CN106685903B - SDN-based data transmission method, SDN controller and SDN system - Google Patents


Publication number
CN106685903B
Authority
CN
China
Prior art keywords
data
encrypted
encryption
sdn
information
Legal status
Active
Application number
CN201510762339.XA
Other languages
Chinese (zh)
Other versions
CN106685903A (en
Inventor
赖培源
陈天
樊勇兵
金华敏
刘艺
陈楠
丁圣勇
黄志兰
区洪辉
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201510762339.XA
Publication of CN106685903A
Application granted
Publication of CN106685903B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4645 Details on frame tagging
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an SDN-based data transmission method, an SDN controller and an SDN system. The method comprises the following steps: the SDN controller receives an encrypted data notification message sent by a management platform and, based on that message, judges whether the transmitted data needs to be encrypted; if so, it calculates a forwarding route for the data that needs encrypted transmission and makes that route pass through an encryption device; if it judges that the transmitted data does not need to be encrypted, it calculates a forwarding route for that data and makes the route not pass through the encryption device. With this method, controller and system, only the important data that needs encryption is encrypted in transit, while non-important data that does not need encryption is not processed by the encryption equipment, so the processing cost and delay caused by that processing are reduced; data are classified and handled according to network paths, complex data classification analysis is reduced, and resource utilization is improved.

Description

SDN-based data transmission method, SDN controller and SDN system
Technical Field
The invention relates to the technical field of data transmission, in particular to a data transmission method based on an SDN, an SDN controller and an SDN system.
Background
With the wide application of virtualization technology, IT resources will become an infrastructure that can be operated like water and electricity, and resource management of the cloud data center, as the bearer of important cloud infrastructure, has become an important research subject. The hybrid cloud integrates public cloud and private cloud and has been a main mode and development direction of cloud computing in recent years. For security reasons, most enterprises prefer to store data in the private cloud, but at the same time want the rich and cheap IT resources of the public cloud; in this situation the hybrid cloud is increasingly adopted, public and private cloud are mixed and matched to obtain the best effect, and a tailored solution achieves both cost saving and security. Important internal data can be kept in the local data center, relying on the security of the private cloud; at the same time the computing resources of the public cloud can be used so that work is completed more efficiently and quickly, which is more complete than a private cloud or a public cloud alone.
However, the connection and data transmission between private cloud and public cloud have become a new research hot spot in the industry. Existing solutions encrypt all data with various encryption algorithms before transmitting it between data centers and carry out secure transmission through means such as tunnels: for example, Amazon cloud services mainly realize cross-data-center interconnection based on VPN, and the InterCloud proposed by Cisco encrypts all transmitted data at both ends of the cloud. These solutions encrypt data that does not need encryption and thereby waste the related resources. As the scale of cloud data grows, without a differentiated data encryption mode a great burden is placed on the encryption equipment, which becomes the scaling bottleneck of the system.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a data transmission method based on an SDN, an SDN controller and an SDN system, which are capable of performing encryption transmission on data that needs to be encrypted.
An SDN-based data transmission method comprises the following steps: a Software Defined Network (SDN) controller receives an encrypted data notification message sent by a management platform; based on that message the SDN controller judges whether the transmitted data needs to be encrypted, and if so, calculates a forwarding route for the data that needs encrypted transmission and makes the forwarding route pass through the encryption equipment.
According to an embodiment of the present invention, further, if it is determined that the transmitted data does not need to be encrypted, a forwarding route of the data that does not need to be encrypted for transmission is calculated, and the forwarding route is not passed through the encryption device.
According to an embodiment of the present invention, further, the information carried by the encrypted data notification message includes: the sending device information, vlan or vxlan information of the data that needs to be encrypted; wherein the sending device information includes: the IP address or port of a physical server or virtual machine.
Further, according to an embodiment of the present invention, the SDN controller determining whether the transmitted data needs to be encrypted based on the encrypted data notification message includes: according to the encrypted data notification message, the SDN controller marks an encryption label on the sending device information, vlan or vxlan information whose data needs to be encrypted; and during route calculation the SDN controller judges, based on the encryption label, whether the transmitted data needs to be encrypted.
According to an embodiment of the present invention, further, the calculating a forwarding route of data to be encrypted for transmission, and passing the forwarding route through an encryption device includes: the SDN controller analyzes sending equipment information, vlan or vxlan information for sending the data packet from the received data packet; the transmitting device information includes: an IP address or port of a physical server or virtual machine; the SDN controller judges whether sending equipment information, vlan or vxlan information for sending the data packet is marked with an encryption label, if so, the SDN controller performs routing selection, so that a forwarding route of the data packet passes through encryption equipment, and sends the routing information to the sending equipment; and carrying out encryption processing when the data packet passes through the encryption device.
According to an embodiment of the present invention, further, comprising: and the SDN controller judges that the sending equipment information of the data packet is not marked with an encryption label, and then the SDN controller performs routing so that the forwarding route of the data packet does not pass through encryption equipment.
According to an embodiment of the present invention, further, the sending device, the vlan, or the vxlan of the data packet belongs to a first cloud data center or a first cloud service provider, and the target device, the target vlan, or the vxlan that receives the data packet belongs to a second cloud data center or a second cloud service provider.
Further, according to an embodiment of the present invention, the routing by the SDN controller includes: the SDN controller performs path calculation using a distance vector routing algorithm or a link state routing algorithm.
A software defined network, SDN, controller comprising: the encrypted information receiving unit is used for receiving an encrypted data notification message sent by the management platform; and the route planning unit is used for judging whether the transmitted data needs to be encrypted or not based on the encrypted data notification message, if so, calculating a forwarding route of the data needing to be encrypted and transmitted, and enabling the forwarding route to pass through the encryption equipment.
According to an embodiment of the present invention, further, the route planning unit is further configured to calculate a forwarding route of the data that does not need to be encrypted for transmission if it is determined that the transmitted data does not need to be encrypted, and make the forwarding route not pass through the encryption device.
According to an embodiment of the present invention, further, the information carried by the encrypted data notification message includes: the sending device information, vlan or vxlan information of the data that needs to be encrypted; wherein the sending device information includes: the IP address or port of a physical server or virtual machine.
According to an embodiment of the present invention, further, comprising: the encrypted tag labeling unit is used for carrying out encrypted tag labeling on transmitting equipment information, vlan or vxlan information which needs to encrypt data according to the encrypted data notification message; the route planning unit is further configured to determine whether the transmitted data needs to be encrypted based on the encryption tag during route calculation.
According to an embodiment of the present invention, further, the route planning unit includes: the information extraction module is used for analyzing the sending equipment information, the vlan or the vxlan information for sending the data packet from the received data packet; the transmitting device information includes: an IP address or port of a physical server or virtual machine; the routing selection module is used for judging whether the sending equipment information, the vlan or the vxlan information for sending the data packet is marked with an encryption label, if so, routing selection is carried out, so that the forwarding route of the data packet passes through the encryption equipment, and the routing information is sent to the sending equipment; wherein the encryption processing is performed when the data packet passes through the encryption device.
According to an embodiment of the present invention, the routing module is further configured to determine that the sending device information of the data packet is not labeled with an encryption tag, and then the SDN controller performs routing so that a forwarding route of the data packet does not pass through an encryption device.
According to an embodiment of the present invention, further, the sending device, the vlan, or the vxlan of the data packet belongs to a first cloud data center or a first cloud service provider, and the target device, the target vlan, or the vxlan that receives the data packet belongs to a second cloud data center or a first cloud service provider.
According to an embodiment of the present invention, the routing module is further configured to perform path calculation by using a distance vector routing algorithm or a link state routing algorithm.
An SDN system comprising: a management platform, an SDN controller as described above.
With the SDN-based data transmission method, the SDN controller and the SDN system, only the important data that needs encryption is encrypted in transit, while non-important data that does not need encryption is not processed by the encryption equipment, so the processing cost and delay caused by that processing are reduced and network utilization is improved; through the centralized SDN network controller, data are classified and handled according to network paths, complex data classification analysis is reduced, and resource utilization is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of an SDN-based data transmission method according to an embodiment of the present invention;
Fig. 2 is a schematic view of an application scenario of the SDN-based data transmission method of the present invention;
Fig. 3 is a block diagram of one embodiment of an SDN controller according to the present invention;
Fig. 4 is a block diagram of a route planning unit in an embodiment of an SDN controller according to the present invention.
Detailed Description
The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The technical solution of the present invention is described in various aspects below with reference to various figures and embodiments.
The Software Defined Network (SDN) is a novel network innovation architecture, has the characteristics of control forwarding separation, centralized control, openness and programmability and the like, can realize network virtualization of a data center, and bears multiple tenants. Hereinafter, "first", "second", etc. are descriptively distinct and have no other special meaning.
Fig. 1 is a schematic flowchart of an embodiment of the SDN-based data transmission method according to the present invention. As shown in Fig. 1:
Step 101: an SDN controller receives an encrypted data notification message sent by a management platform.
Step 102: the SDN controller determines, based on the encrypted data notification message, whether the transmitted data needs to be encrypted.
Step 103: if so, a forwarding route for the data that needs encrypted transmission is calculated and made to pass through the encryption equipment.
If the transmitted data does not need to be encrypted, a forwarding route for that data is calculated and made not to pass through the encryption equipment. The management platform in the invention may be a management platform of a data center, such as a cloud management platform or a data management platform.
Before transmission between data centers, in order to protect the security of data in the private cloud, most systems encrypt all data with various encryption algorithms and transmit it securely through means such as tunnels, and resources are wasted on encrypting data that does not need encryption. As the scale of cloud data grows, without a differentiated data encryption mode a great burden is placed on the encryption equipment, which becomes the scaling bottleneck of the system.
According to the data transmission method based on the SDN, the data needing encryption and the data not needing encryption are transmitted through different forwarding paths through the SDN network centralized controller according to the configuration strategy, and encryption and decryption are respectively carried out at the transmission start end and the transmission tail end of the data center, so that the transmission efficiency can be effectively improved, and the disaster recovery cost is reduced.
In one embodiment, the information carried by the encrypted data notification message includes the sending device information, vlan or vxlan information, and the like, of the data that needs to be encrypted. The sending device information includes the IP address or port of a physical server or virtual machine, and the like. According to the encrypted data notification message, the SDN controller marks an encryption label on the sending device information, vlan or vxlan information whose data needs to be encrypted, and when performing route calculation the SDN controller judges, based on the encryption label, whether the transmitted data needs to be encrypted.
In one embodiment, the SDN controller parses the sending device information, vlan, or vxlan information of the sending data packet from the received data packet. The transmitting device information includes: IP address or port of a physical server or virtual machine.
The SDN controller judges whether sending equipment information, vlan or vxlan information for sending the data packet are marked with encryption labels, and if yes, the SDN controller performs routing selection, so that forwarding routes of the data packet pass through the encryption equipment, and the routing information is sent to the sending equipment. The encryption process is performed when the data packet passes through the encryption device. The encryption tag may be notified by the management platform to the SDN controller, e.g., which vlans, vxlans need to be encrypted or not.
When the SDN controller judges that the sending equipment information, the vlan or the vxlan information of the data packet are not marked with the encryption label, the SDN controller performs routing selection to enable the forwarding route of the data packet not to pass through the encryption equipment.
The sending device, vlan or vxlan of the data packet may belong to a first cloud data center or a first cloud service provider (for example Amazon and Microsoft, or Baidu and Tencent), and the target device, target vlan or vxlan receiving the data packet may belong to a second cloud data center or a second cloud service provider, so that transmission between data centers can be realized. The SDN controller performs path calculation using a distance vector routing algorithm or a link state routing algorithm.
In the SDN-based data transmission method of the above embodiment, during transmission across data centers the SDN controller configures routes to realize classified encryption of the data. For the classification of whether data is encrypted, one or more server (virtual machine) nodes may be selected by port or by IP, or even a whole vlan cluster, according to the encryption requirement, and the management platform and the SDN controller cooperate to complete the classified encryption of data as needed.
During data relocation, path selection is carried out separately for data that requires encryption and data that does not, and this path selection is realized by the SDN controller, so that by means of the centralized network control platform, data transmission between data centers can be classified and handled according to encryption requirements more efficiently.
As shown in fig. 2, in an original data center (which may be a production data center or an enterprise private cloud data center), a centrally controlled SDN network is used, and a controller of the SDN network can effectively control transmission paths of nodes in the data center. The management platform or system (which may be a cloud management platform or a data management platform) and the SDN network controller may communicate directly.
For data transmitted between data centers, the data center management platform can set corresponding strategies according to the needs of actual services, and specify which data need to be encrypted and which data can not be encrypted. The implementation of the encryption policy is performed by the SDN controller, and for data with encryption requirements, the SDN controller sets a relevant data forwarding path to the encryption device, whereas for data transmission without encryption requirements, the SDN controller sets the relevant data forwarding path to the direct forwarding device.
When the SDN controller classifies data, a data flow is generally taken as the basic unit. When a physical server or virtual machine is backed up across data centers, all of its data may be selected to pass through an encryption device; in that case the IP of the physical server or virtual machine is generally used as the classification tag.
Alternatively, only part of the service data of the physical server or virtual machine may be selected for encryption, in which case the data of some ports is classified and encrypted. In a large-scale data center scenario, a vlan or a vxlan may also be used as the classification label, that is, the backup data of all nodes in a certain vlan or vxlan is either encrypted or not encrypted as a whole.
The encryption label is a kind of identification, and may be a set character or a numerical value, etc. The setting of the encryption tag mainly depends on the scale of the system, and in a large-scale scenario, a larger granularity, such as vlan or vxlan, is usually used, whereas in an application scenario requiring fine management, encryption transmission management with a port as the granularity may be used.
In the classified encryption transmission across data centers, the existing cloud resource pool mostly uses a full data encryption mode, including the backup data or the transverse communication data among services, such as core data and log data in a certain large-scale service system; and the modules of a large service platform may be deployed in different data centers, and on the network side, these data are usually processed identically without distinction, i.e., all encrypted or all unencrypted.
By adopting the SDN-based data transmission method, the transmission path planning is carried out according to the encryption requirement in the data transmission of the cross-data center according to the setting of the encryption label. Firstly, the management platform notifies the SDN controller whether a certain traffic data that needs to be transmitted needs to be encrypted, and after receiving the notification, the SDN controller identifies the corresponding data, for example, identifies that the data transmitted through a certain port of the virtual machine needs to pass through a certain encryption device.
Next, in the transmission flow table returned to the virtual machine by the SDN controller, the route of the traffic data must pass through a certain encryption device, and a corresponding encryption device is selected. When a virtual machine needs to initiate related data transmission through a certain port, according to a normal network communication flow, a network agent module of the virtual machine firstly requests a forwarding route to an SDN controller, the SDN controller inquires whether the port of the virtual machine has a related encryption requirement after receiving the routing request, and if so, a routing result passing through an encryption device is returned according to a corresponding encryption device serving as a gateway node strategy. If not, returning to the network agent module of the virtual machine according to the routing of direct forwarding.
In one embodiment, assume that the system has three different server clusters, that the data of virtual machines A and B and of machines C, D and E are classified, encrypted and transmitted, being backed up in encrypted form from data center X to data center Y, and that there are an encryption device a, an encryption device b and an encryption device c. Nodes A, B, C, D and E are all under the management of the SDN network controller.
Suppose a system administrator requests, through the data center management platform, a-type encryption of all data of virtual machine A, that is, all data of virtual machine A in data center X must pass through encryption device a before the ciphertext can be transmitted to data center Y. The data center management platform therefore informs the SDN controller, and the SDN controller informs its routing module that all data of virtual machine A must pass through encryption device a.
In one case, suppose the system administrator requests, through the data center management platform, b-type encryption of the data from port 500 of virtual machine B, that is, all the data from port 500 of virtual machine B in data center X must pass through encryption device b before the ciphertext can be transmitted to data center Y. The data center management platform therefore informs the SDN controller, and the SDN controller informs its routing module that the data leaving port 500 of virtual machine B must pass through encryption device b; in the simplest form, the route returned for requests from port 500 of virtual machine B can be set to pass through the IP address of device b.
In another case, suppose the system administrator requests, through the data center management platform, c-type encryption of all data from the physical machines C, D and E, that is, all data of physical machines C, D and E in data center X must pass through encryption device c before the ciphertext can be transmitted to data center Y. Assuming that physical machines C, D and E are all within vlan 100, the data center management platform notifies the SDN controller, which notifies its routing module that all data leaving vlan 100 must pass through encryption device c; in the simplest form, the gateway of vlan 100 can be set to the IP address of device c.
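As an added worked example (not code from the patent or from China Telecom), the following Python model implements the flow described in the embodiment above and in the earlier label-marking and route-request passages: the management platform's notification becomes an encryption label keyed by IP, IP plus port, or vlan/vxlan, and the controller's route calculation pins a tagged flow through its encryption device while untagged flows are forwarded directly. The topology, node names, IP addresses and the most-specific-match precedence between label granularities are assumptions of this example.

```python
import heapq


class EncLabel:
    """Encryption label: the encryption device a matching flow must traverse."""

    def __init__(self, device):
        self.device = device


class EncryptionRouter:
    """Controller-side route planning (constructed model of the patent's route planning unit)."""

    def __init__(self, topology):
        # topology: {node: {neighbour: link cost}}, constructed for this example
        self.topo = topology
        self.ip_port_labels = {}   # (ip, port) -> EncLabel
        self.ip_labels = {}        # ip -> EncLabel
        self.segment_labels = {}   # ("vlan"|"vxlan", id) -> EncLabel

    # Steps 101/102: the management platform's notification becomes a label.
    def notify(self, device, ip=None, port=None, vlan=None, vxlan=None):
        label = EncLabel(device)
        if ip is not None and port is not None:
            self.ip_port_labels[(ip, port)] = label
        elif ip is not None:
            self.ip_labels[ip] = label
        elif vlan is not None:
            self.segment_labels[("vlan", vlan)] = label
        elif vxlan is not None:
            self.segment_labels[("vxlan", vxlan)] = label
        else:
            raise ValueError("notification carries no device, vlan or vxlan information")

    def lookup(self, src_ip, src_port=None, vlan=None, vxlan=None):
        """Most specific label wins: IP+port, then IP, then vlan/vxlan (assumed precedence)."""
        if src_port is not None and (src_ip, src_port) in self.ip_port_labels:
            return self.ip_port_labels[(src_ip, src_port)]
        if src_ip in self.ip_labels:
            return self.ip_labels[src_ip]
        if vlan is not None and ("vlan", vlan) in self.segment_labels:
            return self.segment_labels[("vlan", vlan)]
        if vxlan is not None and ("vxlan", vxlan) in self.segment_labels:
            return self.segment_labels[("vxlan", vxlan)]
        return None

    def _shortest(self, src, dst):
        """Link-state style path calculation: Dijkstra over the topology."""
        dist = {src: 0}
        prev = {}
        heap = [(0, src)]
        while heap:
            d, u = heapq.heappop(heap)
            if u == dst:
                break
            if d > dist[u]:
                continue
            for v, w in self.topo[u].items():
                nd = d + w
                if nd < dist.get(v, float("inf")):
                    dist[v] = nd
                    prev[v] = u
                    heapq.heappush(heap, (nd, v))
        if dst not in dist:
            raise ValueError("no path from %s to %s" % (src, dst))
        path = [dst]
        while path[-1] != src:
            path.append(prev[path[-1]])
        return path[::-1]

    # Step 103: answer the VM network agent's route request.
    def route(self, src_node, dst_node, src_ip, src_port=None, vlan=None, vxlan=None):
        label = self.lookup(src_ip, src_port, vlan, vxlan)
        if label is None:
            return self._shortest(src_node, dst_node)          # direct forwarding
        # Tagged flow: pin the path through the encryption device (src -> device -> dst).
        to_device = self._shortest(src_node, label.device)
        onward = self._shortest(label.device, dst_node)
        return to_device + onward[1:]


def embodiment():
    """The scenario above: A, B, C/D/E in DC X, devices a/b/c, target Y (all constructed)."""
    hosts = ["A", "B", "C", "D", "E"]
    devices = ["enc_a", "enc_b", "enc_c"]
    topo = {h: {"swX": 1} for h in hosts}
    topo["swX"] = {**{h: 1 for h in hosts}, **{d: 1 for d in devices}, "edgeX": 1}
    for d in devices:
        topo[d] = {"swX": 1, "edgeX": 1}
    topo["edgeX"] = {"swX": 1, **{d: 1 for d in devices}, "edgeY": 5}  # inter-DC link
    topo["edgeY"] = {"edgeX": 5, "Y": 1}
    topo["Y"] = {"edgeY": 1}
    r = EncryptionRouter(topo)
    r.notify("enc_a", ip="10.0.0.1")            # all data of VM A -> device a
    r.notify("enc_b", ip="10.0.0.2", port=500)  # VM B port 500 -> device b
    r.notify("enc_c", vlan=100)                 # all of vlan 100 (C, D, E) -> device c
    return r
```

Calling `embodiment().route("B", "Y", "10.0.0.2", src_port=80)` returns the direct path, while the same request with `src_port=500` returns a path through `enc_b`.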
As shown in fig. 3, the present invention provides a software defined network SDN controller. The encrypted information receiving unit 31 receives the encrypted data notification message sent by the management platform. The route planning unit 32 judges whether the transmitted data needs to be encrypted based on the encrypted data notification message, and if so, calculates a forwarding route of the data that needs to be encrypted for transmission, and passes the forwarding route through the encryption device. If the route planning unit 32 judges that the transmitted data does not need to be encrypted, a forwarding route of the data which does not need to be encrypted for transmission is calculated and is not passed through the encryption device.
The encrypted tag labeling unit 33 performs encrypted tag labeling on transmitting device information, vlan or vxlan information, which transmits data to be encrypted, according to the encrypted data notification message; the route planning unit 32 determines whether the transmitted data needs to be encrypted based on the encryption tag when performing the route calculation.
As shown in fig. 4, the route planning unit includes: an information extraction module 41 and a routing module 42. The information extraction module 41 parses the transmission device information, vlan, or vxlan information of the transmission packet from the received packet. The transmitting device information includes: IP address or port of a physical server or virtual machine.
The route selection module 42 determines whether the sending device information, vlan or vxlan information, which is used to send the data packet, is labeled with an encryption tag, and if so, performs route selection, so that the forwarding route of the data packet passes through the encryption device, and sends the route information to the sending device. The encryption process is performed when the data packet passes through the encryption device.
When the routing module 42 determines that the sending device information, vlan or vxlan information of the data packet is not labeled with an encryption tag, it performs routing so that the forwarding route of the data packet does not pass through the encryption device. The routing module 42 performs path calculation using a distance vector routing algorithm, a link state routing algorithm, or the like.
In one embodiment, the present invention provides an SDN system comprising: a management platform, an SDN controller as above.
The SDN-based data transmission method, the SDN controller and the SDN system provided in the embodiments can classify whether data is encrypted: only the important data that needs encryption is encrypted and transmitted, while non-important data that does not need encryption need not be processed by an encryption device, so that the processing cost and processing delay of the data are reduced and network utilization is improved; through the centralized SDN controller, data are classified and handled according to network paths, complex data classification analysis is reduced, and resource utilization is improved.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (10)

1. An SDN-based data transmission method, comprising the following steps:
a Software Defined Network (SDN) controller receives an encrypted data notification message sent by a management platform; wherein the information carried by the encrypted data notification message includes sending device information, vlan or vxlan information for which data needs to be encrypted; the sending device information includes an IP address or port of a physical server or virtual machine;
the SDN controller determines, based on the encrypted data notification message, whether the transmitted data needs to be encrypted, and if so, calculates a forwarding route for the data that needs to be encrypted and transmitted and makes the forwarding route pass through an encryption device;
according to the encrypted data notification message, the SDN controller labels with an encryption tag the sending device information, vlan or vxlan information for which data needs to be encrypted; during route calculation the SDN controller determines whether the transmitted data needs to be encrypted based on the encryption tag;
wherein calculating the forwarding route for the data that needs to be encrypted and transmitted and making the forwarding route pass through the encryption device comprises the following steps:
the SDN controller parses, from the received data packet, the sending device information, vlan or vxlan information used to send the data packet;
the SDN controller determines whether the sending device information, vlan or vxlan information used to send the data packet is labeled with an encryption tag, and if so, performs route selection so that the forwarding route of the data packet passes through the encryption device and sends the route information to the sending device; and encryption processing is performed when the data packet passes through the encryption device.
2. The method of claim 1, further comprising:
if the transmitted data does not need to be encrypted, the SDN controller calculates a forwarding route for the data that does not need to be encrypted and transmitted, and the forwarding route does not pass through the encryption device.
3. The method of claim 2, further comprising:
if the SDN controller determines that the sending device information of the data packet is not labeled with an encryption tag, the SDN controller performs routing so that the forwarding route of the data packet does not pass through the encryption device.
4. The method of claim 2, wherein:
the sending device, vlan or vxlan of the data packet belongs to a first cloud data center or a first cloud service provider, and the target device, target vlan or target vxlan receiving the data packet belongs to a second cloud data center or a second cloud service provider.
5. The method of claim 2, wherein the routing performed by the SDN controller comprises:
the SDN controller performs path calculation using a distance vector routing algorithm or a link state routing algorithm.
6. A software defined network (SDN) controller, comprising:
an encrypted information receiving unit, configured to receive an encrypted data notification message sent by a management platform; wherein the information carried by the encrypted data notification message includes sending device information, vlan or vxlan information for which data needs to be encrypted; the sending device information includes an IP address or port of a physical server or virtual machine;
a route planning unit, configured to determine, based on the encrypted data notification message, whether the transmitted data needs to be encrypted, and if so, to calculate a forwarding route for the data that needs to be encrypted and transmitted and make the forwarding route pass through an encryption device;
an encryption tag labeling unit, configured to label with an encryption tag, according to the encrypted data notification message, the sending device information, vlan or vxlan information for which data needs to be encrypted;
wherein the route planning unit is further configured to determine, during route calculation, whether the transmitted data needs to be encrypted based on the encryption tag;
and wherein the route planning unit includes:
an information extraction module, configured to parse, from the received data packet, the sending device information, vlan or vxlan information used to send the data packet;
a routing module, configured to determine whether the sending device information, vlan or vxlan information used to send the data packet is labeled with an encryption tag, and if so, to perform route selection so that the forwarding route of the data packet passes through the encryption device and to send the route information to the sending device;
wherein encryption processing is performed when the data packet passes through the encryption device.
7. The SDN controller of claim 6, wherein:
the route planning unit is further configured, if the transmitted data does not need to be encrypted, to calculate a forwarding route for the data that does not need to be encrypted and transmitted and to make the forwarding route not pass through the encryption device.
8. The SDN controller of claim 7, wherein:
the routing module is further configured, upon determining that the sending device information of the data packet is not labeled with an encryption tag, to perform routing so that the forwarding route of the data packet does not pass through the encryption device.
9. The SDN controller of claim 7, wherein:
the routing module is further configured to perform path calculation using a distance vector routing algorithm or a link state routing algorithm.
10. An SDN system, comprising:
a management platform and an SDN controller according to any one of claims 6 to 9.
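The route selection described in the claims above and in the route planning unit of the description, as an added example in Python that is not part of the patent: a hypothetical controller labels the sender IP/port, vlan or vxlan named in the management platform's notification, checks each packet's extracted fields against those tags, and computes a link-state (Dijkstra) path that is either forced through the encryption device or pruned so that it avoids it even when the encryption device lies on the cheapest path. The topology, node names and message fields are constructed assumptions.

```python
import heapq

# Constructed topology (not from the patent): node -> {neighbour: link cost}; "enc1" is the encryption device.
TOPOLOGY = {
    "s1": {"s2": 3, "enc1": 1},
    "s2": {"s1": 3, "s3": 3},
    "enc1": {"s1": 1, "s3": 1},  # the cheapest s1 -> s3 path runs through the encryption device
    "s3": {"s2": 3, "enc1": 1},
}

def shortest_path(topo, src, dst):
    """Link-state style path calculation (Dijkstra). Returns the node list, or None if unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        for v, w in topo.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

class SdnController:
    """Hypothetical controller holding the encryption tags and performing route selection."""
    def __init__(self, topo, enc_device):
        self.topo, self.enc = topo, enc_device
        self.encrypt_tags = set()  # entries such as ("ip", "10.0.0.5"), ("vlan", 100), ("vxlan", 5001)
    def on_encrypted_data_notification(self, msg):
        """Label the sender IP/port, vlan or vxlan named in the management platform's message."""
        for kind in ("ip", "port", "vlan", "vxlan"):
            if kind in msg:
                self.encrypt_tags.add((kind, msg[kind]))
    def needs_encryption(self, pkt):
        """Extract sender info, vlan and vxlan from the packet and test them against the tags."""
        keys = {("ip", pkt.get("src_ip")), ("port", pkt.get("src_port")),
                ("vlan", pkt.get("vlan")), ("vxlan", pkt.get("vni"))}
        return bool(keys & self.encrypt_tags)
    def route(self, pkt):
        """Tagged traffic is forced through the encryption device; untagged traffic must bypass it."""
        if self.needs_encryption(pkt):
            to_enc = shortest_path(self.topo, pkt["ingress"], self.enc)
            from_enc = shortest_path(self.topo, self.enc, pkt["egress"])
            return to_enc + from_enc[1:] if to_enc and from_enc else None
        pruned = {u: {v: w for v, w in nb.items() if v != self.enc}
                  for u, nb in self.topo.items() if u != self.enc}
        return shortest_path(pruned, pkt["ingress"], pkt["egress"])
```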
CN201510762339.XA 2015-11-10 2015-11-10 SDN-based data transmission method, SDN controller and SDN system Active CN106685903B (en)
Publications (2)

Publication Number Publication Date
CN106685903A CN106685903A (en) 2017-05-17
CN106685903B true CN106685903B (en) 2021-04-09

Family

ID=58863896

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant