CN111131135B - Data transmission method, system, computer readable storage medium and electronic device - Google Patents


Info

Publication number
CN111131135B
Authority
CN
China
Prior art keywords
security component
data packet
component
nsh
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811296057.5A
Other languages
Chinese (zh)
Other versions
CN111131135A (en)
Inventor
翟云箭
张锋
陈晓帆
古亮
丁万夫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811296057.5A
Publication of CN111131135A
Application granted
Publication of CN111131135B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Abstract

The application discloses a data transmission method applied to a service chain. After a data packet has been cleaned by the current security component, it is judged, according to the configuration information of the service chain, whether the current security component and the next security component are security components of the same device; the data packet here is a data packet from which the NSH has been stripped. If so, the data packet is transmitted to the next security component; if not, a target NSH is added to the data packet and the data packet with the target NSH added is transmitted to the next security component. The method reduces the performance loss of adding and stripping the NSH during data transmission in the service chain and improves the efficiency of data transmission. The application also discloses a data transmission system, a computer-readable storage medium and an electronic device, which have the same beneficial effects.

Description

Data transmission method, system, computer readable storage medium and electronic device
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data transmission method and system, a computer-readable storage medium, and an electronic device.
Background
In a security resource pool scenario, a data packet travelling between an external network (public network) and an internal network (user network) can be given fast, secure and stable network service by passing through various service nodes. These service nodes include the well-known vIDS, vNGFW, vAC, vAD, etc. Network packets need to pass through designated network service nodes in sequence as required by a particular service logic; this is a service chain.
The service chain in the prior art is implemented as follows: a Proxy agent receives the data packet forwarded by the SFF (Service Function Forwarder), strips the NSH, and sends the data packet to the security component SF. After the security component SF has cleaned the data with the NSH stripped, the Proxy agent adds the NSH back onto the cleaned data and sends it back to the SFF so that the SFF can forward the data packet to the next security component. However, this prior art requires multiple NSH additions and removals even for security components within the same device, at a large cost in performance. Moreover, when the security component performs SNAT and DNAT and multiple service chains pass through it, the Proxy agent cannot add the specific NSH, so the mapping based on the five-tuple and the NSH fails.
Therefore, how to reduce the performance loss of adding and stripping the NSH during data transmission in the service chain and improve data transmission efficiency is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
The application aims to provide a data transmission method, a data transmission system, a computer readable storage medium and an electronic device, which can reduce performance loss of adding and stripping NSH in a data transmission process in a service chain and improve data transmission efficiency.
In order to solve the above technical problem, the present application provides a data transmission method, which is applied to a service chain, and the data transmission method includes:
after the data packet is cleaned by the current security component, judging whether the current security component and the next security component are security components of the same device or not according to the configuration information of the service chain; the data packet is specifically a data packet with NSH stripped;
if yes, transmitting the data packet to the next security component;
and if not, adding the target NSH into the data packet, and transmitting the data packet added with the target NSH to the next security component.
Optionally, the step of determining, according to the configuration information of the service chain, whether the current security component and the next security component are the security component of the same device includes:
determining a first output port of a current security component and a second input port of a next security component according to configuration information of a service chain;
and judging, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device.
Optionally, transmitting the data packet to the next security component includes:
adding the classifier of the first input port of the current security component to the first output port of the current security component to serve as a first matching field;
determining, according to the ingress flow table, the local tenant flow table corresponding to the first matching field, and executing the action corresponding to the first matching field in the local tenant flow table so as to send the data packet to the second input port of the next security component;
the tenant flow table is a table describing the correspondence between matching fields and input ports.
Optionally, transmitting the data packet after adding the target NSH to the next security component includes:
using the classifier of the second output port of the next security component together with the second output port of the next security component as a second matching field;
and determining, according to the ingress flow table, the remote tenant flow table corresponding to the second matching field, and executing the action corresponding to the second matching field in the remote tenant flow table so as to transmit the data packet with the target NSH added to the next security component.
Optionally, the method further includes:
when a service chain adjustment instruction is received, determining the first target security component corresponding to the service chain adjustment instruction;
modifying the input/output port state of the first target security component in all service chains corresponding to the first target security component, so as to create a new service chain according to all the input/output port states; the service chain adjustment instruction is a Bypass trigger instruction or a Bypass recovery instruction.
Optionally, the method further includes:
when a fault is detected in the second target security component, executing an active/standby switchover operation to replace the second target security component with a standby security component;
and replacing the input/output port of the second target security component with the input/output port of the standby security component and updating the service chain.
The application also provides a data transmission system, which is applied to a service chain, and the data transmission system comprises:
the judging module, used for judging, after the data packet has been cleaned by the current security component, whether the current security component and the next security component are security components of the same device according to the configuration information of the service chain; the data packet is specifically a data packet with the NSH stripped;
the local transmission module is used for transmitting the data packet to the next security component when the current security component and the next security component are security components of the same device;
the remote transmission module is configured to add the target NSH to the data packet and transmit the data packet to the next security component after the target NSH is added, when the current security component and the next security component are not security components of the same device.
Optionally, the determining module includes:
the port determination unit is used for determining a first output port of a current security component and a second input port of a next security component according to the configuration information of the service chain;
and the port judgment unit, used for judging, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device.
Optionally, the local transmission module includes:
a first matching field determining unit, configured to add, when the current security component and the next security component are security components of the same device, the classifier of the first input port of the current security component to the first output port of the current security component as a first matching field;
the first transmission unit, used for determining, according to the ingress flow table, the local tenant flow table corresponding to the first matching field and executing the action corresponding to the first matching field in the local tenant flow table so as to send the data packet to the second input port of the next security component;
the tenant flow table is a table describing the corresponding relationship between the matching domain and the input port.
Optionally, the remote transmission module includes:
a second matching field determining unit, configured to, when the current security component and the next security component are not security components of the same device, use the classifier of the second output port of the next security component together with the second output port of the next security component as a second matching field;
and the second transmission unit, used for determining, according to the ingress flow table, the remote tenant flow table corresponding to the second matching field and executing the action corresponding to the second matching field in the remote tenant flow table so as to transmit the data packet with the target NSH added to the next security component.
Optionally, the system further includes:
the component determining module, used for determining, when a service chain adjustment instruction is received, the first target security component corresponding to the service chain adjustment instruction;
the service chain adjusting module, used for modifying the input/output port state of the first target security component in all service chains corresponding to the first target security component so as to create a new service chain according to all the input/output port states; the service chain adjustment instruction is a Bypass trigger instruction or a Bypass recovery instruction.
Optionally, the system further includes:
the switching module, used for executing an active/standby switchover operation to replace the second target security component with the standby security component when a fault is detected in the second target security component;
and the service chain updating module, used for replacing the input/output port of the second target security component with the input/output port of the standby security component and updating the service chain.
The present application also provides a computer-readable storage medium, on which a computer program is stored, which, when executed, implements the steps performed by the above-described data transmission method.
The application also provides an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor, when invoking the computer program in the memory, implements the steps executed by the data transmission method described above.
The invention provides a data transmission method, which comprises the steps that after a data packet is cleaned by a current security component, whether the current security component and a next security component are security components of the same device or not is judged according to configuration information of a service chain; the data packet is specifically a data packet with NSH stripped; if so, transmitting the data packet to the next security component; and if not, adding a target NSH in the data packet, and transmitting the data packet added with the target NSH to the next security component.
In order to reduce the performance loss caused by repeatedly adding and stripping the NSH in the prior art, the method first judges whether the current security component that cleaned the data packet and the next security component are security components on the same device, so as to determine whether the NSH needs to be added. The NSH is the packet header of the service chain and carries information such as the service chain path ID, the number of each security component on the path, and metadata. The address and numbering information stored in the NSH is only needed when the current security component and the next security component are not on the same device. If they are on the same device, the NSH serves no purpose, yet the prior art still has to repeatedly perform Proxy operations that add and strip the NSH. Therefore, the present application decides whether the NSH needs to be added before sending a data packet by judging whether the current security component and the next security component are on the same device. If they are on the same device, the NSH is not added and the packet is transmitted directly. If they are not on the same device, the NSH is added and the packet is sent across the tunnel; because crossing the tunnel requires the information in the NSH, no additional NSH-stripping operation is needed. Therefore, the method and the device reduce the performance loss of adding and stripping the NSH during data transmission in the service chain and improve the efficiency of data transmission. The application also provides a data transmission system, a computer-readable storage medium and an electronic device, which have the same beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a data transmission method according to an embodiment of the present application;
fig. 2 is a flowchart of a method for local data packet transmission according to an embodiment of the present application;
fig. 3 is a flowchart of a method for remote data packet transmission according to an embodiment of the present application;
fig. 4 is a flowchart of a preferred data transmission method provided in the embodiment of the present application;
fig. 5 is a schematic structural diagram of a data transmission system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a data transmission method according to an embodiment of the present disclosure.
The specific steps may include:
S101: after the data packet has been cleaned by the current security component, judging, according to the configuration information of the service chain, whether the current security component and the next security component are security components of the same device; if yes, go to S102; if not, go to S103;
The present embodiment is a data transmission method applied to a service chain, also called a Service Function Chain (SFC): a technology that concatenates physical/virtual function components (mainly L4-L7 function components such as firewalls and VPNs) in a certain order and lets a specific flow pass through the security components in that predetermined order. In this embodiment the switch connecting the various security components may be an Open vSwitch. Open vSwitch is a stable open-source software SDN switch, and the Vxlan-GPE technology on Open vSwitch can encapsulate messages such as IP, Ethernet, MPLS and NSH, so this embodiment can encapsulate NSH messages with Vxlan-GPE to complete data transmission between security components. The switch transmits the data packet to the current security component; after the current security component has cleaned the data packet, the cleaned data packet is sent back to the switch, and the switch sends the data packet cleaned by the current security component to the next security component. The NSH (Network Service Header, the packet header of the service chain) carries information such as the service chain path ID, the number of each security component on the path, and metadata. Without NSH encapsulation, the flow would have to be classified and identified again on every security component of the service chain, which both affects performance and hinders expansion.
The current security component, the next security component and the previous security component mentioned in this step all belong to the security components, which are security devices that clean or filter the incoming data. A security component may be a physical device or a virtual device implemented with NFV (Network Function Virtualization) technology, and is not specifically limited here.
In this step, it is not limited whether the current security component is the first security component in the service chain, so the data packet cleaned by the current security component in this step may be a message cleaned by the previous security component, or may be a message that has not been cleaned. Since the functions implemented by the security components are different, for example, the functions may include any one or any combination of next-generation firewall services, database auditing services, SSL VPN security access services, operation and maintenance auditing services, host antivirus services, log auditing services, vulnerability scanning services, configuration checking services, load balancing services, micro-isolation services, host security detection services, and response services, the processing performed by each security component on the data packet is also different.
It should be noted that in the service chain the security component is also called the SF (Service Function) and is responsible for performing specific processing on the received data packet. In general the security component cannot parse the NSH, so if a packet carries an NSH, a proxy has to be added between the security component and its corresponding SFF to parse the NSH and send the packet with the NSH stripped to the security component. The SFF (Service Function Forwarder) implements the traffic forwarding function on the service chain. Thus, in this embodiment, the packet cleaned by the current security component is a packet that does not include the NSH.
It can be understood that in this embodiment the device corresponding to each security component may be recorded in advance: the current security component and the next security component are determined according to the configuration information of the service chain, and whether the two are security components of the same device is determined according to the pre-stored correspondence. Further, since the service chain is a technology that lets a specific flow pass through each security component in a predetermined sequence, the configuration information of the service chain includes the sequence of the security components in the service chain and the input port and output port of each security component through which the flow passes. As a preferred embodiment, whether two security components that are adjacent in the service chain are on the same device can be determined from their input/output ports. Specifically, the method may comprise the following steps: determining the first output port of the current security component and the second input port of the next security component according to the configuration information of the service chain; and judging, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device.
As mentioned above, the NSH carries the service chain path ID, the number of each security component on the path, and metadata. During local transmission, since the current security component and the next security component are on the same device, the address information in the NSH is not needed, so the NSH need not be added and the cleaned data packet can be sent directly to the corresponding port. If the current security component and the next security component are not on the same device, the address information in the NSH is needed for the transmission, so the NSH must be added to the data packet before it is sent to the corresponding port.
S102: transmitting the data packet to a next security component;
In this step, on the premise that the current security component and the next security component are security components on the same device, since the data packet cleaned by the current security component is a data packet with the NSH header stripped and no NSH is added in this step, the data packet received by the next security component is also a data packet without the NSH header, so the prior-art operation of stripping the NSH with the Proxy agent is not needed.
It should be noted that in this embodiment the phrase "the packet cleaned by the current security component is a packet after the NSH header has been stripped" refers to a packet that does not include the NSH, and does not restrict whether the current security component itself performs the NSH-stripping operation. After the data packet has been transmitted to the next security component, the next security component performs its own data cleaning operation on the data packet and may continue to transmit the cleaned data packet to other security components in the flow order specified by the service chain.
S103: and adding the target NSH in the data packet, and transmitting the data packet added with the target NSH to the next security component.
In this step, on the premise that the current security component and the next security component are not security components on the same device, since the data packet cleaned by the current security component is a data packet with the NSH header stripped, and the address information in the NSH is needed to transmit the data packet to the next security component, the target NSH must be added first and the data packet then transmitted to the next security component. Specifically, in this step the data packet can be transmitted to the next security component through a Vxlan-GPE tunnel. It is understood that different data transmission paths correspond to different NSHs, so this embodiment by default determines the target NSH according to the current security component and the next security component and then adds that NSH to the data packet.
In order to reduce the performance loss caused by repeatedly adding and removing the NSH in the prior art, the present embodiment first determines whether the current security component that cleaned the packet and the next security component are security components on the same device, so as to determine whether the NSH needs to be added. The NSH is the packet header of the service chain and carries information such as the service chain path ID, the number of each security component on the path, and metadata. The address and numbering information stored in the NSH is only needed when the current security component and the next security component are not on the same device. If they are on the same device, the NSH serves no purpose, yet the prior art still has to repeatedly perform Proxy operations that add and strip the NSH. Therefore, the present embodiment decides whether the NSH needs to be added before sending the data packet by judging whether the current security component and the next security component are on the same device. If they are on the same device, the NSH is not added and the packet is transmitted directly. If they are not on the same device, the NSH is added and the packet is sent across the tunnel; because crossing the tunnel requires the information in the NSH, no additional NSH-stripping operation is needed. Therefore, the embodiment reduces the performance loss of adding and stripping the NSH during data transmission in the service chain and improves the efficiency of data transmission.
Referring to fig. 2, fig. 2 is a flowchart of a method for local data packet transmission according to an embodiment of the present disclosure; this embodiment is a detailed description of S102 in the embodiment corresponding to fig. 1, and a more preferred implementation can be obtained by combining this embodiment with the embodiment corresponding to fig. 1.
The specific steps may include:
S201: adding the classifier of the first input port of the current security component to the first output port of the current security component to serve as a first matching field;
Since the current security component and the next security component are security components of the same device, the first matching field is obtained by adding the first output port to the classifier of the current security component in the ingress flow table, and the classifier of the current security component is the five-tuple of the current security component.
S202: determining, according to the ingress flow table, the local tenant flow table corresponding to the first matching field, and executing the action corresponding to the first matching field in the local tenant flow table so as to send the data packet to the second input port of the next security component;
the tenant flow table is a table describing the corresponding relationship between the matching domain and the input port. The tenant flow table may include a local tenant flow table and a remote tenant flow table.
The embodiment defaults to improving the flow table inside the switch: when a tenant is allocated or created, in order to avoid the complexity caused by using a flow table by multiple tenants, in this embodiment, all tenants share an entry flow table, and a matching field in the entry flow table corresponds to an action output to a certain local tenant flow table or a remote tenant flow table. The matching field in the local tenant flow table or the remote tenant flow table corresponds to an operation of transmitting a data packet to an input port of a certain security component. The flow tables belong to concepts common in the art, and are not described herein again, in short, in this embodiment, the flow tables are divided into two categories, one is an entry flow table that records a correspondence between a local or remote tenant flow table and a matching domain, and the other is a local or remote tenant flow table that records a correspondence between an input port of a security component and a matching domain. It should be noted that, what is actually recorded in the flow table is the correspondence between the matching field and the action, and since the action in the flow table in the present application is to determine the tenant flow table or to output the packet to the input port of the security component, for convenience of understanding, this is extended to the correspondence between the matching field and the tenant flow table, and between the matching field and the input port in this step.
The above flow table partitioning procedure is illustrated: when the tenants are allocated or created, a plurality of tenants share an initial flow classification table, and each tenant has its own table for implementing its SFC function (flow table entry). Each br (switch) created by OpenvSwitch has 255 tables, wherein a table 0 table is used as an entry table; tables 10 to 220 are tenant tables to support 210 tenants, the tenant tables are used to perform specific actions (ingress into input output ports or tunnel ports); tables 220 through 255 are used to support other underlying network services.
Referring to fig. 3, fig. 3 is a flowchart of a method for remote data packet transmission according to an embodiment of the present application; this step is a detailed description of S103 in the embodiment corresponding to fig. 1, and a more preferred implementation manner can be obtained by combining this embodiment with the embodiment corresponding to fig. 1.
S301: adding the classifier of the second output port of the next security component to the second output port of the next security component, and using the result as the second matching field;
Since the current security component and the next security component are not security components of the same device, the classifier of the next security component is added to the first output port in the ingress flow table to obtain the second matching field, so that the output action corresponding to the second matching field in the remote tenant flow table is executed.
S302: determining the remote tenant flow table corresponding to the second matching field according to the ingress flow table, and executing the action corresponding to the second matching field in the remote tenant flow table, so as to transmit the data packet with the target NSH added to the next security component through a VXLAN-GPE tunnel.
VXLAN (Virtual eXtensible Local Area Network) is an overlay technology that encapsulates a Layer 2 frame inside a Layer 4 protocol; specifically, VXLAN extends the Layer 2 network by MAC-in-UDP encapsulation. At present its most widespread use is in data centers, namely the free migration of virtual machines across a Layer 3 network: with VXLAN, a virtual machine migration that was previously confined to the same data center, the same physical Layer 2 network and the same VLAN is freed from these limits and can be extended to any location on the virtual Layer 2 network as required. The VXLAN-GPE tunnel is one type of VXLAN tunnel; its generic protocol extension allows the encapsulated payload to be something other than an Ethernet frame, which is what lets the NSH-carrying packet be transported through it.
Referring to fig. 4, fig. 4 is a flowchart of a preferred data transmission method provided in an embodiment of the present application; this embodiment is a more preferred implementation obtained by combining the embodiments corresponding to fig. 1, fig. 2 and fig. 3, and its specific steps may include:
S401: after the data packet has been cleaned by the current security component, determining the first output port of the current security component and the second input port of the next security component according to the configuration information of the service chain;
S402: judging, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device; the data packet is specifically a data packet with the NSH stripped; if yes, proceed to S403; if not, proceed to S405;
S403: adding the classifier of the first input port of the current security component to the first output port of the current security component, and using the result as the first matching field; proceed to S404;
S404: determining the local tenant flow table corresponding to the first matching field according to the ingress flow table, and executing the action corresponding to the first matching field in the local tenant flow table, so as to send the data packet to the second input port of the next security component; end of flow;
S405: adding the classifier of the second output port of the next security component to the second output port of the next security component, and using the result as the second matching field; proceed to S406;
S406: determining the remote tenant flow table corresponding to the second matching field according to the ingress flow table, and executing the action corresponding to the second matching field in the remote tenant flow table, so as to transmit the data packet with the target NSH added to the next security component through a VXLAN-GPE tunnel; end of flow.
Aiming at the shortcomings of existing SFC implementations, this embodiment provides a high-performance service chain implementation for a security resource pool that supports multiple tenants, multiple VLANs and multiple gateways, with or without a vRouter. The method is based on the VXLAN-GPE + NSH protocol; for SFs attached to the same SFF it removes the proxy-mode adding and stripping of the NSH header on the path from the SFF to the SF, so that network performance and throughput are improved. The embodiment designs a multi-stage flow table to reduce the NSH overhead in the main scenario and to avoid flow table complexity when there are multiple tenants. The invention supports the high availability and Bypass functions of the NFV (SF) and is independent of the specific service behaviour of the NFV (DNAT, SNAT and the like), as detailed in the following two examples:
Example 1: implementation of the Bypass function
Step 1: when a service chain adjustment instruction is received, determining the first target security component corresponding to the service chain adjustment instruction;
The service chain adjustment instruction may be a Bypass trigger instruction or a Bypass recovery instruction. When it is a Bypass trigger instruction, the virtual machine corresponding to the first target security component is in a powered-off or crashed state; when it is a Bypass recovery instruction, the virtual machine corresponding to the first target security component has returned to the normal state from the powered-off or crashed state and can again take part in data cleaning.
Step 2: modifying the input/output port state of the first target security component in all service chains corresponding to the first target security component, so as to create new service chains according to all the input/output port states;
Bypass decides whether a service chain passes through a security component based on the current state of its virtual machine. When creating a service chain, this embodiment saves the input/output port information of the security components that are valid (NFV state UP). When the state of an NFV changes to DOWN, the upper layer only needs to notify that the NFV state corresponding to the input/output port is DOWN, and the service chain is updated once. Similarly, on Bypass recovery the state of the input/output port is changed and the service chain is updated.
Example 2 implementation scheme of high availability of service chain
Step 1: when detecting that the second target safety component has a fault, executing a main-standby switching operation to replace the second target safety component with a standby safety component;
step 2: the input-output port of the second target security component is replaced with the input-output port of the standby security component and the traffic chain is updated.
In this embodiment, the operation is equivalent to a master-slave switching operation, the second target security component having the fault is replaced with the backup security component, and the input/output port of the second target security component in the traffic chain is replaced with the input/output port of the backup security component. Specifically, different safety assemblies may have the same function, and when the main safety assembly is used for switching between the main safety assembly and the standby safety assembly, the safety assemblies of the available standby safety assemblies are automatically switched when the main safety assembly is abnormal. When the main security component is abnormal or down, the upper layer issues a RestApi or CLI command, and issues mapping between ports related to the security component and ports of the standby security component, that is, the standby security component ports are used for replacing ports of the main security component visually, and then the business chain input/output ports related to the security component are regenerated, and the business chain flow table is updated.
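The following is an added example, not code from the patent or from the applicant, that models Example 1 and Example 2 above: a service chain is stored as an ordered list of port pairs with their NFV state; Bypass only flips the saved state of one component and regenerates every chain containing it, while a master/standby switchover maps the failed component's ports onto the standby's. The PortPair and ServiceChain types, the port numbers and the chain names are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PortPair:
    """Constructed model of a security component's input/output ports together
    with its NFV state (UP or DOWN)."""
    name: str
    ingress: int
    egress: int
    up: bool = True


@dataclass
class ServiceChain:
    name: str
    pairs: list   # ordered PortPairs saved when the chain was created


def hops(chain):
    """The hops actually programmed for a chain: consecutive UP components
    only, so a component whose state is DOWN is bypassed and traffic goes
    straight from its predecessor to its successor."""
    live = [p for p in chain.pairs if p.up]
    return [(cur.name, cur.egress, nxt.name, nxt.ingress)
            for cur, nxt in zip(live, live[1:])]


def set_port_state(chains, component, up):
    """Bypass trigger (up=False) or Bypass recovery (up=True) for one
    component: only the saved port state changes, and every chain that
    contains the component is regenerated once from the new states.
    Returns, per affected chain, the hops removed and the hops added."""
    changed = {}
    for chain in chains:
        if not any(p.name == component for p in chain.pairs):
            continue
        before = hops(chain)
        chain.pairs = [replace(p, up=up) if p.name == component else p
                       for p in chain.pairs]
        after = hops(chain)
        changed[chain.name] = ([h for h in before if h not in after],
                               [h for h in after if h not in before])
    return changed


def failover(chains, failed, standby):
    """Master/standby switchover: the failed component's ports are mapped onto
    the standby's ports in every chain that referenced it, and those chains are
    regenerated. Returns the new hops of each affected chain."""
    changed = {}
    for chain in chains:
        if not any(p.name == failed for p in chain.pairs):
            continue
        chain.pairs = [replace(standby, up=True) if p.name == failed else p
                       for p in chain.pairs]
        changed[chain.name] = hops(chain)
    return changed


if __name__ == "__main__":
    # Constructed sample: two chains share the firewall, only "web" uses the IPS.
    fw, ips, waf = PortPair("fw", 1, 2), PortPair("ips", 3, 4), PortPair("waf", 5, 6)
    chains = [ServiceChain("web", [fw, ips, waf]), ServiceChain("mail", [fw, waf])]
    print(set_port_state(chains, "ips", False))   # ips bypassed in "web" only
    print(set_port_state(chains, "ips", True))    # recovery restores the hops
    print(failover(chains, "ips", PortPair("ips-standby", 7, 8)))
```

The returned hop differences are what a controller would translate into flow table updates: a Bypass touches only the hops adjacent to the affected component, and chains that never referenced it are left untouched.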
The flow of the embodiment corresponding to fig. 4 is described below by means of an embodiment in a practical application, in terms of data transmission among the previous security component, the current security component and the next security component.
When a data packet passes through the security resource pool from the external network to the internal network, or from the internal network to the external network, a vRouter (virtual router), if present in the security resource pool, is used as the input/output port through which the service chain is entered and left; when the security resource pool has no vRouter, a physical port is used as the input/output port of the security resource pool. When the configuration of a service chain is issued, the tenant table is determined and all valid portPair information (NFV state UP) is saved, together with the ingress port of the preceding portPair and the egress port of the following portPair. Each saved portPair is traversed, the ingress port of the preceding portPair and the port of the following portPair are examined, and it is determined whether cross-tunnel transmission with an NSH header or local transmission is needed.
If the previous security component and the current security component are on the same device, the matching field of the entry flow table for the current security component is the classifier of the output port of the previous security component plus the input port of the current security component, and its action is to go to the tenant table; the matching field of the tenant table entry established for the current security component is likewise the classifier of the output port of the previous security component plus the input port of the current security component, and its action is to output the data packet to the input port of the input/output port pair (portPair) of the current security component.
If the previous security component and the current security component are not on the same device, the matching field of the entry flow table for the current security component is the output port of the current security component plus the classifier of that output port, and its action is to go to the tenant table; the matching field of the tenant table is set to the same output port plus classifier, and its action is to add the NSH to the packet and output it to the tunnel port. The switch that receives the packet matches the NSH in it against its own entry flow table, determines the SPI and SI carried in the NSH, and outputs the packet to the input port of the current security component.
If the current security component and the next security component are on the same device, the matching field of the entry flow table for the next security component is the classifier of the output port of the current security component plus the input port of the next security component, and its action is to go to the tenant table; the matching field of the tenant table entry established for the next security component is likewise the classifier of the output port of the current security component plus the input port of the next security component, and its action is to output the data packet to the input port of the input/output port pair (portPair) of the next security component.
If the current security component and the next security component are not on the same device, the matching field of the entry flow table for the next security component is the output port of the next security component plus the classifier of that output port, and its action is to go to the tenant table; the matching field of the tenant table is set to the same output port plus classifier, and its action is to add the NSH to the data packet and output it to the tunnel port. The switch that receives the packet matches the NSH in it against its own entry flow table, determines the SPI and SI carried in the NSH, and outputs the packet to the input port of the next security component.
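The following is an added example, not code from the patent or from the applicant, that implements the two-stage flow table described above (table 0 as the shared entry table, tables 10 to 220 as tenant tables), the per-hop decision of steps S401 to S406 and the practical walkthrough just given: for each consecutive pair of UP security components the entry table sends the packet to the tenant table, whose action is a local output when both components are on one device and otherwise "add NSH and output to the tunnel port"; on the receiving device the entry table matches the NSH service path (SPI, SI) and outputs to the next component's input port. The NSH is encoded in the RFC 8300 layout (MD type 1, context words zeroed). The PortPair type, the device names, port numbers, the classifier value and the in-memory switch simulation are constructed for illustration; the table numbers come from the description.

```python
import struct
from dataclasses import dataclass

# Table layout as described for the Open vSwitch bridge: table 0 is the entry
# table shared by all tenants, tables 10..220 are the per-tenant tables.
ENTRY_TABLE = 0
FIRST_TENANT_TABLE, LAST_TENANT_TABLE = 10, 220


@dataclass
class PortPair:
    """Constructed model of one security component (SF): the device it runs on,
    its input/output ports (OVS port numbers) and its NFV state."""
    name: str
    device: str
    ingress: int
    egress: int
    up: bool = True   # only UP components are written into the chain


def tenant_table(tenant_id):
    """Map a tenant index onto its own table in the 10..220 range."""
    table = FIRST_TENANT_TABLE + tenant_id
    if not FIRST_TENANT_TABLE <= table < LAST_TENANT_TABLE:
        raise ValueError("tenant id out of range (210 tenants supported)")
    return table


def build_nsh(spi, si, md_type=1, next_proto=0x3):
    """Encode an RFC 8300 NSH: base header, service path header carrying the
    SPI and SI, and for MD type 1 four fixed context words (zeroed here)."""
    length = 6 if md_type == 1 else 2            # header length in 4-byte words
    ttl = 63                                     # RFC 8300 default starting TTL
    base = (ttl << 22) | (length << 16) | (md_type << 8) | next_proto
    hdr = struct.pack("!II", base, (spi << 8) | si)
    return hdr + (b"\x00" * 16 if md_type == 1 else b"")


def parse_nsh(raw):
    """Return (spi, si) from the service path header of an encoded NSH."""
    _, path = struct.unpack("!II", raw[:8])
    return path >> 8, path & 0xFF


def build_flows(tenant_id, classifier, spi, chain, tunnel_port):
    """Produce (table, match, action) entries for every hop of a chain.
    The matching field is the current SF's output port plus the tenant's
    classifier; the entry table sends it to the tenant table, whose action is a
    local output when both SFs are on one device and otherwise push-NSH plus
    output to the VXLAN-GPE tunnel port. On the receiving device the entry
    table matches the NSH (spi, si) and outputs to the next SF's input port."""
    table = tenant_table(tenant_id)
    pairs = [p for p in chain if p.up]           # bypassed (DOWN) SFs are skipped
    flows = []
    for hop, (cur, nxt) in enumerate(zip(pairs, pairs[1:])):
        match = {"dev": cur.device, "in_port": cur.egress, "cls": classifier}
        flows.append((ENTRY_TABLE, match, ("goto", table)))
        if cur.device == nxt.device:
            flows.append((table, match, ("output", nxt.ingress)))
        else:
            si = 255 - hop                       # SI decrements along the path
            flows.append((table, match, ("push_nsh_out", spi, si, tunnel_port)))
            nsh_match = {"dev": nxt.device, "in_port": tunnel_port, "nsh": (spi, si)}
            flows.append((ENTRY_TABLE, nsh_match, ("output", nxt.ingress)))
    return flows


def forward(flows, device, in_port, classifier, nsh=None):
    """Simulate one switch's multi-stage pipeline for a packet arriving on
    in_port of device. Returns (output_port, nsh_bytes_or_None)."""
    table = ENTRY_TABLE
    for _ in range(4):                           # entry table -> tenant table
        key = {"dev": device, "in_port": in_port}
        key.update({"nsh": parse_nsh(nsh)} if nsh else {"cls": classifier})
        action = next((a for t, m, a in flows if t == table and m == key), None)
        if action is None:                       # table miss: packet is dropped
            return None, nsh
        if action[0] == "goto":
            table = action[1]
        elif action[0] == "output":
            return action[1], nsh
        else:                                    # push NSH and send to tunnel
            return action[3], build_nsh(action[1], action[2])
    return None, nsh


if __name__ == "__main__":
    # Constructed sample: fw and ips on device A, waf on device B.
    chain = [PortPair("fw", "A", 1, 2), PortPair("ips", "A", 3, 4),
             PortPair("waf", "B", 5, 6)]
    flows = build_flows(0, 100, 7, chain, tunnel_port=10)
    print(forward(flows, "A", 2, 100))           # local hop: (3, None)
    port, nsh = forward(flows, "A", 4, 100)      # remote hop: tunnel port, NSH added
    print(port, nsh.hex(), parse_nsh(nsh))
    print(forward(flows, "B", 10, 100, nsh))     # receiving device: (5, nsh)
```

The local hop never touches an NSH, which is the saving the description is after; only the hop that crosses devices pays for the 24-byte MD type 1 header, and the receiving switch forwards on (SPI, SI) without stripping it.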
Referring to fig. 5, fig. 5 is a schematic structural diagram of a data transmission system according to an embodiment of the present application;
The system may include:
a determining module 100, configured to judge, after the current security component has completed cleaning the data packet, whether the current security component and the next security component are security components of the same device according to the configuration information of the service chain; the data packet is specifically a data packet with the NSH stripped;
a local transmission module 200, configured to transmit the data packet to the next security component when the current security component and the next security component are security components of the same device;
a remote transmission module 300, configured to add the target NSH to the data packet and transmit the data packet with the target NSH added to the next security component when the current security component and the next security component are not security components of the same device.
In order to reduce the performance loss caused by repeatedly adding and removing the NSH in the prior art, this embodiment first judges whether the current security component that cleaned the packet and the next security component are security components on the same device, so as to decide whether an NSH needs to be added. The NSH is the packet header of the service chain and carries information such as the service path ID, the index of each security component on the path, and metadata. The address, index and similar information stored in the NSH is only useful when the current security component and the next security component are not on the same device; if they are on the same device, the NSH serves no purpose, yet the prior art still repeatedly performs proxy-style add/strip operations on it. This embodiment therefore decides whether an NSH is needed before sending the data packet, by judging whether the two components are on the same device: if they are, the packet is transmitted directly without adding an NSH; if they are not, an NSH is added and the packet is transmitted across the tunnel, and since the cross-tunnel transmission requires the information in the NSH, no operation of stripping the NSH is performed.
Further, the determining module 100 includes:
a port determining unit, configured to determine the first output port of the current security component and the second input port of the next security component according to the configuration information of the service chain;
and a port judging unit, configured to judge, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device.
Further, the local transmission module 200 includes:
a first matching field determining unit, configured to add the classifier of the first input port of the current security component to the first output port of the current security component as the first matching field when the current security component and the next security component are security components of the same device;
and a first transmission unit, configured to determine the local tenant flow table corresponding to the first matching field according to the ingress flow table and execute the action corresponding to the first matching field in the local tenant flow table, so as to send the data packet to the second input port of the next security component;
the tenant flow table is a table describing the correspondence between matching fields and input ports.
Further, the remote transmission module 300 includes:
a second matching field determining unit, configured to add the classifier of the second output port of the next security component to the second output port of the next security component as the second matching field when the current security component and the next security component are not security components of the same device;
and a second transmission unit, configured to determine the remote tenant flow table corresponding to the second matching field according to the ingress flow table and execute the action corresponding to the second matching field in the remote tenant flow table, so as to transmit the data packet with the target NSH added to the next security component.
Further, the system also includes:
a component determining module, configured to determine the first target security component corresponding to a service chain adjustment instruction when the service chain adjustment instruction is received;
and a service chain adjusting module, configured to modify the input/output port state of the first target security component in all service chains corresponding to the first target security component, so as to create new service chains according to all the input/output port states; the service chain adjustment instruction is a Bypass trigger instruction or a Bypass recovery instruction.
Further, the system also includes:
a switching module, configured to execute a master/standby switching operation to replace the second target security component with a standby security component when a fault is detected on the second target security component;
and a service chain updating module, configured to replace the input/output port of the second target security component with the input/output port of the standby security component and update the service chain.
Since the embodiment of the system part corresponds to the embodiment of the method part, the embodiment of the system part is described with reference to the embodiment of the method part, and is not repeated here.
The present application also provides a computer readable storage medium storing a computer program which, when executed, may implement the steps provided by the above embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A data transmission method, applied to a service chain, includes:
after the data packet is cleaned by the current security component, judging whether the current security component and the next security component are security components of the same device or not according to the configuration information of the service chain; the data packet is specifically a data packet with NSH stripped;
if so, transmitting the data packet to the next security component;
if not, adding a target NSH in the data packet, and transmitting the data packet added with the target NSH to the next security component;
wherein, judging whether the current security component and the next security component are the security component of the same device according to the configuration information of the service chain comprises:
determining a first output port of the current security component and a second input port of a next security component according to the configuration information of the service chain;
and judging, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device.
2. The data transmission method of claim 1, wherein transmitting the data packet to the next security component comprises:
adding a classifier of a first output port of the current security component and a first input port of the current security component as a first matching domain;
determining a local tenant flow table corresponding to the first matching domain according to an ingress flow table, and executing an action corresponding to the first matching domain in the local tenant flow table so as to send the data packet to a second input port of the next security component;
the ingress flow table is a table describing the correspondence between the matching domain and the tenant flow table, and the tenant flow table is a table describing the correspondence between the matching domain and the input port.
3. The data transmission method of claim 1, wherein transmitting the data packet with the target NSH added thereto to the next security component comprises:
adding the classifier of the second output port of the next security component to the second output port of the next security component, and using the result as a second matching domain;
and determining a far-end tenant flow table corresponding to the second matching domain according to an ingress flow table, and executing an action corresponding to the second matching domain in the far-end tenant flow table, so as to transmit the data packet with the target NSH added to the next security component.
4. The data transmission method according to claim 1, further comprising:
when a service chain adjusting instruction is received, determining a first target security component corresponding to the service chain adjusting instruction;
modifying the input-output port state of the first target security component in all traffic chains corresponding to the first target security component so as to create a new traffic chain according to all input-output port states; the service chain adjusting instruction is a Bypass triggering instruction or a Bypass recovering instruction.
5. The data transmission method according to any one of claims 1 to 4, further comprising:
when detecting that a second target security component has a fault, executing a master/standby switching operation to replace the second target security component with a standby security component;
and replacing the input/output port of the second target security component with the input/output port of the standby security component, and updating a traffic chain.
6. A data transmission system, for use in a service chain, comprising:
the judging module is used for judging whether the current security component and the next security component are security components of the same device or not according to the configuration information of the service chain after the current security component finishes cleaning the data packet; the data packet is specifically a data packet with NSH stripped;
a local transmission module, configured to transmit the data packet to the next security component when the current security component and the next security component are security components of the same device;
a remote transmission module, configured to add a target NSH to the data packet and transmit the data packet with the target NSH added to the next security component when the current security component and the next security component are not security components of the same device;
wherein, the judging module comprises:
a port determining unit, configured to determine, according to configuration information of the service chain, a first output port of the current security component and a second input port of a next security component;
and the port judgment unit is used for judging, according to the first output port and the second input port, whether the current security component and the next security component are security components of the same device.
7. The data transmission system of claim 6, wherein the local transmission module comprises:
a first matching domain determining unit, configured to, when the current security component and the next security component are security components of the same device, add a classifier of a first input port of the current security component to a first output port of the current security component as a first matching domain;
a first transmission unit, configured to determine a local tenant flow table corresponding to the first matching domain according to an ingress flow table, and execute an action in the local tenant flow table corresponding to the first matching domain, so as to send the data packet to a second input port of the next security component;
the ingress flow table is a table describing the correspondence between the matching domain and the tenant flow table, and the tenant flow table is a table describing the correspondence between the matching domain and the input port.
8. The data transmission system of claim 6, wherein the remote transmission module comprises:
a second matching domain determining unit, configured to add the classifier of the second output port of the next security component to the second output port of the next security component as a second matching domain when the current security component and the next security component are not security components of the same device;
a second transmission unit, configured to determine, according to an ingress flow table, a far-end tenant flow table corresponding to the second matching domain, and execute an action in the far-end tenant flow table corresponding to the second matching domain, so as to transmit the data packet to which the target NSH is added to the next security component.
9. The data transmission system of claim 6, further comprising:
the component determination module is used for determining a first target security component corresponding to a business chain adjusting instruction when the business chain adjusting instruction is received;
a traffic chain adjusting module, configured to modify an input/output port state of the first target security component in all traffic chains corresponding to the first target security component, so as to create a new traffic chain according to all input/output port states; the service chain adjusting instruction is a Bypass triggering instruction or a Bypass recovering instruction.
10. The data transmission system according to any one of claims 6 to 9, further comprising:
the switching module is used for executing a master/standby switching operation to replace a second target security component with a standby security component when detecting that the second target security component has a fault;
and the service chain updating module is used for replacing the input/output port of the second target security component with the input/output port of the standby security component and updating the service chain.
11. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the data transmission method according to any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the data transmission method according to one of claims 1 to 5.
CN201811296057.5A 2018-11-01 2018-11-01 Data transmission method, system, computer readable storage medium and electronic device Active CN111131135B (en)

Publications (2)

Publication Number Publication Date
CN111131135A CN111131135A (en) 2020-05-08
CN111131135B true CN111131135B (en) 2022-04-29

Family

ID=70494850

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811296057.5A Active CN111131135B (en) 2018-11-01 2018-11-01 Data transmission method, system, computer readable storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN111131135B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113055433A (en) * 2021-02-02 2021-06-29 新华三信息技术有限公司 File transmission method, device, equipment and machine-readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640895B (en) * 2009-08-31 2012-03-21 北京邮电大学 Method and system for ensuring streaming media service quality
US10116553B1 (en) * 2015-10-15 2018-10-30 Cisco Technology, Inc. Application identifier in service function chain metadata
CN107579838A (en) * 2016-07-05 2018-01-12 中兴通讯股份有限公司 Data processing method and device
US10659283B2 (en) * 2016-07-08 2020-05-19 Cisco Technology, Inc. Reducing ARP/ND flooding in cloud environment
CN107920023B (en) * 2017-12-29 2021-01-19 Sangfor Technologies Co., Ltd. Method and system for realizing a security resource pool

Also Published As

Publication number Publication date
CN111131135A (en) 2020-05-08

Similar Documents

Publication Publication Date Title
US20220174042A1 (en) Network Architecture for Cloud Computing Environments
CN110166356B (en) Method and network equipment for sending message
US10191758B2 (en) Directing data traffic between intra-server virtual machines
US10452422B2 (en) Method and apparatus for deploying virtual machine instance, and device
US10911355B2 (en) Multi-site telemetry tracking for fabric traffic using in-band telemetry
US9959132B2 (en) Managing virtual computing nodes using isolation and migration techniques
US10445124B2 (en) Managing virtual computing nodes using isolation and migration techniques
CN107623663B (en) Method and device for processing network flow
US8081640B2 (en) Network system, network management server, and access filter reconfiguration method
CN102291455B (en) Distributed cluster processing system and message processing method thereof
CN108833305B (en) Virtual network device of host
CN105791072A (en) Access method and device of Ethernet virtual network
CN106549780B (en) Network configuration method, device and system
CN109639488A (en) Multi-external-network traffic splitting and acceleration method and system
US10778467B2 (en) Method for providing virtual CPE service by using single internet line and network function virtualization cloud
US20170228539A1 (en) Control device, control system, control method, and control program
CN106685695B (en) Fault detection method and equipment thereof
CN111131135B (en) Data transmission method, system, computer readable storage medium and electronic device
CN112953833B (en) Method, system and gateway equipment for realizing three-layer route forwarding based on network bridge
CN112511439A (en) Data forwarding method, device, equipment and computer readable storage medium
US20180198708A1 (en) Data center linking system and method therefor
CN116545665A (en) Secure traffic diversion method, system, device and medium
CN115904626A (en) Method and system for deploying cloud resource pool architecture
CN112003748B (en) Fault processing method, system, device and storage medium suitable for virtual gateway
US9912575B2 (en) Routing network traffic packets through a shared inline tool

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant