CN111770070A - SDN-based security service chain aggregation deployment method - Google Patents


Info

Publication number
CN111770070A
Authority
CN
China
Prior art keywords
service chain
network function
safety
node
deployment
Legal status
Pending
Application number
CN202010573027.5A
Other languages
Chinese (zh)
Inventor
刘蓓
葛洪武
贾哲
朱晓明
赵海强
李炳彰
Current Assignee
CETC 54 Research Institute
Original Assignee
CETC 54 Research Institute
Priority date
2020-06-22
Filing date
2020-06-22
Publication date
2020-10-13

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention provides an SDN-based security service chain aggregation deployment method and relates to the technical field of network security. The method first abstracts the underlying physical network topology into an undirected weighted graph, then constructs a set of security network function types and defines binary variables, then mathematically models the deployment problem of the security service chain, and finally, during security service chain deployment, solves the deployment problem with a greedy algorithm and performs aggregation deployment of the security service chain according to the solution. On the premise of meeting the security function resource requirements and the bandwidth and delay requirements of the security service chains, the invention minimizes the number of security network function instantiations, which reduces network overhead, and minimizes the number of redeployed security network functions, thereby solving the deployment problem of the security service chain.

Description

SDN-based security service chain aggregation deployment method
Technical Field
The invention relates to the technical field of network security, in particular to a security service chain aggregation deployment method based on an SDN.
Background
The basic idea of Software Defined Networking (SDN) is to separate the control plane from the data plane: the lower layer is abstracted as a data forwarding plane and the upper layer as a control plane, network resources are managed and monitored centrally, a programmable northbound interface and a global network topology view are provided, and devices on the data forwarding layer are controlled flexibly through the standard southbound protocol OpenFlow, which improves the overall performance and forwarding efficiency of the network.
Network Functions Virtualization (NFV) was proposed and driven mainly by telecommunication operators; it uses standard x86 servers, storage and switches to carry various network software functions through virtualization technology. NFV decouples software functions from hardware and allows software functions to be loaded, deployed and configured flexibly in data centers, network nodes and other locations, improving application deployment speed and equipment utilization.
Software Defined Security (SDS) borrows the SDN idea of separating control from forwarding: conventional hardware security devices are decoupled into standard general-purpose hardware and security software functions, a programmable interface is opened at the upper layer so that orchestration and management can be automated and flexible, and the lower layer is abstracted as a centrally managed security resource pool composed of virtualized security devices, achieving unified registration, pooled management and flexible deployment of security resources.
A Security Service Chain (SSC) is a Service Function Chain (SFC) that defines an ordered set of abstract Service Functions (SFs) and the security policies that must be applied to the packets/flows selected by a classification result; its main job is to schedule flows between the SFs.
For a service chain generated from a user's security requirements, a path that satisfies both the security service capability and the resource requirements must be selected. However, the prior art still lacks an efficient security service chain deployment method.
Disclosure of Invention
In view of this, the present invention provides an SDN-based security service chain aggregation deployment method that, on the premise of satisfying the security function resource requirements and the bandwidth and delay requirements of the security service chains, minimizes the number of security network function instantiations to reduce network overhead and minimizes the number of redeployed security network functions to improve security service chain deployment efficiency.
To achieve this purpose, the invention adopts the following technical scheme:
An SDN-based security service chain aggregation deployment method comprises the following steps:
(1) Abstract the underlying physical network topology into an undirected weighted graph G = (V, E), where V is the set of nodes in the underlying physical network and E is the set of links. The resource capacity of each node m in V is denoted w_m, the maximum bandwidth capacity of each link (m, n) in E is denoted w_mn, and the delay of link (m, n) is denoted l_mn.
(2) Construct a set F of security network function types; the resource consumption required to instantiate a security network function of type f is d_f. Construct a set C of security service chains, where each security service chain c in C tolerates a maximum delay q_c and has length l_c; the k-th security network function in chain c is c_k, the (k+1)-th is c_{k+1}, and the amount of resources required by c_k is
Figure BDA0002550327180000021
ckAnd ck+1The link bandwidth between is
Figure BDA0002550327180000022
(3) Define binary variables
Figure BDA0002550327180000023
and
Figure BDA0002550327180000024
For
Figure BDA0002550327180000025
if security network function c_k is of type f, its value is 1, otherwise 0; for
Figure BDA0002550327180000026
if security network function c_k is deployed on node v, its value is 1, otherwise 0;
Figure BDA0002550327180000027
denotes the deployment state of security network function c_k before aggregation; for
Figure BDA0002550327180000028
if in security service chain c the path between (c_k, c_{k+1}) passes through link (m, n), its value is 1, otherwise 0; for
Figure BDA0002550327180000029
if a security network function of type f is deployed on node v, its value is 1, otherwise 0;
(4) the deployment problem of the security service chain is mathematically modeled, and the constraint conditions are as follows:
Figure BDA00025503271800000210
Figure BDA0002550327180000031
Figure BDA0002550327180000032
Figure BDA0002550327180000033
Figure BDA0002550327180000034
the optimization goals are:
1) minimizing the number of secure network function instantiations, namely:
Figure BDA0002550327180000035
2) minimizing the number of re-deployed secure network functions, namely:
Figure BDA0002550327180000036
where
Figure BDA0002550327180000037
denotes the set of physical nodes that share a one-hop link with physical node m, and load_mn denotes the actual traffic bandwidth of link (m, n);
(5) During security service chain deployment, solve the deployment problem of step (4) with a greedy algorithm and perform aggregation deployment of the security service chains according to the solution.
Further, in step (5), the greedy algorithm solves the deployment problem of step (4) in the following specific manner:
(501) For each security network function type f, find its maximum candidate set on node v: during the iteration, the set candSet_f stores in real time the security network function demands that satisfy the requirements, a counter for candSet_f is maintained, and the residual resource capacity that node v can provide for f is calculated, deducting the resources required to instantiate f if node v has no instantiated security network function f;
(502) For each security network function type, find the largest candidate set: screen the security network function demands in candSet_f and eliminate those that do not fit, so that each security network function demand in the screened candSet_f satisfies the resource capacity requirements of both the node and the link; after the node's resource capacity is exhausted or all security network function demands of type f have been evaluated, the screened set candSet_f is obtained;
(503) When all security network function types have been iterated, select the screened set candSet_f with the largest number of elements; this set is the solution of the deployment problem.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a security service chain aggregation deployment method based on an SDN (software defined network) from the perspective of security function combination aiming at different security service requirements of users, reasonably maps a plurality of security service chains, and simultaneously considers the number of instantiations of security network functions and the number of redeployed security network functions under the condition of meeting the function requirements, the node capacity requirements and the link bandwidth requirements.
Drawings
FIG. 1 is a schematic diagram of a security service chain;
FIG. 2 is a schematic deployment diagram of a security service chain;
FIG. 3 is a schematic diagram of a security service chain deployment algorithm;
FIG. 4 is a diagram of a maximum candidate set selection algorithm;
FIG. 5 is a diagram of an example deployment of a security service chain after security function consolidation.
Detailed Description
The technical solution of the present invention is further explained with reference to the accompanying drawings.
The general form of an SDN-based security service chain aggregation deployment method is shown in fig. 1: a security function is responsible for a specific treatment of the data packets it receives and can be implemented as a virtual element or a physical element. The method reasonably maps a plurality of security service chains and, under the condition of meeting the function requirements, node capacity requirements and link bandwidth requirements, minimizes the number of instantiated security network functions (which reduces network cost) and reduces the number of redeployed security network functions. The method comprises the following steps:
First, as shown in fig. 2, the underlying physical network topology is abstracted as an undirected weighted graph G = (V, E), where V is the set of nodes in the network, with w_v denoting the resource capacity of node v ∈ V, and E is the set of links in the network, with w_mn denoting the bandwidth capacity and l_mn the delay of link (m, n) ∈ E.
Second, the set of security network function types is denoted F, and d_f denotes the resource consumption required to instantiate a security function of type f. The set of security service chains is denoted C; the maximum delay that security service chain c can tolerate is q_c, its length is l_c, the k-th security function in chain c is c_k, and the amount of resources c_k requires is
Figure BDA0002550327180000051
ckAnd ck+1The link bandwidth between is
Figure BDA0002550327180000052
This step divides the resources required by a security network function in the security service chain into the system resources d_f needed to instantiate the security network function and the resources needed by the security network function to carry its service traffic
Figure BDA0002550327180000053
At the same time, the binary variables
Figure BDA0002550327180000054
are defined; for
Figure BDA0002550327180000055
if security function c_k is of type f, its value is 1, otherwise 0; for the second variable, if security function c_k is deployed on node v, its value is 1, otherwise 0;
Figure BDA0002550327180000057
denotes the pre-aggregation deployment state of security function c_k, as shown in fig. 2; for
Figure BDA0002550327180000058
if in security service chain c the path between (c_k, c_{k+1}) passes through link (m, n), its value is 1, otherwise 0; for
Figure BDA0002550327180000059
if a security function of type f is deployed on node v, its value is 1, that is:
Figure BDA00025503271800000510
Therefore, the deployment problem of the security service chain is the problem of mapping all security functions, and the traffic between security functions, onto the underlying network G = (V, E), which is modeled mathematically as follows.
Each security function in any security service chain must be mapped to exactly one physical node:
Figure BDA00025503271800000511
For any physical node in the network, the sum of the resources required by the network functions deployed on it must not exceed the maximum resources the node can provide; the resources required by a security function include not only the processing resources needed by the network function itself but also the resources needed to instantiate the network function on the node:
Figure BDA00025503271800000512
The meaning of this formula is that the resources carried by each physical node cannot exceed its capacity, counting both d_f and
Figure BDA00025503271800000513
that is, the sum of these two categories of resources.
For any link in the network, the sum of the bandwidths of all service function chains passing through the link cannot exceed the link's maximum bandwidth limit:
Figure BDA0002550327180000061
considering the restrictions of flow conservation in the network, there are constraints for each segment of link in each security service chain:
Figure BDA0002550327180000062
meanwhile, we need to guarantee the end-to-end delay requirement of each security service chain:
Figure BDA0002550327180000063
the optimization goals are:
1) minimizing the number of secure network function instantiations
Figure BDA0002550327180000064
2) Minimizing the number of re-deployed secure network functions
Figure BDA0002550327180000065
Finally, during security service chain deployment, the mathematical problem described in the third step is solved with the greedy algorithm shown in fig. 3; if a solution meeting the requirements is obtained, the security service chain is deployed according to it, with the deployment result shown in fig. 5.
The input of the algorithm is the underlying physical network topology, the set of security network function types and the current deployment state; the output is the network topology after merged deployment.
First, the nodes in the network are sorted in descending order of capacity, then a feasible security function set is initialized for each node v, and a security network function demand set S_f is built for each security network function type f, with its elements sorted in ascending order of the security network function's demand on node resources.
In the main loop of the algorithm, each iteration finds a security network function f and the largest security network function demand candidate set S_fmax that the node with the largest current residual capacity can carry, then instantiates security network function f on that node, configures the demands in S_fmax on it and updates the aggregation parameters of the algorithm. If node v has no selectable set of network function demands, it is culled.
The maximum candidate set selection (LCS) algorithm is shown in fig. 4. First, for each security network function type, the maximum candidate set is found at node v: during the iteration, candSet_f stores the suitable security function demands, count_f counts them, and avaCap_f denotes the remaining resource capacity available for f at node v; if there is no instantiated security network function f at node v, the resources required to instantiate f are deducted first. Next, a largest candidate set is found for each type of security network function; every element added to candSet_f must satisfy the resource capacity requirements of both the node and the link. To reduce algorithm complexity, the invention precomputes for each security service chain the set of alternative paths that satisfy the delay requirement. When the node's resource capacity is exhausted or all security network function demands of type f have been evaluated, the final candSet_f is obtained. When all types of security network functions have been iterated, the candSet_f with the largest count_f is selected as the final result.
For a security service chain, the paths satisfying the end-to-end delay requirement are limited, so the method can compute in advance, for each security service chain (or for each pair of originating and terminating end systems), the set of paths that satisfy the delay requirement, greatly reducing the algorithm's search space.
In summary, from the perspective of merging security functions for users' differing security service requirements, the invention provides an SDN-based security service chain aggregation deployment method that reasonably maps a plurality of security service chains and, under the condition of meeting the function requirements, node capacity requirements and link bandwidth requirements, takes into account both the number of security network function instantiations and the number of redeployed security network functions.
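As an added example that is not part of the patent text, the following Python sketch implements the node-capacity part of the greedy procedure described in steps (501) to (503) and in the main loop and maximum candidate set selection above: nodes are visited by largest residual capacity, each type's candidate set is built from demands sorted in ascending order with d_f deducted when the type is not yet instantiated on the node, and the largest candidate set wins. It assumes integer resource units, omits the link bandwidth and delay checks of step (502), and uses constructed node, type and chain labels.

```python
"""Greedy security service chain (SSC) aggregation, node-capacity part only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Demand:
    """One security network function (SNF) c_k of chain c that needs placing."""
    chain: str       # security service chain identifier c (constructed label)
    k: int           # position of the SNF in the chain
    ftype: str       # SNF type f, e.g. "fw" or "ids" (constructed labels)
    resources: int   # resources c_k needs to carry its traffic


def max_candidate_set(residual, ftype, demands, instantiated, d):
    """Largest set of type-f demands node v can still carry (steps 501-502).

    residual     : remaining resource capacity of node v
    instantiated : SNF types already instantiated on v
    d            : d_f, resources consumed by instantiating type f
    """
    # avaCap_f: deduct d_f first if f is not yet instantiated on v.
    ava = residual - (0 if ftype in instantiated else d[ftype])
    cand = []
    # S_f is sorted ascending by resource demand, so the first demand
    # that does not fit ends the scan (every later one is at least as large).
    for dem in sorted(demands, key=lambda x: x.resources):
        if dem.resources > ava:
            break
        cand.append(dem)
        ava -= dem.resources
    return cand


def greedy_aggregate(capacity, d, demands, before=None):
    """Place every demand while minimising SNF instantiations (main loop).

    capacity : w_v, resource capacity per physical node
    before   : optional pre-aggregation placement {(chain, k): node}, used
               only to count how many SNFs end up redeployed (objective 2)
    Raises ValueError when every node has been culled with demands pending.
    """
    residual = dict(capacity)
    active = set(capacity)                    # nodes not yet culled
    instances = {v: set() for v in capacity}  # types instantiated per node
    pending = list(demands)
    placement = {}
    while pending:
        if not active:
            raise ValueError("insufficient node capacity for pending demands")
        # Node with the largest current residual capacity (name breaks ties).
        v = max(active, key=lambda n: (residual[n], n))
        best, best_f = [], None
        for f in d:                           # step 503: largest candSet_f
            cand = max_candidate_set(
                residual[v], f, [x for x in pending if x.ftype == f],
                instances[v], d)
            if len(cand) > len(best):
                best, best_f = cand, f
        if not best:                          # nothing fits: cull node v
            active.discard(v)
            continue
        if best_f not in instances[v]:        # instantiate f on v only once
            instances[v].add(best_f)
            residual[v] -= d[best_f]
        for dem in best:                      # configure S_fmax on node v
            residual[v] -= dem.resources
            placement[(dem.chain, dem.k)] = v
            pending.remove(dem)
    before = before or {}
    redeployed = sum(1 for key, v in placement.items()
                     if key in before and before[key] != v)
    return {"placement": placement, "instances": instances,
            "redeployed": redeployed}


def count_instantiations(result):
    """Objective 1: total number of SNF instantiations across all nodes."""
    return sum(len(fs) for fs in result["instances"].values())


# Constructed sample: two nodes, two SNF types, three short chains.
CAPACITY = {"A": 10, "B": 6}
D_F = {"fw": 2, "ids": 3}
DEMANDS = [
    Demand("c1", 0, "fw", 2), Demand("c1", 1, "ids", 2),
    Demand("c2", 0, "fw", 3), Demand("c2", 1, "ids", 1),
    Demand("c3", 0, "fw", 1),
]
BEFORE = {("c1", 0): "B"}   # c1's firewall sat on node B before aggregation


if __name__ == "__main__":
    res = greedy_aggregate(CAPACITY, D_F, DEMANDS, BEFORE)
    print(res["placement"], count_instantiations(res), res["redeployed"])
```

With the sample above, all three firewalls share one instance on node A and both IDS functions share one instance on node B, so two instantiations serve five chain elements and one function counts as redeployed.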

Claims (2)

1. An SDN-based security service chain aggregation deployment method, characterized by comprising the following steps:
(1) Abstract the underlying physical network topology into an undirected weighted graph G = (V, E), where V is the set of nodes in the underlying physical network and E is the set of links. The resource capacity of each node m in V is denoted w_m, the maximum bandwidth capacity of each link (m, n) in E is denoted w_mn, and the delay of link (m, n) is denoted l_mn.
(2) Construct a set F of security network function types; the resource consumption required to instantiate a security network function of type f is d_f. Construct a set C of security service chains, where each security service chain c in C tolerates a maximum delay q_c and has length l_c; the k-th security network function in chain c is c_k, the (k+1)-th is c_{k+1}, and the amount of resources required by c_k is
Figure FDA0002550327170000011
ckAnd ck+1The link bandwidth between is
Figure FDA0002550327170000012
(3) Defining binary variables
Figure FDA0002550327170000013
And
Figure FDA0002550327170000014
For
Figure FDA0002550327170000015
if security network function c_k is of type f, its value is 1, otherwise 0; for
Figure FDA0002550327170000016
if security network function c_k is deployed on node v, its value is 1, otherwise 0;
Figure FDA0002550327170000017
denotes the deployment state of security network function c_k before aggregation; for
Figure FDA0002550327170000018
if in security service chain c the path between (c_k, c_{k+1}) passes through link (m, n), its value is 1, otherwise 0; for
Figure FDA0002550327170000019
if a security network function of type f is deployed on node v, its value is 1, otherwise 0;
(4) the deployment problem of the security service chain is mathematically modeled, and the constraint conditions are as follows:
Figure FDA00025503271700000110
Figure FDA00025503271700000111
Figure FDA00025503271700000112
Figure FDA0002550327170000021
Figure FDA0002550327170000022
the optimization goals are:
1) minimizing the number of secure network function instantiations, namely:
Figure FDA0002550327170000023
2) minimizing the number of re-deployed secure network functions, namely:
Figure FDA0002550327170000024
where
Figure FDA0002550327170000025
denotes the set of physical nodes that share a one-hop link with physical node m, and load_mn denotes the actual traffic bandwidth of link (m, n);
(5) During security service chain deployment, solve the deployment problem of step (4) with a greedy algorithm and perform aggregation deployment of the security service chains according to the solution.
2. The SDN-based security service chain aggregation deployment method according to claim 1, wherein in step (5) the greedy algorithm solves the deployment problem of step (4) in the following specific manner:
(501) For each security network function type f, find its maximum candidate set on node v: during the iteration, the set candSet_f stores in real time the security network function demands that satisfy the requirements, a counter for candSet_f is maintained, and the residual resource capacity that node v can provide for f is calculated, deducting the resources required to instantiate f if node v has no instantiated security network function f;
(502) For each security network function type, find the largest candidate set: screen the security network function demands in candSet_f and eliminate those that do not fit, so that each security network function demand in the screened candSet_f satisfies the resource capacity requirements of both the node and the link; after the node's resource capacity is exhausted or all security network function demands of type f have been evaluated, the screened set candSet_f is obtained;
(503) When all security network function types have been iterated, select the screened set candSet_f with the largest number of elements; this set is the solution of the deployment problem.
Application CN202010573027.5A, filed 2020-06-22 (priority date 2020-06-22), published as CN111770070A (en) on 2020-10-13; legal status: Pending.

Family ID: 72721518 (one family application: CN202010573027.5A).

Country status: CN, CN111770070A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113507411A (en) * 2021-06-10 2021-10-15 中国联合网络通信集团有限公司 Path selection method, device, equipment and storage medium
CN114124818A (en) * 2021-11-11 2022-03-01 广东工业大学 Newly-added function node deployment optimization method for multicast transmission in SDN network
CN114124818B (en) * 2021-11-11 2023-07-04 广东工业大学 Newly-added functional node deployment optimization method for multicast transmission in SDN network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018000240A1 (en) * 2016-06-29 2018-01-04 Orange Method and system for the optimisation of deployment of virtual network functions in a communications network that uses software defined networking
CN107682203A (en) * 2017-10-30 2018-02-09 北京计算机技术及应用研究所 A kind of security function dispositions method based on service chaining
CN110505082A (en) * 2019-07-26 2019-11-26 国家电网有限公司 A kind of NFV service chaining mapping method towards cost and QoS
CN111245735A (en) * 2020-01-20 2020-06-05 中国电子科技集团公司第五十四研究所 Flow scheduling method for ensuring service quality in SDN environment


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘蓓: "Deployment and migration of virtual service function chains in NFV-based networks", China Master's Theses Full-text Database (Information Science and Technology) *



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201013