CN111770070A - SDN-based security service chain aggregation deployment method - Google Patents
- Publication number
- CN111770070A (application CN202010573027.5A)
- Authority
- CN
- China
- Prior art keywords
- service chain
- network function
- safety
- node
- deployment
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an SDN-based security service chain aggregation deployment method in the technical field of network security. The method first abstracts the underlying physical network topology into an undirected weighted graph, then constructs a set of security network function types and defines binary variables, then models the deployment problem of the security service chain mathematically, and finally solves the deployment problem with a greedy algorithm during deployment of the security service chain and performs aggregation deployment of the security service chain according to the result. On the premise of meeting the security function resource requirements and the bandwidth and delay requirements of the security service chains, the invention minimizes the number of security network function instantiations, which reduces network overhead, and minimizes the number of redeployed security network functions, thereby solving the deployment problem of the security service chain.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a security service chain aggregation deployment method based on an SDN.
Background
The basic idea of Software Defined Networking (SDN) is to decouple the control plane from the data plane: the lower layer is abstracted as a data forwarding plane and the upper layer as a control plane, network resources are managed and monitored centrally, a programmable northbound interface and a global network topology view are provided, and devices in the data forwarding layer are controlled flexibly through the southbound standard protocol OpenFlow, which improves the overall performance and forwarding efficiency of the network.
Network Functions Virtualization (NFV), proposed and promoted mainly by telecommunication operators, uses standard x86 servers, storage or switches to carry various network software functions by means of virtualization technology. NFV decouples software functions from hardware and allows them to be loaded, deployed and configured flexibly in data centers, at network nodes and elsewhere, improving application deployment speed and equipment utilization.
Software Defined Security (SDS) applies the control/forwarding separation idea of SDN to security: a conventional hardware security device is decoupled into standard general-purpose hardware and security software functions, a programmable interface is opened at the upper layer so that orchestration and management become automatic and flexible, and the lower layer is abstracted into a centrally managed security resource pool composed of virtualized security devices, enabling uniform registration, pooled management and flexible deployment of security resources.
A Security Service Chain (SSC) is a Service Function Chain (SFC) applied to security: it defines an ordered set of abstract Service Functions (SFs) and the security policies that must be applied to the packets/flows selected by the classification result, and mainly handles the steering of flows between the SFs.
For a service chain generated from a user's security requirements, a path that meets the required security service capability and resource requirements has to be selected. However, the prior art still lacks an efficient deployment method for security service chains.
Disclosure of Invention
In view of this, the present invention provides a security service chain aggregation deployment method based on SDN, which can minimize the number of instantiations of security network functions to reduce network overhead, and minimize the number of redeployed security network functions to improve the deployment efficiency of security service chains on the premise of satisfying the security function resource requirements and the security service chain bandwidth and delay requirements.
In order to achieve the purpose, the invention adopts the technical scheme that:
an SDN-based security service chain aggregation deployment method comprises the following steps:
(1) abstracting the underlying physical network topology into an undirected weighted graph G = (V, E), where V is the set of nodes in the underlying physical network and E is the set of links in the underlying physical network; the resource capacity of each node m in V is denoted w_m, the maximum bandwidth capacity of each link (m, n) in E is denoted w_{mn}, and the delay of link (m, n) is denoted l_{mn};
(2) constructing a set F of security network function types, where the amount of resources consumed to instantiate a security network function of type f is d_f; constructing a set C of security service chains, where the maximum delay that each security service chain c in C can tolerate is q_c, its length is l_c, the k-th security network function in chain c is c_k and the (k+1)-th is c_{k+1}, c_k requires a given amount of resources, and a given link bandwidth is required between c_k and c_{k+1};
(3) defining binary variables: one that equals 1 if security network function c_k is of type f and 0 otherwise; one that equals 1 if c_k is deployed on node v and 0 otherwise; one that records the deployment state of c_k before aggregation; one that equals 1 if the path between (c_k, c_{k+1}) in security service chain c passes through link (m, n) and 0 otherwise; and one that equals 1 if a security network function of type f is deployed on node v and 0 otherwise;
(4) the deployment problem of the security service chain is mathematically modeled, and the constraint conditions are as follows:
the optimization goals are:
1) minimizing the number of secure network function instantiations, namely:
2) minimizing the number of re-deployed secure network functions, namely:
where the neighbour set of physical node m is the set of other physical nodes connected to m by a one-hop link, and load_{mn} denotes the actual traffic bandwidth of link (m, n);
(5) solving the deployment problem of step (4) with a greedy algorithm during deployment of the security service chain, and performing aggregation deployment of the security service chain according to the result.
Further, in step (5) the greedy algorithm solves the deployment problem of step (4) as follows:
(501) for each security network function type f, its maximum candidate set on node v is found separately: during the iteration, the set candSet_f stores in real time the security network function requirements that are satisfied, the elements of candSet_f are counted, and the remaining resource capacity that node v can provide for f is calculated, deducting the resources required to instantiate f if node v does not already have an instantiated security network function f;
(502) for each security network function type, the largest candidate set is found: the security network function requirements in candSet_f are screened, removing those that do not fit, so that each security network function requirement in the screened candSet_f meets the resource capacity requirements of the node and of the link simultaneously; once the node's resource capacity is exhausted or all security network function requirements of type f have been processed, the screened set candSet_f is obtained;
(503) when all types of security network functions have been iterated, the screened set candSet_f with the largest number of elements is selected; this set is the solution of the deployment problem.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a security service chain aggregation deployment method based on an SDN (software defined network) from the perspective of security function combination aiming at different security service requirements of users, reasonably maps a plurality of security service chains, and simultaneously considers the number of instantiations of security network functions and the number of redeployed security network functions under the condition of meeting the function requirements, the node capacity requirements and the link bandwidth requirements.
Drawings
FIG. 1 is a schematic diagram of a security service chain;
FIG. 2 is a schematic deployment diagram of a security service chain;
FIG. 3 is a schematic diagram of a security service chain deployment algorithm;
FIG. 4 is a diagram of a maximum candidate set selection algorithm;
FIG. 5 is a diagram of an example deployment of a security service chain after security function consolidation.
Detailed Description
The technical solution of the present invention is further explained with reference to the accompanying drawings.
An SDN-based security service chain aggregation deployment method, whose general form is shown in fig. 1, where each security function is responsible for a specific kind of processing of received data packets and can be implemented as a superset element or a physical element. The method maps a plurality of security service chains reasonably and, while meeting the function requirements, node capacity requirements and link bandwidth requirements, minimizes the number of instantiated security network functions (i.e. reduces network cost) and reduces the number of redeployed security network functions. The method comprises the following steps:
First, as shown in fig. 2, the underlying physical network topology is abstracted as an undirected weighted graph G = (V, E), where V is the set of nodes in the network, w_v denotes the resource capacity of node v ∈ V, E is the set of links in the network, w_{mn} denotes the bandwidth capacity of link (m, n) ∈ E, and l_{mn} denotes the latency of link (m, n) ∈ E.
Second, the set of security network function types is denoted F, and d_f denotes the amount of resources consumed to instantiate a security function of type f. The set of security service chains is denoted C; the maximum delay that security service chain c can tolerate is q_c, its length is l_c, the k-th security function in chain c is c_k, c_k requires a given amount of resources, and a given link bandwidth is required between c_k and c_{k+1}. This step divides the resources required by a security network function in a security service chain into the system resources d_f needed to instantiate the security network function and the resources needed by the function to carry its service.
At the same time, binary variables are defined: one that equals 1 if security function c_k is of type f and 0 otherwise; one that equals 1 if c_k is deployed on node v and 0 otherwise; one that records the deployment state of c_k before aggregation, as shown in FIG. 2; one that equals 1 if the path between (c_k, c_{k+1}) in security service chain c passes through link (m, n) and 0 otherwise; and one that equals 1 if a security function of type f is deployed on node v, that is:
Therefore, the deployment problem of the security service chain is the problem of mapping all security functions, and the traffic between security functions, onto the underlying network G = (V, E); it is modeled mathematically as follows.
Each security function in any one security service chain must be mapped to only one physical node:
for any physical node in the network, the sum of the resource amounts required by the network functions deployed on the physical node must be less than or equal to the maximum resource amount that the node can provide, and the resource amount required by the security function includes not only the processing resources required by the network function itself but also the resources required to instantiate the network function on the node:
This formula means that the resources carried by each physical node, namely the sum of the two categories of resources, d_f and the resources required by the functions themselves, cannot exceed the node's capacity.
For any link in the network, the sum of the bandwidths of all service function chains passing through the link cannot exceed the maximum bandwidth limit of the link, then:
considering the restrictions of flow conservation in the network, there are constraints for each segment of link in each security service chain:
meanwhile, we need to guarantee the end-to-end delay requirement of each security service chain:
the optimization goals are:
1) minimizing the number of secure network function instantiations
2) Minimizing the number of re-deployed secure network functions
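The following is an added example, not code from the patent: a feasibility checker that encodes the constraints described above (one physical node per security function, node capacity including the instantiation cost d_f paid once per type per node, link bandwidth w_{mn}, and end-to-end delay q_c) together with objective 1 (number of instantiations). The topology, instantiation costs, chains and placements are constructed toy values; the function and variable names are this example's own.

```python
from collections import defaultdict

# Constructed toy topology G = (V, E): node capacities w_m, link bandwidth w_mn
# and link delay l_mn. All values are made up for this example.
NODE_CAPACITY = {"A": 10, "B": 8, "C": 6}
LINKS = {  # undirected links, keyed by the sorted node pair
    ("A", "B"): {"w": 10, "l": 2},
    ("B", "C"): {"w": 5, "l": 3},
    ("A", "C"): {"w": 4, "l": 8},
}
# d_f: resources consumed by instantiating a security function of type f on a node.
INSTANTIATION_COST = {"fw": 2, "ids": 3}

# Constructed demand: two security service chains, each firewall -> IDS.
CHAINS = {
    "c1": {"functions": [("fw", 2), ("ids", 2)], "bandwidth": 3, "max_delay": 5},
    "c2": {"functions": [("fw", 1), ("ids", 3)], "bandwidth": 3, "max_delay": 4},
}


def edge(m, n):
    """Canonical key of the undirected link (m, n)."""
    return tuple(sorted((m, n)))


def check_deployment(chains, placement, paths):
    """Check a deployment against the model's constraints.

    placement: {(chain, k): node}        node hosting the k-th function of the chain
    paths:     {(chain, k): [nodes...]}  path from function k to function k+1
    Returns a list of violated constraints; an empty list means feasible.
    """
    errors = []
    node_load = defaultdict(int)    # sum of per-function resources on a node
    node_types = defaultdict(set)   # types instantiated on a node (d_f paid once each)
    link_load = defaultdict(int)    # bandwidth of all chains crossing a link

    for c, chain in chains.items():
        funcs = chain["functions"]
        # Constraint: every security function is mapped to exactly one physical node.
        for k, (ftype, resource) in enumerate(funcs):
            node = placement.get((c, k))
            if node not in NODE_CAPACITY:
                errors.append(f"{c}[{k}] is not mapped to a physical node")
                continue
            node_load[node] += resource
            node_types[node].add(ftype)
        # Flow conservation, link bandwidth and end-to-end delay for each hop.
        delay = 0
        for k in range(len(funcs) - 1):
            src, dst = placement.get((c, k)), placement.get((c, k + 1))
            if src == dst:
                continue  # both functions on one node: no link is traversed
            path = paths.get((c, k), [])
            if not path or path[0] != src or path[-1] != dst:
                errors.append(f"{c} hop {k}: path does not connect {src} to {dst}")
                continue
            for m, n in zip(path, path[1:]):
                if edge(m, n) not in LINKS:
                    errors.append(f"{c} hop {k}: ({m}, {n}) is not a physical link")
                    break
                link_load[edge(m, n)] += chain["bandwidth"]
                delay += LINKS[edge(m, n)]["l"]
        if delay > chain["max_delay"]:
            errors.append(f"{c}: end-to-end delay {delay} exceeds q_c = {chain['max_delay']}")

    # Node capacity: per-function resources plus d_f for each type instantiated there.
    for node, capacity in NODE_CAPACITY.items():
        used = node_load[node] + sum(INSTANTIATION_COST[f] for f in node_types[node])
        if used > capacity:
            errors.append(f"node {node}: {used} exceeds capacity w_m = {capacity}")
    # Link bandwidth: total chain bandwidth on a link may not exceed w_mn.
    for key, used in link_load.items():
        if used > LINKS[key]["w"]:
            errors.append(f"link {key}: {used} exceeds bandwidth w_mn = {LINKS[key]['w']}")
    return errors


def instantiation_count(chains, placement):
    """Objective 1: number of (node, type) instantiations the deployment needs."""
    pairs = {(placement[(c, k)], ftype)
             for c, chain in chains.items()
             for k, (ftype, _) in enumerate(chain["functions"])}
    return len(pairs)


# An aggregated deployment: both firewalls on A, both IDS on B -> two instantiations.
GOOD_PLACEMENT = {("c1", 0): "A", ("c1", 1): "B", ("c2", 0): "A", ("c2", 1): "B"}
GOOD_PATHS = {("c1", 0): ["A", "B"], ("c2", 0): ["A", "B"]}
# Same, but c2's IDS moved to C over the slow A-C link: violates q_c and adds an instance.
SLOW_PLACEMENT = {**GOOD_PLACEMENT, ("c2", 1): "C"}
SLOW_PATHS = {**GOOD_PATHS, ("c2", 0): ["A", "C"]}

if __name__ == "__main__":
    print(check_deployment(CHAINS, GOOD_PLACEMENT, GOOD_PATHS))  # feasible: []
    print(check_deployment(CHAINS, SLOW_PLACEMENT, SLOW_PATHS))  # one delay violation
```

The check pays d_f once per (node, type) pair, which is exactly the saving that aggregation buys: the second placement satisfies every capacity and bandwidth limit but breaks the delay bound of c2 and needs one more instantiation than the aggregated one.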
And finally, in the deployment process of the safety service chain, solving the mathematical problem described in the third step by using a greedy algorithm as shown in fig. 3, and if a solution meeting the requirement can be obtained, deploying the safety service chain according to the solved result, wherein the deployment result is shown in fig. 5.
The input of the algorithm is the underlying physical network topology, the generic set of secure network functions and the current deployment mechanism, and the output is the network topology deployed after merging.
First, the nodes in the network are sorted in descending order of capacity; then an initially feasible security function set is established for each node v, and a security network function demand set S_f is established for each security network function type f, whose elements are sorted in ascending order of the node resources each demand requires.
In the main loop of the algorithm, each iteration finds one security network function f together with the largest candidate set of demands for it, S_f^max, that the node with the largest current remaining capacity can carry; security network function f is then instantiated on that node, the demands in S_f^max are configured on it, and the aggregation parameters of the algorithm are updated. If node v has no selectable set of network function demands, it is removed.
The maximum candidate set selection (lcs) algorithm is shown in fig. 4. First, for each security network function, the maximum candidate set is found at node v: in an iterative process, candSet_f stores the suitable security function demands, count_f counts them, and avaCap_f denotes the remaining resource capacity available at node v for f; if node v has no instantiated security network function f, the resources required to instantiate f are deducted first. Next, a largest candidate set is found for each type of security network function: every element added to candSet_f must meet the resource capacity requirements of both the node and the link. To reduce algorithm complexity, the invention pre-computes for each security service chain the set of alternative paths that meet its delay requirement. When the node's resource capacity is exhausted or all security network function demands of type f have been processed, the final candSet_f is obtained. When all types of security network functions have been iterated, the candSet_f with the largest count_f is selected as the final result.
For a security service chain, the paths that meet the end-to-end delay requirement are few, so the method can compute in advance, for each security service chain (or each pair of originating and terminating end systems), the set of paths that meet the delay requirement, which greatly reduces the algorithm's search space.
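The greedy procedure described above (nodes in descending capacity order, per-type demand sets S_f in ascending resource order, maximum candidate set selection with d_f deducted when the type is not yet instantiated on the node, and removal of nodes that can host nothing), as an added example that is not the patent's own code. Node capacities, instantiation costs and demands are constructed toy values; link bandwidth and delay are assumed feasible for every path, so only the node capacity constraint is enforced here.

```python
# Constructed inputs. Node capacities w_v and per-type instantiation cost d_f are
# this example's own toy values; links and delay are assumed feasible for every path.
NODES = {"A": 10, "B": 8, "C": 6}
D = {"fw": 2, "ids": 3}
# Security network function demands: one entry per (chain, position) with its type
# and the node resources the function needs to carry its service.
DEMANDS = [
    {"chain": "c1", "k": 0, "type": "fw", "resource": 2},
    {"chain": "c1", "k": 1, "type": "ids", "resource": 2},
    {"chain": "c2", "k": 0, "type": "fw", "resource": 1},
    {"chain": "c2", "k": 1, "type": "ids", "resource": 3},
    {"chain": "c3", "k": 0, "type": "fw", "resource": 3},
    {"chain": "c3", "k": 1, "type": "ids", "resource": 4},
]


def max_candidate_set(remaining, instantiated, pending, d):
    """Maximum candidate set selection for one node.

    For every type f, start from the node's remaining capacity (avaCap_f), deduct
    d_f if f is not yet instantiated there, then admit demands of S_f in ascending
    order of resource need until the next one no longer fits. Return the type whose
    candidate set (candSet_f) has the largest count, together with that set.
    """
    best_type, best = None, []
    for f, demands in pending.items():
        ava = remaining - (0 if f in instantiated else d[f])
        cand = []
        for dem in sorted(demands, key=lambda x: x["resource"]):
            if dem["resource"] > ava:
                break  # node capacity exhausted for this type
            ava -= dem["resource"]
            cand.append(dem)
        if len(cand) > len(best):
            best_type, best = f, cand
    return best_type, best


def greedy_deploy(nodes, d, demands):
    """Greedy aggregation deployment.

    Returns (placement, instantiations, unplaced): placement maps (chain, k) to
    the node hosting that function, instantiations counts (node, type) instances
    (objective 1), and unplaced lists demands that no node could carry.
    """
    remaining = dict(nodes)
    instantiated = {v: set() for v in nodes}
    pending = {f: [x for x in demands if x["type"] == f] for f in d}
    placement = {}
    active = sorted(nodes, key=lambda v: -nodes[v])   # descending capacity
    while active and any(pending.values()):
        v = max(active, key=lambda n: remaining[n])    # largest remaining capacity
        f, cand = max_candidate_set(remaining[v], instantiated[v], pending, d)
        if not cand:
            active.remove(v)   # no selectable demand set: drop the node
            continue
        if f not in instantiated[v]:
            instantiated[v].add(f)      # instantiate f once, paying d_f
            remaining[v] -= d[f]
        for dem in cand:                # configure the chosen demands on v
            remaining[v] -= dem["resource"]
            placement[(dem["chain"], dem["k"])] = v
            pending[f].remove(dem)
    unplaced = [x for lst in pending.values() for x in lst]
    return placement, sum(len(s) for s in instantiated.values()), unplaced


if __name__ == "__main__":
    placement, count, unplaced = greedy_deploy(NODES, D, DEMANDS)
    print(placement, count, unplaced)
```

On the constructed input the algorithm packs all three firewalls onto A and two of the IDS demands onto B with only two instantiations; the remaining IDS demand of c3 is reported as unplaced because no node has enough capacity left for d_f plus its resource need, which is the case a deployer has to surface rather than silently drop.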
In summary, the invention provides a security service chain aggregation deployment method based on an SDN from the perspective of security function merging for different security service requirements of users, reasonably maps a plurality of security service chains, and considers the number of instantiations of security network functions and the number of redeployed security network functions under the condition of meeting the function requirements, the node capacity requirements and the link bandwidth requirements.
Claims (2)
1. An SDN-based security service chain aggregation deployment method is characterized by comprising the following steps:
(1) abstracting the underlying physical network topology into an undirected weighted graph G = (V, E), where V is the set of nodes in the underlying physical network and E is the set of links in the underlying physical network; the resource capacity of each node m in V is denoted w_m, the maximum bandwidth capacity of each link (m, n) in E is denoted w_{mn}, and the delay of link (m, n) is denoted l_{mn};
(2) constructing a set F of security network function types, where the amount of resources consumed to instantiate a security network function of type f is d_f; constructing a set C of security service chains, where the maximum delay that each security service chain c in C can tolerate is q_c, its length is l_c, the k-th security network function in chain c is c_k and the (k+1)-th is c_{k+1}, c_k requires a given amount of resources, and a given link bandwidth is required between c_k and c_{k+1};
(3) defining binary variables: one that equals 1 if security network function c_k is of type f and 0 otherwise; one that equals 1 if c_k is deployed on node v and 0 otherwise; one that records the deployment state of c_k before aggregation; one that equals 1 if the path between (c_k, c_{k+1}) in security service chain c passes through link (m, n) and 0 otherwise; and one that equals 1 if a security network function of type f is deployed on node v and 0 otherwise;
(4) the deployment problem of the security service chain is mathematically modeled, and the constraint conditions are as follows:
the optimization goals are:
1) minimizing the number of secure network function instantiations, namely:
2) minimizing the number of re-deployed secure network functions, namely:
where the neighbour set of physical node m is the set of other physical nodes connected to m by a one-hop link, and load_{mn} denotes the actual traffic bandwidth of link (m, n);
(5) solving the deployment problem of step (4) with a greedy algorithm during deployment of the security service chain, and performing aggregation deployment of the security service chain according to the result.
2. The SDN-based security service chain aggregation deployment method according to claim 1, wherein in step (5) the greedy algorithm solves the deployment problem of step (4) as follows:
(501) for each security network function type f, its maximum candidate set on node v is found separately: during the iteration, the set candSet_f stores in real time the security network function requirements that are satisfied, the elements of candSet_f are counted, and the remaining resource capacity that node v can provide for f is calculated, deducting the resources required to instantiate f if node v does not already have an instantiated security network function f;
(502) for each security network function type, the largest candidate set is found: the security network function requirements in candSet_f are screened, removing those that do not fit, so that each security network function requirement in the screened candSet_f meets the resource capacity requirements of the node and of the link simultaneously; once the node's resource capacity is exhausted or all security network function requirements of type f have been processed, the screened set candSet_f is obtained;
(503) when all types of security network functions have been iterated, the screened set candSet_f with the largest number of elements is selected; this set is the solution of the deployment problem.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010573027.5A CN111770070A (en) | 2020-06-22 | 2020-06-22 | SDN-based security service chain aggregation deployment method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010573027.5A CN111770070A (en) | 2020-06-22 | 2020-06-22 | SDN-based security service chain aggregation deployment method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111770070A true CN111770070A (en) | 2020-10-13 |
Family
ID=72721518
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010573027.5A Pending CN111770070A (en) | 2020-06-22 | 2020-06-22 | SDN-based security service chain aggregation deployment method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111770070A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018000240A1 (en) * | 2016-06-29 | 2018-01-04 | Orange | Method and system for the optimisation of deployment of virtual network functions in a communications network that uses software defined networking |
CN107682203A (en) * | 2017-10-30 | 2018-02-09 | 北京计算机技术及应用研究所 | A kind of security function dispositions method based on service chaining |
CN110505082A (en) * | 2019-07-26 | 2019-11-26 | 国家电网有限公司 | A kind of NFV service chaining mapping method towards cost and QoS |
CN111245735A (en) * | 2020-01-20 | 2020-06-05 | 中国电子科技集团公司第五十四研究所 | Flow scheduling method for ensuring service quality in SDN environment |
- 2020-06-22: CN CN202010573027.5A patent/CN111770070A/en active Pending
Non-Patent Citations (1)
Title |
---|
刘蓓: "Deployment and migration of virtual service function chains in NFV-based networks", China Excellent Master's and Doctoral Dissertations Full-text Database (Master's), Information Science and Technology series * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113507411A (en) * | 2021-06-10 | 2021-10-15 | 中国联合网络通信集团有限公司 | Path selection method, device, equipment and storage medium |
CN114124818A (en) * | 2021-11-11 | 2022-03-01 | 广东工业大学 | Newly-added function node deployment optimization method for multicast transmission in SDN network |
CN114124818B (en) * | 2021-11-11 | 2023-07-04 | 广东工业大学 | Newly-added functional node deployment optimization method for multicast transmission in SDN network |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108521375B (en) | SDN-based network multi-service flow QoS transmission and scheduling method | |
CN108260169B (en) | QoS guarantee-based dynamic service function chain deployment method | |
CN109981438B (en) | Satellite network load balancing method oriented to SDN and NFV collaborative deployment framework | |
CN107666412B (en) | The virtual network function dispositions method of service function chain | |
Hong et al. | Achieving high utilization with software-driven WAN | |
CN107682203B (en) | Security function deployment method based on service chain | |
US7969886B1 (en) | Bandwidth allocation for hierarchical telecommunications networks | |
CN112738820A (en) | Dynamic deployment method and device of service function chain and computer equipment | |
CN100356757C (en) | Service quality controlling method for light Internet network | |
Lombardo et al. | An analytical tool for performance evaluation of software defined networking services | |
CN111245735B (en) | Flow scheduling method for ensuring service quality in SDN environment | |
CN109412963B (en) | Service function chain deployment method based on stream splitting | |
CN110275437B (en) | SDN network flow dominance monitoring node dynamic selection system and method thereof | |
CN111770070A (en) | SDN-based security service chain aggregation deployment method | |
CN113490279B (en) | Network slice configuration method and device | |
CN103746852A (en) | Service routing configuration method and network management equipment | |
CN108092895A (en) | A kind of software defined network joint route selection and network function dispositions method | |
CN105847146B (en) | A method of it improving level distribution SDN and controls plane router efficiency | |
CN110266593A (en) | A kind of adaptive routing switching cloud network system based on traffic monitoring | |
Kamboj et al. | A qos-aware routing based on bandwidth management in software-defined iot network | |
CN108243066A (en) | The network service request dispositions method of low latency | |
Ren et al. | An end-to-end qos routing on software defined network based on hierarchical token bucket queuing discipline | |
Pang et al. | Research on SDN-based data center network traffic management and optimization | |
CN114258074A (en) | VNF deployment method based on coupling bandwidth allocation and having time delay QoS guarantee | |
CN110417576B (en) | Deployment method, device, equipment and storage medium of hybrid software custom network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | Application publication date: 20201013 |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | |