A network security converged gateway system based on service function chaining
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
- Filing Date
- 2023-12-05
- Publication Date
- 2026-06-26
AI Technical Summary
Existing monolithic gateway products cannot meet the security protection requirements of the "intelligent, flexible, and high-performance" cloud + edge network security defense system, and traditional designs have failed to effectively achieve on-demand orchestration and dynamic reconfiguration of security services.
This paper proposes a network security converged gateway system that integrates "switching and routing, network security, and application delivery" using an SRv6-based service function chain. The system includes an application plane, a control plane, and a data plane. Service chain settings are implemented through a drag-and-drop canvas, and the on-demand orchestration and dynamic reconfiguration of security services are achieved by combining SRv6 encapsulation methods.
It achieves elastic scalability and dynamic service provision in cloud application scenarios, solves the compatibility issues of monolithic gateway products, and provides an intelligent security defense system.
Figure CN117792693B_ABST
Description
Technical Field
[0001] This invention belongs to the field of network security technology, and in particular relates to a network security converged gateway system based on a service function chain.
Background Technology
[0002] The future of cybersecurity lies in the cloud. As enterprise networks and business architectures gradually evolve towards "cloudification" and "service-oriented architecture," the traditional boundary-based security defense system of serially daisy-chained appliances (the so-called "string of candied hawthorns") is making networks increasingly complex and difficult to manage and maintain. Moreover, the repeated parsing and processing of data packets at each appliance degrades network performance and increases latency, so the approach cannot meet the security protection requirements of business application scenarios such as "elastic scaling, dynamic service-oriented architecture, and high performance with low latency."
[0003] As a new type of monolithic gateway product solution, network security converged gateways currently mostly adopt a design architecture of "distribution and switching + network traffic processing". However, this is merely a compact design of security and network functions, without much consideration for security delivery capabilities such as on-demand orchestration and dynamic reconfiguration of security services.
[0004] Service Function Chaining (SFC), a network service construction technology, is standardized by the IETF SFC working group, which has designed and described the SFC architecture. RFC 8754 defines the SRv6 Segment Routing Header (SRH) as the control header for segment routing, enabling programmable flow control. However, this technology requires support from the chips in hardware network devices, so its adoption by manufacturers is currently limited and it is not widely deployed, especially in network security converged gateway applications. But with the gradual adoption of IPv6 and the increasing demand for finer-grained control of security traffic, the widespread application of SRv6 is inevitable.
Summary of the Invention
[0005] The purpose of this invention is to address the issue that existing monolithic gateway products cannot meet the security protection requirements of a "cloud + edge" network security defense system that is "intelligent, flexible, and high-performance". This invention provides an intelligent network security converged gateway system that integrates "switching and routing, network security, and application delivery" and uses an "SRv6-based service function chain" to achieve "on-demand orchestration and dynamic reconfiguration of security services".
[0006] The objective of this invention is achieved through the following technical solution:
[0007] A network security converged gateway system based on service function chain, the network security converged gateway system includes an application plane, a control plane and a data plane;
[0008] The application plane includes several human-computer interaction interfaces and provides a visual operation and management interface to the outside world. Operation and maintenance management personnel carry out operation and maintenance management based on the corresponding service list and pre-set orchestration templates.
[0009] The control plane includes a network controller and a security controller, which realizes the mapping and association between business requirements and security network elements, security network elements and hardware resources, so as to achieve centralized control of security network elements and virtual resources.
[0010] The data plane is configured to handle data forwarding and security protection for business traffic.
[0011] According to a preferred embodiment, the application plane enables service chain settings through a drag-and-drop canvas, which can visualize the device operating status, resource occupancy status, service execution status, log alarm information, etc.
[0012] According to a preferred embodiment, security element management, security service orchestration, and security policy management are performed in the security controller;
[0013] The aforementioned security network element management refers to the full lifecycle management of various virtualized security network elements, including installation, initialization, operation, scaling up and down, upgrading, and decommissioning.
[0014] Security service orchestration refers to combining different security network elements into network security services through service chains, and managing the association and mapping relationship between network elements and corresponding hardware resources;
[0015] Security strategy management refers to the management of security protection strategies, traffic redirection strategies, and service chain strategies.
[0016] According to a preferred embodiment, topology management, flow table management, and hardware resource management are performed in the network controller;
[0017] Topology management refers to the management of the topology information formed by the boards in the device, which is used to form service chain paths and complete data exchange commands.
[0018] Flow table management refers to the parsing and distribution of flow rules, as well as the maintenance of flow tables;
[0019] Hardware resource management refers to the monitoring, allocation, and statistics of computing, storage, and network resources contained in the integrated framework, which are then provided to the security controller for scheduling.
[0020] According to a preferred embodiment, the data plane includes a classification node SC, a forwarding node SFF, and a service node SF;
[0021] Among them, the classification node SC is configured to classify user traffic, encapsulate service packets with SRv6, form a transmission channel within the service function chain domain, and introduce service traffic of preset types into the corresponding SFC domain.
[0022] The forwarding node SFF is configured to forward data packets encapsulated with the corresponding logical service function chain hop by hop to achieve traffic redirection;
[0023] The service node SF is configured to be deployed via VNF instantiation to implement different network security protection functions for processing received data packets.
[0024] According to a preferred embodiment, the service node SF is divided into aware SF and unaware SF based on whether it can perceive SFC encapsulation. For unaware SF, the encapsulation and decapsulation of messages are performed through an SFC proxy.
[0025] According to a preferred embodiment, the service node SF defines two SID types based on whether it can recognize SRv6 packets: End.AW SID and End.NW SID, and the packet forwarding action is as follows:
[0026] For a service node SF that can recognize SRv6 messages, the forwarding node SFF forwards the message directly to the service node SF for processing. After completing the service processing, the service node SF forwards the message directly back to the forwarding node SFF.
[0027] For the service node SF that cannot recognize SRv6 packets, the forwarding node SFF will first decapsulate the SRv6 packets and then forward the original data packets to the service node SF for processing. After completing the service processing, the service node SF will forward the packets back to the forwarding node SFF, and the forwarding node SFF will decide whether to continue forwarding the packets in the SRv6 SFC network.
[0028] According to a preferred implementation, the corresponding packet forwarding action for End.AW SID is as follows:
[0029] a. Before a packet travels from the forwarding node SFF to the service node SF, the forwarding node SFF first modifies the destination address DA in the IPv6 basic header to the 0th SID value in the SRH, and then forwards the packet according to the outgoing interface associated with the End.AW SID.
[0030] b. After the packet is sent from the service node SF back to the forwarding node SFF, the forwarding node SFF restores the destination address DA in the IPv6 basic header to SRH[SL] and forwards the packet according to the normal SRv6 packet forwarding process.
[0031] According to a preferred implementation, the corresponding packet forwarding action for End.NW SID is as follows:
[0032] a. Before a message travels from the forwarding node SFF to the service node SF, the forwarding node SFF first decapsulates the message, and then forwards the message according to the outgoing interface associated with the End.NW SID.
[0033] b. After the message is sent from the service node SF to the forwarding node SFF, the forwarding node SFF re-encapsulates the message with an SRv6 header according to the ingress interface of the message or its associated SID list and its configuration.
[0034] The aforementioned main solution of the present invention and its various further alternative solutions can be freely combined to form multiple solutions, all of which are solutions that can be adopted and are claimed by the present invention. Those skilled in the art, after understanding the solution of the present invention, will realize that there are many combinations based on existing technology and common knowledge, all of which are technical solutions to be protected by the present invention, and will not be exhaustively listed here.
[0035] The beneficial effects of this invention are:
[0036] This invention can be applied to the field of intelligent network security converged gateways. It combines a service function chain encapsulation method based on SRv6 and provides design references for system hardware and software implementation. It provides a "cloud + terminal" security defense system that integrates "switching and routing, network security, and application delivery". It solves the problem that monolithic gateway products cannot meet the requirements of "elastic scalability and dynamic service" in cloud application scenarios. Furthermore, it effectively solves the compatibility problem of existing security protection products by using a custom SID method.
Attached Figure Description
[0037] Figure 1 is a schematic diagram of the network security converged gateway system architecture of the present invention;
[0038] Figure 2 is a schematic diagram illustrating the working principle of the network security converged gateway system of the present invention;
[0039] Figure 3 is a schematic diagram of a hardware architecture for the network security converged gateway system of the present invention;
[0040] Figure 4 is the SRv6 encapsulation format used in the network security converged gateway system of this invention.
Detailed Implementation
[0041] The following specific examples illustrate the implementation of the present invention. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments, and various details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that, unless otherwise specified, the following embodiments and features described therein can be combined with each other.
[0042] It should be noted that similar labels and letters in the following figures indicate similar items. Therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.
[0043] In the description of this invention, it should be noted that the terms "center," "upper," "lower," "left," "right," "vertical," "horizontal," "inner," and "outer," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings, or the orientation or positional relationship commonly used when the product of this invention is in use. They are only for the convenience of describing this invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of this invention. In addition, the terms "first," "second," "third," etc., are only used to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0044] Furthermore, terms such as "horizontal," "vertical," and "suspended" do not imply that components must be absolutely horizontal or suspended, but rather that they can be slightly tilted. For example, "horizontal" simply means that its direction is more horizontal relative to "vertical," and does not mean that the structure must be completely horizontal; it can be slightly tilted.
[0045] In the description of this invention, it should also be noted that, unless otherwise explicitly specified and limited, the terms "set," "install," "connect," and "link" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral connection; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; and they can refer to the internal connection of two components. Those skilled in the art can understand the specific meaning of the above terms in this invention based on the specific circumstances.
[0046] Furthermore, it should be noted that, unless otherwise specified, the structures, connections, positions, power sources, etc. involved in this invention are all things that a person skilled in the art can know without creative effort based on the prior art.
[0047] Example
[0048] As shown in Figures 1 to 4, this embodiment discloses a network security converged gateway system based on a service function chain. The network security converged gateway system adopts a layered design, consisting of an application plane, a control plane, and a data plane.
[0049] The application plane primarily serves as the human-computer interaction interface, providing a visual operation and management interface that presents security services to the outside world. It supports service chain configuration via drag-and-drop canvas and provides a visual display of device operating status, resource usage, service execution status, log and alarm information. It also provides maintenance personnel with a current service list and pre-set orchestration templates to facilitate maintenance management.
[0050] The control plane mainly consists of network controllers and security controllers, which realize the integrated and centralized control of security network elements and virtual resources, thereby realizing the mapping and association between business requirements and security network elements, security network elements and hardware resources, and is the core of the entire system.
[0051] 1) Among them, in the security controller, security network element management refers to the full lifecycle management of various virtualized security network elements, including installation, initialization, operation, scaling up and down, upgrading, and decommissioning; security service orchestration refers to combining different security network elements into network security services in the form of service chains, and managing the association and mapping relationship between network elements and corresponding hardware resources; security policy management refers to managing security protection policies, traffic redirection policies, and service chain policies.
[0052] 2) Among them, in the network controller, topology management refers to the management of the topology information formed by the boards in the device, which is used to form service chain paths and complete data exchange commands; flow table management refers to the parsing and distribution of flow rules, as well as the maintenance of flow tables; hardware resource management refers to the monitoring, allocation, and statistics of computing, storage and network resources contained in the integrated framework, which are provided to the security controller for scheduling.
[0053] The data plane primarily handles data forwarding and security protection for business traffic. Specifically, it includes classification nodes (SC), forwarding nodes (SFF), and service nodes (SF).
[0054] Among them, SC is used to classify user traffic and encapsulate service packets with SRv6, directing specific service traffic to specific SFC domains; SFF forwards data packets encapsulated with corresponding logical service function chains hop by hop to achieve traffic redirection; SF is deployed through VNF instantiation to implement different network security protection functions and is used to process received data packets.
[0055] Furthermore, based on whether SFC encapsulation is perceptible, SF can be divided into aware SF and unaware SF. For unaware SF, packet encapsulation and decapsulation are performed through an SFC proxy. NFV technology decouples the underlying physical device from the upper-layer software functions, achieving efficient utilization of device hardware resources. During VNF instantiation and deployment, adjustments are made dynamically based on the current hardware resource usage.
[0056] Service Function Chain (SFC) encapsulation technology based on SRv6 encapsulates packets to form a transmission channel within the service function chain domain. Service packets carrying path information are forwarded by the service function forwarder (SFF) along the forwarding path specified by the service function chain, ensuring that the packets pass through each security service node in sequence. Because SRv6 is programmable, the needs of various business scenarios can be met easily.
[0057] The SRv6 encapsulation format is as shown in Figure 4.
[0058] In the IPv6 basic header, a Next Header value of 43 indicates that the next header is a routing extension header. A Routing Type field value of 4 in the routing extension header indicates that the routing extension header is a Segment Routing Header (SRH).
[0059] The meanings of each field in SRH are as follows:
[0060] 1) Next header: 8 bits, indicating the type of the next message header.
[0061] 2) Hdr Ext Len: 8 bits, the length of the SRH header, in 8-byte units, excluding the first 8 bytes.
[0062] 3) Routing Type: 8 bits, the routing type field, with a value of 4, indicating that it carries an SRH.
[0063] 4) Segments Left: 8 bits, indicating the number of remaining unprocessed SIDs. The initial value is n-1 (n represents the number of SIDs in the route extension header), and it is decremented by 1 for each node passed.
[0064] 5) Last Entry: 8 bits, contains the index of the last element of the segment list.
[0065] 6) Flags: 8 bits, some identifiers in the data packet.
[0066] 7) Tag: 16 bits, used to mark data packets in the same group.
[0067] 8) Segment List: SID list. Arranged in order of the nodes on the packet forwarding path from farthest to nearest, that is, Segment List[0] represents the last SID of the path, Segment List[1] represents the second to last SID of the path, and so on.
[0068] 9) Optional TLV: Variable length, optional Type-Length-Value.
[0069] SRv6's programming attributes are manifested on three levels: 1) Multiple segments are combined to form an SRv6 path; 2) Each SRv6 SID is 128 bits long, with customizable segment lengths. The Function field is equivalent to the opcode of a computer instruction: it expresses the forwarding action that the node is to perform on the packet and can be freely programmed; 3) An optional TLV field is provided, which can carry irregular information at the forwarding plane while the packet is transmitted in the network.
[0070] Therefore, according to whether the service node (SF) in the converged gateway can recognize SRv6 packets, two types of SIDs are defined: End.AW SID (for aware SFs) and End.NW SID (for unaware SFs).
[0071] The forwarding action is described in detail:
[0072] 1) For a service node (SF) that can recognize SRv6 packets, the service function forwarder (SFF) directly forwards the packet to the SF for processing. After completing the service processing, the SF forwards the packet back to the SFF. For the End.AW SID, the corresponding forwarding action is as follows:
[0073] a. Before the packet travels from SFF to SF, SFF first modifies the destination address DA in the IPv6 basic header to the 0th SID value in SRH, and then forwards the packet according to the outgoing interface associated with the End.AW SID.
[0074] b. After the message passes from SF to SFF, SFF restores the destination address DA in the IPv6 basic header to SRH[SL] and forwards the message according to the normal SRv6 message forwarding process.
[0075] 2) For service nodes (SFs) that cannot recognize SRv6 packets, the service function forwarder (SFF) needs to decapsulate the SRv6 packets before forwarding the original data packets to the SF for processing. After completing service processing, the SF forwards the packets back to the SFF node, which then decides whether to continue forwarding the packets in the SRv6 SFC network. For the End.NW SID, the corresponding forwarding action is as follows:
[0076] a. Before a message travels from SFF to SF, SFF first decapsulates the message and then forwards the message according to the outgoing interface associated with End.NW SID;
[0077] b. After the message is sent from the SF to the SFF, the SFF re-encapsulates the SRv6 header of the message according to the ingress interface of the message or its associated SID list and its configuration.
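The SRH layout listed in fields 1) to 9) above and the End.AW / End.NW actions in 1) and 2), worked through in code. This is an added example written for this page, not code from the patent or its assignee. The SIDs (fd00:1:1::a1 for an aware firewall, fd00:1:2::b1 for an unaware IDS), the SF interface names fw0 and ids0, the classifier address fd00:1::c1 and the user packet are all constructed. Where the text only says "normal SRv6 forwarding", the example assumes the standard SRv6 End behaviour: after the SF returns the packet, Segments Left is decremented by one and DA becomes Segment List[SL]; when Segments Left is already 0 the chain is finished and the inner packet leaves the SFC domain.

```python
"""Constructed SRv6 SRH encode/parse plus SFF handling of End.AW and End.NW SIDs."""
import ipaddress
import struct

IPV6_NH_ROUTING = 43   # IPv6 Next Header value: routing extension header follows
IPV6_NH_IPV6 = 41      # SRH Next Header value: inner packet is IPv6 (IPv6-in-IPv6)
SRH_ROUTING_TYPE = 4   # Routing Type value that identifies an SRH


def build_ipv6(src, dst, next_header, payload):
    """Minimal 40-byte IPv6 basic header: version 6, traffic class/flow label 0, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def parse_ipv6(pkt):
    _, plen, nh, _hop_limit = struct.unpack("!IHBB", pkt[:8])
    hdr = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
           "dst": str(ipaddress.IPv6Address(pkt[24:40])), "next_header": nh}
    return hdr, pkt[40:40 + plen]


def build_srh(path, next_header, tag=0, flags=0):
    """`path` lists SIDs in forwarding order. The Segment List stores them reversed
    (Segment List[0] is the last SID); Segments Left and Last Entry both start at n-1.
    Hdr Ext Len counts 8-byte units after the first 8 bytes: two per 128-bit SID, no TLVs."""
    seg_list = list(reversed(path))
    n = len(seg_list)
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE, n - 1, n - 1, flags, tag)
    return fixed + b"".join(ipaddress.IPv6Address(s).packed for s in seg_list)


def parse_srh(data):
    """Return (parsed SRH fields, bytes following the SRH)."""
    nh, hel, rt, sl, le, flags, tag = struct.unpack("!BBBBBBH", data[:8])
    if rt != SRH_ROUTING_TYPE:
        raise ValueError("routing type %d is not an SRH" % rt)
    segs = [str(ipaddress.IPv6Address(data[8 + 16 * i:24 + 16 * i])) for i in range(le + 1)]
    srh = {"next_header": nh, "hdr_ext_len": hel, "segments_left": sl, "last_entry": le,
           "flags": flags, "tag": tag, "segment_list": segs}
    return srh, data[8 + 8 * hel:]


def set_segments_left(srh_bytes, sl):
    return srh_bytes[:3] + bytes([sl]) + srh_bytes[4:]   # byte 3 of the SRH is Segments Left


class SFF:
    """Forwarding node. `sid_table` maps a local SID to (SID type, SF interface name)."""

    def __init__(self, sid_table):
        self.sid_table = sid_table
        self.pending = {}   # SF interface -> (outer src, SRH bytes) stashed for End.NW (SFC proxy role)

    def to_sf(self, pkt):
        """Step a: prepare the packet for the SF named by the active SID. Returns (interface, bytes)."""
        outer, rest = parse_ipv6(pkt)
        srh, inner = parse_srh(rest)
        sid_type, sf = self.sid_table[outer["dst"]]
        if sid_type == "End.AW":
            # DA := Segment List[0]; the SRH stays so the aware SF can see the chain.
            return sf, build_ipv6(outer["src"], srh["segment_list"][0], IPV6_NH_ROUTING, rest)
        # End.NW: strip outer header + SRH and remember them per SF interface.
        self.pending[sf] = (outer["src"], rest[:8 + 8 * srh["hdr_ext_len"]])
        return sf, inner

    def from_sf(self, sf, pkt):
        """Step b: restore (End.AW) or re-encapsulate (End.NW), then the assumed End action.
        Returns ("forward", packet) or ("exit", inner packet) when Segments Left is already 0."""
        if sf in self.pending:                    # End.NW: re-encapsulate from the per-interface stash
            src, srh_bytes = self.pending.pop(sf)
            rest = srh_bytes + pkt
        else:                                     # End.AW: packet still carries outer header + SRH
            outer, rest = parse_ipv6(pkt)
            src = outer["src"]
        srh, inner = parse_srh(rest)
        sl = srh["segments_left"]                 # DA restored to SRH[SL], i.e. this node's own SID
        if sl == 0:                               # last SF processed: leave the SRv6 SFC domain
            return "exit", inner
        sl -= 1                                   # assumed End action: SL := SL-1, DA := SRH[SL]
        srh_bytes = set_segments_left(rest[:8 + 8 * srh["hdr_ext_len"]], sl)
        return "forward", build_ipv6(src, srh["segment_list"][sl], IPV6_NH_ROUTING, srh_bytes + inner)


def run_chain_demo():
    """Constructed walk-through of a two-hop chain: FW (aware, End.AW) then IDS (unaware, End.NW)."""
    inner = build_ipv6("2001:db8::10", "2001:db8::20", 59, b"user data (constructed)")
    path = ["fd00:1:1::a1", "fd00:1:2::b1"]      # constructed SIDs, forwarding order
    sff = SFF({"fd00:1:1::a1": ("End.AW", "fw0"), "fd00:1:2::b1": ("End.NW", "ids0")})
    # Classifier (SC) step: encapsulate with the SRH, DA = first SID of the path.
    pkt = build_ipv6("fd00:1::c1", path[0], IPV6_NH_ROUTING, build_srh(path, IPV6_NH_IPV6) + inner)
    trace = []
    sf, p = sff.to_sf(pkt)                        # hop 1, aware SF sees DA = Segment List[0]
    trace.append((sf, parse_ipv6(p)[0]["dst"]))
    action, pkt = sff.from_sf(sf, p)              # aware SF hands the SRv6 packet back unchanged
    trace.append((action, parse_ipv6(pkt)[0]["dst"]))
    sf, p = sff.to_sf(pkt)                        # hop 2, unaware SF receives the original packet
    trace.append((sf, p == inner))
    action, out = sff.from_sf(sf, p)              # SL is 0 after re-encapsulation: chain complete
    trace.append((action, out == inner))
    return trace
```

Two details worth checking against a real SRH: Hdr Ext Len in `parse_srh` is what locates the inner packet, so a header with TLVs still parses correctly even though `build_srh` never emits any, and the End.NW stash is keyed by the SF's ingress interface exactly as step b) of the text describes, so a second unaware SF on a different interface gets its own entry.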
[0078] Furthermore, depending on the different functional types of SF, opcodes for SIDs can be defined. For serial SFs that need to return business data, such as FW, the SID can be defined as End.SF SID. For side-mounted SFs that do not need to return business data, such as IDS, the SID can be defined as End.BF SID, and so on. We can fully utilize its programming attributes to cope with diverse application scenarios.
[0079] The working principle is as shown in Figure 2. The network security converged gateway system of this invention enables unified pooled management of security business functions through virtualization images; the hardware infrastructure adopts NFV technology to achieve sharing and flexible scheduling of hardware computing resources, storage resources, and network resources.
[0080] First, a "business-security capability" parsing and mapping is performed on security business requirements to determine the required security service function nodes and define the security service configuration on each node. Then, instantiation and deployment are performed based on hardware resource usage to complete the "security network element-hardware resource" mapping. By constructing a service function chain, specifying parameters such as the service chain ID number, source and destination feature groups, and selecting the security service function nodes to be referenced, the chain is finally distributed to each node of the forwarding plane in the form of OpenFlow flow tables. The forwarding plane enables high-speed forwarding and processing of business data between various security service nodes, thereby achieving flexible and elastic security protection.
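The control-plane steps in the paragraph above (business requirement parsed into SF nodes, instantiation according to free hardware resources, a chain with an ID and source/destination feature groups, and a rule handed to the forwarding plane), together with the End.SF / End.BF opcodes from the previous paragraph, as an added example that is not the patent's or its assignee's code. The opcode values, the board locators, the resource figures and the dict form of the flow rule (an OpenFlow-style match/action record, not a real OpenFlow action) are constructed assumptions; the SID shape "locator::function" follows the general SRv6 SID structure rather than any encoding given on this page.

```python
"""Constructed orchestration example: requirement -> placed SFs -> SID list -> classifier rule."""

# Function-field opcodes are constructed values, not the patent's encoding.
OPCODES = {"End.SF": 0xC0, "End.BF": 0xD0}


class Board:
    """A service board with its SRv6 locator prefix and currently free resources (constructed)."""

    def __init__(self, name, locator, cpu, mem):
        self.name, self.locator = name, locator
        self.free = {"cpu": cpu, "mem": mem}


def place_vnf(boards, need):
    """'Security network element -> hardware resource' mapping: pick the board with the most
    free CPU among those that can hold the VNF; refuse rather than over-commit."""
    fit = [b for b in boards if all(b.free[k] >= v for k, v in need.items())]
    if not fit:
        raise RuntimeError("no service board has enough free resources for %s" % need)
    board = max(fit, key=lambda b: b.free["cpu"])
    for k, v in need.items():
        board.free[k] -= v
    return board


def make_sid(board, sid_type, index):
    """SID = board locator (prefix) + function (opcode in the high byte, instance index low)."""
    return "%s::%x" % (board.locator.rstrip(":"), (OPCODES[sid_type] << 8) | index)


def build_chain(chain_id, src_group, dst_group, requested, boards):
    """Map each requested SF to a node and SID, then emit the chain and the SC flow rule.
    `requested` items: {"type", "mode": "serial"|"side", "aware": bool, "need": {...}}."""
    nodes = []
    for sf in requested:
        board = place_vnf(boards, sf["need"])
        # Serial SFs (FW, WAF) return traffic -> End.SF; side-mounted SFs (IDS) do not -> End.BF.
        sid_type = "End.SF" if sf["mode"] == "serial" else "End.BF"
        nodes.append({"sf": sf["type"], "board": board.name, "aware": sf["aware"],
                      "sid_type": sid_type, "sid": make_sid(board, sid_type, len(nodes))})
    path = [n["sid"] for n in nodes]
    flow_rule = {   # constructed match/action record handed to the classifier node SC
        "table": 0, "priority": 100,
        "match": {"ipv6_src": src_group, "ipv6_dst": dst_group},
        "actions": [{"push_srv6": {"segment_list": list(reversed(path)),   # Segment List[0] = last SID
                                   "segments_left": len(path) - 1,
                                   "ipv6_dst": path[0]}},                  # DA = first SID
                    "output:sff"]}
    return {"chain_id": chain_id, "nodes": nodes, "flow_rule": flow_rule}


def demo():
    """Constructed request: FW -> IDS (side-mounted) -> WAF over two service boards."""
    boards = [Board("svc1", "fd00:1:1::", cpu=8, mem=32), Board("svc2", "fd00:1:2::", cpu=4, mem=16)]
    request = [{"type": "FW", "mode": "serial", "aware": True, "need": {"cpu": 4, "mem": 8}},
               {"type": "IDS", "mode": "side", "aware": False, "need": {"cpu": 2, "mem": 4}},
               {"type": "WAF", "mode": "serial", "aware": True, "need": {"cpu": 4, "mem": 8}}]
    return build_chain(1, "2001:db8:a::/48", "2001:db8:b::/48", request, boards)
```

The placement step is the part that matters operationally: the WAF only lands on the second board because the first one no longer has four free CPUs, which is the "dynamic adjustment based on current hardware resource usage" the text describes, and a request that no board can hold is rejected instead of silently producing a chain whose node never instantiates.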
[0081] Preferably, as shown in Figure 3, the network security converged gateway system of this invention adopts a compact chassis + boards design. The chassis features multi-slot redundancy, providing basic hardware support including chassis management, heat dissipation, and power supply. The boards are functionally divided into main control boards, interface boards, service boards, and switching network boards. In addition, to improve overall reliability and scalability, the main control board adopts 1+1 redundancy backup, which switches seamlessly to the backup board when the main control board fails; the switching network board adopts N+1 redundancy backup, which can be customized and expanded according to performance requirements; the interface boards can be selected according to the number of interfaces, speed, and other requirements; the fans and power supplies both adopt N+1 redundancy and can be customized according to the overall power consumption of the system.
[0082] The system adopts a design approach that separates data channels and management channels to ensure the reliability of the management channel under high traffic volumes. The management channel employs a distributed management method, consisting of a dedicated management CPU on the main control board and management CPUs on the interface boards, switching network boards, and service boards. This dedicated channel is used for data exchange of flow table information, status information, etc. The high-speed data channel is physically connected by orthogonal connectors on the interface boards, service boards, and switching network boards. Service data is forwarded at line speed between boards via high-performance switching chips according to flow table definitions.
[0083] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A network security converged gateway system based on a service function chain, characterized in that the network security converged gateway system includes an application plane, a control plane, and a data plane; the application plane includes several human-computer interaction interfaces and provides a visual operation and management interface to the outside world, and operation and maintenance management personnel carry out operation and maintenance management based on the corresponding service list and pre-set orchestration templates; the control plane includes a network controller and a security controller, which realizes the mapping and association between business requirements and security network elements, and between security network elements and hardware resources, so as to achieve centralized control of security network elements and virtual resources; the data plane is configured to perform data forwarding and security protection processing for business traffic; the data plane includes a classification node SC, a forwarding node SFF, and a service node SF, wherein the classification node SC is configured to classify user traffic, encapsulate service packets with SRv6, form a transmission channel within the service function chain domain, and introduce service traffic of preset types into the corresponding SFC domain; the forwarding node SFF is configured to forward data packets encapsulated with the corresponding logical service function chain hop by hop to achieve traffic redirection; the service node SF is configured to be deployed via VNF instantiation to implement different network security protection functions for processing received data packets; the service node SF defines two SID types based on whether it can recognize SRv6 packets: End.AW SID and End.NW SID; and the packet forwarding action is as follows: for a service node SF that can recognize SRv6 messages, the forwarding node SFF forwards the message directly to the service node SF for processing, and after completing the service processing, the service node SF forwards the message directly back to the forwarding node SFF; for a service node SF that cannot recognize SRv6 packets, the forwarding node SFF first decapsulates the SRv6 packets and then forwards the original data packets to the service node SF for processing, and after completing the service processing, the service node SF forwards the packets back to the forwarding node SFF, which decides whether to continue forwarding the packets in the SRv6 SFC network.
2. The network security converged gateway system as described in claim 1, characterized in that the application plane enables service chain setup through a drag-and-drop canvas, and can visualize device operating status, resource usage status, service execution status, and log alarm information.
3. The network security converged gateway system as described in claim 1, characterized in that the security controller manages security network elements, orchestrates security services, and manages security policies; the aforementioned security network element management refers to the full lifecycle management of various virtualized security network elements, including installation, initialization, operation, scaling up and down, upgrading, and decommissioning; security service orchestration refers to combining different security network elements into network security services through service chains, and managing the association and mapping relationship between network elements and corresponding hardware resources; and security policy management refers to the management of security protection policies, traffic redirection policies, and service chain policies.
4. The network security converged gateway system as described in claim 1, characterized in that the network controller performs topology management, flow table management, and hardware resource management; topology management refers to the management of the topology information formed by the boards in the device, which is used to form service chain paths and complete data exchange commands; flow table management refers to the parsing and distribution of flow rules, as well as the maintenance of flow tables; and hardware resource management refers to the monitoring, allocation, and statistics of computing, storage, and network resources contained in the integrated framework, which are then provided to the security controller for scheduling.
5. The network security converged gateway system as described in claim 1, characterized in that the service nodes (SFs) are divided into aware SFs and unaware SFs based on whether they can perceive SFC encapsulation, and for unaware SFs, packet encapsulation and decapsulation are performed through an SFC proxy.
6. The network security converged gateway system as described in claim 1, characterized in that for the End.AW SID the corresponding packet forwarding action is: a. before a packet travels from the forwarding node SFF to the service node SF, the forwarding node SFF first modifies the destination address DA in the IPv6 basic header to the 0th SID value in the SRH, and then forwards the packet according to the outgoing interface associated with the End.AW SID; b. after the packet is sent from the service node SF back to the forwarding node SFF, the forwarding node SFF restores the destination address DA in the IPv6 basic header to SRH[SL] and forwards the packet according to the normal SRv6 packet forwarding process.
7. The network security converged gateway system as described in claim 1, characterized in that for the End.NW SID the corresponding packet forwarding action is: a. before a message travels from the forwarding node SFF to the service node SF, the forwarding node SFF first decapsulates the message, and then forwards the message according to the outgoing interface associated with the End.NW SID; b. after the message is sent from the service node SF back to the forwarding node SFF, the forwarding node SFF re-encapsulates the message with an SRv6 header according to the ingress interface of the message or its associated SID list and its configuration.