CN107113280A - Network control method and virtual switch - Google Patents
Network control method and virtual switch
- Publication number: CN107113280A (application number CN201480084433.8A)
- Authority
- CN
- China
- Prior art keywords
- packet
- virtual switch
- validity
- identification information
- flow identification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the invention provide a network control method that can save server CPU resources, reduce server CPU power consumption, shorten system latency and improve packet-processing efficiency. In the method, a first virtual switch of a destination VM receives a first packet sent by a source virtual machine (VM); the first virtual switch is configured with security group rules, obtains the flow identification information of the first packet, and judges the validity of the first packet according to the security group rules and that flow identification information; if the first packet is determined to be invalid, a second packet is sent to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid. The invention also provides a related virtual switch and server.
Description
The present invention relates to the communications field, and in particular to a network control method and a virtual switch.
A distributed denial-of-service (DDoS) attack is an attack on a designated target in which the attack sources are dispersed: the attacker combines multiple computers into an attack platform that sends attack packets to one or more targets, multiplying the effect of a denial-of-service attack, overloading the server and leaving it unable to serve legitimate requests.
To address this problem, the prior art has the administrator deploy a virtual switch (vSwitch) on the server and configure it with security group rules. A security group rule is a rule for deciding whether a packet is safe. Each time the server's virtual switch receives a packet, it judges the packet's safety against the security group rules; only packets that pass the security group rules are forwarded by the virtual switch to the virtual machine (VM) in the server, and packets that fail are dropped directly. This ensures that the VMs in the server do not have to process attack packets and reduces the probability of server overload.
However, in a DDoS scenario there are a large number of attack packets, and the security group rules must judge every one of them, consuming a large amount of central processing unit (CPU) resources, so that normal packets may go unprocessed because CPU resources are exhausted.
Summary of the invention
Embodiments of the invention provide a network control method, a virtual switch and a server that can save server CPU resources, reduce server CPU power consumption, shorten system latency and improve packet-processing efficiency.
A first aspect of the embodiments provides a network control method, comprising:
a first virtual switch of a destination virtual machine (VM) receives a first packet sent by a source VM;
the first virtual switch is configured with security group rules; the first virtual switch obtains the flow identification information of the first packet and judges the validity of the first packet according to the security group rules and the flow identification information of the first packet;
if the first virtual switch determines, according to the security group rules and the flow identification information of the first packet, that the first packet is invalid, the first virtual switch sends a second packet to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid.
With reference to the first aspect, in a first implementation of the first aspect, the first virtual switch is further configured with a flow table that records the security group rules' judgement results for the validity of different packets, and before the validity of the first packet is judged according to the security group rules and the flow identification information of the first packet, the method further comprises:
the first virtual switch looks up the validity of the first packet in the flow table according to the flow identification information of the first packet;
if the first virtual switch does not find the validity of the first packet in the flow table, it triggers the step of judging the validity of the first packet according to the security group rules and the flow identification information of the first packet;
if the first virtual switch finds the validity of the first packet in the flow table and that validity is valid, the first virtual switch sends the first packet to the destination VM.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, the method further comprises:
if the first virtual switch determines according to the security group rules that the first packet is valid, the first virtual switch records the validity of the first packet in the flow table and sends the first packet to the destination VM;
the first virtual switch sends a third packet to the second virtual switch of the source VM, the third packet indicating that the first packet is valid.
With reference to the first aspect or either of its first and second implementations, in a third implementation of the first aspect, the flow identification information comprises at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
With reference to the third implementation of the first aspect, in a fourth implementation of the first aspect, the flow identification information further comprises at least one of: the cluster identifier, data center identifier and user name of the source VM.
With reference to the fourth implementation of the first aspect, in a fifth implementation of the first aspect, the first packet is a Virtual eXtensible Local Area Network (VXLAN) packet, and the first packet carries at least one of the cluster identifier, data center identifier and user name of the source VM in its VXLAN header.
A second aspect of the embodiments provides a virtual switch suitable for a server, the virtual switch being used to manage the packets sent and received by a destination VM in the server; the virtual switch is configured with security group rules and comprises:
a receiving module, for receiving a first packet sent by a source VM;
a judgement module, for obtaining the flow identification information of the first packet and judging the validity of the first packet according to the security group rules and the flow identification information of the first packet;
a first sending module, for sending a second packet to the virtual switch of the source VM when the judgement module determines, according to the security group rules and the flow identification information of the first packet, that the first packet is invalid, the second packet indicating that the first packet is invalid.
With reference to the second aspect, in a first implementation of the second aspect, the virtual switch is further configured with a flow table that records the security group rules' judgement results for the validity of different packets, and the virtual switch further comprises:
a lookup module, for looking up the validity of the first packet in the flow table according to the flow identification information of the first packet before the judgement module judges the validity of the first packet according to the security group rules and that flow identification information; if the lookup module does not find the validity of the first packet in the flow table, it triggers the judgement module to judge the validity of the first packet according to the security group rules and the flow identification information of the first packet;
the virtual switch further comprises:
a second sending module, for sending the first packet to the destination VM when the lookup module finds the validity of the first packet in the flow table and that validity is valid.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the virtual switch further comprises:
a recording module, for recording the validity of the first packet in the flow table when the judgement module determines according to the security group rules that the first packet is valid, and triggering the second sending module to send the first packet to the destination VM;
the first sending module is further used to send a third packet to the virtual switch of the source VM when the judgement module determines according to the security group rules that the first packet is valid, the third packet indicating that the first packet is valid.
With reference to the second aspect or either of its first and second implementations, in a third implementation of the second aspect, the flow identification information comprises at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
With reference to the third implementation of the second aspect, in a fourth implementation of the second aspect, the flow identification information further comprises at least one of: the cluster identifier, data center identifier and user name of the source VM.
With reference to the fourth implementation of the second aspect, in a fifth implementation of the second aspect, the first packet is a Virtual eXtensible Local Area Network (VXLAN) packet, and the first packet carries at least one of the cluster identifier, data center identifier and user name of the source VM in its VXLAN header.
A third aspect of the embodiments provides a server comprising an input device, an output device, a processor and a memory; the processor and the memory receive information from outside the server through the input device and send information to the outside of the server through the output device;
the memory stores first program code for implementing the virtual switch function;
by calling the first program code stored in the memory, the processor is configured to perform the following steps:
receiving a first packet sent by a source virtual machine (VM);
obtaining the flow identification information of the first packet, and judging the validity of the first packet according to the security group rules and the flow identification information of the first packet;
if the first packet is determined, according to the security group rules and the flow identification information of the first packet, to be invalid, sending a second packet to a second virtual switch of the source VM, the second packet indicating that the first packet is invalid.
With reference to the third aspect, in a first implementation of the third aspect, the first program code includes a flow table that records the security group rules' judgement results for the validity of different packets; the memory further stores second program code for implementing the destination VM function; and by calling the first program code stored in the memory, the processor is further configured to perform the following steps:
looking up the validity of the first packet in the flow table according to the flow identification information of the first packet;
if the validity of the first packet is not found in the flow table, triggering the step of judging the validity of the first packet according to the security group rules and the flow identification information of the first packet;
if the validity of the first packet is found in the flow table and that validity is valid, sending the first packet to the destination VM.
With reference to the first implementation of the third aspect, in a second implementation of the third aspect, by calling the first program code stored in the memory, the processor is further configured to perform the following steps:
if the first packet is determined according to the security group rules to be valid, recording the validity of the first packet in the flow table and sending the first packet to the destination VM;
sending a third packet to the second virtual switch of the source VM, the third packet indicating that the first packet is valid.
With reference to the third aspect or either of its first and second implementations, in a third implementation of the third aspect, the flow identification information comprises at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
With reference to the third implementation of the third aspect, in a fourth implementation of the third aspect, the flow identification information further comprises at least one of: the cluster identifier, data center identifier and user name of the source VM.
With reference to the fourth implementation of the third aspect, in a fifth implementation of the third aspect, the first packet is a Virtual eXtensible Local Area Network (VXLAN) packet, and the first packet carries at least one of the cluster identifier, data center identifier and user name of the source VM in its VXLAN header.
Embodiments of the invention provide a network control method in which a first virtual switch of a destination VM receives a first packet sent by a source VM; the first virtual switch, which is configured with security group rules, obtains the flow identification information of the first packet and judges the validity of the first packet according to the security group rules and that flow identification information; if the first packet is determined to be invalid, the first virtual switch sends a second packet to the second virtual switch of the source VM, the second packet indicating that the first packet is invalid. In this way the second virtual switch learns and records the validity of the first packet; if the first packet is invalid, the second virtual switch no longer sends subsequent packets that have the same flow identification information as the first packet. This reduces the volume of packets on which the first virtual switch must perform security group judgement and saves server CPU resources. The method therefore saves server CPU resources, reduces server CPU power consumption, shortens system latency and improves packet-processing efficiency.
Fig. 1 is a schematic diagram of the network control principle in the prior art;
Fig. 2 is a schematic diagram of the network control principle in an embodiment of the invention;
Fig. 3 is a flowchart of one embodiment of the network control method;
Fig. 4 is a flowchart of another embodiment of the network control method;
Fig. 5 is a structural diagram of one embodiment of the virtual switch;
Fig. 6 is a structural diagram of another embodiment of the virtual switch;
Fig. 7 is a structural diagram of one embodiment of the server.
Embodiments of the invention provide a network control method that can save server CPU resources, reduce server CPU power consumption, shorten system latency and improve packet-processing efficiency. The invention also provides a related virtual switch and server; each is described below.
A VM is a complete computer system simulated in software on a server; one or more VMs can be deployed on a single server. A virtual switch is a software function on the server, sitting between the hardware and the operating system, that manages the exchange of packets between VMs on the same server or between VMs on different servers. Multiple VMs on the same server may share one virtual switch.
The network control principle of the prior art is shown in Fig. 1. Whether the sender is a malicious VM or a user VM, every packet sent to the destination VM must pass the validity judgement of the destination VM's virtual switch. Specifically, the virtual switch of the destination VM is configured with security group rules and judges the validity of each received packet according to them. For a normal packet sent by a user VM, the destination VM's virtual switch determines according to the security group rules that the packet is valid and forwards it to the destination VM. For an attack packet sent by a malicious VM, the destination VM's virtual switch determines according to the security group rules that the packet is invalid and does not forward it. This method requires the destination VM's virtual switch to perform a security judgement on every packet it receives. To reduce the number of security judgements performed by the destination VM's virtual switch and save the CPU resources of the destination server, embodiments of the invention improve on the prior-art principle as shown in Fig. 2:
In the schematic of Fig. 2, when the virtual switch of the destination VM receives the first packet of an attack flow (in the embodiments, "first packet" denotes the first packet of a flow, so the first attack packet is the first packet of the attack flow), it determines according to the security group rules that the first attack packet is invalid, and then notifies the virtual switch of the malicious VM that sent the attack packet that the first attack packet is invalid. Once the virtual switch of the malicious VM knows that the first attack packet is invalid, it does not send subsequent attack packets to the destination VM.
The principle by which the virtual switch of the malicious VM can intercept subsequent attack packets is as follows. Packets in a network usually carry flow identification information; specifically, the flow identification information may include one or more of the source Internet Protocol (IP) address, destination IP address, IP protocol type, source port number and destination port number. Flow identification information is the basis on which the security group rules judge the validity of a packet. Generally, packets belonging to the same flow have identical flow identification information, so when a virtual switch judges the validity of packets of the same flow according to the security group rules, the judgement results are also identical. If the virtual switch records its security group judgement results for packets, a flow table is obtained. Taking flow identification information consisting of source IP address, destination IP address, IP protocol type, source port number and destination port number as an example, the structure of the flow table is shown in Table 1, which is only an illustration of the flow table structure and not necessarily the real structure in which the flow table is stored in the virtual switch:
Table 1
In the flow table structure of Table 1, each row is an entry, and different entries record the security group rules' judgement results for the validity of packets with different flow identification information. For example, the entry in the first row indicates that, for a packet whose flow identification information consists of source IP address A, destination IP address A, IP protocol type A, source port number A and destination port number A, the security group rules judge the validity to be valid.
The virtual switch of every VM in the network can be configured with a flow table. In this way, after the virtual switch of the malicious VM learns that the first attack packet is invalid, it can record the flow identification information of the first attack packet in its own flow table with the corresponding validity recorded as invalid. When the malicious VM then generates subsequent attack packets, these belong to the same flow as the first attack packet and have identical flow identification information, so the virtual switch of the malicious VM can determine that the subsequent attack packets are invalid and does not send them to the destination VM. A large number of attack packets are thus intercepted at the virtual switch of the malicious VM, without the virtual switch of the destination VM having to perform security judgements on them.
Optionally, a flow table can also be configured in the virtual switch of the destination VM, to record the security group rules' judgement results for the validity of different packets. When the virtual switch of the destination VM receives a packet, it can first look up the validity of the received packet in its flow table, and fall back to judging according to the security group rules only if no entry is found. Since a flow table lookup is simpler and cheaper than a judgement according to the security group rules, this further saves the CPU resources of the destination server.
On the basis of the principle of Fig. 2, the network control method provided by embodiments of the invention can be expressed as the following basic procedure, shown in Fig. 3:
301. The first virtual switch of the destination VM receives a first packet sent by a source VM.
In this embodiment the first virtual switch is the virtual switch of the destination VM; the first virtual switch and the destination VM are both located in the destination server, and the first virtual switch receives the first packet sent by the source VM.
302. The first virtual switch obtains the flow identification information of the first packet and judges the validity of the first packet according to the security group rules and the flow identification information of the first packet.
303. If the first virtual switch determines according to the security group rules that the first packet is invalid, the first virtual switch sends a second packet to the second virtual switch of the source VM, where the second virtual switch is the virtual switch of the source VM and the second packet indicates that the first packet is invalid.
In the network control method of this embodiment, the second virtual switch learns and records the validity of the first packet; if the first packet is invalid, the second virtual switch no longer sends subsequent packets that have the same flow identification information as the first packet. This reduces the volume of packets on which the first virtual switch must perform security group judgement and saves the CPU resources of the destination server. The method therefore saves the CPU resources of the destination server, reduces its CPU power consumption, shortens system latency and improves packet-processing efficiency.
Optionally, as another embodiment of the invention, if the first virtual switch is also configured with a flow table, the network control method can be extended to the procedure shown in Fig. 4:
401. The first virtual switch of the destination VM receives a first packet sent by a source VM.
402. The first virtual switch obtains the flow identification information of the first packet and looks up the validity of the first packet in the flow table according to that flow identification information.
In this embodiment the first virtual switch is configured with a flow table. The first virtual switch obtains the flow identification information of the first packet and looks up the validity of the first packet in its own flow table according to that information. If the first virtual switch finds in its own flow table that the first packet is valid, step 403 is performed; if it does not find the validity of the first packet, step 404 is performed.
403. The first virtual switch sends the first packet to the destination VM.
404. The first virtual switch judges the validity of the first packet according to the security group rules and the flow identification information of the first packet.
If the first virtual switch determines according to the security group rules and the flow identification information of the first packet that the first packet is invalid, step 405 is performed; if it determines that the first packet is valid, step 406 is performed.
405. The first virtual switch sends a second packet to the second virtual switch of the source VM.
If the first virtual switch determines according to the security group rules and the flow identification information of the first packet that the first packet is invalid, it sends a second packet to the second virtual switch of the source VM, the second packet indicating that the first packet is invalid. From the second packet, the second virtual switch learns that the first packet is invalid and no longer sends packets having the same flow identification information as the first packet. Here the second virtual switch is the virtual switch of the source VM.
406. The first virtual switch records the validity of the first packet in the flow table and sends the first packet to the destination VM.
If the first virtual switch determines according to the security group rules and the flow identification information of the first packet that the first packet is valid, it records the validity of the first packet in its own flow table and sends the first packet to the destination VM.
Recording the validity of the first packet in the flow table allows the flow table configured in the first virtual switch to update itself autonomously. However, recording the validity of the first packet in the flow table is an optional operation, and in this embodiment the first virtual switch may also omit it.
407. The first virtual switch sends a third packet to the second virtual switch of the source VM.
The first virtual switch sends a third packet to the second virtual switch of the source VM, the third packet indicating that the first packet is valid. Step 407 is optional, and in this embodiment the first virtual switch may omit it. The order of steps 406 and 407 is not limited: if the first virtual switch determines according to the security group rules and the flow identification information of the first packet that the first packet is valid, it may also perform step 407 first and then step 406.
In the method of this embodiment, after receiving the first packet the first virtual switch first looks up its validity in its own flow table, and performs a security judgement according to the security group rules only if no entry is found. This allows the first virtual switch to replace part of its security judgements with flow table lookups. Since a flow table lookup is simpler and cheaper than a judgement according to the security group rules, the method further saves the CPU resources of the destination server.
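The procedure of steps 401 to 407, as an added example that is not the patent's code: a destination vSwitch with security group rules and a flow table, and a source vSwitch whose own flow table is filled from the second/third packet notifications and which intercepts any flow reported invalid. The security group rule format, the packet fields, the traffic (a user VM on a permitted flow and a malicious VM on a denied flow behind the same source vSwitch) and all names are this example's own assumptions; the notification is modelled as a direct callback rather than a packet on the wire.

```python
"""Model of the Fig. 4 procedure: destination vSwitch (rules + flow table) and
source vSwitch (flow table filled from notifications). Added example, not the
patent's code; all names and traffic are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Flow identification information of the text: (src_ip, dst_ip, proto, sport, dport)
FlowKey = Tuple[str, str, str, int, int]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int

    def flow_key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.proto, self.sport, self.dport)

@dataclass(frozen=True)
class SecurityGroupRule:
    """Allow rule on protocol, destination port and source address prefix.
    Assumption: a plain string prefix stands in for a CIDR to keep the example short."""
    proto: str
    dport: int
    src_prefix: str

    def permits(self, key: FlowKey) -> bool:
        src_ip, _dst_ip, proto, _sport, dport = key
        return proto == self.proto and dport == self.dport and src_ip.startswith(self.src_prefix)

class DestinationVSwitch:
    """First virtual switch: flow table lookup (402) before rule evaluation (404)."""

    def __init__(self, rules: List[SecurityGroupRule]) -> None:
        self.rules = rules
        self.flow_table: Dict[FlowKey, bool] = {}
        self.notify: Optional[Callable[[FlowKey, bool], None]] = None  # set by build_topology
        self.rule_evaluations = 0  # how often the expensive step 404 ran
        self.delivered: List[Packet] = []

    def receive(self, pkt: Packet) -> bool:
        key = pkt.flow_key()
        valid = self.flow_table.get(key)  # step 402: flow table lookup
        if valid is None:
            self.rule_evaluations += 1  # step 404: evaluate the security group rules
            valid = any(rule.permits(key) for rule in self.rules)
            self.flow_table[key] = valid  # step 406: record (invalid results too, as in the scenario text)
            if self.notify is not None:
                self.notify(key, valid)  # step 405 (second packet) or step 407 (third packet)
        elif valid is False and self.notify is not None:
            self.notify(key, False)  # known-bad flow seen again: repeat the "invalid" notice
        if valid:
            self.delivered.append(pkt)  # step 403 / 406: forward to the destination VM
            return True
        return False  # dropped here regardless of what the source side does

class SourceVSwitch:
    """Second virtual switch: its own flow table (flow table B) is filled from notifications."""

    def __init__(self, link: Callable[[Packet], bool]) -> None:
        self.flow_table: Dict[FlowKey, bool] = {}
        self.link = link  # path to the destination vSwitch
        self.intercepted = 0

    def on_notification(self, key: FlowKey, valid: bool) -> None:
        self.flow_table[key] = valid

    def send(self, pkt: Packet) -> bool:
        if self.flow_table.get(pkt.flow_key()) is False:
            self.intercepted += 1  # dropped on the source host; never crosses the network
            return False
        return self.link(pkt)

def build_topology(rules: List[SecurityGroupRule]) -> Tuple[SourceVSwitch, DestinationVSwitch]:
    dst = DestinationVSwitch(rules)
    src = SourceVSwitch(dst.receive)
    dst.notify = src.on_notification
    return src, dst

def run_scenario(attack_packets: int = 100, user_packets: int = 5) -> Dict[str, int]:
    """Constructed traffic: a user VM on a permitted flow and a malicious VM on a
    denied one, both behind the same source vSwitch, sending to one destination VM."""
    rules = [SecurityGroupRule(proto="tcp", dport=443, src_prefix="10.0.1.")]
    src, dst = build_topology(rules)
    user = Packet("10.0.1.7", "10.0.2.9", "tcp", 40001, 443)
    attack = Packet("10.0.5.3", "10.0.2.9", "udp", 53, 443)
    for _ in range(user_packets):
        src.send(user)
    for _ in range(attack_packets):
        src.send(attack)
    return {
        "rule_evaluations": dst.rule_evaluations,
        "delivered": len(dst.delivered),
        "intercepted_at_source": src.intercepted,
        "flow_table_entries": len(dst.flow_table),
    }

if __name__ == "__main__":
    print(run_scenario())  # rule_evaluations 2, delivered 5, intercepted_at_source 99
```

With 5 user packets and 100 attack packets the destination evaluates the security group rules only twice (once per flow); the remaining user packets hit the destination's flow table and 99 attack packets are dropped by the source vSwitch. The destination still drops anything its own rules reject, so the source-side interception is an optimisation and not the enforcement point; in a real deployment the notification would travel as a packet between hosts and would need to be authenticated, since a source vSwitch that accepted an unauthenticated "invalid" notice could be made to drop legitimate flows.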
Particularly, in stream identification information in addition to include source IP address, purpose IP address, IP protocol type, source port number and destination slogan in it is one or more other than, it can also include one or more, the judgment basis of the extension as secure group rule in the cluster identity, data center's mark and user name of source VM.
It should be understood that the structure of flow table should be also extended with stream identification information.For example, the structure of flow table after extension please refers to table 2 if including source IP address, purpose IP address, IP protocol type, source port number, destination slogan, cluster identity and user name in stream identification information after extension:
Table 2
In general, the first message may be a Virtual eXtensible Local Area Network (VXLAN) message, which carries one or more of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
The embodiment above explains the basic flow of the network control method provided by the invention; a specific application scenario is described below as an example.
Suppose a network contains a user VM and a malicious VM, and both send messages to the virtual switch of the destination VM at the same time. The virtual switch of the destination VM receives message 1 sent by the malicious VM and message 2 sent by the user VM.
The virtual switch of the destination VM holds flow table A. It obtains the flow identification information of message 1, namely: source IP address 1, destination IP address 1, IP protocol type 1, source port number 1, destination port number 1, cluster identity 1, data center identity 1 and user name 1. In flow table A it finds that the validity corresponding to the flow identification information of message 1 is invalid, so it sends a message to the virtual switch of the malicious VM informing it that message 1 is invalid. The virtual switch of the malicious VM holds flow table B, in which it records the flow identification information of message 1 with validity invalid. When the malicious VM attempts to send subsequent messages to the destination VM, its virtual switch looks up the validity of these subsequent messages in flow table B. If their flow identification information is identical to that of message 1, the virtual switch of the malicious VM determines that the subsequent messages are invalid and intercepts them on the malicious VM's side, so they are not sent to the destination VM.
The virtual switch of the destination VM obtains the flow identification information of message 2, namely: source IP address 2, destination IP address 2, IP protocol type 2, source port number 2, destination port number 2, cluster identity 2, data center identity 2 and user name 2. It does not find the validity corresponding to the flow identification information of message 2 in flow table A, so it judges the validity of message 2 according to the security group rule and the flow identification information of message 2. The result is that message 2 is valid, so the virtual switch of the destination VM sends message 2 to the destination VM and records in flow table A the flow identification information of message 2 with validity valid. The virtual switch of the destination VM also sends a message to the virtual switch of the user VM informing it that message 2 is valid. The virtual switch of the user VM holds flow table C, in which it records the flow identification information of message 2 with validity valid. When the user VM needs to send subsequent messages to the destination VM, its virtual switch looks up the validity of these subsequent messages in flow table C. If their flow identification information is identical to that of message 2, the virtual switch of the user VM determines that the subsequent messages are valid and sends them to the destination VM.
An embodiment of the invention also provides a corresponding virtual switch. The virtual switch is suitable for a server, is configured with a security group rule, and implements the procedure of the embodiment shown in Fig. 3 or Fig. 4. The server hosting the virtual switch is called the destination server, and the virtual switch manages the messages sent and received by the destination VM in that server. Its basic structure 500, shown in Fig. 5, includes:
a receiving module 501, configured to receive a first message sent by a source virtual machine VM;
a judgement module 502, configured to obtain the flow identification information of the first message and to judge the validity of the first message according to the security group rule and the flow identification information of the first message;
a first sending module 503, configured to send a second message to the virtual switch of the source VM when the judgement module 502 determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid, the second message indicating that the first message is invalid.
In the virtual switch provided in this embodiment, the receiving module 501 receives the first message sent by the source VM; the judgement module 502 obtains the flow identification information of the first message and judges its validity according to the security group rule and that flow identification information; and if the judgement module 502 determines that the first message is invalid, the first sending module 503 sends a second message to the virtual switch of the source VM, the second message indicating that the first message is invalid. The virtual switch of the source VM can thus learn and record the validity of the first message; if the first message is invalid, the virtual switch of the source VM will not send subsequent messages that have the same flow identification information as the first message. This reduces the amount of message data on which the virtual switch of the destination VM has to perform security group judgement and saves CPU resources of the destination server. Therefore the virtual switch provided by the embodiment of the invention saves CPU resources of the destination server, reduces the power consumption of the destination server CPU, shortens system delay and improves the efficiency of message processing.
Optionally, the virtual switch provided in an embodiment of the invention may be configured with a flow table that records the judgement results of the security group rule on the validity of different messages. The structure of a virtual switch 600 configured with a flow table is shown in Fig. 6:
a receiving module 601, configured to receive a first message sent by a source virtual machine VM;
a judgement module 602, configured to obtain the flow identification information of the first message and to judge the validity of the first message according to the security group rule and the flow identification information of the first message;
a lookup module 603, configured to look up the validity of the first message in the flow table, according to the flow identification information of the first message, before the judgement module judges the validity of the first message according to the security group rule and the flow identification information. If the lookup module 603 does not find the validity of the first message in the flow table, it triggers the judgement module 602 to judge the validity of the first message according to the security group rule and the flow identification information of the first message;
a first sending module 604, configured to send a second message to the virtual switch of the source VM when the judgement module 602 determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid, the second message indicating that the first message is invalid. From the second message the virtual switch of the source VM learns that the first message is invalid and does not send further messages that have the same flow identification information as the first message;
a second sending module 605, configured to send the first message to the destination VM when the lookup module 603 finds the validity of the first message in the flow table and that validity is valid.
Optionally, in this embodiment the virtual switch may also include a recording module 606, configured to record the validity of the first message in the flow table when the judgement module 602 determines according to the security group rule that the first message is valid, thereby updating the flow table configured in the virtual switch autonomously, and to trigger the second sending module 605 to send the first message to the destination VM.
Optionally, in this embodiment the first sending module 604 is further configured to send a third message to the virtual switch of the source VM when the judgement module 602 determines according to the security group rule that the first message is valid, the third message indicating that the first message is valid. From the third message the virtual switch of the source VM learns that the first message is valid and may send subsequent messages that have the same flow identification information as the first message.
In particular, in addition to one or more of the source IP address, destination IP address, IP protocol type, source port number and destination port number, the flow identification information may also include one or more of the cluster identity, data center identity and user name, as an extended basis for the judgement of the security group rule. It should be understood that the structure of the flow table is extended together with the flow identification information.
In general, the first message may be a Virtual eXtensible Local Area Network (VXLAN) message, which carries the cluster identity, data center identity and/or user name of the source VM in the VXLAN header.
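The patent says the VXLAN header carries the extended identifiers but fixes no encoding. The following added example (not code from the patent) shows how a virtual switch could extract the flow identification information, namely the 5-tuple plus the extended identifiers, from a VXLAN-encapsulated frame; it assumes, as a constructed convention, that the VNI is resolved to the source VM's cluster identity, data center identity and user name through a tenant table, and the frame, addresses and names it uses are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_HEADER_LEN = 8
VXLAN_FLAG_VNI_VALID = 0x08   # the "I" flag of RFC 7348: VNI field is valid
ETH_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Constructed assumption: the patent does not say how the VXLAN header carries the
# cluster identity, data center identity and user name, so this example resolves
# them from the VNI through a (constructed) tenant table.
VNI_CONTEXT = {
    0x001234: ("cluster-1", "dc-1", "alice"),
}


@dataclass(frozen=True)
class VxlanFlowKey:
    """Flow identification information: the 5-tuple plus the extended identifiers."""
    src_ip: str
    dst_ip: str
    ip_proto: int
    src_port: int
    dst_port: int
    vni: int
    cluster_id: Optional[str]
    datacenter_id: Optional[str]
    user_name: Optional[str]


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_vxlan_payload(payload: bytes) -> VxlanFlowKey:
    """Parse VXLAN header + inner Ethernet/IPv4/L4 (outer IP/UDP already stripped).

    Every length is checked before it is used, so a truncated or malformed frame is
    rejected with ValueError instead of yielding a wrong flow key.
    """
    if len(payload) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    vni = int.from_bytes(payload[4:7], "big")
    inner = payload[VXLAN_HEADER_LEN:]
    if len(inner) < ETH_HEADER_LEN:
        raise ValueError("truncated inner Ethernet header")
    (ethertype,) = struct.unpack("!H", inner[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    ip = inner[ETH_HEADER_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 inner header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    proto = ip[9]
    src_ip, dst_ip = _ip_str(ip[12:16]), _ip_str(ip[16:20])
    l4 = ip[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(l4) < 4:
            raise ValueError("truncated L4 header")
        src_port, dst_port = struct.unpack("!HH", l4[:4])
    else:
        src_port = dst_port = 0   # no port numbers for other IP protocols
    cluster, datacenter, user = VNI_CONTEXT.get(vni, (None, None, None))
    return VxlanFlowKey(src_ip, dst_ip, proto, src_port, dst_port, vni,
                        cluster, datacenter, user)


def is_rejected(payload: bytes) -> bool:
    """True when the parser refuses the frame (exercises the length and flag checks)."""
    try:
        parse_vxlan_payload(payload)
        return False
    except ValueError:
        return True


def build_vxlan_payload(vni: int, src_ip: str, dst_ip: str,
                        proto: int, src_port: int, dst_port: int) -> bytes:
    """Construct a minimal VXLAN-encapsulated IPv4 frame for the example (no checksums)."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
           + struct.pack("!H", ETHERTYPE_IPV4))           # constructed locally administered MACs
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16   # 20-byte L4 header, rest zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return vxlan + eth + ip + l4


if __name__ == "__main__":
    frame = build_vxlan_payload(0x001234, "10.0.1.5", "10.0.2.9", IPPROTO_TCP, 40000, 443)
    print(parse_vxlan_payload(frame))
```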
The embodiment above explains the basic structure of the virtual switch provided by the invention; a specific application scenario is described below as an example.
Suppose a network contains a user VM and a malicious VM, and both send messages to the virtual switch of the destination VM at the same time. The receiving module 601 of the virtual switch of the destination VM receives message 1 sent by the malicious VM and message 2 sent by the user VM.
The virtual switch of the destination VM holds flow table A. The judgement module 602 obtains the flow identification information of message 1, namely: source IP address 1, destination IP address 1, IP protocol type 1, source port number 1, destination port number 1, cluster identity 1, data center identity 1 and user name 1. The lookup module 603 finds in flow table A that the validity corresponding to the flow identification information of message 1 is invalid, so the first sending module 604 sends a message to the virtual switch of the malicious VM informing it that message 1 is invalid. The virtual switch of the malicious VM holds flow table B, in which it records the flow identification information of message 1 with validity invalid. When the malicious VM attempts to send subsequent messages to the destination VM, its virtual switch looks up the validity of these subsequent messages in flow table B. If their flow identification information is identical to that of message 1, the virtual switch of the malicious VM determines that the subsequent messages are invalid and intercepts them on the malicious VM's side, so they are not sent to the destination VM.
The judgement module 602 of the virtual switch of the destination VM obtains the flow identification information of message 2, namely: source IP address 2, destination IP address 2, IP protocol type 2, source port number 2, destination port number 2, cluster identity 2, data center identity 2 and user name 2. The lookup module 603 does not find the validity corresponding to the flow identification information of message 2 in flow table A, so the judgement module 602 judges the validity of message 2 according to the security group rule and the flow identification information of message 2. The result is that message 2 is valid, so the second sending module 605 sends message 2 to the destination VM and the recording module 606 records in flow table A the flow identification information of message 2 with validity valid. The first sending module 604 also sends a message to the virtual switch of the user VM informing it that message 2 is valid. The virtual switch of the user VM holds flow table C, in which it records the flow identification information of message 2 with validity valid. When the user VM needs to send subsequent messages to the destination VM, its virtual switch looks up the validity of these subsequent messages in flow table C. If their flow identification information is identical to that of message 2, the virtual switch of the user VM determines that the subsequent messages are valid and sends them to the destination VM.
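The two application scenarios above (the method-side one after Fig. 4 and the module-side one after Fig. 6) describe the same exchange. The following added example (not code from the patent) replays it in a small simulation: the destination switch looks up flow table A first and only falls back to the security group rule on a miss, and the second/third message lets the source switches (flow tables B and C) intercept an invalid flow before it leaves the source VM's side. The allow-list rule, the switch names, the flow identifiers and the notification object are constructed assumptions; the patent specifies neither the rule language nor the notification format.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

# Flow identification information as the patent defines it: the 5-tuple extended
# with the cluster identity, data center identity and user name of the source VM.
FlowId = Tuple[str, str, int, int, int, str, str, str]


class Validity(Enum):
    VALID = "valid"
    INVALID = "invalid"


@dataclass
class Packet:
    flow_id: FlowId
    payload: bytes = b""


@dataclass(frozen=True)
class Notification:
    """The patent's second message (validity INVALID) or third message (VALID)."""
    flow_id: FlowId
    validity: Validity


class SecurityGroupRule:
    """Constructed rule set: allow (cluster identity, user name, destination port); default deny."""

    def __init__(self, allowed: Set[Tuple[str, str, int]]) -> None:
        self.allowed = allowed

    def judge(self, flow_id: FlowId) -> Validity:
        _, _, _, _, dst_port, cluster, _, user = flow_id
        return Validity.VALID if (cluster, user, dst_port) in self.allowed else Validity.INVALID


class VirtualSwitch:
    """One class plays both roles: destination side (first virtual switch) and source side (second)."""

    def __init__(self, name: str, rule: Optional[SecurityGroupRule] = None) -> None:
        self.name = name
        self.rule = rule
        self.flow_table: Dict[FlowId, Validity] = {}   # validity cache keyed by flow identification
        self.delivered: List[Packet] = []              # messages handed to the local destination VM
        self.rule_evaluations = 0                      # count of (expensive) security group judgements

    # ---- destination side ----
    def receive(self, pkt: Packet, source_switch: "VirtualSwitch") -> Validity:
        fid = pkt.flow_id
        validity = self.flow_table.get(fid)            # the flow table lookup comes first
        if validity is None:                           # miss: fall back to the security group rule
            self.rule_evaluations += 1
            validity = self.rule.judge(fid)
            self.flow_table[fid] = validity            # autonomous update of the flow table
            source_switch.on_notification(Notification(fid, validity))   # second or third message
        elif validity is Validity.INVALID:             # hit, invalid: tell the source side
            source_switch.on_notification(Notification(fid, validity))
        if validity is Validity.VALID:
            self.delivered.append(pkt)
        return validity

    # ---- source side ----
    def on_notification(self, note: Notification) -> None:
        self.flow_table[note.flow_id] = note.validity  # remember the destination's verdict

    def send(self, pkt: Packet, dest_switch: "VirtualSwitch") -> str:
        """Intercept flows already known to be invalid; otherwise forward to the destination switch."""
        if self.flow_table.get(pkt.flow_id) is Validity.INVALID:
            return "intercepted"
        return dest_switch.receive(pkt, self).value


def run_scenario() -> Dict[str, object]:
    """Replay the scenario: the malicious VM (flow table B) and the user VM (flow table C)
    both send to the destination VM, whose virtual switch holds flow table A."""
    rule = SecurityGroupRule(allowed={("cluster-2", "user-2", 443)})
    dst = VirtualSwitch("destination", rule)   # flow table A
    malice = VirtualSwitch("malice")           # flow table B
    user = VirtualSwitch("user")               # flow table C
    flow1: FlowId = ("10.0.0.1", "10.0.0.9", 6, 40000, 22, "cluster-1", "dc-1", "user-1")
    flow2: FlowId = ("10.0.0.2", "10.0.0.9", 6, 40001, 443, "cluster-2", "dc-2", "user-2")
    dst.flow_table[flow1] = Validity.INVALID   # as in the scenario, A already knows flow 1 is invalid
    out: Dict[str, object] = {}
    out["message1"] = malice.send(Packet(flow1), dst)        # hit in A: invalid, B learns it
    out["message1_retry"] = malice.send(Packet(flow1), dst)  # intercepted on the malicious VM's side
    out["message2"] = user.send(Packet(flow2), dst)          # miss in A: rule says valid, C learns it
    out["message2_next"] = user.send(Packet(flow2), dst)     # hit in A: valid, no rule evaluation
    out["rule_evaluations"] = dst.rule_evaluations           # only message 2 needed the rule
    out["delivered"] = len(dst.delivered)
    out["flow_table_B"] = malice.flow_table[flow1].value
    out["flow_table_C"] = user.flow_table[flow2].value
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```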
The virtual switch in the embodiment of the invention has been described above from the viewpoint of modular functional entities; the server hosting the virtual switch in the embodiment of the invention is described below from the viewpoint of hardware processing. Referring to Fig. 7, another embodiment of a server 700 in the embodiment of the invention includes:
an input device 701, an output device 702, a processor 703 and a memory 704 (the server 700 may contain one or more processors 703; Fig. 7 takes one processor 703 as an example). The processor 703 and the memory 704 receive information from outside the server through the input device 701 and send information outside the server through the output device 702. In some embodiments of the invention, the input device 701, output device 702, processor 703 and memory 704 may be connected by a bus or in other ways; in Fig. 7 they are connected by a bus.
The memory 704 stores a first program code and a second program code; the first program code implements the virtual switch function and the second program code implements the destination virtual machine VM function. By calling the first program code stored in the memory 704, the processor 703 performs the following steps:
receiving a first message sent by a source virtual machine VM;
obtaining the flow identification information of the first message, and judging the validity of the first message according to the security group rule and the flow identification information of the first message;
if it is determined according to the security group rule and the flow identification information of the first message that the first message is invalid, sending a second message to a second virtual switch of the source VM, the second message indicating that the first message is invalid.
In some embodiments of the invention, the first program code is also configured with a flow table that records the judgement results of the security group rule on the validity of different messages, and the processor 703 further performs the following steps:
looking up the validity of the first message in the flow table according to the flow identification information of the first message;
if the validity of the first message is not found in the flow table, triggering the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message;
if the validity of the first message is found in the flow table and the validity of the first message is valid, sending the first message to the server.
In some embodiments of the invention, the processor 703 further performs the following steps:
if it is determined according to the security group rule that the first message is valid, recording the validity of the first message in the flow table and sending the first message to the server;
sending a third message to the second virtual switch of the source VM, the third message indicating that the first message is valid.
In some embodiments of the invention, the flow identification information includes at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
In some embodiments of the invention, the flow identification information further includes at least one of: cluster identity, data center identity and user name.
In some embodiments of the invention, the first message is a Virtual eXtensible Local Area Network VXLAN message, and the first message carries one or more of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system and method may be implemented in other ways. For example, the system embodiment described above is merely illustrative: the division into units is only a division by logical function, and another division may be used in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, modules or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the various embodiments of the invention. The storage medium includes media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disk.
Claims (18)
- A network control method, characterized by comprising: a first virtual switch of a destination virtual machine VM receives a first message sent by a source VM; the first virtual switch is configured with a security group rule, and the first virtual switch obtains the flow identification information of the first message and judges the validity of the first message according to the security group rule and the flow identification information of the first message; if the first virtual switch determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid, the first virtual switch sends a second message to a second virtual switch of the source VM, the second message indicating that the first message is invalid.
- The network control method according to claim 1, characterized in that the first virtual switch is further configured with a flow table, the flow table recording the judgement results of the security group rule on the validity of different messages, and in that, before the judging of the validity of the first message according to the security group rule and the flow identification information of the first message, the method further comprises: the first virtual switch looks up the validity of the first message in the flow table according to the flow identification information of the first message; if the first virtual switch does not find the validity of the first message in the flow table, the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message is triggered; if the first virtual switch finds the validity of the first message in the flow table and the validity of the first message is valid, the first virtual switch sends the first message to the destination VM.
- The network control method according to claim 2, characterized in that the method further comprises: if the first virtual switch determines according to the security group rule that the first message is valid, the first virtual switch records the validity of the first message in the flow table and sends the first message to the destination VM; the first virtual switch sends a third message to the second virtual switch of the source VM, the third message indicating that the first message is valid.
- The network control method according to any one of claims 1 to 3, characterized in that the flow identification information includes at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
- The network control method according to claim 4, characterized in that the flow identification information further includes at least one of: the cluster identity, data center identity and user name of the source VM.
- The network control method according to claim 5, characterized in that the first message is a Virtual eXtensible Local Area Network VXLAN message, and the first message carries at least one of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
- A virtual switch, suitable for a server, the virtual switch being used to manage the messages sent and received by a destination VM in the server and being configured with a security group rule, characterized in that the virtual switch comprises: a receiving module, configured to receive a first message sent by a source virtual machine VM; a judgement module, configured to obtain the flow identification information of the first message and to judge the validity of the first message according to the security group rule and the flow identification information of the first message; a first sending module, configured to send a second message to the virtual switch of the source VM when the judgement module determines, according to the security group rule and the flow identification information of the first message, that the first message is invalid, the second message indicating that the first message is invalid.
- The virtual switch according to claim 7, characterized in that the virtual switch is further configured with a flow table, the flow table recording the judgement results of the security group rule on the validity of different messages, and the virtual switch further comprises: a lookup module, configured to look up the validity of the first message in the flow table according to the flow identification information of the first message before the judgement module judges the validity of the first message according to the security group rule and the flow identification information of the first message, and, if the lookup module does not find the validity of the first message in the flow table, to trigger the judgement module to judge the validity of the first message according to the security group rule and the flow identification information of the first message; the virtual switch further comprises: a second sending module, configured to send the first message to the destination VM when the lookup module finds the validity of the first message in the flow table and the validity of the first message is valid.
- The virtual switch according to claim 8, characterized in that the virtual switch further comprises: a recording module, configured to record the validity of the first message in the flow table when the judgement module determines according to the security group rule that the first message is valid, and to trigger the second sending module to send the first message to the destination VM; and the first sending module is further configured to send a third message to the virtual switch of the source VM when the judgement module determines according to the security group rule that the first message is valid, the third message indicating that the first message is valid.
- The virtual switch according to any one of claims 7 to 9, characterized in that the flow identification information includes at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
- The virtual switch according to claim 10, characterized in that the flow identification information further includes at least one of: the cluster identity, data center identity and user name of the source VM.
- The virtual switch according to claim 11, characterized in that the first message is a Virtual eXtensible Local Area Network VXLAN message, and the first message carries at least one of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
- A server, characterized in that it comprises an input device, an output device, a processor and a memory, the processor and the memory receiving information from outside the server through the input device and sending information outside the server through the output device; wherein the memory stores a first program code, the first program code implementing a virtual switch function; and by calling the first program code stored in the memory, the processor performs the following steps: receiving a first message sent by a source virtual machine VM; obtaining the flow identification information of the first message, and judging the validity of the first message according to the security group rule and the flow identification information of the first message; if it is determined according to the security group rule and the flow identification information of the first message that the first message is invalid, sending a second message to a second virtual switch of the source VM, the second message indicating that the first message is invalid.
- The server according to claim 13, characterized in that the first program code includes a flow table, the flow table recording the judgement results of the security group rule on the validity of different messages; the memory further stores a second program code, the second program code implementing a destination VM function; and by calling the first program code stored in the memory, the processor further performs the following steps: looking up the validity of the first message in the flow table according to the flow identification information of the first message; if the validity of the first message is not found in the flow table, triggering the step of judging the validity of the first message according to the security group rule and the flow identification information of the first message; if the validity of the first message is found in the flow table and the validity of the first message is valid, sending the first message to the destination VM.
- The server according to claim 14, characterized in that, by calling the first program code stored in the memory, the processor further performs the following steps: if it is determined according to the security group rule that the first message is valid, recording the validity of the first message in the flow table and sending the first message to the destination VM; sending a third message to the second virtual switch of the source VM, the third message indicating that the first message is valid.
- The server according to any one of claims 13 to 15, characterized in that the flow identification information includes at least one of: source IP address, destination IP address, IP protocol type, source port number and destination port number.
- The server according to claim 16, characterized in that the flow identification information further includes at least one of: the cluster identity, data center identity and user name of the source VM.
- The server according to claim 17, characterized in that the first message is a Virtual eXtensible Local Area Network VXLAN message, and the first message carries at least one of the cluster identity, data center identity and user name of the source VM in the VXLAN header.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2014/095988 WO2016106718A1 (en) | 2014-12-31 | 2014-12-31 | Network control method and virtual switch |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107113280A true CN107113280A (en) | 2017-08-29 |
Family ID: 56283990
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201480084433.8A Pending CN107113280A (en) | 2014-12-31 | 2014-12-31 | A kind of network control method and virtual switch |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107113280A (en) |
WO (1) | WO2016106718A1 (en) |
Also Published As
Publication number | Publication date |
---|---|
WO2016106718A1 (en) | 2016-07-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9124621B2 (en) | | Security alert prioritization |
CN109194680B (en) | | Network attack identification method, device and equipment |
CN114145004B (en) | | System and method for using DNS messages to selectively collect computer forensic data |
CN113228583B (en) | | Session maturity model with trusted sources |
WO2019237813A1 (en) | | Method and device for scheduling service resource |
EP3667532A1 (en) | | Methods for detecting and mitigating malicious network activity based on dynamic application context and devices thereof |
KR102155262B1 (en) | | Elastic honeynet system and method for managing the same |
EP3252647B1 (en) | | System and method of detecting malicious files on a virtual machine in a distributed network |
EP3117334A1 (en) | | A method and system for generating durable host identifiers using network artifacts |
US20180322410A1 (en) | | System and Method for Vendor Agnostic Automatic Supplementary Intelligence Propagation |
US20180124084A1 (en) | | Network monitoring device and method |
CN104509059A (en) | | Use of primary and secondary connection tables |
WO2020187295A1 (en) | | Monitoring of abnormal host |
CN107113280A (en) | | A kind of network control method and virtual switch |
JP6501924B2 (en) | | Method and server for canceling alert |
US20190036949A1 (en) | | Malicious content detection with retrospective reporting |
CN107888624B (en) | | Method and device for protecting network security |
US11057415B1 (en) | | Systems and methods for dynamic zone protection of networks |
EP4113336A1 (en) | | Detecting and blocking a malicious file early in transit on a network |
US20230164149A1 (en) | | Causing or preventing an update to a network address translation table |
US10277467B2 (en) | | Locating a network cable connector |
US20230042816A1 (en) | | Method and system for blockchain-based cyber security management |
US11960943B2 (en) | | Event log management |
EP4198726A1 (en) | | Event log management |
CN117155645A (en) | | Network sharing permission judging method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170829 |