CN111163060A - Application group-based forwarding method, device and system - Google Patents

Application group-based forwarding method, device and system

Info

Publication number
CN111163060A
Authority
CN
China
Prior art keywords
application
group
application group
forwarding
security policy
Prior art date
Legal status
Granted
Application number
CN201911264239.9A
Other languages
Chinese (zh)
Other versions
CN111163060B (en)
Inventor
何文娟
Current Assignee
Zhongying Youchuang Information Technology Co Ltd
Original Assignee
Zhongying Youchuang Information Technology Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Zhongying Youchuang Information Technology Co Ltd
Priority to CN201911264239.9A
Publication of CN111163060A
Application granted
Publication of CN111163060B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an application group-based forwarding method, an application group-based forwarding system, a computer device and a computer-readable storage medium, and relates to the technical field of data processing. The method comprises the following steps: dividing applications and hosts having the same attribute into the same group and assigning each group a unique identity; acquiring a security policy application, determining the host group and the application group corresponding to the security policy application, and converting the security policy application into access relationship information between the host group and the application group; and decomposing the application group access relationship information into a multi-stage flow table so as to realize application group-based forwarding. The invention realizes application group-based flow table forwarding, reduces the number of OpenFlow entries and improves forwarding performance; in particular, when a virtual machine is migrated only the flow table related to the host needs to be changed, and the flow tables related to the policy need not be touched, so the number of entry changes is reduced.

Description

Application group-based forwarding method, device and system
Technical Field
The present invention relates to the field of data processing technologies, in particular to virtual machine isolation technology, and more particularly to an application group-based forwarding method, an application group-based forwarding system, a computer device, and a computer-readable storage medium.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
There are thousands of virtual machines in a data center. As east-west traffic grows, mutual access between virtual machines becomes ever more complicated. To prevent an attack on a virtual machine from spreading laterally, the virtual machines need to be isolated through a security policy, and only the virtual machines that need to access each other are allowed to communicate. With OpenFlow flow table entries based on IP addresses, every policy related to a service has to be adjusted as the hosts scale out, that is, the number of entries multiplies; at the same time, when a virtual machine migrates, the original policy needs to be adjusted, which may affect one or more policies.
Therefore, how to provide a new solution that overcomes the above technical defects is a technical problem to be solved in the art.
Disclosure of Invention
In view of the above, the present invention provides an application group-based forwarding method, an application group-based forwarding system, a computer device, and a computer-readable storage medium. Unique identifiers are allocated to application groups and host groups having the same attribute according to the actual applications. A security policy to be applied is mapped into application group relationship information formed from identifiers, according to the host group to which the source address belongs and the application group to which the destination address and port belong in the security policy. The application access relationship is then decomposed into different flow tables according to the mapping relationship between the security policy application and the identifiers, and each level of flow table is connected in series through the access relationship information, thereby implementing application group-based forwarding.
In order to achieve the above object, the present invention provides an application group-based forwarding method, including:
acquiring a security policy application;
determining application group access relation information corresponding to the security policy application;
and decomposing the application group access relation information into a multi-stage flow table to realize forwarding based on the application group.
In a preferred embodiment of the present invention, the method further comprises:
the application and the host with the same attribute are divided into the same group, and are assigned with unique identification.
In a preferred embodiment of the present invention, determining the application group access relationship information corresponding to the security policy application includes:
determining a source address corresponding to the security policy application, a host group identifier to which the source address belongs, and an identity identifier related to a destination application group to which the source address needs to be accessed;
and mapping the security policy application to application group access relationship information formed by the identity according to the identity.
In a preferred embodiment of the present invention, decomposing the application group access relationship information into multiple stages of flow tables to implement application group based forwarding comprises:
decomposing the access relation information of the application group according to the mapping relation between the security policy application and the identity to obtain a multi-level flow table;
and serially connecting the flow tables of each stage through the access relation information of the application group to realize forwarding based on the application group.
In a preferred embodiment of the present invention, the method further comprises:
the flow table is issued to a corresponding switch;
and realizing the forwarding of the message according to the forwarding behavior defined by the controller.
One of the objects of the present invention is to provide an application group-based forwarding system, which includes:
the policy application acquisition module is used for acquiring a security policy application;
the relation information determining module is used for determining the application group access relation information corresponding to the security policy application;
and the relationship information decomposition module is used for decomposing the application group access relationship information into a multi-stage flow table so as to realize forwarding based on the application group.
In a preferred embodiment of the present invention, the system further comprises:
and the security policy management module is used for dividing the application and the host with the same attribute into the same group and distributing a unique identity.
In a preferred embodiment of the present invention, the relationship information determination module includes:
an identity identification determining module, configured to determine a source address corresponding to the security policy application, a host group identity to which the source address belongs, and an identity associated with a destination application group to which the source address needs to be accessed;
and the policy relationship mapping module is used for mapping the security policy application into application group access relationship information formed by the identity identifiers according to the identity identifiers.
In a preferred embodiment of the present invention, the relationship information decomposition module includes:
decomposing the application access relation information according to the mapping relation between the security policy application and the identity to obtain a multi-level flow table;
and the multi-stage flow table serial module is used for serially connecting each stage of flow table through the application access relation information so as to realize forwarding based on the application group.
In a preferred embodiment of the present invention, the system further comprises:
the flow table issuing module is used for issuing the flow table to a corresponding switch;
and the flow table forwarding module is used for forwarding the message according to the forwarding behavior defined by the controller.
One of the objects of the present invention is to provide a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing an application group based forwarding method when executing the computer program.
It is an object of the present invention to provide a computer-readable storage medium storing a program for executing an application group-based forwarding method.
The invention has the advantages that an application group-based forwarding method, an application group-based forwarding device, a service system, a computer device and a computer-readable storage medium are provided. Unique identifiers are allocated to application groups and host groups having the same attribute according to the actual applications; the security policy to be applied is mapped into metadata information formed from the identifiers, according to the host group to which the source address belongs and the application group to which the destination address and port belong in the security policy; the policy is then decomposed into different flow tables according to the mapping relationship between the policy and the identifiers, and the flow tables at each level are connected in series through the metadata. Application group-based forwarding is thus realized, the number of OpenFlow entries is reduced, and forwarding performance is improved.
In order to make the aforementioned and other objects, features and advantages of the invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a forwarding system based on an application group according to an embodiment of the present invention;
fig. 2 is a flowchart of a forwarding method based on an application group according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a host group and an application group according to an embodiment of the present invention;
fig. 4 is a flowchart illustrating an application group-based forwarding method in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, method or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
To prevent an attack on a virtual machine from spreading laterally, the virtual machines need to be isolated through a security policy, and only the virtual machines that need to access each other are allowed to communicate. With OpenFlow flow table entries based on IP addresses, every policy related to a service has to be adjusted as the hosts scale out, that is, the number of entries multiplies; at the same time, when a virtual machine migrates, the original policy needs to be adjusted, which may affect one or more policies.
Based on this, the present invention provides an application group-based forwarding system, fig. 1 is a schematic structural diagram of an application group-based forwarding system provided in an embodiment of the present invention, please refer to fig. 1, where the system includes:
a policy application obtaining module 100, configured to obtain a security policy application.
In an embodiment of the present invention, when the host group webx needs to access the application group dbx, the security policy application needs to be opened. At this time, the source address in the security policy application is the address of the host group webx, and the destination application group to which the source address needs to access is the application group dbx.
In one embodiment of the invention, the system further comprises:
and the security policy management module is used for dividing the application and the host with the same attribute into the same group and distributing a unique identity, such as 32 bits.
In one embodiment of the present invention, as shown in FIG. 3, webx consists of the three hosts 192.168.10.1-3 and is assigned the unique identifier 0x0001; dbx consists of the hosts 192.168.20.1-5 with port 3306 and is assigned the unique identifier 0x0002.
As shown in fig. 1, the system further includes:
and a relationship information determining module 200, configured to determine the application group access relationship information corresponding to the security policy application.
In one embodiment of the present invention, the relationship information determination module 200 includes:
an identity identification determining module, configured to determine a source address corresponding to the security policy application, a host group identity to which the source address belongs, and an identity associated with a destination application group to which the source address needs to be accessed;
and the mapping module is used for mapping the security policy application into application group access relationship information formed by the identity identifiers according to the identity identifiers.
In an embodiment of the present invention, as shown in fig. 3, when the host group webx needs to access the application group dbx, a security policy application needs to be opened. At this time, the source address in the security policy application is the address of the host group webx, and the destination application group that the source address needs to access is the application group dbx. The identity identification determining module finds the related identifiers in the security policy management module according to the source address in the security policy application and the destination application group that the source address needs to access. The policy relationship mapping module maps the security policy into policy relationship information (metadata information) formed from the identifiers of the host group and the application group: the identifier of the source host group occupies the low 32 bits of the metadata and the identifier of the destination application group the high 32 bits.
As shown in fig. 1, the system further includes:
and a relation information decomposition module 300, configured to decompose the application group access relation information into a multi-stage flow table, so as to implement forwarding based on the application group.
In one embodiment of the present invention, the relationship information decomposition module includes:
the multi-level flow table generating module, configured to decompose the application group access relationship information according to that access relationship information and the mapping relationship between host addresses and identifiers, so as to obtain a multi-level flow table;
and the multi-stage flow table serial module is used for serially connecting each stage of flow table through the application group access relation information so as to realize forwarding based on the application group.
In an embodiment of the present invention, as shown in fig. 3, when the host group webx needs to access the application group dbx, the mapping module maps the security policy application into application group access relationship metadata information formed from the identifiers of the host group and the application group: the identifier of the source host group occupies the low-order 32 bits of the metadata and the identifier of the destination application group the high-order 32 bits. Then the multi-stage flow table generating module decomposes the application access relationship information according to the mapping relationship between the application access relationship information and the identifiers to obtain a multi-stage flow table. Specifically, the host addresses within the source address are used as the match field, and the action is set metadata and goto table10, that is, the metadata is set to 0x0001, the value being the identifier of the host group to which the source address belongs; the multi-stage flow table generating module issues these entries to flow table0, shown in Table 1.
TABLE 1 (an image in the original; flow table0 entries as described in the text)
match action
src=192.168.10.1 set metadata=0x0001, goto table10
src=192.168.10.2 set metadata=0x0001, goto table10
src=192.168.10.3 set metadata=0x0001, goto table10
The destination address and port in the security policy application are used as the match field; the action is update metadata and goto table20, where the value of the metadata is the concatenation of the destination application group identifier and the original metadata, with the destination application group identifier occupying 32 bits. These entries are issued to table10, shown in Table 2.
TABLE 2 (an image in the original; flow table10 entries as described in the text)
match action
dst=192.168.20.1, port=3306 update metadata=0x00020001, goto table20
dst=192.168.20.2, port=3306 update metadata=0x00020001, goto table20
dst=192.168.20.3, port=3306 update metadata=0x00020001, goto table20
dst=192.168.20.4, port=3306 update metadata=0x00020001, goto table20
dst=192.168.20.5, port=3306 update metadata=0x00020001, goto table20
The metadata formed by concatenating the application group identifiers of the applied security policy is used as the match field and issued to table20, shown in Table 3, where the action is the output interface. Finally, once a packet enters the switch, stage-by-stage matching starts from table0 until the packet is forwarded out.
TABLE 3
match action
metadata=0x00020001 outport
metadata=0x00020001 outport
metadata=0x00020001 outport
In other embodiments of the present invention, the system further comprises:
the flow table issuing module is used for issuing the flow table to a corresponding switch;
and the flow table forwarding module is used for forwarding the message according to the forwarding behavior defined by the controller.
The application group-based forwarding system provided by the invention allocates unique identifiers to application groups and host groups having the same attribute according to the actual applications, maps the security policy to be applied into metadata information formed from the identifiers according to the host group to which the source address belongs and the application group to which the destination address and port belong in the security policy, decomposes the policy into different flow tables according to the mapping relationship between the policy and the identifiers, and connects each level of flow table in series through the metadata, thereby realizing application group-based forwarding. The invention realizes application group-based flow table forwarding, greatly reduces the number of OpenFlow entries and improves forwarding performance. In particular, when a virtual machine is migrated, only the flow table related to the host needs to be changed and the flow tables related to the policy need not be operated on, so the number of entry changes is reduced.
Furthermore, although several unit modules of the system are mentioned in the above detailed description, this division is not mandatory. Indeed, the features and functions of two or more of the units described above may be embodied in one unit according to embodiments of the invention. Likewise, the features and functions of one unit described above may be further divided among a plurality of units. The terms "module" and "unit" used above may be software and/or hardware that realizes a predetermined function. While the modules described in the following embodiments are preferably implemented in software, implementations in hardware, or in a combination of software and hardware, are also possible and contemplated.
Having described the system for application group based forwarding of exemplary embodiments of the present invention, a method of exemplary embodiments of the present invention is described next with reference to the accompanying drawings. The implementation of the method can be referred to the above overall implementation, and repeated details are not repeated.
Specifically, fig. 2 is a schematic flowchart of a forwarding method based on an application group according to an embodiment of the present invention, please refer to fig. 2, where the method includes:
s101: the method comprises the steps of obtaining a security policy application, wherein the security policy application comprises a source address, a host group to which the source address belongs and a target application group to which the source address needs to access.
In an embodiment of the present invention, when the host group webx needs to access the application group dbx, the security policy application needs to be opened. At this time, the source address in the security policy application is the address of the host group webx, and the destination application group to which the source address needs to access is the application group dbx.
In one embodiment of the invention, the method further comprises:
applications and hosts having the same attributes are divided into the same group and assigned a unique identity, such as 32 bits.
In one embodiment of the present invention, as shown in FIG. 3, webx consists of the three hosts 192.168.10.1-3 and is assigned the unique identifier 0x0001; dbx consists of the hosts 192.168.20.1-5 with port 3306 and is assigned the unique identifier 0x0002.
As shown in fig. 2, the method further comprises:
s102: and determining the access relation information of the application group corresponding to the security policy application.
In one embodiment of the present invention, step S102 includes:
determining a source address corresponding to the security policy application, a host group identifier to which the source address belongs, and an identity identifier related to a destination application group to which the source address needs to be accessed;
and mapping the security policy application to application group access relationship information formed by the identity according to the identity.
In an embodiment of the present invention, as shown in fig. 3, when the host group webx needs to access the application group dbx, a security policy application needs to be opened. At this time, the source address in the security policy application is the address of the host group webx, and the destination application group that the source address needs to access is the application group dbx. The identity identification determining module finds the related identifiers in the security policy management module according to the source address in the security policy application and the destination application group that the source address needs to access. According to the identifiers of the host group and the application group, the security policy is mapped into policy relationship information formed from the identifiers, namely metadata information: the identifier of the source host group occupies the low 32 bits of the metadata and the identifier of the destination application group the high 32 bits.
As shown in fig. 2, the method further comprises:
s103: and decomposing the application group access relation information into a multi-stage flow table to realize forwarding based on the application group.
In one embodiment of the present invention, step S103 includes:
decomposing the application group access relation information according to the mapping relation between the application access relation information and the identity identifier to obtain a multi-level flow table;
and serially connecting the flow tables of each stage through the access relation information of the application group to realize forwarding based on the application group.
In an embodiment of the present invention, as shown in fig. 3, when the host group webx needs to access the application group dbx, the policy relationship mapping module maps the security policy into policy relationship metadata information formed from the identifiers of the host group and the application group: the identifier of the source host group occupies the low-order 32 bits of the metadata and the identifier of the destination application group the high-order 32 bits. Then the multi-stage flow table generating module decomposes the policy relationship information according to the mapping relationship between the policy relationship information and the identifiers to obtain a multi-stage flow table. Specifically, the host addresses within the source address are used as the match field, and the action is set metadata and goto table10, that is, the metadata is set to 0x0001, the value being the identifier of the host group to which the source address belongs; the multi-stage flow table generating module issues these entries to flow table0, shown in Table 1. The destination address and port in the security policy application are used as the match field; the action is update metadata and goto table20, where the value of the metadata is the concatenation of the destination application group identifier and the original metadata, with the destination application group identifier occupying 32 bits; these entries are issued to table10, shown in Table 2. The metadata formed by concatenating the application group identifiers of the applied security policy is used as the match field and issued to table20, shown in Table 3, where the action is the output interface. Finally, once a packet enters the switch, stage-by-stage matching starts from table0 until the packet is forwarded out.
In other embodiments of the invention, the method further comprises:
the flow table is issued to a corresponding switch;
and realizing the forwarding of the message according to the forwarding behavior defined by the controller.
The application group-based forwarding method provided by the invention allocates unique identifiers to application groups and host groups having the same attribute according to the actual applications, maps the security policy to be applied into metadata information formed from the identifiers according to the host group to which the source address belongs and the application group to which the destination address and port belong in the security policy, decomposes the policy into different flow tables according to the mapping relationship between the application group access relationship information and the identifiers, and connects each level of flow table in series through the metadata, thereby realizing application group-based forwarding. The invention realizes application group-based flow table forwarding, greatly reduces the number of OpenFlow entries and improves forwarding performance. In particular, when a virtual machine is migrated, only the flow table related to the host needs to be changed and the flow tables related to the policy need not be operated on, so the number of entry changes is reduced.
The invention also provides a computer device comprising a memory, a processor and a computer program stored on the memory and operable on the processor, wherein the processor implements an application group-based forwarding method when executing the computer program.
The present invention also provides a computer-readable storage medium storing a program for executing an application group-based forwarding method.
It should be noted that while the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions. Having described exemplary embodiments of the present invention, a system of exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. The implementation of the system can be referred to the above overall implementation, and repeated details are not repeated.
The technical solution of the present invention will be described in detail with reference to specific examples.
Fig. 4 is a schematic flowchart of a forwarding method based on an application group in an embodiment of the present invention, please refer to fig. 4, in which:
First, unique 32-bit identifiers are allocated to each host group and application group: hosts or applications with the same attribute are placed in one group, and that group is assigned one unique identifier. As shown in Fig. 3, the host group webx consists of the three hosts 192.168.10.1-3 and is assigned identifier 0x0001; the application group dbx consists of the hosts 192.168.20.1-5 on port 3306 and is assigned identifier 0x0002.
Second, the identifiers corresponding to the source address, destination address and port in the security policy are looked up.
When the host group webx needs to access the application group dbx, a security policy must be opened for it. From the security policy application, the system looks up in the application group management unit the identifier of the host group to which the source address belongs and the identifier of the destination application group that the source needs to access.
Then the security policy is decomposed into three flow tables built from the source address, the destination address and the metadata. Using the identifiers of the host group and the application group, the security policy is mapped to metadata formed from those identifiers. The first flow table uses the source hosts as the match field; its action sets the metadata to 0x0001, the identifier of the host group to which the source address belongs, and jumps to table10. It is issued to table0 of the switch (see Table 1). The second flow table uses the destination application group as the match field; its action updates the metadata and jumps to table20. The new metadata value is the concatenation of the destination application group identifier with the existing metadata, the destination application group identifier occupying the high-order 32 bits, so the metadata becomes 0x00020001; this table is issued to table10 (see Table 2). The third flow table uses the metadata spliced from the group identifiers, 0x00020001, as its match field, and its action is the outgoing interface; it is issued to table20 (see Table 3).
Finally, the three flow tables are issued to the device and chained through the metadata. When a packet enters the switch, matching starts at table0 and proceeds table by table until the packet is forwarded out.
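The three-stage pipeline described above, as an added worked example in Python written for this page: it is not the patent's code and does not drive a real OpenFlow controller. It models the group identifier allocation, the decomposition of one policy into table0, table10 and table20 entries chained by metadata, and a packet walk through the tables. Assumptions: the page states 32-bit identifiers but its worked value 0x00020001 places the application group identifier 16 bits above the host group identifier, so the identifier width ID_BITS is a parameter set to 16 here; the outgoing interface number, the group names and the sample packets are constructed; a real switch would perform the metadata update with OFPIT_WRITE_METADATA and a mask rather than the plain OR used in this model.

```python
# Added example for this page; not the patent's own code.  Models the
# table0 -> table10 -> table20 pipeline chained by metadata.  Assumptions:
# ID_BITS = 16 reproduces the page's spliced value 0x00020001; table numbers
# follow the page; output port, group names and packets are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ID_BITS = 16                          # assumed width of one group identifier inside metadata
T_HOST, T_APP, T_POLICY = 0, 10, 20   # table numbers from the page's worked example


@dataclass(frozen=True)
class Flow:
    table: int
    match: Tuple[Tuple[str, object], ...]   # e.g. (("ipv4_src", "192.168.10.1"),)
    metadata_or: int = 0                     # value OR-ed into the packet metadata (0 = untouched)
    goto: Optional[int] = None               # next table (OpenFlow goto-table), or None
    output: Optional[int] = None             # outgoing interface, or None


class GroupCompiler:
    """Allocates group identifiers and decomposes group-level policies into flows."""

    def __init__(self) -> None:
        self._next_id = 1
        self.host_groups: Dict[str, Tuple[int, List[str]]] = {}       # name -> (id, hosts)
        self.app_groups: Dict[str, Tuple[int, List[str], int]] = {}   # name -> (id, hosts, port)
        self.policies: List[Tuple[str, str, int]] = []                # (src group, dst group, out port)

    def _alloc(self) -> int:
        ident, self._next_id = self._next_id, self._next_id + 1
        return ident

    def add_host_group(self, name: str, hosts: List[str]) -> int:
        self.host_groups[name] = (self._alloc(), list(hosts))
        return self.host_groups[name][0]

    def add_app_group(self, name: str, hosts: List[str], port: int) -> int:
        self.app_groups[name] = (self._alloc(), list(hosts), port)
        return self.app_groups[name][0]

    def allow(self, src_group: str, dst_group: str, out_port: int) -> None:
        self.policies.append((src_group, dst_group, out_port))

    def policy_metadata(self, src_group: str, dst_group: str) -> int:
        """Splice the identifiers: app-group id in the high bits, host-group id in the low bits."""
        return (self.app_groups[dst_group][0] << ID_BITS) | self.host_groups[src_group][0]

    def flows(self) -> List[Flow]:
        out: List[Flow] = []
        for hid, hosts in self.host_groups.values():         # table0: source host -> host-group id
            out += [Flow(T_HOST, (("ipv4_src", h),), metadata_or=hid, goto=T_APP) for h in hosts]
        for aid, hosts, port in self.app_groups.values():    # table10: destination app -> app-group id
            out += [Flow(T_APP, (("ipv4_dst", h), ("tcp_dst", port)),
                         metadata_or=aid << ID_BITS, goto=T_POLICY) for h in hosts]
        for src, dst, port in self.policies:                 # table20: spliced metadata -> output port
            out.append(Flow(T_POLICY, (("metadata", self.policy_metadata(src, dst)),), output=port))
        return out


def forward(flows: List[Flow], pkt: Dict[str, object]) -> Optional[int]:
    """Walk the pipeline from table0; return the output port, or None when a table has no match (drop)."""
    table: Optional[int] = T_HOST
    metadata = 0
    while table is not None:
        fields = dict(pkt, metadata=metadata)
        hit = next((f for f in flows if f.table == table
                    and all(fields.get(k) == v for k, v in f.match)), None)
        if hit is None:
            return None
        metadata |= hit.metadata_or
        if hit.output is not None:
            return hit.output
        table = hit.goto
    return None


def naive_entry_count(c: GroupCompiler) -> int:
    """Entries a flat (source, destination, port) policy table would need for the same policies."""
    return sum(len(c.host_groups[s][1]) * len(c.app_groups[d][1]) for s, d, _ in c.policies)


def flows_changed_by_new_host(c: GroupCompiler, group: str, host: str) -> List[Flow]:
    """Add a host (e.g. a migrated or scaled-out VM) to a host group and return only the new flows."""
    before = set(c.flows())
    c.host_groups[group][1].append(host)
    return sorted(set(c.flows()) - before, key=lambda f: f.table)


def build_example() -> GroupCompiler:
    """Constructed to mirror the page's figure: webx = 192.168.10.1-3, dbx = 192.168.20.1-5 on port 3306."""
    c = GroupCompiler()
    c.add_host_group("webx", [f"192.168.10.{i}" for i in range(1, 4)])            # id 0x0001
    c.add_app_group("dbx", [f"192.168.20.{i}" for i in range(1, 6)], port=3306)   # id 0x0002
    c.allow("webx", "dbx", out_port=2)                                            # port 2 is an assumed interface
    return c


if __name__ == "__main__":
    c = build_example()
    fl = c.flows()
    pkt = {"ipv4_src": "192.168.10.2", "ipv4_dst": "192.168.20.3", "tcp_dst": 3306}
    print(f"spliced metadata: {c.policy_metadata('webx', 'dbx'):#010x}")
    print(f"group-based entries: {len(fl)}, flat (src,dst,port) entries: {naive_entry_count(c)}")
    print("webx -> dbx:3306 output port:", forward(fl, pkt))
    print("webx -> dbx:22 output port:", forward(fl, dict(pkt, tcp_dst=22)))
    print("tables touched by adding a host:",
          [f.table for f in flows_changed_by_new_host(c, "webx", "192.168.10.4")])
```

Running the block prints the spliced metadata 0x00020001, 9 flow entries against the 15 a flat (source, destination, port) table would need for the same policy, and shows that adding a fourth host to webx adds one table0 entry while table10 and table20 are untouched, which is the migration property claimed above. A packet to dbx on a port other than 3306, or from a source outside webx, finds no match and the model returns None; on an OpenFlow 1.3 switch with no table-miss entry that corresponds to a silent drop, so a production controller should install table-miss entries deliberately so that the drop is an explicit policy decision rather than a default.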
In summary, the present invention provides an application group-based forwarding method and system, a computer device and a computer-readable storage medium. A change to a virtual machine does not require the policy to be adjusted, only the table entries related to that virtual machine; and because the original policy entries keyed on source address, destination address and port are split into group-level tables, the number of table entries is greatly reduced and forwarding performance is improved.
Requirement 1: The method is suited to scenarios such as cloud computing and virtual machine scale-out and migration.
Requirement 2: The number of OpenFlow flow entries is reduced and forwarding performance is improved.
Requirement 3: When a virtual machine changes, only the table entries related to that virtual machine need adjusting; the policy tables are unaffected.
Improvements to a technology can clearly be distinguished between hardware improvements (e.g. improvements to the circuit structure of diodes, transistors, switches, etc.) and software improvements (improvements to the process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit.
Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer integrates a digital system onto a PLD by their own programming, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually making the integrated circuit chip, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development, and the source code before compilation is likewise written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g. software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of such controllers include, but are not limited to, the ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320 microcontrollers. A memory controller may also be implemented as part of the control logic of the memory.
Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be essentially or partially implemented in the form of software products, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer system (which may be a personal computer, a server, or a network system, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable systems, tablet-type systems, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics systems, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or systems, and the like.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing systems that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage systems.
While the present application has been described with examples, those skilled in the art will appreciate that there are numerous variations and permutations of the present application without departing from the spirit of the application, and it is intended that the appended claims encompass such variations and modifications as fall within the true spirit of the application.

Claims (12)

1. An application group-based forwarding method, the method comprising:
acquiring a security policy application;
determining application group access relation information corresponding to the security policy application;
and decomposing the application group access relation information into a multi-stage flow table to realize forwarding based on the application group.
2. The method of claim 1, further comprising:
applications and hosts with the same attribute are divided into the same group and assigned a unique identity identifier.
3. The method of claim 2, wherein determining application group access relationship information corresponding to the security policy application comprises:
determining a source address corresponding to the security policy application, a host group identifier to which the source address belongs, and an identity identifier related to a destination application group to which the source address needs to be accessed;
and mapping the security policy application to application group access relationship information formed by the identity according to the identity.
4. The method of claim 3, wherein decomposing the application group access relationship information into multiple levels of flow tables to implement application group based forwarding comprises:
decomposing the application group access relation information according to the mapping relation between the application access relation information and the identity identifier to obtain a multi-level flow table;
and serially connecting the flow tables of each stage through the access relation information of the application group to realize forwarding based on the application group.
5. The method of claim 4, further comprising:
the flow table is issued to a corresponding switch;
and realizing the forwarding of the message according to the forwarding behavior defined by the controller.
6. An application group based forwarding system, the system comprising:
the policy application acquisition module is used for acquiring a security policy application;
the relation information determining module is used for determining the application group access relation information corresponding to the security policy application;
and the relationship information decomposition module is used for decomposing the application group access relationship information into a multi-stage flow table so as to realize forwarding based on the application group.
7. The system of claim 6, further comprising:
and the security policy management module is used for dividing the application and the host with the same attribute into the same group and distributing a unique identity.
8. The system of claim 7, wherein the relationship information determination module comprises:
an identity identification determining module, configured to determine a source address corresponding to the security policy application, a host group identity to which the source address belongs, and an identity associated with a destination application group to which the source address needs to be accessed;
and the mapping module is used for mapping the security policy application into application group access relationship information formed by the identity identifiers according to the identity identifiers.
9. The system of claim 8, wherein the relationship information decomposition module comprises:
the multi-stage flow table generating module is used for decomposing the application access relation information according to the mapping relation between the application access relation information and the identity identifier to obtain a multi-stage flow table;
and the multi-stage flow table serial module is used for serially connecting each stage of flow table through the application access relation information so as to realize forwarding based on the application group.
10. The system of claim 9, further comprising:
the flow table issuing module is used for issuing the flow table to a corresponding switch;
and the flow table forwarding module is used for forwarding the message according to the forwarding behavior defined by the controller.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the application group based forwarding method of any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium storing a program for executing the application group-based forwarding method according to any one of claims 1 to 5.
CN201911264239.9A 2019-12-11 2019-12-11 Application group-based forwarding method, device and system Active CN111163060B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911264239.9A CN111163060B (en) 2019-12-11 2019-12-11 Application group-based forwarding method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911264239.9A CN111163060B (en) 2019-12-11 2019-12-11 Application group-based forwarding method, device and system

Publications (2)

Publication Number Publication Date
CN111163060A true CN111163060A (en) 2020-05-15
CN111163060B CN111163060B (en) 2021-12-24

Family

ID=70556714

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911264239.9A Active CN111163060B (en) 2019-12-11 2019-12-11 Application group-based forwarding method, device and system

Country Status (1)

Country Link
CN (1) CN111163060B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259718A (en) * 2013-04-18 2013-08-21 华为技术有限公司 Flow table conversion method and device
US20130246334A1 (en) * 2011-12-27 2013-09-19 Mcafee, Inc. System and method for providing data protection workflows in a network environment
US20140282823A1 (en) * 2013-03-15 2014-09-18 Enterasys Networks, Inc. Device and related method for establishing network policy based on applications
CN105812164A (en) * 2014-12-31 2016-07-27 北京东土科技股份有限公司 Rule index management implementation method and device based on TCAM multistage flow table
CN106663023A (en) * 2014-05-27 2017-05-10 威睿公司 Grouping virtual machines in a cloud application
CN106936777A (en) * 2015-12-29 2017-07-07 中移(苏州)软件技术有限公司 Cloud computing distributed network implementation method based on OpenFlow, system
CN107769938A (en) * 2016-08-16 2018-03-06 北京金山云网络技术有限公司 The system and method that a kind of Openstack platforms support Multi net voting region
CN108092810A (en) * 2017-12-13 2018-05-29 锐捷网络股份有限公司 A kind of virtual machine management method, VTEP equipment and management equipment
CN110378103A (en) * 2019-07-22 2019-10-25 电子科技大学 A kind of micro- isolating and protecting method and system based on OpenFlow agreement

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111901317A (en) * 2020-07-15 2020-11-06 中盈优创资讯科技有限公司 Access control policy processing method, device and equipment
CN111901317B (en) * 2020-07-15 2022-05-17 中盈优创资讯科技有限公司 Access control policy processing method, system and equipment
CN112688818A (en) * 2020-12-30 2021-04-20 北京天融信网络安全技术有限公司 Data transmission method and device, electronic equipment and readable storage medium
CN112688818B (en) * 2020-12-30 2023-01-10 北京天融信网络安全技术有限公司 Data transmission method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN111163060B (en) 2021-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: Room 702-2, No. 4811, Cao'an Highway, Jiading District, Shanghai

Patentee after: CHINA UNITECHS

Address before: 100872 5th floor, Renmin culture building, 59 Zhongguancun Street, Haidian District, Beijing

Patentee before: CHINA UNITECHS