CN105812502A - OpenFlow-based implementation method for address resolution protocol proxy technology - Google Patents
- Publication number: CN105812502A (application CN201610127935.5A)
- Authority
- CN
- China
- Prior art keywords
- host
- address
- dhcp
- controller
- lease
- Prior art date
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2521—Translation architectures other than single NAT servers
- H04L61/2528—Translation at a proxy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5076—Update or notification mechanisms, e.g. DynDNS
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/59—Network arrangements, protocols or services for addressing or naming using proxies for addressing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2212/00—Encapsulation of packets
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a method for implementing an Address Resolution Protocol (ARP) proxy on OpenFlow and belongs to the field of network communication. OpenFlow separates the data plane of a network from its control plane and thereby provides a platform and tooling for network innovation. On this separated architecture, an ARP proxy service is programmed on the POX controller. In an OpenFlow network, the DHCP packets sent up to the controller are parsed and the host IP address, host MAC address, host port number and related fields are extracted automatically into a host-information binding table. Once the table exists, the OpenFlow controller answers ARP requests on behalf of the hosts, which resolves communication between two hosts simply and efficiently. The binding table is also used to decide whether a packet sent to the controller is legitimate, so that legitimate packets are forwarded normally and illegitimate packets are dropped, which improves the security of the system.
Description
Technical field
The invention belongs to the technical field of computer networks.
Background
In a traditional IT architecture, once a network has been deployed to meet business requirements, changing the configuration of the corresponding devices (routers, switches, firewalls) when those requirements change is tedious. In the fast-moving Internet and mobile-Internet business environment, high stability and high performance are no longer sufficient; flexibility and agility matter more. SDN separates the control function from the network devices and places it in a centralised controller, so that the network no longer depends on the specifics of the underlying devices (routers, switches, firewalls) and their differences are hidden. Control is fully programmable: users can define whatever routing and forwarding policies they want, which makes the network more flexible and intelligent.
After migrating to SDN there is no need to configure the router at each node over and over; the devices in the network are connected automatically and only simple network rules need to be defined when they are used. If the protocol built into a router is unsuitable, it can be changed programmatically to obtain better forwarding performance.
The concept of the cloud host, already widespread in Hong Kong and the United States, is beginning to emerge in China. Cloud hosts are an important part of cloud computing at the infrastructure level, at the base of the cloud computing industry pyramid, and are products of cloud computing platforms. Such a platform integrates the three core elements of Internet applications, computing, storage and networking, and offers them to users as a public Internet infrastructure service. A cloud host is a virtualisation technology similar to a VPS. A VPS uses virtualisation software such as VZ or a VM hypervisor to divide one physical host into several parts that behave like independent hosts, so that one machine serves many users; each part can run its own operating system and is managed like a physical host. A cloud host instead divides a cluster of physical hosts into several independent-host-like parts, and every host in the cluster holds an image of the cloud host, which greatly improves its security and stability: the cloud host becomes unreachable only if every host in the cluster fails.
It is worth noting that when an enterprise rents cloud hosts, they may not all be in the same data centre or even the same city. Their physical networks may therefore lie on different subnets, even though within the enterprise all the rented cloud hosts are on the same subnet. How cloud hosts on different physical subnets communicate within the enterprise network then becomes a complicated matter.
For two hosts to communicate, the source must first send an ARP request to obtain the MAC address of the destination host. The cloud hosts rented by an enterprise may span several different networks, and in a traditional network the ARP request can only reach the destination by tunnelling it across the networks between the two hosts, because the enterprise does not know where the cloud provider has placed its hosts or how many networks lie between them. In short, the ARP request from the source host is encapsulated in a tunnel packet, forwarded by the tunnelling protocol to the network of the destination host, decapsulated there and finally delivered. This is costly, inefficient and laborious to implement. As cloud services grow, this weakness of traditional networks becomes apparent, and an ARP proxy implemented with SDN solves the problem well.
In the SDN architecture the controller is the brain of the network: every host is connected to it and it holds the information of every host. If hosts on different networks need to communicate, the ARP request can be sent to the controller first; since the controller knows every host in the network, it can reply to the source host directly with the MAC address of the destination host. This resolves communication between the two hosts simply and efficiently.
DHCP snooping is a DHCP security feature. It builds and maintains a DHCP snooping binding table and uses it to filter untrusted DHCP messages, that is, DHCP messages from untrusted parts of the network. The binding table holds the IP address, MAC address, lease time, VLAN ID and interface of the users in the untrusted area.
With DHCP snooping enabled, the switch listens to DHCP traffic and extracts and records IP and MAC address information from the DHCP Request and DHCP Ack messages it receives. It also lets each physical port be configured as trusted or untrusted: a trusted port receives and forwards DHCP Offer messages normally, while an untrusted port discards the DHCP Offer messages it receives. In this way the switch screens out rogue DHCP servers and ensures that clients obtain their addresses from a legitimate one.
The role of DHCP snooping:
(1) Its main function is to isolate rogue DHCP servers by configuring untrusted ports.
(2) Together with Dynamic ARP Inspection (DAI) on the switch, it prevents ARP spoofing from spreading.
(3) It builds and maintains the DHCP snooping binding table, which is populated from the IP and MAC addresses in DHCP Ack messages and can also be filled in by hand. This table is the basis of DAI and IP Source Guard, two related features that use it to decide whether an IP or MAC address is legitimate and so restrict which users may connect to the network.
In the present scheme, the DHCP packets sent up to the controller are parsed and the required fields are extracted automatically into a binding table, with no manual entry, so that IP, MAC, port and the other fields correspond one to one. Once the binding relationship exists, a packet received on a given port is judged legitimate or not according to whether its source address has a matching entry for that port in the binding table; legitimate packets are forwarded normally and illegitimate ones are dropped, which improves the security of the system.
A large data centre has tens of thousands of hosts. Using the advantages of SDN, the information of every host attached to the network is consolidated into a binding table that is built and maintained centrally. This not only yields detailed information on every host, supplying the data that the ARP proxy and host communication need, but also helps greatly with day-to-day centralised host management. This is an advantage traditional networks cannot match, and it is the motivation for this work.
Contents of the invention
The significance of an ARP proxy in an SDN environment has been set out above; SDN itself is an innovative technology. Taking SDN as the setting and using its characteristics, we developed an ARP proxy scheme that is more efficient and more secure than the traditional network approach. Compared with a traditional network, the scheme has several innovations, described below.
The controller is central to an SDN network. The scheme creates in the controller a dhcp_lease table holding host information: host IP address, host MAC address, host port number, the time the IP address was obtained and the IP lease time. All of these fields are obtained automatically, without manual intervention, and the data obtained is protected. The ARP proxy therefore relies on a DHCP proxy approach to obtain the host IP address, host MAC address, host port number, IP acquisition time and IP lease time together: by following the DHCP protocol exchange, the required data is captured automatically and written into the dhcp_lease table. This is another innovation of the scheme.
The host IP address and host MAC address correspond one to one. When the lease on a host's IP address expires, its entry is deleted from the table and the MAC address no longer corresponds to that IP address.
When the program starts it installs flow entries that match ARP and DHCP packets and send matching packets up to the controller, and at the same time starts the scan_expire timer that scans the dhcp_lease table for expired host IP entries. When a DHCPDISCOVER or DHCPREQUEST from a client host is received, the event.port field of the Packet_in event, that is, the port number, is extracted and written into the dhcp_lease table. When a DHCPACK is received, the IP address the DHCP server assigned to the host is extracted and written into the dhcp_lease table together with the host's MAC address, the time the IP was obtained and the lease time of the IP. The controller has then finished processing the matched DHCP packets and has automatically built the required data into a dhcp_lease table that supplies what the subsequent ARP proxy needs.
The implementation of the ARP proxy scheme is described in detail next.
When a host sends an ARP request, the request is not forwarded to the destination host. Instead the controller extracts the target IP address from the ARP request and compares it with the first column of the dhcp_lease table, the host IP. If a match is found, an ARP reply containing the destination MAC address is constructed in ARP reply format and returned, by proxy, to the host that sent the request. Once the requesting host has the destination MAC address it sends an ICMP echo request. Because the ICMP request does not yet match any forwarding entry on the switch, it too is sent up to the controller, which extracts its destination IP address and again compares it with the first column of the dhcp_lease table. On a match it takes the port number of the corresponding host, places it in a Packet_out message and forwards the ICMP request through that Packet_out to the destination host, which answers with an ICMP echo reply. The two hosts have thus communicated through the controller's proxy ARP.
Throughout the program's run the timer keeps firing and scans the dhcp_lease table at regular intervals. scan_expire(), as its name says, scans for expired entries and deletes expired IP entries from the dhcp_lease table, because every IP address a DHCP server assigns carries a lease and is released when the lease expires. In practice, if an IP address in the constructed dhcp_lease table has expired, the host MAC no longer corresponds to that IP address and later proxy ARP replies would be wrong. The program sets the timer to scan the dhcp_lease table every 30 seconds; it subtracts the time the IP address was written into the table from the current system time and, if the difference exceeds the lease time recorded in the table, the IP address lease has expired and has been reclaimed by the DHCP server for reallocation, so the entry is deleted from the dhcp_lease table.
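The following is an added example, not the patent's own POX code, of the dhcp_lease table described above: it parses DHCP messages as they would arrive in Packet_in events, records the ingress port from DISCOVER/REQUEST, binds IP, MAC, port, acquisition time and lease time on DHCPACK, runs the scan_expire check, and performs the source-binding validation from the background section. One check is an assumption added here that the page does not state: the DHCP snooping feature the page cites only believes server messages from trusted ports, so the example accepts a DHCPACK only from a configured trusted port, otherwise a rogue DHCP server on any host port could poison the table that the ARP proxy later trusts. The DHCP bytes, port numbers and the DEFAULT_LEASE fallback are constructed for the example.

```python
"""Added example (not the patent's POX code): build the dhcp_lease binding
table from DHCP messages seen in Packet_in events, validate traffic against
it, and expire leases the way the scan_expire timer in the text does.
Standard library only; the DHCP bytes are constructed here for offline use."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

DHCP_DISCOVER, DHCP_REQUEST, DHCP_ACK = 1, 3, 5
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DEFAULT_LEASE = 3600  # assumed fallback if an ACK carries no option 51


@dataclass
class Lease:
    ip: str
    mac: str
    port: int          # OpenFlow in_port the client's DISCOVER/REQUEST arrived on
    acquired: float    # controller clock when the ACK was seen
    lease_time: int    # seconds, DHCP option 51


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and DHCP options (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"yiaddr": yiaddr, "chaddr": chaddr, "options": opts}


class LeaseTable:
    """dhcp_lease: IP -> (MAC, port, acquisition time, lease time)."""

    def __init__(self, trusted_ports=()):
        self.entries: Dict[str, Lease] = {}
        self.client_port: Dict[str, int] = {}  # MAC -> port, from DISCOVER/REQUEST
        # Assumption added here: only ACKs arriving on ports that face the real
        # DHCP server are believed (the trusted-port idea from DHCP snooping).
        self.trusted_ports = set(trusted_ports)

    def on_dhcp(self, payload: bytes, in_port: int, now: float) -> bool:
        """Feed one DHCP message from a Packet_in. Returns True if a lease was bound."""
        msg = parse_dhcp(payload)
        mtype = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
        mac = msg["chaddr"]
        if mtype in (DHCP_DISCOVER, DHCP_REQUEST):
            self.client_port[mac] = in_port        # record event.port for this host
            return False
        if mtype != DHCP_ACK or in_port not in self.trusted_ports:
            return False                           # ignore non-ACKs and rogue servers
        if mac not in self.client_port:
            return False                           # never saw this client's request
        opt = msg["options"].get(OPT_LEASE_TIME)
        lease_time = struct.unpack("!I", opt)[0] if opt else DEFAULT_LEASE
        self.entries[msg["yiaddr"]] = Lease(
            msg["yiaddr"], mac, self.client_port[mac], now, lease_time)
        return True

    def scan_expire(self, now: float) -> List[str]:
        """The timer body: drop entries whose age exceeds their lease time."""
        expired = [ip for ip, l in self.entries.items()
                   if now - l.acquired > l.lease_time]
        for ip in expired:
            del self.entries[ip]
        return expired

    def lookup_mac(self, ip: str) -> Optional[str]:
        """What the ARP proxy needs: target IP -> MAC, or None if unknown."""
        lease = self.entries.get(ip)
        return lease.mac if lease else None

    def is_legit(self, src_ip: str, src_mac: str, in_port: int) -> bool:
        """Binding check: source IP, MAC and ingress port must all match one entry."""
        lease = self.entries.get(src_ip)
        return lease is not None and lease.mac == src_mac and lease.port == in_port


def build_dhcp(msg_type: int, yiaddr: str, mac: str, lease_time: int = 0) -> bytes:
    """Constructed sample DHCP message for testing (no real server involved)."""
    hdr = bytearray(236)
    struct.pack_into("!BBBB", hdr, 0, 2 if msg_type == DHCP_ACK else 1, 1, 6, 0)
    hdr[16:20] = bytes(int(x) for x in yiaddr.split("."))
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease_time:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_time)
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    t = LeaseTable(trusted_ports={3})
    t.on_dhcp(build_dhcp(DHCP_DISCOVER, "0.0.0.0", "00:11:22:33:44:55"), 1, 1000.0)
    t.on_dhcp(build_dhcp(DHCP_ACK, "10.0.0.10", "00:11:22:33:44:55", 600), 3, 1001.0)
    print(t.entries, t.scan_expire(1700.0))
```

In a real POX handler, `now` would be the controller's clock and `in_port` would come from `event.port`; the table is kept in memory here rather than rewritten to a file on disk as the steps below describe, but the expiry rule (current time minus write time greater than the lease) is the same.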
Description of drawings
Figure 1 is a schematic diagram of the development and test environment.
Detailed description
The program uses POX as the controller and is developed against OpenFlow 1.0.
POX provides several basic components for parsing common packets. Flow entries matching the packets of interest are installed to send them up to the controller, and the packets are handled in the Packet_in event handler; after processing, the POX controller sends a Packet_out message to the OpenFlow switch.
Development and test environment:
Controller: POX
Open vSwitch version: 2.3.0
PC1 operating system: Ubuntu 14.04.2 LTS
PC2 operating system: Windows 7
PC3 operating system: Windows 7
The POX controller and the Open vSwitch switch run on a PC with Ubuntu 14.04.2 LTS, called PC1, which has three network interfaces. Together with two Windows 7 PCs, PC2 and PC3, it forms the test environment.
The PC running POX and OVS is the control host PC1; the two Windows 7 PCs are PC2 and PC3. PC2 and PC3 are connected to two of PC1's network interfaces and are joined by the OVS bridge br0; PC1's third interface is connected to the DHCP server, so that PC2 and PC3 can both reach the DHCP server across the bridge and obtain DHCP service.
Experimental result:
Two PCs stand in for any two different hosts in the network. Each obtains its IP address from the DHCP server, and at the same time the POX controller obtains the information of both PCs and builds its table. PC2 can then communicate with PC3 through the ARP proxy proposed here.
The invention is carried out on a computer in the following steps:
Step (1): install flow entries matching ARP and DHCP packets
Start the program on PC1. It installs flow entries matching ARP and DHCP packets so that matching packets are sent up to the POX controller.
Step (2): start the timer that scans for expired IP entries
Start the scan_expire timer that scans the dhcp_lease table for expired host IP entries; it runs continuously for the whole program run as defined in the program. The timer does the following:
Step (2.1): print the system time for observation and analysis.
Step (2.2): walk the list_all list, delete expired IP entries and write the unexpired entries back to the file on disk.
Step (2.3): format the time into a form the program can process.
Step (2.4): convert the time the IP entry was written and the current time into seconds.
Step (2.5): subtract the time the IP entry was written to disk from the current time to obtain how long the entry has existed.
Step (2.6): if the entry has existed longer than the specified lease time, delete it.
Step (2.7): the timer scans every 30 seconds.
Step (3): PC2 and PC3 request IP addresses through DHCP
Run ipconfig /renew on PC2 and PC3 to request IP addresses from the DHCP server. This triggers the DHCP handling in arp_dhcp_handler.py, which writes the information of PC2 and PC3 into the dhcp_lease table. The controller parses the DHCP packets sent up to it and extracts the main fields into the table; from first column to last these are the IP addresses obtained by PC2 and PC3, their MAC addresses, the port numbers by which they are connected to PC1, the IP acquisition time and the IP lease time.
Step (4): proxy ARP in the controller
Flow entries matching DHCP and ARP packets were installed at program start so that these packets reach the controller. For hosts PC2 and PC3 in the network to communicate, PC2 first sends an ARP request, which is sent up to the POX controller. The controller extracts the target IP address from PC2's ARP request and matches it against the first column of the dhcp_lease table, the host IP. Finding a match with PC3's entry, it replies by proxy to the requesting host PC2 with PC3's MAC address from the second column. Once PC2 has learned the MAC address of the destination host PC3 it sends an ICMP echo request; when the controller receives this packet it extracts the destination IP address, compares it with the first column of the dhcp_lease table and, on a match, takes the OpenFlow port number of the corresponding host PC3, places it in a Packet_out message and forwards the packet to PC3, which then sends an ICMP echo reply to PC2. The two hosts now meet the conditions for communication and can talk to each other.
Step (5): install a flow entry matching the destination host's IP address and port
Install a flow entry matching the IP address and port number of the destination host PC3, so that later packets of the same kind are forwarded directly by the switch according to the flow entry rather than sent up to the controller. This preserves communication efficiency and lightens the controller's load, keeping the whole network running normally.
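The controller-side logic of steps (4) and (5), as an added example that is not the patent's code: it parses a raw ARP request from a Packet_in, answers it by proxy from a dhcp_lease-style table, forwards the first IP packet (the ICMP echo request) to the destination's OpenFlow port and records the flow entry that would then be installed. The table shape `{ip: (mac, port)}`, the PC2/PC3 addresses and the frames are constructed for the example; the source check against the binding table (source IP, MAC and ingress port must match) is applied to both ARP and IP packets, as the scheme's "legitimate packets forwarded, illegitimate dropped" rule requires, so that a host cannot obtain a proxy reply or a flow entry for an address it does not hold.

```python
"""Added example (not the patent's code): controller proxy ARP and first-packet
forwarding of steps (4) and (5) on raw Ethernet frames, with a dhcp_lease-style
table {ip: (mac, openflow_port)}. Standard library only; frames are constructed
here, so no switch or POX instance is needed."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Ethernet II + ARP for IPv4 over Ethernet (RFC 826); None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_IPV4, 6, 4):
        return None
    return {"oper": oper,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def build_arp_reply(req: dict, target_mac: str) -> bytes:
    """Reply the controller sends on behalf of the resolved host (proxy ARP)."""
    eth = mac_bytes(req["sha"]) + mac_bytes(target_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, ARP_REPLY)
    arp += mac_bytes(target_mac) + ip_bytes(req["tpa"])   # sender = resolved host
    arp += mac_bytes(req["sha"]) + ip_bytes(req["spa"])   # target = requester
    return eth + arp


class ArpProxy:
    def __init__(self, table: Dict[str, Tuple[str, int]]):
        self.table = table                         # ip -> (mac, port), built from DHCP
        self.flows: List[Tuple[str, int]] = []     # (dst_ip, out_port) entries installed

    def _bound(self, ip: str, mac: str, port: int) -> bool:
        """Binding-table source check: the triple must match one entry exactly."""
        return self.table.get(ip) == (mac, port)

    def packet_in(self, frame: bytes, in_port: int) -> Tuple[str, Optional[bytes], Optional[int]]:
        """Returns (action, packet_out payload, out_port). action is 'reply'
        (proxy ARP back out in_port), 'forward' (Packet_out to the destination's
        port plus a step-(5) flow entry) or 'drop'."""
        arp = parse_arp(frame)
        if arp is not None:
            if arp["oper"] != ARP_REQUEST or not self._bound(arp["spa"], arp["sha"], in_port):
                return "drop", None, None
            target = self.table.get(arp["tpa"])
            if target is None:
                return "drop", None, None          # unknown host: no proxy reply
            return "reply", build_arp_reply(arp, target[0]), in_port
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETH_IPV4:
            src_mac = mac_str(frame[6:12])
            src_ip, dst_ip = ip_str(frame[26:30]), ip_str(frame[30:34])
            target = self.table.get(dst_ip)
            if target is None or not self._bound(src_ip, src_mac, in_port):
                return "drop", None, None
            self.flows.append((dst_ip, target[1]))  # step (5): dst IP -> out port
            return "forward", frame, target[1]
        return "drop", None, None


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Constructed broadcast ARP request, as a host would send it."""
    eth = b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, ARP_REQUEST)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp


def build_icmp_echo(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed minimal IPv4/ICMP echo request; checksums left at zero."""
    payload = b"\x08\x00\x00\x00\x00\x01\x00\x01"
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + payload
```

With PC2 at 10.0.0.10 on port 1 and PC3 at 10.0.0.11 on port 2, PC2's request for 10.0.0.11 yields a reply carrying PC3's MAC sent back out port 1, the following echo request is forwarded out port 2 and a (10.0.0.11, 2) entry is recorded, and an ARP request in which PC2 claims PC3's address is dropped because the triple does not match the table.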
Claims (1)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610127935.5A CN105812502A (en) | 2016-03-07 | 2016-03-07 | OpenFlow-based implementation method for address resolution protocol proxy technology |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105812502A true CN105812502A (en) | 2016-07-27 |
Family
ID=56467663
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610127935.5A Pending CN105812502A (en) | 2016-03-07 | 2016-03-07 | OpenFlow-based implementation method for address resolution protocol proxy technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105812502A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106506534A (en) * | 2016-12-09 | 2017-03-15 | 河南工业大学 | An ARP attack detection method for SDN network |
| CN107911297A (en) * | 2017-11-21 | 2018-04-13 | 迈普通信技术股份有限公司 | SDN network in-band control channel establishment method and device |
| CN109842692A (en) * | 2018-11-13 | 2019-06-04 | 联想企业解决方案(新加坡)有限公司 | VxLAN switch, system and method for obtaining host information in physical network |
| CN110401733A (en) * | 2019-08-22 | 2019-11-01 | 中国科学院声学研究所 | Method, system and controller for implementing ARP protocol in SDN network |
| CN111010362A (en) * | 2019-03-20 | 2020-04-14 | 新华三技术有限公司 | Method and device for monitoring abnormal host |
| CN111431912A (en) * | 2020-03-30 | 2020-07-17 | 上海连尚网络科技有限公司 | Method and device for detecting DHCP hijacking |
| CN111884916A (en) * | 2020-07-24 | 2020-11-03 | 杭州希益丰新业科技有限公司 | Proxy gateway system for realizing transparent transmission based on multi-network-port computer |
| CN112235881A (en) * | 2020-10-21 | 2021-01-15 | 深圳市友华软件科技有限公司 | Method and device for truly displaying down-hanging equipment based on ONU (optical network Unit) relay network |
| US20210377299A1 (en) * | 2020-05-26 | 2021-12-02 | Dell Products L.P. | Determine a trusted dynamic host configuration protocol (dhcp) server in a dhcp snooping environment |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0915594A2 (en) * | 1997-10-07 | 1999-05-12 | AT&T Corp. | Method for route selection from a central site |
| CN101442436A (en) * | 2007-11-20 | 2009-05-27 | 国际商业机器公司 | IP network management method and system |
| CN103248724A (en) * | 2013-04-19 | 2013-08-14 | 中国(南京)未来网络产业创新中心 | SDN (Software-Defined Networking) controller-based DHCP (Dynamic Host Configuration Protocol) broadcast processing method |
| CN103650427A (en) * | 2011-07-08 | 2014-03-19 | 阿尔卡特朗讯公司 | Centralized system for routing ethernet packets over an internet protocol network |
| CN104202266A (en) * | 2014-08-04 | 2014-12-10 | 福建星网锐捷网络有限公司 | Communication method, switch, controller and communication system |
| CN104301238A (en) * | 2014-10-17 | 2015-01-21 | 福建星网锐捷网络有限公司 | Message processing method, device and system |
2016
- 2016-03-07 CN CN201610127935.5A patent/CN105812502A/en active Pending
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106506534B (en) * | 2016-12-09 | 2019-09-27 | 河南工业大学 | An ARP attack detection method for SDN network |
| CN106506534A (en) * | 2016-12-09 | 2017-03-15 | 河南工业大学 | An ARP attack detection method for SDN network |
| CN107911297B (en) * | 2017-11-21 | 2020-03-24 | 迈普通信技术股份有限公司 | SDN network in-band control channel establishment method and device |
| CN107911297A (en) * | 2017-11-21 | 2018-04-13 | 迈普通信技术股份有限公司 | SDN network in-band control channel establishment method and device |
| CN109842692A (en) * | 2018-11-13 | 2019-06-04 | 联想企业解决方案(新加坡)有限公司 | VxLAN switch, system and method for obtaining host information in physical network |
| CN111010362A (en) * | 2019-03-20 | 2020-04-14 | 新华三技术有限公司 | Method and device for monitoring abnormal host |
| CN111010362B (en) * | 2019-03-20 | 2021-09-21 | 新华三技术有限公司 | Monitoring method and device for abnormal host |
| US12160431B2 (en) | 2019-03-20 | 2024-12-03 | New H3C Technologies Co., Ltd. | Monitoring of abnormal host |
| CN110401733A (en) * | 2019-08-22 | 2019-11-01 | 中国科学院声学研究所 | Method, system and controller for implementing ARP protocol in SDN network |
| CN111431912A (en) * | 2020-03-30 | 2020-07-17 | 上海连尚网络科技有限公司 | Method and device for detecting DHCP hijacking |
| CN111431912B (en) * | 2020-03-30 | 2021-12-28 | 上海尚往网络科技有限公司 | Method and device for detecting DHCP hijacking |
| US20210377299A1 (en) * | 2020-05-26 | 2021-12-02 | Dell Products L.P. | Determine a trusted dynamic host configuration protocol (DHCP) server in a DHCP snooping environment |
| US11641374B2 (en) * | 2020-05-26 | 2023-05-02 | Dell Products L.P. | Determine a trusted dynamic host configuration protocol (DHCP) server in a DHCP snooping environment |
| CN111884916A (en) * | 2020-07-24 | 2020-11-03 | 杭州希益丰新业科技有限公司 | Proxy gateway system for realizing transparent transmission based on multi-network-port computer |
| CN112235881A (en) * | 2020-10-21 | 2021-01-15 | 深圳市友华软件科技有限公司 | Method and device for truly displaying down-hanging equipment based on ONU (Optical Network Unit) relay network |
Similar Documents
| Publication | Title |
|---|---|
| CN105812502A (en) | OpenFlow-based implementation method for address resolution protocol proxy technology |
| CN114070723B (en) | Virtual network configuration method and system of bare metal server and intelligent network card |
| US12301479B2 (en) | Managing network traffic in virtual switches based on logical port identifiers |
| US12273415B2 (en) | Mirroring network traffic of virtual networks at a service provider network |
| EP3261300B1 (en) | Method and device for establishing link between virtual network functions |
| CN112468383B (en) | Communication method and gateway, management method and device in hybrid cloud environment |
| US11374899B2 (en) | Managing network connectivity between cloud computing service endpoints and virtual machines |
| CN111385173B (en) | Message processing method and device, control plane equipment and computer storage medium |
| CN103580980B (en) | Method and device for automatic discovery and automatic configuration of virtual network |
| WO2023098645A1 (en) | Container network configuration method and apparatus, computing node, master node, and storage medium |
| CN104135446B (en) | SDN-based system and method for realizing IPv4 to IPv6 transition |
| CN107733670A (en) | Forwarding policy configuration method and device |
| CN106412142A (en) | Resource device address obtaining method and device |
| WO2013170652A1 (en) | Overlay tunnel information exchange protocol |
| CN104322022B (en) | Multi-tenant system, switch, controller and packet transmission method |
| WO2018006704A1 (en) | Public network IP allocation method and apparatus, and virtual data center system |
| US8887237B2 (en) | Multimode authentication |
| CN105071945A (en) | Network terminal address bulk binding method based on switch technology |
| CN102780602B (en) | Method and device for data transmission |
| CN107181812A (en) | Acceleration proxy device, acceleration proxy method and content management system |
| US20180139150A1 (en) | Dynamic endpoint group binding for cross-tenant resource sharing in software defined networks |
| CN108833472B (en) | Cloud host connection establishment system |
| CN103684858B (en) | Method for tenant network generation and label packet processing, and related device |
| CN115865865A (en) | A cloud-native dual-stack communication method and system based on macvlan |
| CN105897949A (en) | Method and system for directly accessing data center internal network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20160727 |