CN107113280A - A kind of network control method and virtual switch - Google Patents

A kind of network control method and virtual switch


Publication number
CN107113280A
Authority
CN
China
Prior art keywords
message
virtual switch
validity
identification information
stream identification
Legal status
Pending
Application number
CN201480084433.8A
Other languages
Chinese (zh)
Inventor
李太安
李明
吴天议
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN107113280A
Legal status: Pending (current)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention provide a network control method that can save server CPU resources, reduce server CPU power consumption, shorten system delay and improve the efficiency of packet processing. In the network control method provided in an embodiment of the invention, a first virtual switch of a destination VM receives a first packet sent by a source virtual machine (VM). The first virtual switch is configured with a security group rule; it obtains the flow identification information of the first packet and judges the validity of the first packet according to the security group rule and the flow identification information of the first packet. If the first packet is determined to be invalid, a second packet is sent to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid. The invention also provides a related virtual switch and server.

Description

Network control method and virtual switch
Technical field
The present invention relates to the communications field, and in particular to a network control method and a virtual switch.
Background art
A distributed denial of service (DDoS, Distributed Denial of Service) attack is an attack technique in which a hacker attacks a designated website from dispersed attack sources: multiple computers are joined together as an attack platform and attack packets are sent to one or more targets, which multiplies the power of the denial of service attack, overloads the server and leaves it unable to serve normal requests.
To solve this problem, in the prior art an administrator deploys a virtual switch (vSwitch) in the server and configures the virtual switch with a security group rule. A security group rule is a rule for judging whether a packet is safe: every time the virtual switch of the server receives a packet, it determines the safety of the packet according to the security group rule; only packets that pass the security group rule judgement are forwarded by the virtual switch to a virtual machine (VM, Virtual Machine) in the server, and packets that fail the judgement are dropped directly. In this way the VMs in the server do not have to process attack packets, and the probability of server overload is reduced.
However, in a DDoS scenario there is a large number of attack packets, and the security group rule must judge every one of them. This consumes a large amount of processor (CPU, Central Processing Unit) resources, so normal packets may not get processed because CPU resources are exhausted.
Summary of the invention
The embodiments of the invention provide a network control method, a virtual switch and a server, which can save server CPU resources, reduce server CPU power consumption, shorten system delay and improve the efficiency of packet processing.
A first aspect of the embodiments of the invention provides a network control method, comprising:
a first virtual switch of a destination virtual machine (VM) receives a first packet sent by a source VM;
the first virtual switch is configured with a security group rule; the first virtual switch obtains the flow identification information of the first packet and judges the validity of the first packet according to the security group rule and the flow identification information of the first packet;
if the first virtual switch determines, according to the security group rule and the flow identification information of the first packet, that the first packet is invalid, the first virtual switch sends a second packet to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid.
With reference to the first aspect, in a first implementation of the first aspect, the first virtual switch is further configured with a flow table, the flow table recording the judgement results of the security group rule on the validity of different packets, and before judging the validity of the first packet according to the security group rule and the flow identification information of the first packet, the method further comprises:
the first virtual switch searches the flow table for the validity of the first packet according to the flow identification information of the first packet;
if the first virtual switch does not find the validity of the first packet in the flow table, it triggers the step of judging the validity of the first packet according to the security group rule and the flow identification information of the first packet;
if the first virtual switch finds the validity of the first packet in the flow table and the validity of the first packet is valid, the first virtual switch sends the first packet to the destination VM.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, the method further comprises:
if the first virtual switch determines according to the security group rule that the first packet is valid, the first virtual switch records the validity of the first packet in the flow table and sends the first packet to the destination VM;
the first virtual switch sends a third packet to the second virtual switch of the source VM, the third packet indicating that the first packet is valid.
With reference to the first aspect or the first or second implementation of the first aspect, in a third implementation of the first aspect, the flow identification information comprises at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
With reference to the third implementation of the first aspect, in a fourth implementation of the first aspect, the flow identification information further comprises at least one of: a cluster identifier, a data center identifier and a user name of the source VM.
With reference to the fourth implementation of the first aspect, in a fifth implementation of the first aspect, the first packet is a Virtual eXtensible Local Area Network (VXLAN) packet, and the first packet carries at least one of the cluster identifier, the data center identifier and the user name of the source VM in its VXLAN header.
A second aspect of the embodiments of the invention provides a virtual switch. The virtual switch is suitable for a server and is used to manage the packets sent and received by a destination VM in the server. The virtual switch is configured with a security group rule and comprises:
a receiving module, configured to receive a first packet sent by a source virtual machine (VM);
a judgement module, configured to obtain the flow identification information of the first packet and judge the validity of the first packet according to the security group rule and the flow identification information of the first packet;
a first sending module, configured to send a second packet to the virtual switch of the source VM when the judgement module determines, according to the security group rule and the flow identification information of the first packet, that the first packet is invalid, the second packet indicating that the first packet is invalid.
With reference to the second aspect, in a first implementation of the second aspect, the virtual switch is further configured with a flow table, the flow table recording the judgement results of the security group rule on the validity of different packets, and the virtual switch further comprises:
a searching module, configured to search the flow table for the validity of the first packet according to the flow identification information of the first packet before the judgement module judges the validity of the first packet according to the security group rule and the flow identification information of the first packet; if the searching module does not find the validity of the first packet in the flow table, it triggers the judgement module to judge the validity of the first packet according to the security group rule and the flow identification information of the first packet;
the virtual switch further comprises:
a second sending module, configured to send the first packet to the destination VM when the searching module finds the validity of the first packet in the flow table and the validity of the first packet is valid.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the virtual switch further comprises:
a recording module, configured to record the validity of the first packet in the flow table when the judgement module determines according to the security group rule that the first packet is valid, and to trigger the second sending module to send the first packet to the destination VM;
the first sending module is further configured to send a third packet to the virtual switch of the source VM when the judgement module determines according to the security group rule that the first packet is valid, the third packet indicating that the first packet is valid.
With reference to the second aspect or the first or second implementation of the second aspect, in a third implementation of the second aspect, the flow identification information comprises at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
With reference to the third implementation of the second aspect, in a fourth implementation of the second aspect, the flow identification information further comprises at least one of: a cluster identifier, a data center identifier and a user name of the source VM.
With reference to the fourth implementation of the second aspect, in a fifth implementation of the second aspect, the first packet is a Virtual eXtensible Local Area Network (VXLAN) packet, and the first packet carries at least one of the cluster identifier, the data center identifier and the user name of the source VM in its VXLAN header.
A third aspect of the embodiments of the invention provides a server, comprising an input device, an output device, a processor and a memory, where the processor and the memory receive information from outside the server through the input device and send information to the outside of the server through the output device;
wherein the memory stores first program code, the first program code implementing a virtual switch function;
by calling the first program code stored in the memory, the processor is configured to perform the following steps:
receiving a first packet sent by a source virtual machine (VM);
obtaining the flow identification information of the first packet and judging the validity of the first packet according to the security group rule and the flow identification information of the first packet;
if the first packet is determined to be invalid according to the security group rule and the flow identification information of the first packet, sending a second packet to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid.
With reference to the third aspect, in a first implementation of the third aspect, the first program code includes a flow table, the flow table recording the judgement results of the security group rule on the validity of different packets; the memory further stores second program code, the second program code implementing a destination VM function; and by calling the first program code stored in the memory, the processor is further configured to perform the following steps:
searching the flow table for the validity of the first packet according to the flow identification information of the first packet;
if the validity of the first packet is not found in the flow table, triggering the step of judging the validity of the first packet according to the security group rule and the flow identification information of the first packet;
if the validity of the first packet is found in the flow table and the validity of the first packet is valid, sending the first packet to the destination VM.
With reference to the first implementation of the third aspect, in a second implementation of the third aspect, by calling the first program code stored in the memory, the processor is further configured to perform the following steps:
if the first packet is determined to be valid according to the security group rule, recording the validity of the first packet in the flow table and sending the first packet to the destination VM;
sending a third packet to the second virtual switch of the source VM, the third packet indicating that the first packet is valid.
With reference to the third aspect or the first or second implementation of the third aspect, in a third implementation of the third aspect, the flow identification information comprises at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
With reference to the third implementation of the third aspect, in a fourth implementation of the third aspect, the flow identification information further comprises at least one of: a cluster identifier, a data center identifier and a user name of the source VM.
With reference to the fourth implementation of the third aspect, in a fifth implementation of the third aspect, the first packet is a Virtual eXtensible Local Area Network (VXLAN) packet, and the first packet carries at least one of the cluster identifier, the data center identifier and the user name of the source VM in its VXLAN header.
The embodiments of the invention provide a network control method in which a first virtual switch of a destination VM receives a first packet sent by a source VM; the first virtual switch is configured with a security group rule, obtains the flow identification information of the first packet, and judges the validity of the first packet according to the security group rule and the flow identification information of the first packet; if the first packet is determined to be invalid, a second packet is sent to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid. With this method the second virtual switch learns and records the validity of the first packet; if the first packet is invalid, the second virtual switch will no longer send packets that have the same flow identification information as the first packet, which reduces the amount of packet data on which the first virtual switch has to perform the security group judgement and saves server CPU resources. Therefore, the method provided by the embodiments of the invention can save server CPU resources, reduce server CPU power consumption, shorten system delay and improve the efficiency of packet processing.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network control principle in the current technology;
Fig. 2 is a schematic diagram of the network control principle in an embodiment of the invention;
Fig. 3 is a flow chart of one embodiment of the network control method of the invention;
Fig. 4 is a flow chart of another embodiment of the network control method of the invention;
Fig. 5 is a structural diagram of one embodiment of the virtual switch of the invention;
Fig. 6 is a structural diagram of another embodiment of the virtual switch of the invention;
Fig. 7 is a structural diagram of one embodiment of the server of the invention.
Detailed description of the embodiments
The embodiments of the invention provide a network control method that can save server CPU resources, reduce server CPU power consumption, shorten system delay and improve the efficiency of packet processing. The invention also provides a related virtual switch and server; each is described below.
A VM is a computer system simulated by software on a server, with the functions of a complete hardware system; one or more VMs can be deployed on one server. A virtual switch is a functional software layer, partitioned on the server between the hardware and the operating system, which manages packet sending and receiving between VMs in the same server or between VMs of different servers. It should be understood that multiple VMs in the same server can share one virtual switch.
The principle of network control in the current technology is shown in Fig. 1. Whether sent by a malicious VM or by a user VM, a packet addressed to the destination VM must pass the validity judgement of the virtual switch of the destination VM. Specifically, the virtual switch of the destination VM is configured with a security group rule and judges the validity of received packets according to that rule. For a normal packet sent by a user VM, the virtual switch of the destination VM determines according to the security group rule that the packet is valid and forwards it to the destination VM. For an attack packet sent by a malicious VM, the virtual switch of the destination VM determines according to the security group rule that the packet is invalid and does not forward it to the destination VM. This method requires the virtual switch of the destination VM to perform a security judgement on every packet received. To reduce the number of security judgements performed by the virtual switch of the destination VM and save CPU resources of the destination server, the embodiments of the invention improve on the prior-art principle as shown in Fig. 2:
In the schematic diagram of Fig. 2, when the virtual switch of the destination VM receives the first attack packet (in the embodiments of the invention the first packet of a sequence is called the "first-reported packet", so the first-reported attack packet is the first attack packet), it determines according to the security group rule that the first attack packet is invalid, and then notifies the virtual switch of the malicious VM that sent the attack packet that the first attack packet is invalid. Once the virtual switch of the malicious VM has learned that the first attack packet is invalid, it will not send subsequent attack packets to the destination VM.
The following explains how the virtual switch of the malicious VM can intercept subsequent attack packets. Packets in a network usually carry flow identification information; specifically, the flow identification information may include one or more of a source IP (Internet Protocol) address, a destination IP address, an IP protocol type, a source port number and a destination port number. The flow identification information is the basis on which the security group rule judges the validity of a packet. Generally, packets belonging to the same flow have identical flow identification information, so when a virtual switch judges the validity of packets of the same flow according to the security group rule, the judgement results are also identical. If a virtual switch records the results of its security group rule validity judgements on packets, a flow table is obtained. Taking flow identification information consisting of source IP address, destination IP address, IP protocol type, source port number and destination port number as an example, the structure of the flow table is shown in Table 1, where Table 1 is only an illustration of the flow table structure and is not necessarily the real structure in which the flow table is stored in the virtual switch:
Table 1
In the flow table structure shown in Table 1, each row is one entry, and the different entries record the judgement results of the security group rule on the validity of packets with different flow identification information. For example, the entry in the first row indicates that for a packet whose flow identification information comprises source IP address A, destination IP address A, IP protocol type A, source port number A and destination port number A, the security group rule's judgement of its validity is "valid".
The virtual switches of the VMs in the network can all be configured with a flow table. Thus, after the virtual switch of the malicious VM has learned that the first attack packet is invalid, it can record the flow identification information of the first attack packet in its own flow table, with the validity corresponding to that flow identification information recorded as invalid. Then, when the malicious VM generates subsequent attack packets, since these belong to the same flow as the first attack packet and have the same flow identification information, the virtual switch of the malicious VM can tell that the subsequent attack packets are invalid and will not send them to the destination VM. In this way large numbers of attack packets are intercepted at the virtual switch of the malicious VM, without the virtual switch of the destination VM having to perform the security judgement.
Optionally, the virtual switch of the destination VM can also be configured with a flow table that records the judgement results of the security group rule on the validity of different packets. When the virtual switch of the destination VM receives a packet, it can first search its configured flow table for the validity of the received packet and judge according to the security group rule only if nothing is found. Since searching a flow table is simpler and cheaper than judging according to the security group rule, this further saves CPU resources of the destination server.
Based on the principle shown in Fig. 2, the network control method provided in an embodiment of the invention can be expressed as the following basic procedure, shown in Fig. 3:
301. The first virtual switch of the destination VM receives the first packet sent by the source VM.
In this embodiment the first virtual switch is the virtual switch of the destination VM; the first virtual switch and the destination VM are both located in the destination server, and the first virtual switch receives the first packet sent by the source VM.
302. The first virtual switch obtains the flow identification information of the first packet and judges the validity of the first packet according to the security group rule and the flow identification information of the first packet.
303. If the first virtual switch determines according to the security group rule that the first packet is invalid, the first virtual switch sends a second packet to the second virtual switch of the source VM, where the second virtual switch is the virtual switch of the source VM and the second packet indicates that the first packet is invalid.
In the network control method provided in this embodiment, the second virtual switch learns and records the validity of the first packet; if the first packet is invalid, the second virtual switch will no longer send packets that have the same flow identification information as the first packet, which reduces the amount of packet data on which the first virtual switch has to perform the security group judgement and saves CPU resources of the destination server. Therefore, the method provided by the embodiments of the invention can save CPU resources of the destination server, reduce the power consumption of the destination server CPU, shorten system delay and improve the efficiency of packet processing.
Optionally, as another embodiment of the invention, if the first virtual switch is also configured with a flow table, the network control method provided by the invention can be extended to the procedure shown in Fig. 4:
401. The first virtual switch of the destination VM receives the first packet sent by the source VM.
402. The first virtual switch obtains the flow identification information of the first packet and searches the flow table for the validity of the first packet according to the flow identification information of the first packet.
In this embodiment the first virtual switch is configured with a flow table. The first virtual switch obtains the flow identification information of the first packet and searches its own flow table for the validity of the first packet according to that flow identification information. If the first virtual switch finds in its own flow table that the validity of the first packet is valid, step 403 is performed; if the validity of the first packet is not found, step 404 is performed.
403. The first virtual switch sends the first packet to the destination VM.
404. The first virtual switch judges the validity of the first packet according to the security group rule and the flow identification information of the first packet.
If the first virtual switch determines according to the security group rule and the flow identification information of the first packet that the first packet is invalid, step 405 is performed; if it determines that the first packet is valid, step 406 is performed.
405. The first virtual switch sends a second packet to the second virtual switch of the source VM.
If the first virtual switch determines according to the security group rule and the flow identification information of the first packet that the first packet is invalid, the first virtual switch sends a second packet to the second virtual switch of the source VM, the second packet indicating that the first packet is invalid. From the second packet the second virtual switch can learn that the validity of the first packet is invalid, and it will no longer send packets that have the same flow identification information as the first packet. Here the second virtual switch is the virtual switch of the source VM.
406. The first virtual switch records the validity of the first packet in the flow table and sends the first packet to the destination VM.
If the first virtual switch determines according to the security group rule and the flow identification information of the first packet that the first packet is valid, the first virtual switch records the validity of the first packet in its own flow table and sends the first packet to the destination VM.
By recording the validity of the first packet in the flow table, the first virtual switch can update its configured flow table autonomously. However, recording the validity of the first packet in the flow table is an optional operation; in this embodiment the first virtual switch may also omit the recording operation.
407. The first virtual switch sends a third packet to the second virtual switch of the source VM.
The first virtual switch sends a third packet to the second virtual switch of the source VM, the third packet indicating that the first packet is valid. Step 407 is optional; in this embodiment the first virtual switch may also omit step 407. The order of steps 406 and 407 is not limited: if the first virtual switch determines according to the security group rule and the flow identification information of the first packet that the first packet is valid, it may also perform step 407 first and then step 406; no limitation is imposed here.
In the method provided in this embodiment, after receiving the first packet the first virtual switch first searches its own flow table for the validity of the first packet, and performs the security judgement according to the security group rule only if nothing is found. This allows the first virtual switch to replace part of the security judgements with flow table lookups. Since a flow table lookup is simpler and cheaper than a judgement according to the security group rule, the method provided in this embodiment can further save CPU resources of the destination server.
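As an added illustration (example code written for this page, not part of the patent or of any Huawei implementation), the following Python model runs the Fig. 4 procedure end to end: a destination-side switch that looks up its flow table before consulting the security group rule, and source-side switches that record the verdict they are told and drop later packets of a known-invalid flow before they leave the source server. The security group rule is modelled as an allow-list of (destination IP, protocol, destination port) triples, the second and third packets are modelled as a direct method call between switches, and every address, port and packet count is constructed; none of these details are fixed by the patent.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Flow identification information: the five-tuple the flow table is keyed on.
@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    proto: str      # IP protocol type, e.g. "TCP" or "UDP"
    src_port: int
    dst_port: int


@dataclass
class Packet:
    key: FlowKey
    payload: bytes = b""


class SecurityGroupRule:
    """Security group rule modelled as an allow-list of (dst_ip, proto, dst_port).

    The rule shape is an assumption of this example; the patent only says the
    rule judges validity from the flow identification information.
    """

    def __init__(self, allowed: Set[Tuple[str, str, int]]):
        self.allowed = allowed
        self.evaluations = 0            # how often the expensive judgement ran

    def is_valid(self, key: FlowKey) -> bool:
        self.evaluations += 1
        return (key.dst_ip, key.proto, key.dst_port) in self.allowed


class VirtualSwitch:
    """One virtual switch; every switch keeps a flow table (FlowKey -> validity)."""

    def __init__(self, name: str, rule: Optional[SecurityGroupRule] = None):
        self.name = name
        self.rule = rule                              # only the destination side needs one
        self.flow_table: Dict[FlowKey, bool] = {}
        self.delivered: List[Packet] = []             # packets handed to the local destination VM

    # Steps 402-407: the first (destination-side) virtual switch.
    def receive(self, pkt: Packet, source_switch: "VirtualSwitch") -> bool:
        key = pkt.key
        validity = self.flow_table.get(key)           # 402: flow table lookup first
        if validity is None:
            if self.rule is None:
                raise RuntimeError("destination-side switch needs a security group rule")
            validity = self.rule.is_valid(key)        # 404: security group judgement
            self.flow_table[key] = validity           # 406: record the verdict (optional in the text)
            source_switch.learn(key, validity)        # 405 (second packet) / 407 (third packet)
        if validity:
            self.delivered.append(pkt)                # 403 / 406: forward to the destination VM
        return validity

    # The second (source-side) virtual switch records the verdict it was told.
    def learn(self, key: FlowKey, validity: bool) -> None:
        self.flow_table[key] = validity

    # Source side: a packet from the local VM is dropped here if its flow is known invalid.
    def send(self, pkt: Packet, dst_switch: "VirtualSwitch") -> str:
        if self.flow_table.get(pkt.key) is False:
            return "dropped_at_source"
        return "forwarded" if dst_switch.receive(pkt, self) else "dropped_at_destination"


def simulate(n_attack: int = 1000, n_user: int = 10) -> Dict[str, int]:
    """Constructed scenario: one malicious VM and one user VM sending to one destination VM."""
    rule = SecurityGroupRule(allowed={("10.0.0.2", "TCP", 443)})    # constructed allow-list
    dst_sw = VirtualSwitch("destination", rule)
    attacker_sw = VirtualSwitch("malicious-vm-side")
    user_sw = VirtualSwitch("user-vm-side")
    attack_key = FlowKey("10.0.0.9", "10.0.0.2", "UDP", 4444, 53)    # constructed, not allowed
    user_key = FlowKey("10.0.0.5", "10.0.0.2", "TCP", 51000, 443)    # constructed, allowed
    counts = {"forwarded": 0, "dropped_at_source": 0, "dropped_at_destination": 0}
    for _ in range(n_attack):
        counts[attacker_sw.send(Packet(attack_key), dst_sw)] += 1
    for _ in range(n_user):
        counts[user_sw.send(Packet(user_key), dst_sw)] += 1
    counts["rule_evaluations"] = rule.evaluations
    counts["delivered_to_vm"] = len(dst_sw.delivered)
    return counts


if __name__ == "__main__":
    print(simulate())
```

The counts returned by simulate() make the claimed saving visible: the security group rule runs once per flow rather than once per packet, the first attack packet is dropped at the destination and every later one at the source, while the user flow is delivered after a single judgement. Two properties a practitioner would check before relying on such a scheme are also visible in the model: learn() should only accept verdicts from an authenticated peer switch, since a forged "invalid" notice would let a legitimate flow be suppressed at its source; and the cache is keyed on the exact flow identification information, so traffic whose identification changes on every packet misses the flow table each time and still reaches the security group rule, which is why per-flow caching is normally paired with rate limiting or wildcard entries.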
Particularly, in stream identification information in addition to include source IP address, purpose IP address, IP protocol type, source port number and destination slogan in it is one or more other than, it can also include one or more, the judgment basis of the extension as secure group rule in the cluster identity, data center's mark and user name of source VM. It should be understood that the structure of flow table should be also extended with stream identification information.For example, the structure of flow table after extension please refers to table 2 if including source IP address, purpose IP address, IP protocol type, source port number, destination slogan, cluster identity and user name in stream identification information after extension:
Table 2
Generally, the first message may be a virtual extensible local area network (VXLAN, Virtual eXtensible Local Area Network) message, and the first message carries one or more of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
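Extracting the flow identification information from a VXLAN message, as an added example that is not code from the patent: it parses the standard VXLAN header and the inner Ethernet, IPv4 and TCP/UDP headers for the five-tuple named above. The page does not say how the cluster identity, data center identity and user name are encoded in the VXLAN header, so the example takes those three from the caller instead of decoding them; the sample packet is constructed inline.

```python
"""Flow identification of a VXLAN-encapsulated message (added example).

Parses the VXLAN header (RFC 7348) and the inner Ethernet/IPv4/L4 headers
to build the five-tuple. The tenant fields (cluster identity, data center
identity, user name) are supplied by the caller: the page states that the
VXLAN header carries them but not how, so no encoding is assumed here.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Tuple

VXLAN_FLAG_VNI_VALID = 0x08        # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class FlowId:
    """Extended flow identification (Table 2 plus data center identity).

    frozen=True makes it hashable, so it can key a flow table directly."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    cluster_id: str
    dc_id: str
    user: str


def parse_vxlan_flow(pkt: bytes, cluster_id: str, dc_id: str, user: str) -> Tuple[int, FlowId]:
    """pkt starts at the VXLAN header (the outer UDP payload). Returns (VNI, FlowId)."""
    if len(pkt) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_bytes, _reserved = struct.unpack("!B3x3sB", pkt[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI not valid")
    vni = int.from_bytes(vni_bytes, "big")

    inner = pkt[8:]                                   # inner Ethernet frame
    if len(inner) < 14:
        raise ValueError("truncated inner Ethernet header")
    (ethertype,) = struct.unpack("!H", inner[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported inner ethertype 0x{ethertype:04x}")

    ip = inner[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not a complete IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                          # header length incl. options
    proto_num = ip[9]
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])

    l4 = ip[ihl:]
    if proto_num not in PROTO_NAMES or len(l4) < 4:
        raise ValueError("inner L4 header unsupported or truncated")
    src_port, dst_port = struct.unpack("!HH", l4[:4])  # same offsets for TCP and UDP
    return vni, FlowId(src_ip, dst_ip, PROTO_NAMES[proto_num], src_port, dst_port,
                       cluster_id, dc_id, user)


def build_sample(vni: int, src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed test input: VXLAN header + inner Ethernet/IPv4/L4 with a dummy payload."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4 + b"constructed payload"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return vxlan + eth + ip + l4


if __name__ == "__main__":
    sample = build_sample(5001, "10.0.1.5", "10.0.2.7", 6, 40000, 443)
    print(parse_vxlan_flow(sample, "cluster-1", "dc-east", "alice"))
```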
The embodiment above explains the basic procedure of the network control method provided by the present invention; a specific application scenario is described below as an example.
A user VM and a malicious VM exist in the network, and both send messages to the virtual switch of the destination VM at the same time. The virtual switch of the destination VM receives message 1 sent by the malicious VM and message 2 sent by the user VM.
The virtual switch of the destination VM stores flow table A. It obtains the flow identification information of message 1, which specifically includes: source IP address 1, destination IP address 1, IP protocol type 1, source port number 1, destination port number 1, cluster identity 1, data center identity 1 and user name 1. In flow table A, the virtual switch of the destination VM finds that the validity corresponding to the flow identification information of message 1 is invalid, so it sends a message to the virtual switch of the malicious VM informing it that message 1 is invalid. The virtual switch of the malicious VM stores flow table B, in which it records the flow identification information of message 1 together with its validity, invalid. When the malicious VM attempts to send subsequent messages to the destination VM, its virtual switch first looks up the validity of these messages in flow table B. If their flow identification information is identical to that of message 1, the virtual switch of the malicious VM determines that they are invalid and intercepts them at the malicious VM's end instead of sending them to the destination VM.
The virtual switch of the destination VM obtains the flow identification information of message 2, which specifically includes: source IP address 2, destination IP address 2, IP protocol type 2, source port number 2, destination port number 2, cluster identity 2, data center identity 2 and user name 2. It does not find the validity corresponding to the flow identification information of message 2 in flow table A, so it judges the validity of message 2 according to the security group rule and the flow identification information of message 2. The result is that message 2 is valid; the virtual switch of the destination VM then sends message 2 to the destination VM and records the flow identification information of message 2 together with its validity, valid, in flow table A. The virtual switch of the destination VM also sends a message to the virtual switch of the user VM informing it that message 2 is valid. The virtual switch of the user VM stores flow table C, in which it records the flow identification information of message 2 together with its validity, valid. When the user VM needs to send subsequent messages to the destination VM, its virtual switch first looks up the validity of these messages in flow table C. If their flow identification information is identical to that of message 2, the virtual switch of the user VM determines that they are valid and sends them to the destination VM.
An embodiment of the present invention also provides a corresponding virtual switch. The virtual switch is suitable for a server, is configured with a security group rule, and implements the procedure of the embodiment shown in Fig. 3 or Fig. 4. The server on which the virtual switch is located is called the destination server, and the virtual switch manages the messages sent and received by the destination VM on that server. Its basic structure 500, referring to Fig. 5, includes:
a receiving module 501, configured to receive a first message sent by a source virtual machine VM;
a judgment module 502, configured to obtain the flow identification information of the first message and to judge the validity of the first message according to the security group rule and the flow identification information of the first message;
a first sending module 503, configured to send a second message to the virtual switch of the source VM when the judgment module 502 determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid; the second message indicates that the first message is invalid.
In the virtual switch provided in this embodiment, the receiving module 501 receives the first message sent by the source VM; the judgment module 502 obtains the flow identification information of the first message and judges its validity according to the security group rule and that flow identification information; if the judgment module 502 determines that the first message is invalid, the first sending module 503 sends to the virtual switch of the source VM a second message indicating that the first message is invalid. The virtual switch of the source VM can thereby learn and record the validity of the first message; if the first message is invalid, it will not send subsequent messages whose flow identification information is the same as that of the first message. This reduces the amount of message data on which the virtual switch of the destination VM must perform security group judgments and saves CPU resources on the destination server. The virtual switch provided by the embodiment of the present invention therefore saves destination server CPU resources, reduces the power consumption of the destination server CPU, shortens the system delay and improves message processing efficiency.
Optionally, the virtual switch provided in an embodiment of the present invention may be configured with a flow table that records the judging results of the security group rule on the validity of different messages. The structure of a virtual switch 600 configured with a flow table is shown in Fig. 6:
a receiving module 601, configured to receive a first message sent by a source virtual machine VM;
a judgment module 602, configured to obtain the flow identification information of the first message and to judge the validity of the first message according to the security group rule and the flow identification information of the first message;
a lookup module 603, configured to look up the validity of the first message in the flow table according to its flow identification information before the judgment module judges the validity of the first message according to the security group rule and the flow identification information. If the lookup module 603 does not find the validity of the first message in the flow table, it triggers the judgment module 602 to perform the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message;
a first sending module 604, configured to send a second message to the virtual switch of the source VM when the judgment module 602 determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid; the second message indicates that the first message is invalid. From the second message, the virtual switch of the source VM learns that the first message is invalid and does not retransmit messages having the same flow identification information as the first message.
a second sending module 605, configured to send the first message to the destination VM when the lookup module 603 finds the validity of the first message in the flow table and that validity is valid.
Optionally, in this embodiment the virtual switch may also include a recording module 606, configured to record the validity of the first message in the flow table when the judgment module 602 determines according to the security group rule that the first message is valid, so as to realize the autonomous update of the flow table configured in the virtual switch, and to trigger the second sending module 605 to send the first message to the destination VM;
Optionally, in this embodiment the first sending module 604 is further configured to send a third message to the virtual switch of the source VM when the judgment module 602 determines according to the security group rule that the first message is valid; the third message indicates that the first message is valid. From the third message, the virtual switch of the source VM learns that the first message is valid and may then send subsequent messages having the same flow identification information as the first message.
In particular, besides one or more of the source IP address, destination IP address, IP protocol type, source port number and destination port number, the flow identification information may also include one or more of the cluster identity, data center identity and user name, as an extended basis for the determination by the security group rule. It should be understood that the structure of the flow table is extended together with the flow identification information.
Generally, the first message may be a virtual extensible local area network (VXLAN, Virtual eXtensible Local Area Network) message, and the first message carries the cluster identity, data center identity and/or user name of the source VM in the VXLAN header.
The embodiment above explains the basic structure of the virtual switch provided by the present invention; a specific application scenario is described below as an example.
A user VM and a malicious VM exist in the network, and both send messages to the virtual switch of the destination VM at the same time. The receiving module 601 of the virtual switch of the destination VM receives message 1 sent by the malicious VM and message 2 sent by the user VM.
The virtual switch of the destination VM stores flow table A. The judgment module 602 obtains the flow identification information of message 1, which specifically includes: source IP address 1, destination IP address 1, IP protocol type 1, source port number 1, destination port number 1, cluster identity 1, data center identity 1 and user name 1. The lookup module 603 finds in flow table A that the validity corresponding to the flow identification information of message 1 is invalid, so the first sending module 604 sends a message to the virtual switch of the malicious VM informing it that message 1 is invalid. The virtual switch of the malicious VM stores flow table B, in which it records the flow identification information of message 1 together with its validity, invalid. When the malicious VM attempts to send subsequent messages to the destination VM, its virtual switch first looks up the validity of these messages in flow table B. If their flow identification information is identical to that of message 1, the virtual switch of the malicious VM determines that they are invalid and intercepts them at the malicious VM's end instead of sending them to the destination VM.
The judgment module 602 of the virtual switch of the destination VM obtains the flow identification information of message 2, which specifically includes: source IP address 2, destination IP address 2, IP protocol type 2, source port number 2, destination port number 2, cluster identity 2, data center identity 2 and user name 2. The lookup module 603 does not find the validity corresponding to the flow identification information of message 2 in flow table A, so the judgment module 602 judges the validity of message 2 according to the security group rule and the flow identification information of message 2. The result is that message 2 is valid; the second sending module 605 then sends message 2 to the destination VM, and the recording module 606 records the flow identification information of message 2 together with its validity, valid, in flow table A. The first sending module 604 also sends a message to the virtual switch of the user VM informing it that message 2 is valid. The virtual switch of the user VM stores flow table C, in which it records the flow identification information of message 2 together with its validity, valid. When the user VM needs to send subsequent messages to the destination VM, its virtual switch first looks up the validity of these messages in flow table C. If their flow identification information is identical to that of message 2, the virtual switch of the user VM determines that they are valid and sends them to the destination VM.
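The two-switch procedure of the scenario above (described once for the method and again for the module-structured switch), together with the extended flow identification of Table 2, as an added example in Python that is not the patent's code. The security group rule format (per-field match with wildcards, first match wins, default deny), the IP addresses and user names, and the delivery of messages as direct function calls are assumptions made for illustration.

```python
"""Destination-side security group check with flow-table caching, and the
feedback (second/third message) to the source VM's virtual switch (added example).

FlowId is the extended flow identification: five-tuple plus cluster identity,
data center identity and user name. Rule format and transport are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src_ip, dst_ip, proto, src_port, dst_port, cluster_id, dc_id, user)
FlowId = Tuple[str, str, str, int, int, str, str, str]
FIELDS = ("src_ip", "dst_ip", "proto", "src_port", "dst_port", "cluster_id", "dc_id", "user")


@dataclass
class Rule:
    allow: bool
    match: Dict[str, object]      # field -> required value; an absent field is a wildcard

    def matches(self, flow: FlowId) -> bool:
        return all(flow[FIELDS.index(k)] == v for k, v in self.match.items())


def evaluate_security_group(rules: List[Rule], flow: FlowId) -> bool:
    """Assumed rule semantics: first matching rule decides; no match means invalid."""
    for rule in rules:
        if rule.matches(flow):
            return rule.allow
    return False


@dataclass
class Feedback:
    """Second message (valid=False) or third message (valid=True) to the source switch."""
    flow: FlowId
    valid: bool


class DestinationSwitch:
    """First virtual switch: serves the destination VM and owns flow table A."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flow_table: Dict[FlowId, bool] = {}
        self.rule_evaluations = 0
        self.delivered: List[str] = []

    def receive(self, flow: FlowId, payload: str) -> Feedback:
        verdict = self.flow_table.get(flow)         # look up the flow table first
        if verdict is None:                         # miss: fall back to the security group rule
            verdict = evaluate_security_group(self.rules, flow)
            self.rule_evaluations += 1
            self.flow_table[flow] = verdict         # record the verdict (autonomous update)
        if verdict:
            self.delivered.append(payload)          # forward to the destination VM
        return Feedback(flow, verdict)              # tell the source switch either way


class SourceSwitch:
    """Second virtual switch: serves a source VM and caches verdicts it is told about."""

    def __init__(self, dest: DestinationSwitch):
        self.dest = dest
        self.flow_table: Dict[FlowId, bool] = {}    # flow table B or C
        self.dropped_at_source: List[str] = []

    def send(self, flow: FlowId, payload: str) -> None:
        if self.flow_table.get(flow) is False:      # known-invalid flow: intercept at the source end
            self.dropped_at_source.append(payload)
            return
        feedback = self.dest.receive(flow, payload)
        self.flow_table[feedback.flow] = feedback.valid


def run_scenario() -> dict:
    """The page's scenario: a malicious VM and a user VM each send three messages."""
    rules = [Rule(allow=True, match={"dst_ip": "10.0.2.7", "proto": "tcp", "dst_port": 443,
                                      "cluster_id": "cluster-1", "user": "alice"})]
    dest = DestinationSwitch(rules)
    malice_switch, user_switch = SourceSwitch(dest), SourceSwitch(dest)
    # Constructed flows: same destination and port, different source identity.
    flow1: FlowId = ("10.0.1.9", "10.0.2.7", "tcp", 51000, 443, "cluster-1", "dc-east", "mallory")
    flow2: FlowId = ("10.0.1.5", "10.0.2.7", "tcp", 40000, 443, "cluster-1", "dc-east", "alice")
    for i in range(3):
        malice_switch.send(flow1, f"malice-{i}")
        user_switch.send(flow2, f"user-{i}")
    return {
        "rule_evaluations": dest.rule_evaluations,   # one per distinct flow, not per message
        "delivered": dest.delivered,
        "dropped_at_source": malice_switch.dropped_at_source,
        "flow_table_A": dict(dest.flow_table),
        "flow_table_B": dict(malice_switch.flow_table),
        "flow_table_C": dict(user_switch.flow_table),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```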
The virtual switch in the embodiment of the present invention has been described above from the perspective of modular functional entities; the server on which the virtual switch is located is described below from the perspective of hardware processing. Referring to Fig. 7, another embodiment of a server 700 in the embodiment of the present invention includes:
an input device 701, an output device 702, a processor 703 and a memory 704 (the server 700 may contain one or more processors 703; Fig. 7 takes one processor 703 as an example). The processor 703 and the memory 704 receive information from outside the server through the input device 701 and send information to the outside of the server through the output device 702. In some embodiments of the present invention, the input device 701, output device 702, processor 703 and memory 704 may be connected by a bus or by other means; Fig. 7 shows a bus connection.
The memory 704 stores first program code and second program code. The first program code implements the virtual switch function and the second program code implements the destination virtual machine VM function. By calling the first program code stored in the memory 704, the processor 703 performs the following steps:
receiving a first message sent by a source virtual machine VM;
obtaining the flow identification information of the first message, and judging the validity of the first message according to the security group rule and the flow identification information of the first message;
if it is determined according to the security group rule and the flow identification information of the first message that the first message is invalid, sending a second message to the second virtual switch of the source VM, the second message indicating that the first message is invalid.
In some embodiments of the present invention, a flow table is also configured in the first program code; the flow table records the judging results of the security group rule on the validity of different messages, and the processor 703 further performs the following steps:
looking up the validity of the first message in the flow table according to the flow identification information of the first message;
if the validity of the first message is not found in the flow table, triggering the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message;
if the validity of the first message is found in the flow table and is valid, sending the first message to the server.
In some embodiments of the present invention, the processor 703 further performs the following steps:
if it is determined according to the security group rule that the first message is valid, recording the validity of the first message in the flow table and sending the first message to the server;
sending a third message to the second virtual switch of the source VM, the third message indicating that the first message is valid.
In some embodiments of the present invention, the flow identification information includes at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
In some embodiments of the present invention, the flow identification information further includes at least one of: a cluster identity, a data center identity and a user name.
In some embodiments of the present invention, the first message is a virtual extensible local area network VXLAN message, and the first message carries one or more of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system and method may be implemented in other ways. For example, the system embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, modules or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or the whole or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in the various embodiments of the present invention. The foregoing storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk, an optical disc, or any other medium capable of storing program code.

Claims (18)

  1. A network control method, characterized by comprising:
    a first virtual switch of a destination virtual machine VM receiving a first message sent by a source VM;
    the first virtual switch being configured with a security group rule, the first virtual switch obtaining flow identification information of the first message and judging the validity of the first message according to the security group rule and the flow identification information of the first message;
    if the first virtual switch determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid, the first virtual switch sending a second message to a second virtual switch of the source VM, the second message indicating that the first message is invalid.
  2. The network control method according to claim 1, characterized in that the first virtual switch is further configured with a flow table, the flow table recording the judging results of the security group rule on the validity of different messages, and that, before the judging of the validity of the first message according to the security group rule and the flow identification information of the first message, the method further comprises:
    the first virtual switch looking up the validity of the first message in the flow table according to the flow identification information of the first message;
    if the first virtual switch does not find the validity of the first message in the flow table, triggering the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message;
    if the first virtual switch finds the validity of the first message in the flow table and the validity of the first message is valid, the first virtual switch sending the first message to the destination VM.
  3. The network control method according to claim 2, characterized in that the method further comprises:
    if the first virtual switch determines according to the security group rule that the first message is valid, the first virtual switch recording the validity of the first message in the flow table and sending the first message to the destination VM;
    the first virtual switch sending a third message to the second virtual switch of the source VM, the third message indicating that the first message is valid.
  4. The network control method according to any one of claims 1 to 3, characterized in that the flow identification information includes at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
  5. The network control method according to claim 4, characterized in that the flow identification information further includes at least one of: a cluster identity, a data center identity and a user name of the source VM.
  6. The network control method according to claim 5, characterized in that the first message is a virtual extensible local area network VXLAN message, and the first message carries at least one of the cluster identity, the data center identity and the user name of the source VM in a VXLAN header.
  7. A virtual switch, the virtual switch being suitable for a server and used to manage messages sent and received by a destination VM in the server, the virtual switch being configured with a security group rule, characterized in that the virtual switch comprises:
    a receiving module, configured to receive a first message sent by a source virtual machine VM;
    a judgment module, configured to obtain flow identification information of the first message and to judge the validity of the first message according to the security group rule and the flow identification information of the first message;
    a first sending module, configured to send a second message to a virtual switch of the source VM when the judgment module determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid, the second message indicating that the first message is invalid.
  8. The virtual switch according to claim 7, characterized in that the virtual switch is further configured with a flow table, the flow table recording the judging results of the security group rule on the validity of different messages, and the virtual switch further comprises:
    a lookup module, configured to look up the validity of the first message in the flow table according to the flow identification information of the first message before the judgment module judges the validity of the first message according to the security group rule and the flow identification information of the first message, and, if the lookup module does not find the validity of the first message in the flow table, to trigger the judgment module to perform the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message;
    the virtual switch further comprising:
    a second sending module, configured to send the first message to the destination VM when the lookup module finds the validity of the first message in the flow table and the validity of the first message is valid.
  9. The virtual switch according to claim 8, characterized in that the virtual switch further comprises:
    a recording module, configured to record the validity of the first message in the flow table when the judgment module determines according to the security group rule that the first message is valid, and to trigger the second sending module to send the first message to the destination VM;
    the first sending module being further configured to send a third message to the virtual switch of the source VM when the judgment module determines according to the security group rule that the first message is valid, the third message indicating that the first message is valid.
  10. The virtual switch according to any one of claims 7 to 9, characterized in that the flow identification information includes at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
  11. The virtual switch according to claim 10, characterized in that the flow identification information further includes at least one of: a cluster identity, a data center identity and a user name of the source VM.
  12. The virtual switch according to claim 11, characterized in that the first message is a virtual extensible local area network VXLAN message, and the first message carries at least one of the cluster identity, the data center identity and the user name of the source VM in a VXLAN header.
  13. A server, characterized in that it comprises: an input device, an output device, a processor and a memory, the processor and the memory receiving information from outside the server through the input device, and the processor and the memory sending information to the outside of the server through the output device;
    wherein the memory stores first program code, the first program code implementing a virtual switch function;
    by calling the first program code stored in the memory, the processor is configured to perform the following steps:
    receiving a first message sent by a source virtual machine VM;
    obtaining flow identification information of the first message, and judging the validity of the first message according to a security group rule and the flow identification information of the first message;
    if it is determined according to the security group rule and the flow identification information of the first message that the first message is invalid, sending a second message to a second virtual switch of the source VM, the second message indicating that the first message is invalid.
  14. The server according to claim 13, characterized in that the first program code includes a flow table, the flow table recording the judging results of the security group rule on the validity of different messages, the memory further stores second program code, the second program code implementing a destination VM function, and, by calling the first program code stored in the memory, the processor is further configured to perform the following steps:
    looking up the validity of the first message in the flow table according to the flow identification information of the first message;
    if the validity of the first message is not found in the flow table, triggering the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message;
    if the validity of the first message is found in the flow table and the validity of the first message is valid, sending the first message to the destination VM.
  15. The server according to claim 14, characterized in that, by calling the first program code stored in the memory, the processor is further configured to perform the following steps:
    if it is determined according to the security group rule that the first message is valid, recording the validity of the first message in the flow table and sending the first message to the destination VM;
    sending a third message to the second virtual switch of the source VM, the third message indicating that the first message is valid.
  16. The server according to any one of claims 13 to 15, characterized in that the flow identification information includes at least one of: a source IP address, a destination IP address, an IP protocol type, a source port number and a destination port number.
  17. The server according to claim 16, characterized in that the flow identification information further includes at least one of: a cluster identity, a data center identity and a user name of the source VM.
  18. The server according to claim 17, characterized in that the first message is a virtual extensible local area network VXLAN message, and the first message carries at least one of the cluster identity, the data center identity and the user name of the source VM in a VXLAN header.
Application CN201480084433.8A | Priority date 2014-12-31 | Filing date 2014-12-31 | A kind of network control method and virtual switch | Pending | CN107113280A (en)

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
PCT/CN2014/095988 WO2016106718A1 (en) | 2014-12-31 | 2014-12-31 | Network control method and virtual switch

Publications (1)

Publication Number | Publication Date
CN107113280A (en) | 2017-08-29

Family

ID=56283990

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480084433.8A Pending CN107113280A (en) 2014-12-31 2014-12-31 A kind of network control method and virtual switch

Country Status (2)

Country Link
CN (1) CN107113280A (en)
WO (1) WO2016106718A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112822262A (en) * 2021-01-04 2021-05-18 北京知道创宇信息技术股份有限公司 Message processing method and device, message processing equipment and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111698167B (en) * 2020-04-01 2023-04-07 新华三大数据技术有限公司 Message processing method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101202742A (en) * 2006-12-13 2008-06-18 中兴通讯股份有限公司 Method and system for preventing refusal service attack
CN101494639A (en) * 2008-01-25 2009-07-29 华为技术有限公司 Method and apparatus for preventing aggression in packet communication system
CN103237039A (en) * 2013-05-10 2013-08-07 汉柏科技有限公司 Message forwarding method and message forwarding device
CN103581183A (en) * 2013-10-30 2014-02-12 华为技术有限公司 Virtualization security isolation method and device
CN104007997A (en) * 2013-02-22 2014-08-27 中兴通讯股份有限公司 Virtual machine security group configuration method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080052691A1 (en) * 2006-06-29 2008-02-28 Naveen Neelakantam Communicating with and recovering state information from a dynamic translator
US9276953B2 (en) * 2011-05-13 2016-03-01 International Business Machines Corporation Method and apparatus to detect and block unauthorized MAC address by virtual machine aware network switches
CN102801729B (en) * 2012-08-13 2015-06-17 福建星网锐捷网络有限公司 Virtual machine message forwarding method, network switching equipment and communication system

Patent Citations (5)

Publication number Priority date Publication date Assignee Title
CN101202742A (en) * 2006-12-13 2008-06-18 中兴通讯股份有限公司 Method and system for preventing refusal service attack
CN101494639A (en) * 2008-01-25 2009-07-29 华为技术有限公司 Method and apparatus for preventing aggression in packet communication system
CN104007997A (en) * 2013-02-22 2014-08-27 中兴通讯股份有限公司 Virtual machine security group configuration method and device
CN103237039A (en) * 2013-05-10 2013-08-07 汉柏科技有限公司 Message forwarding method and message forwarding device
CN103581183A (en) * 2013-10-30 2014-02-12 华为技术有限公司 Virtualization security isolation method and device

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN112822262A (en) * 2021-01-04 2021-05-18 北京知道创宇信息技术股份有限公司 Message processing method and device, message processing equipment and storage medium
CN112822262B (en) * 2021-01-04 2022-11-22 北京知道创宇信息技术股份有限公司 Message processing method and device, message processing equipment and storage medium

Also Published As

Publication number Publication date
WO2016106718A1 (en) 2016-07-07

Similar Documents

Publication Publication Date Title
US9124621B2 (en) Security alert prioritization
CN109194680B (en) Network attack identification method, device and equipment
CN114145004B (en) System and method for using DNS messages to selectively collect computer forensic data
CN113228583B (en) Session maturity model with trusted sources
WO2019237813A1 (en) Method and device for scheduling service resource
EP3667532A1 (en) Methods for detecting and mitigating malicious network activity based on dynamic application context and devices thereof
KR102155262B1 (en) Elastic honeynet system and method for managing the same
EP3252647B1 (en) System and method of detecting malicious files on a virtual machine in a distributed network
EP3117334A1 (en) A method and system for generating durable host identifiers using network artifacts
US20180322410A1 (en) System and Method for Vendor Agnostic Automatic Supplementary Intelligence Propagation
US20180124084A1 (en) Network monitoring device and method
CN104509059A (en) Use of primary and secondary connection tables
WO2020187295A1 (en) Monitoring of abnormal host
CN107113280A (en) A kind of network control method and virtual switch
JP6501924B2 (en) Method and server for canceling alert
US20190036949A1 (en) Malicious content detection with retrospective reporting
CN107888624B (en) Method and device for protecting network security
US11057415B1 (en) Systems and methods for dynamic zone protection of networks
EP4113336A1 (en) Detecting and blocking a malicious file early in transit on a network
US20230164149A1 (en) Causing or preventing an update to a network address translation table
US10277467B2 (en) Locating a network cable connector
US20230042816A1 (en) Method and system for blockchain-based cyber security management
US11960943B2 (en) Event log management
EP4198726A1 (en) Event log management
CN117155645A (en) Network sharing permission judging method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20170829)