
A method for verifying the consistency of SDN network status in cloud environment

A network state verification method, applied in the field of virtual network security in cloud environments, that addresses problems such as the inability to ensure network state, the complexity of defending against attacks at the forwarding layer, and the inability to guarantee network state consistency.

Active Publication Date: 2020-07-31
SICHUAN UNIV

AI Technical Summary

Problems solved by technology

However, a correct strategy at the control layer cannot guarantee a correct forwarding state at the forwarding layer, so it is necessary to monitor the forwarding layer to ensure normal data forwarding.

The second category is the detection of abnormal behaviors at the forwarding layer. The flexible mechanism of SDN makes defense against attacks at the forwarding layer very complicated. At present, research on the network state of the forwarding layer mainly focuses on the detection and verification of abnormal forwarding behaviors.

[0005] The defects of the existing research methods mainly include:

1) They focus on solving the inconsistency of the single-layer network state in SDN, or the inconsistency of the network state caused by a certain type of attack. Since there are many kinds of attacks in the network, addressing a single type of attack cannot guarantee network state consistency.

2) Since the network state in the cloud environment is flexible and changeable, locating inconsistencies by obtaining the network state for global comparison cannot ensure that the obtained network state is the latest, and the global comparison will bring huge

3) In the cloud environment, the network configuration is dispersed across multiple virtual network terminals and relies on the terminal hosts to implement network functions on the data plane, so the implementation mechanism of SDN in the cloud environment is different from that in a pure SDN environment, and the core-based SDN development technology cannot be directly used on the cloud platform.


Examples


Embodiment Construction

[0021] The implementation principle of the present invention is as follows: in the network update request stage, the IP-MAC binding information of the virtual machines in the current network, the network topology state, the switch link connections and the port information are obtained through the global network view of the controller, and this information is analyzed to form a constraint space.

[0022] Call the API interface to obtain the security policies in the network and analyze them to form a security space. In the cloud platform, security policies are organized in the form of chains: each chain defines a series of rules, and each rule defines the set of packets it matches and the associated action, which is ACCEPT, DROP, or invoking another chain. The security chain parsing algorithm proposed by the present invention is as follows. The security chain parsing algorithm sequentially parses all the rules contained in a chain and obtains the ACCEPT / DROP (S_A / S_D) space. The source information P of the packet...
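The following is an added example, not the patent's own algorithm (whose text is cut off above): it parses chained rules with first-match semantics into ACCEPT and DROP packet spaces and checks a requested flow against them. The rule format, the chain names, the small packet universe and the return-to-caller behaviour of an invoked chain are assumptions made for illustration.

```python
from itertools import product

# Constructed universe: (source VM, destination VM, destination port)
VMS = ["vm1", "vm2", "vm3"]
PORTS = [22, 80, 443]
UNIVERSE = frozenset(p for p in product(VMS, VMS, PORTS) if p[0] != p[1])

def match(src=None, dst=None, port=None):
    """Return the set of packets a rule matches; None is a wildcard."""
    return frozenset(p for p in UNIVERSE if src in (None, p[0])
                     and dst in (None, p[1]) and port in (None, p[2]))

# Constructed policy (format is an assumption): ordered (match set, action).
# An action is "ACCEPT", "DROP", or the name of another chain to invoke.
CHAINS = {
    "FORWARD": [
        (match(port=22), "ssh-chain"),
        (match(dst="vm3", port=443), "ACCEPT"),
        (match(), "DROP"),            # default deny
    ],
    "ssh-chain": [
        (match(src="vm1"), "ACCEPT"),
        (match(dst="vm3"), "DROP"),
        # packets matching neither rule return to the calling chain
    ],
}

def parse_chain(name, space=UNIVERSE, chains=CHAINS, stack=()):
    """Parse chain `name` over `space`; return (S_A, S_D, unmatched)."""
    if name in stack:
        raise ValueError(f"chain loop: {' -> '.join(stack + (name,))}")
    s_a, s_d, remaining = set(), set(), set(space)
    for matched, action in chains[name]:
        hit = remaining & matched     # only packets no earlier rule decided
        if action == "ACCEPT":
            s_a |= hit
        elif action == "DROP":
            s_d |= hit
        else:                         # invoke another chain on the hit set
            sub_a, sub_d, returned = parse_chain(action, hit, chains, stack + (name,))
            s_a |= sub_a
            s_d |= sub_d
            hit -= returned           # undecided packets fall through
        remaining -= hit
    return frozenset(s_a), frozenset(s_d), frozenset(remaining)

def check_request(packet, chains=CHAINS):
    """Allow a requested flow only if it lies in the ACCEPT space."""
    return "allow" if packet in parse_chain("FORWARD", chains=chains)[0] else "reject"
```

Explicit sets keep the example short; a policy over real address ranges would need an interval or header-space representation instead.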


Abstract

The invention discloses a method for verifying the consistency of SDN network state in a cloud environment. Verification covers both the network update request and the response, and includes request verification, security rule verification and forwarding layer path verification. In the network update request stage, the network state metadata is analyzed to form a constraint space and the security policy is analyzed to form a security space; each network update request is then analyzed and rapidly verified against the constraint space and the security space in turn. This detects malicious requests in real time, ensures that the controller maintains a correct global network view, and ensures that the flow rules sent by the controller to the forwarding layer are consistent with the security policy. In the response phase of a network state update, the SDN controller actively sends a detection packet to verify the flow forwarding path, and uses the OpenFlow group table method to add labels to the header of the detection packet that mark the actual forwarding path of the data packet at the forwarding layer, realizing lightweight data packet forwarding path verification and abnormal path location.
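The response-phase check described in the abstract can be illustrated with the following added example, which is not code from the patent: each simulated switch adds its own label to a detection packet, and the controller compares the recorded labels with the path it expects. The topology, switch names and label values are constructed, and the label push is simulated in Python rather than done with an OpenFlow group table.

```python
# Controller's view: next hop per switch for the flow under test (constructed).
EXPECTED_RULES = {"s1": "s2", "s2": "s3", "s3": "host-b"}
# Constructed forwarding-layer state: the rule on s2 detours traffic via s4.
ACTUAL_RULES = {"s1": "s2", "s2": "s4", "s4": "s3", "s3": "host-b"}
LABELS = {"s1": 0x11, "s2": 0x12, "s3": 0x13, "s4": 0x14}
SWITCH_OF = {label: switch for switch, label in LABELS.items()}

def walk(rules, ingress, egress, max_hops=16):
    """Follow `rules` from ingress, collecting one label per switch visited."""
    labels, node = [], ingress
    while node not in (egress, None) and len(labels) < max_hops:
        labels.append(LABELS[node])   # the label this switch adds to the probe
        node = rules.get(node)        # None: no matching rule, probe is dropped
    return labels, node == egress

def verify_path(expected_rules, actual_rules, ingress, egress):
    """Compare the probe's recorded labels with the expected label sequence."""
    expected, _ = walk(expected_rules, ingress, egress)
    actual, delivered = walk(actual_rules, ingress, egress)
    if delivered and actual == expected:
        return {"consistent": True, "diverges_after": None}
    # First index where the sequences differ (or where the shorter one ends).
    # The fault is at the last switch both sequences agree on, or on its
    # outgoing link.
    i = next((k for k, (e, a) in enumerate(zip(expected, actual)) if e != a),
             min(len(expected), len(actual)))
    last_good = SWITCH_OF[expected[i - 1]] if i > 0 else ingress
    return {"consistent": False, "diverges_after": last_good,
            "expected": [SWITCH_OF[l] for l in expected],
            "actual": [SWITCH_OF[l] for l in actual]}
```

The `max_hops` bound stands in for a TTL so that a forwarding loop ends the walk and is reported as a divergence.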

Description

Technical field

[0001] The invention relates to the technical field of virtual network security in a cloud environment, in particular to a method for verifying the state consistency of an SDN network in a cloud environment.

Background technique

[0002] Software Defined Networking (SDN) is a new network architecture that decouples the data plane from the control plane and logically implements centralized control and management. The emergence of SDN provides an effective solution for managing large-scale virtual networks in cloud environments. An important challenge in SDN is to ensure the consistency between the network functions defined by the high layer and the configuration of the underlying forwarding equipment, that is, to ensure that the network functions and policies configured at the control layer are implemented in the forwarding layer. SDN is a typical flow rule-driven network. The legitimacy and consistency of flow rules are the basis for ensuring the normal and ...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L12/24, H04L12/721, H04L12/723, H04L29/08, H04L45/50
CPC: H04L63/20, H04L63/12, H04L41/14, H04L45/50, H04L45/70, H04L69/06, H04L67/10
Inventor: 陈兴蜀, 王小艳, 朱毅, 王毅桐, 滑强, 蔡顺婉
Owner SICHUAN UNIV