SDN network state consistency verification method in cloud environment

A network state verification technology, applied in the field of virtual network security in cloud environments, that addresses problems such as complex defense against forwarding-layer attacks, large computing and communication overhead, and inconsistent single-layer network state.

Active Publication Date: 2019-09-10
SICHUAN UNIV

AI Technical Summary

Problems solved by technology

However, a correct policy at the control layer cannot guarantee a correct forwarding state at the forwarding layer, so the forwarding layer must be monitored to ensure normal data forwarding.
The second category detects abnormal behavior at the forwarding layer. SDN's flexible mechanisms make defending against forwarding-layer attacks very complicated. Current research on the network state of the forwarding layer mainly focuses on detecting and verifying abnormal forwarding behavior.
[0005] The defects of the existing research methods mainly include:
1) They focus on solving the inconsistency of the single-layer network state in SDN, or the inconsistency of the network state caused by a certain type of attack. Since there are many kinds of attacks in the network, addressing one kind of attack cannot guarantee network state consistency.
2) Because the network state in the cloud environment is flexible and changeable, locating inconsistencies by obtaining the network state for a global comparison cannot ensure that the obtained network state is the latest, and the global comparison will bring huge
3) In the cloud environment, the network configuration is dispersed across multiple virtual network terminals and relies on the terminal hosts to implement network functions on the data plane, so the implementation mechanism of SDN in the cloud environment differs from that in a pure SDN environment, and core-based SDN development technology cannot be used directly on the cloud platform.

Examples


Embodiment Construction

[0021] The realization principle of the present invention is as follows: in the network update request stage, obtain the IP-MAC binding information of the virtual machines in the current network, the network topology status, the switch link connections and port information, etc. through the global network view of the controller, and analyze this information to form a restricted space.

[0022] Call the API interface to obtain the security policy in the network, and analyze it to form a security space. In the cloud platform, security policies are organized in the form of chains; each chain defines a series of rules, and each rule defines a set of matching data packets and an associated action: ACCEPT, DROP, or calling another chain. The security chain analysis algorithm proposed by the present invention is as follows. The security chain analysis algorithm sequentially analyzes all the rules contained in a chain and obtains the ACCEPT / DROP (S_A / S_D) space. Packet source information P that is matched by rul...
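The chain walk described in [0022], as an added illustration rather than the patent's own algorithm (the source text is cut off before its details), with a check of a proposed flow rule against the resulting drop space. It assumes first-match semantics, that packets leaving a called chain undecided resume in the caller, a default DROP policy, and a source space modelled as a set of IPv4 addresses; the function names, chain names and addresses are constructed.

```python
import ipaddress

def space(cidr):
    """Expand a CIDR block into the set of source addresses it covers."""
    return set(ipaddress.ip_network(cidr))

def analyze_chain(chains, name, incoming, stack=()):
    """Walk one chain in rule order (first match wins).

    Returns (S_A, S_D, undecided): sources accepted, sources dropped, and
    sources that fall off the end of the chain and return to the caller.
    """
    if name in stack:
        raise ValueError(f"chain loop via {name}")
    s_a, s_d, remaining = set(), set(), set(incoming)
    for match, action in chains[name]:
        hit = remaining & space(match)
        if not hit:
            continue
        remaining -= hit
        if action == "ACCEPT":
            s_a |= hit
        elif action == "DROP":
            s_d |= hit
        else:  # action names another chain: analyze it on the matched packets
            sub_a, sub_d, back = analyze_chain(chains, action, hit, stack + (name,))
            s_a |= sub_a
            s_d |= sub_d
            remaining |= back  # undecided packets resume in this chain
    return s_a, s_d, remaining

def policy_spaces(chains, root, universe, default="DROP"):
    """Security space for the whole policy; the default catches leftovers."""
    s_a, s_d, rest = analyze_chain(chains, root, space(universe))
    (s_a if default == "ACCEPT" else s_d).update(rest)
    return s_a, s_d

def flow_rule_conflict(flow_src, s_d):
    """Sources a proposed flow rule would forward although the policy drops them."""
    return space(flow_src) & s_d

# Constructed policy: names, addresses and the default are illustrative only.
CHAINS = {
    "FORWARD": [("10.0.0.8/30", "DROP"), ("10.0.0.0/28", "tenant-a")],
    "tenant-a": [("10.0.0.0/30", "ACCEPT"), ("10.0.0.4/30", "DROP")],
}
S_A, S_D = policy_spaces(CHAINS, "FORWARD", "10.0.0.0/28")
```

An empty result from `flow_rule_conflict` means the flow rule's source space lies outside S_D; a non-empty result lists exactly the sources on which the rule and the security policy disagree.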


Abstract

The invention discloses an SDN (Software Defined Network) network state consistency verification method in a cloud environment, which verifies both network update requests and responses and comprises request verification, security rule verification and forwarding-layer path verification. In the network update request phase, a constraint space is formed by analyzing network state metadata, and a security space is formed by analyzing the security policy. Each network update request is parsed and rapidly verified against the constraint space and the security space in sequence. Malicious requests are detected in real time, ensuring that the controller maintains a correct global network view and that the flow rules the controller issues to the forwarding layer are consistent with the security policy. The SDN controller actively sends detection data packets to verify the flow forwarding path, and a label is added to the header of each detection data packet by means of OpenFlow group tables to mark the actual forwarding path of the packet on the forwarding layer, so that lightweight verification of packet forwarding paths and localization of abnormal paths are achieved.

Description

Technical field

[0001] The invention relates to the technical field of virtual network security in a cloud environment, in particular to a method for verifying the consistency of an SDN network state in a cloud environment.

Background technique

[0002] Software Defined Networking (SDN) is a new type of network architecture that decouples the data plane from the control plane and logically realizes centralized control and management. The emergence of SDN provides an effective solution for managing large-scale virtual networks in cloud environments. An important challenge in SDN is to ensure the consistency between the network functions defined by the high layer and the configuration of the underlying forwarding devices, that is, to ensure that the network functions and policies configured at the control layer are implemented in the forwarding layer. SDN is a typical flow rule-driven network. The legality and consistency of flow rules are the basis for ensuring the normal an...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06, H04L12/24, H04L12/721, H04L12/723, H04L29/08, H04L45/50
CPC: H04L63/20, H04L63/12, H04L41/14, H04L45/50, H04L45/70, H04L69/06, H04L67/10
Inventor: 陈兴蜀, 王小艳, 朱毅, 王毅桐, 滑强, 蔡顺婉
Owner: SICHUAN UNIV