is the intra-domain and inter-domain physical link state information together with the state information of each OFS node, maintained in real time in the SDN.
The OpenFlow protocol is described in: OpenFlow Switch Specification Version 1.0.2 (Wire Protocol 0x01), December 31, 2009.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and provide a flexible, extensible and safe inter-domain topology discovery method.
The object of the invention is achieved through the following technical solution: a flexible, extensible and safe inter-domain topology discovery method, comprising the following steps:
Step 1: In the initial network, each OpenFlow switch (OFS) is connected to a software-defined network (SDN) controller, and all OFSs managed by the same SDN controller form a domain. Each OFS has a network-wide unique identifier (DataPathId), and each domain has a network-wide unique domain number (Domain ID). Each controller has a public/private key pair, and the private key is kept secret. Each SDN controller maintains a key store; the key store contains the public/private key pair of this domain and the public keys of the other domains, and a public key is obtained by looking up the key store by the domain's unique domain number.
Step 2: After receiving the link information sent by an OFS, the SDN controller generates an extended LLDP packet. In addition to the basic information required by LLDP (including Chassis ID, Port ID, TTL and End TLV), the extended LLDP packet also contains a domain number (Domain ID), a transmission sequence number (TimeStamp) and a signature (Signature), where Domain ID is the unique identifier of each domain, TimeStamp is used to verify whether the received LLDP packet is the latest one, and Signature is the signature over all other fields of the LLDP packet made with the private key of this controller;
Step 3: The SDN controller sends the extended LLDP packet generated in step 2 from all ports of the OFS at a fixed time interval;
Step 4: The SDN controller receives the extended LLDP packet sent up by an OFS of this domain and, using the DataPathId carried in the packet, looks up that DataPathId in the OFS information base of this domain. If the DataPathId is found, the packet is an extended LLDP packet of this domain and is ignored; if it is not found, the packet is an extended LLDP packet that this domain has received from another domain, and the SDN controller extracts Signature, TimeStamp and Domain ID from the extended LLDP packet;
Step 5: Using the Domain ID obtained in step 4, look up the key store to get the public key of the domain that sent this extended LLDP packet;
Step 6: Using the public key obtained in step 5, verify the Signature obtained in step 4 with the RSA algorithm;
Step 7: If the Signature verification in step 6 fails, discard the packet; if it passes, the SDN controller obtains the switch-port tuple (SwitchPortTuple) of the OFS in this domain that sent up this extended LLDP packet and looks up that SwitchPortTuple in the SwitchPortTuple-to-TimeStamp mapping table maintained by this SDN controller;
Step 8: If step 7 finds the SwitchPortTuple, compare the TimeStamp returned by the mapping table with the TimeStamp value obtained in step 4; if the received TimeStamp is the smaller one, a larger TimeStamp has already been received and the packet is discarded. If step 7 does not find the SwitchPortTuple, this is the first extended LLDP packet received after the connection was established: the SwitchPortTuple and the sequence number TimeStamp are written into the mapping table, and the inter-domain network view (Network View) is updated at the same time.
The beneficial effects of the invention are as follows:
First, compared with other inter-domain topology discovery methods between SDN controllers, the present invention uses the same LLDP protocol as intra-domain topology discovery and adds a domain number (Domain ID), a transmission sequence number (TimeStamp) and a signature (Signature). A controller's domain number corresponds to its public key, the data and the verification information are all carried in the LLDP packet, and the public key of another domain's controller is obtained by looking up the key store by domain number. Because the signature verification in the inter-domain topology discovery process uses the controller's own existing public/private key pair, the present invention improves the security of inter-domain consistent network view maintenance without increasing system complexity.
Second, compared with existing inter-domain network security schemes, the present invention is based on the software-defined network (SDN), in which topology discovery is decoupled from route computation. Once the unified inter-domain topology has been obtained, it can be provided to various routing protocols, and each routing protocol instance no longer needs to obtain the inter-domain topology on its own and implement its own security scheme, which improves the flexibility of the control strategy and enhances the extensibility of the system.
Brief description of the drawings
Fig. 1 is the flow chart of the flexible, extensible and safe inter-domain topology discovery method;
Fig. 2 is a schematic diagram of the inter-domain network topology of a software-defined network.
Detailed description of the invention
The present invention is described in detail below with reference to the accompanying drawings, from which its purpose and effects will be apparent.
Based on the existing inter-domain topology discovery method in SDN, the present invention proposes a flexible, extensible and safe inter-domain topology discovery method comprising the following steps:
Step 1: In the initial network, each OpenFlow switch (OFS) is connected to a software-defined network (SDN) controller, and all OFSs managed by the same SDN controller form a domain. Each OFS has a network-wide unique identifier (DataPathId); each domain has a network-wide unique domain number (Domain ID); each controller has a public/private key pair, and the private key is kept secret; each SDN controller maintains a key store, which contains the public/private key pair of this domain and the public keys of the other domains, and the public key of another domain is obtained by its domain number. In Fig. 2, OFS1 to OFS12 are OpenFlow switches: OFS1 to OFS4 form domain D1, controlled by SDN controller C1; OFS5 to OFS8 form domain D2, controlled by SDN controller C2; and OFS9 to OFS12 form domain D3, controlled by SDN controller C3.
Step 2: After receiving the link information sent by an OFS, the SDN controller generates an extended LLDP packet, that is, in addition to the basic information required by LLDP (including Chassis ID, Port ID, TTL and End TLV), it adds a domain number (Domain ID), a transmission sequence number (TimeStamp) and a signature (Signature), where Domain ID is the unique identifier of each domain, TimeStamp is used to verify whether the received LLDP packet is the latest one, and Signature is the signature over all other fields of the LLDP packet made with the private key of this controller;
Step 3: The SDN controller sends the extended LLDP packet generated in step 2 from all ports of the OFS at a fixed time interval;
The time interval here is set by the network administrator or researcher, for example 5 s or 15 s.
Step 4: The SDN controller receives the extended LLDP packet sent up by an OFS of this domain and, using the DataPathId carried in the packet, looks up that DataPathId in the OFS information base of this domain. If the DataPathId is found, the packet is an extended LLDP packet of this domain and is ignored; if it is not found, the packet is an extended LLDP packet that this domain has received from another domain, and the SDN controller extracts Signature, TimeStamp and Domain ID from the extended LLDP packet;
Step 5: Using the Domain ID obtained in step 4, look up the key store to get the public key of the domain that sent this extended LLDP packet;
Step 6: Using the public key obtained in step 5, verify the Signature obtained in step 4 with the RSA algorithm;
Step 7: If the Signature verification in step 6 fails, discard the packet; if it passes, the SDN controller obtains the switch-port tuple (SwitchPortTuple) of the OFS in this domain that sent up this extended LLDP packet and looks up that SwitchPortTuple in the SwitchPortTuple-to-TimeStamp mapping table maintained by this SDN controller;
Step 8: If step 7 finds the SwitchPortTuple, compare the TimeStamp returned by the mapping table with the TimeStamp value obtained in step 4; if the received TimeStamp is the smaller one, a larger TimeStamp has already been received and the packet is discarded. If step 7 does not find the SwitchPortTuple, this is the first extended LLDP packet received after the connection was established: the SwitchPortTuple and the sequence number TimeStamp are written into the mapping table, and the inter-domain network view (Network View) is updated at the same time.
By using the flexible, extensible and safe inter-domain topology discovery method, the present invention realizes controlled inter-domain topology discovery in a distributed software-defined network (SDN). Building on the existing SDN inter-domain topology discovery method, it adds a signature verification process; the method is simple to implement and more secure, and effectively solves the problem of secure inter-domain topology discovery between distributed SDN domains.

Claims (1)

1. A flexible, extensible and safe inter-domain topology discovery method, characterized in that it comprises the following steps:
Step 1: In the initial network, each OpenFlow switch is connected to a software-defined network controller, and all OpenFlow switches managed by the same software-defined network controller form a domain. Each OpenFlow switch has a network-wide unique identifier DataPathId, and each domain has a network-wide unique domain number Domain ID. Each controller has a public/private key pair, and the private key is kept secret. Each software-defined network controller maintains a key store; the key store contains the public/private key pair of this domain and the public keys of the other domains, and a public key is obtained by looking up the key store by the domain's unique domain number;
Step 2: After receiving the link information sent by an OpenFlow switch, the software-defined network controller generates an extended LLDP packet. In addition to the basic information required by LLDP, the extended LLDP packet also contains a domain number Domain ID, a transmission sequence number TimeStamp and a signature Signature, where Domain ID is the unique identifier of each domain, TimeStamp is used to verify whether the received LLDP packet is the latest one, and Signature is the signature over all other fields of the LLDP packet made with the private key of this controller; the basic information includes Chassis ID, Port ID, TTL and End TLV;
Step 3: The software-defined network controller sends the extended LLDP packet generated in step 2 from all ports of the OpenFlow switch at a fixed time interval;
Step 4: The software-defined network controller receives the extended LLDP packet sent up by an OpenFlow switch of this domain and, using the DataPathId carried in the packet, looks up that DataPathId in the OpenFlow switch information base of this domain. If the DataPathId is found, the packet is an extended LLDP packet of this domain and is ignored; if it is not found, the packet is an extended LLDP packet that this domain has received from another domain, and the software-defined network controller extracts Signature, TimeStamp and Domain ID from the extended LLDP packet;
Step 5: Using the Domain ID obtained in step 4, look up the key store to get the public key of the domain that sent this extended LLDP packet;
Step 6: Using the public key obtained in step 5, verify the Signature obtained in step 4 with the RSA algorithm;
Step 7: If the Signature verification in step 6 fails, discard the packet; if it passes, the software-defined network controller obtains the switch-port tuple SwitchPortTuple of the OpenFlow switch in this domain that sent up this extended LLDP packet and looks up that SwitchPortTuple in the SwitchPortTuple-to-TimeStamp mapping table maintained by this software-defined network controller;
Step 8: If step 7 finds the SwitchPortTuple, compare the TimeStamp returned by the mapping table with the TimeStamp value obtained in step 4; if the received TimeStamp is the smaller one, a larger TimeStamp has already been received and the packet is discarded. If step 7 does not find the SwitchPortTuple, this is the first extended LLDP packet received after the connection was established: the SwitchPortTuple and the transmission sequence number TimeStamp are written into the mapping table, and the inter-domain network view Network View is updated at the same time.
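The extended packet of step 2 and the receive-side checks of steps 4 to 8, as an added example that is not the patent's own code: Domain ID, TimeStamp and Signature travel in organizationally specific LLDP TLVs (type 127, an assumption), textbook RSA over two fixed Mersenne primes stands in for a real padded RSA signature, and a controller object applies the DataPathId, key-store, signature and TimeStamp checks in the order the steps give, using the D1/D2 numbering of Fig. 2 in the comments.

```python
import hashlib
import struct

# Constructed, toy-sized RSA key: p = 2^61-1, q = 2^89-1 (both Mersenne primes).
def make_keypair():
    p, q, e = (1 << 61) - 1, (1 << 89) - 1, 65537
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    # Hash reduced below n so textbook RSA can sign it directly (demo only).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def tlv(t, v):
    # LLDP TLV header: 7-bit type, 9-bit length.
    return struct.pack("!H", (t << 9) | len(v)) + v

def build_ext_lldp(dpid, port, ttl, domain_id, ts, priv):
    # Chassis ID (1), Port ID (2), TTL (3), then Domain ID and TimeStamp as tagged
    # org-specific TLVs (127); the Signature TLV covers every byte before it.
    body = (tlv(1, struct.pack("!Q", dpid)) + tlv(2, struct.pack("!H", port))
            + tlv(3, struct.pack("!H", ttl))
            + tlv(127, b"DOM" + struct.pack("!I", domain_id))
            + tlv(127, b"TST" + struct.pack("!Q", ts)))
    sig = sign(priv, body).to_bytes(20, "big")
    return body + tlv(127, b"SIG" + sig) + tlv(0, b"")

def parse_tlvs(pkt):
    # Yields (type, value, byte offset of the TLV), stopping at the End TLV.
    i = 0
    while i + 2 <= len(pkt):
        hdr = struct.unpack("!H", pkt[i:i + 2])[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        yield t, pkt[i + 2:i + 2 + ln], i
        i += 2 + ln
        if t == 0:
            break

class Controller:
    def __init__(self, domain_id, local_dpids, keystore):
        self.domain_id, self.local = domain_id, set(local_dpids)
        self.keystore = keystore   # Domain ID -> public key of that domain (step 5)
        self.ts_map = {}           # SwitchPortTuple -> last accepted TimeStamp (steps 7-8)
        self.network_view = set()  # inter-domain links as (local tuple, remote tuple)

    def receive(self, pkt, ingress):
        # ingress is the SwitchPortTuple (local DataPathId, port) that received pkt.
        f, sig_off = {}, None
        for t, v, off in parse_tlvs(pkt):
            if t == 1:
                f["dpid"] = struct.unpack("!Q", v)[0]
            elif t == 2:
                f["port"] = struct.unpack("!H", v)[0]
            elif t == 127:
                f[v[:3]] = v[3:]
                sig_off = off if v[:3] == b"SIG" else sig_off
        if f["dpid"] in self.local:
            return "ignored-own-domain"       # step 4: DataPathId is in our OFS base
        pub = self.keystore.get(struct.unpack("!I", f[b"DOM"])[0])
        if pub is None or sig_off is None:
            return "dropped-unknown-domain"   # step 5: no public key for Domain ID
        if not verify(pub, pkt[:sig_off], int.from_bytes(f[b"SIG"], "big")):
            return "dropped-bad-signature"    # steps 6-7: RSA check failed
        ts = struct.unpack("!Q", f[b"TST"])[0]
        last = self.ts_map.get(ingress)
        if last is not None and ts <= last:
            return "dropped-stale"            # step 8: not newer than what we hold
        self.ts_map[ingress] = ts             # first packet, or a newer one: update
        self.network_view.add((ingress, (f["dpid"], f["port"])))
        return "accepted"
```

Treating an equal TimeStamp as stale is this example's choice; the patent text only names the smaller case.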
Application CN201410023762.3A, priority date 2014-01-18, filing date 2014-01-18: Flexible, extensible and safe inter-domain topology discovery method (status: Active; granted as CN103825825B).

Publications (2)

Publication number, publication date:
CN103825825A, 2014-05-28
CN103825825B, 2017-01-11

Family ID: 50760664

Legal Events

Code, title:
C06, Publication
PB01, Publication
C10, Entry into substantive examination
SE01, Entry into force of request for substantive examination
GR01, Patent grant