
CN107181720A - A method and device for secure communication in a software-defined network (SDN) - Google Patents

A method and device for secure communication in a software-defined network (SDN)

Info

Publication number: CN107181720A
Authority: CN (China)
Prior art keywords: user, request, network, sdn, detection result
Legal status: Granted
Application number: CN201610139226.9A
Other languages: Chinese (zh)
Other versions: CN107181720B (en)
Inventor: 柯志勇
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Events:
Application filed by ZTE Corp
Priority to CN201610139226.9A (patent CN107181720B)
Priority to PCT/CN2017/074331 (patent WO2017152754A1)
Publication of CN107181720A
Application granted
Publication of CN107181720B
Legal status: Active
Anticipated expiration


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network


Abstract

The present invention provides a method and device for secure communication in a software-defined network (SDN). It relates to the field of information security technology and addresses the problem in the prior art that cloud security service providers control SDN computing and storage services, which carries great security risks. The method for SDN secure communication is applied to a first SDN controller and includes: obtaining a user request from a client; sending the user request to a cloud server, and receiving a detection result returned by the cloud server after performing security detection on the user request; processing the detection result to produce a processing result, and sending the detection result and/or the processing result to the client.

Description

A method and device for secure communication in a software-defined network (SDN)

Technical field

The present invention relates to the field of information security technology, and in particular to a method and device for secure communication in a software-defined network (SDN).

Background

SDN (Software Defined Network) is an open network architecture. Its core technology, OpenFlow, separates the control plane of network devices from the data plane and thereby enables flexible control of network traffic.

Administrators can view every area of the network and modify the network through SDN; by viewing and modifying the network they can change rules in time and bring better security to the system. Administrators can centrally inspect the network's internal capabilities and quickly restrict them, and then make effective changes. For example, when malware appears in the network, the centralized control plane blocks that traffic through SDN and the OpenFlow protocol, limiting the outbreak without needing access to multiple routers or switches.

With the application and development of cloud computing, cloud security services have also become a service model for SDN. Cloud security services have advantages in performance, scalability, availability and fault tolerance, but cloud access also carries certain security risks. Consequently, cloud security service providers controlling SDN computing and storage services presents great security risks.

Summary of the invention

The purpose of the embodiments of the present invention is to provide a method and device for secure communication in a software-defined network (SDN), so as to solve the problem in the prior art that cloud security service providers control SDN computing and storage services, which carries great security risks.

To achieve the above purpose, an embodiment of the present invention provides a method for SDN secure communication, applied to a first SDN controller, where the method includes:

obtaining a user request from a client;

sending the user request to a cloud server, and receiving a detection result returned by the cloud server after performing security detection on the user request;

processing the detection result to produce a processing result, and sending the detection result and/or the processing result to the client.

Further, the user request from the client includes a user access request from a cloud user and/or at least one first network authorization request from a user terminal that has a terminal application, where the at least one first network authorization request includes the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.

Further, when the user request from the client is a user access request from a cloud user, sending the user request to the cloud server and receiving the detection result returned by the cloud server after performing security detection on the user request includes:

when the user access request of the cloud user is detected to be a user access request sent for the first time, forwarding the user access request to the cloud server;

receiving the detection result returned by the cloud server after performing security detection on the user access request, where the detection result includes: a result, produced by the cloud server after checking the security of the user access request, that either denies access to the first SDN controller or accepts access to the first SDN controller.

Further, processing the detection result to produce a processing result and sending the detection result and/or the processing result to the client includes:

processing the detection result to produce a flow entry record;

sending the detection result and the flow entry record to the cloud user, where the flow entry record includes a state field corresponding to the user access request.

The method for SDN secure communication further includes:

detecting that a flow entry record corresponding to the user access request of the cloud user exists, and determining that the user access request is not a user access request sent for the first time;

returning to the cloud user a processing result for the cloud user's user access request, where the processing result includes: recording, through the flow entry record, that the cloud user's user access request has already been checked as secure by the cloud server and that a detection result accepting access to the first SDN controller has been produced.

Further, when the user request from the client is a single first network authorization request from a user terminal with a terminal application, sending the user request to the cloud server and receiving the detection result returned by the cloud server after performing security detection on the user request includes:

sending the first network authorization request to the cloud server;

receiving the detection result returned by the cloud server after performing security detection on the first network authorization request, where the detection result includes: detecting whether the first SDN controller holds a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request.

Further, processing the detection result to produce a processing result and sending the detection result and/or the processing result to the client includes:

when the detection result is that the first SDN controller holds no second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request, generating, according to the first network authorization request, a first token code uniquely corresponding to the first network authorization request;

verifying the user name, the password and the domain name in the first network authorization request and, when verification passes, generating an authorization target object carrying the first network authorization request and the first token code, and sending the authorization target object to the user terminal.

Further, processing the detection result to produce a processing result and sending the detection result and/or the processing result to the client includes:

when the detection result is that the first SDN controller holds a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request, obtaining the second token code uniquely corresponding to the second network authorization request, generating an authorization target object carrying the first network authorization request and the second token code, and sending the authorization target object to the user terminal.

Further, when the user request from the client consists of multiple first network authorization requests from a user terminal with a terminal application, sending the user request to the cloud server and receiving the detection result returned by the cloud server after performing security detection on the user request includes:

assigning a priority to each first network authorization request;

sending the first network authorization requests to the cloud server in order of priority;

receiving, in order of priority, the detection results returned by the cloud server after performing security detection on the first network authorization requests.

The SDN secure communication further includes:

converting, through a predetermined interface, the data format of the detection result so that it matches the data format of the first SDN controller.

The method for SDN secure communication further includes:

establishing a connection between the first SDN controller and at least one second SDN controller, where the at least one second SDN controller is in a different domain from the first SDN controller;

obtaining a user request from a client in the domain of at least one of the second SDN controllers.
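The controller-side behaviour described above (first-time access requests checked by the cloud server and then answered from a flow entry record; authorization requests deduplicated on user name, password and domain and answered with a first or reused second token code) as a runnable simulation. This is an added example, not ZTE's or the patent's code: the cloud server is a stub whose detection is a constructed deny list, and comparing requests on a password digest rather than the clear-text password is an assumption of this example.

```python
"""Constructed simulation of the first SDN controller in this patent: a cloud
user's access request is checked by the cloud server once and then answered from
a flow entry record; a network authorization request is deduplicated on user
name, password and domain and answered with a token code. Added example, not
ZTE's or the patent's code; the cloud server is a stub."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ACCEPT, DENY = "accept", "deny"

@dataclass
class FlowEntryRecord:
    match: str   # the cloud user the access request came from
    state: str   # state field: ACCEPT or DENY, the cloud server's result

@dataclass(frozen=True)
class AuthorizationRequest:
    username: str
    password: str
    domain: str

@dataclass
class AuthorizationTarget:
    request: AuthorizationRequest
    token: str   # first token (fresh) or second token (reused)

class CloudServerStub:
    """Stand-in for the third-party cloud server. Assumption: its security
    detection is a deny list; the patent does not fix the detection content."""
    def __init__(self, denied_users):
        self.denied = set(denied_users)
        self.stored_targets = []   # the cloud server stores authorization targets

    def detect_access(self, user_id):
        return DENY if user_id in self.denied else ACCEPT

    def detect_duplicate(self, key, known_keys):
        # Does the controller already hold a request with the same key?
        return key in known_keys

    def store(self, target):
        self.stored_targets.append(target)

def credential_key(username, password, domain):
    """Assumption: requests are compared on a hash of the password, so the
    controller never keeps clear-text passwords for the comparison."""
    digest = hashlib.sha256(f"{domain}:{username}:{password}".encode()).hexdigest()
    return (username, digest, domain)

class FirstSdnController:
    def __init__(self, cloud, credentials):
        self.cloud = cloud
        self.credentials = credentials   # {(username, domain): password digest}
        self.flow_table = {}             # user_id -> FlowEntryRecord
        self.tokens = {}                 # credential key -> token code
        self.cloud_calls = 0

    def handle_access_request(self, user_id):
        """Steps 121/122 and 131/132 plus the repeat-request branch."""
        record = self.flow_table.get(user_id)
        if record is not None:
            # Not a first-time request: answer from the flow entry record
            return {"source": "flow_table", "result": record.state}
        self.cloud_calls += 1
        result = self.cloud.detect_access(user_id)
        self.flow_table[user_id] = FlowEntryRecord(match=user_id, state=result)
        return {"source": "cloud", "result": result}

    def _verify(self, req):
        expected = self.credentials.get((req.username, req.domain))
        actual = credential_key(req.username, req.password, req.domain)[1]
        return expected is not None and hmac.compare_digest(expected, actual)

    def handle_authorization_request(self, req):
        key = credential_key(req.username, req.password, req.domain)
        if self.cloud.detect_duplicate(key, self.tokens.keys()):
            token = self.tokens[key]        # identical request exists: reuse its token
        else:
            if not self._verify(req):
                return None                 # verification failed: no target object
            token = secrets.token_hex(16)   # first token, unique to this request
            self.tokens[key] = token
        target = AuthorizationTarget(req, token)
        self.cloud.store(target)            # cloud server receives and stores it
        return target

def demo():
    """Constructed scenario: two cloud users and three authorization requests."""
    cloud = CloudServerStub(denied_users={"mallory"})
    creds = {("alice", "corp.example"): credential_key("alice", "pw-alice", "corp.example")[1]}
    ctrl = FirstSdnController(cloud, creds)
    access = [ctrl.handle_access_request(u) for u in ("alice", "alice", "mallory", "mallory")]
    good = AuthorizationRequest("alice", "pw-alice", "corp.example")
    bad = AuthorizationRequest("alice", "wrong-pw", "corp.example")
    auth = [ctrl.handle_authorization_request(r) for r in (good, good, bad)]
    return access, auth, ctrl.cloud_calls, len(cloud.stored_targets)
```

Note that the cached flow entry record replays whatever the cloud server first returned, so a denied user stays denied without a second cloud round trip.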

An embodiment of the present invention further provides a method for SDN secure communication, applied to a cloud server, where the method includes:

receiving a user request forwarded by a first SDN controller, where the user request was sent by a client to the first SDN controller;

performing security detection on the user request and producing a detection result;

sending the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the client.

Further, receiving the user request forwarded by the first SDN controller includes:

receiving a user access request sent by a cloud user and forwarded by the first SDN controller.

Further, performing security detection on the user request and producing a detection result includes:

for the user access request, checking the security of the user access request and producing a result that either denies access to the first SDN controller or accepts access to the first SDN controller.

Further, receiving the user request forwarded by the first SDN controller includes:

receiving at least one first network authorization request sent by a user terminal with a terminal application and forwarded by the first SDN controller, where the first network authorization request includes the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.

Further, performing security detection on the user request and producing a detection result includes:

detecting whether the first SDN controller holds a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request, and producing a detection result that the first SDN controller holds the second network authorization request or a detection result that the first SDN controller does not hold the second network authorization request.

The method for SDN secure communication further includes:

receiving and storing the authorization target object sent by the first SDN controller, where the authorization target object includes the first network authorization request and either the first token code or the second token code produced by the first SDN controller.

The method for SDN secure communication further includes:

detecting network attack information directed at the first SDN controller, prohibiting it from being opened and deleting it, where the network attack information carries behavioural information about stealing information and forwarding it over the network.

An embodiment of the present invention further provides a device for SDN secure communication, applied to a first SDN controller, including:

a first obtaining module, configured to obtain a user request from a client;

a transceiver module, configured to send the user request to a cloud server and receive a detection result returned by the cloud server after performing security detection on the user request;

a first processing module, configured to process the detection result, produce a processing result, and send the detection result and/or the processing result to the client.

An embodiment of the present invention further provides a device for SDN secure communication, applied to a cloud server, including:

a receiving module, configured to receive a user request forwarded by a first SDN controller, where the user request was sent by a client to the first SDN controller;

a generating module, configured to perform security detection on the user request and produce a detection result;

a second processing module, configured to send the detection result to the first SDN controller, so that the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the client.

The beneficial effects of the above technical solutions of the embodiments of the present invention are as follows:

In the solution of the embodiments of the present invention, the first SDN controller is connected to a cloud server, and the cloud server performs security detection on user requests, which can improve the cloud security of the first SDN controller. Because the application service layer and the data layer of the first SDN network each exchange data with the first SDN controller, the data exchanged with the application service layer and the data layer passes through the cloud server's security check of the first SDN controller, which avoids the security risks between the first SDN controller and the storage services. The cloud server can also assist the first SDN controller in processing user requests, reducing the burden on the SDN controller of monitoring data.

Brief description of the drawings

Fig. 1 is a basic flow diagram of a method for SDN secure communication applied to a first SDN controller according to an embodiment of the present invention;

Fig. 2 is a detailed flow diagram of a method for SDN secure communication according to an embodiment of the present invention;

Fig. 3 is another basic flow diagram of a method for SDN secure communication applied to a first SDN controller according to an embodiment of the present invention;

Fig. 4 is a detailed flow diagram of step 12 of the method for SDN secure communication according to an embodiment of the present invention;

Fig. 5 is a detailed flow diagram of step 13 of the method for SDN secure communication according to an embodiment of the present invention;

Fig. 6 is another detailed flow diagram of step 12 of the method for SDN secure communication according to an embodiment of the present invention;

Fig. 7 is a schematic diagram of the token authorization flow of the method for SDN secure communication according to an embodiment of the present invention;

Fig. 8 is a flow diagram of a method for SDN secure communication applied to a cloud server according to an embodiment of the present invention;

Fig. 9 is a schematic structural diagram of a device for SDN secure communication applied to a first SDN controller according to an embodiment of the present invention;

Fig. 10 is a schematic structural diagram of cross-domain token authorization in the device for SDN secure communication according to an embodiment of the present invention;

Fig. 11 is a flow diagram of the processing of packets between the first SDN controller and the data forwarding layer according to an embodiment of the present invention;

Fig. 12 is a schematic structural diagram of a device for SDN secure communication applied to a cloud server according to an embodiment of the present invention;

Fig. 13 is a schematic structural diagram of a practical application of the cloud server according to an embodiment of the present invention;

Fig. 14 is a schematic diagram of the basic structure of a practical application of the first SDN controller and the cloud server according to an embodiment of the present invention;

Fig. 15 is a schematic diagram of the detailed structure of a practical application of the first SDN controller and the cloud server according to an embodiment of the present invention.

Detailed description

To make the technical problems, technical solutions and advantages addressed by the present invention clearer, a detailed description is given below with reference to the drawings and specific embodiments.

As shown in Fig. 1, the method for SDN secure communication according to an embodiment of the present invention is applied to a first SDN controller and includes:

Step 11: obtaining a user request from a client.

The client here may be a terminal in the application service layer of the SDN network. The application service layer includes command-line applications, network management applications, security applications and various other applications. The command-line application is specifically an application accessed by the administrators of the first SDN controller; through the command line reserved by the first SDN controller it carries out configuration, queries and other operations on the first SDN controller and provides some verification and debugging functions. The network management application lets the network administrator perform various network configurations on the first SDN controller and view network status such as alarms and topology. The security application is used by the third-party organization operating the cloud server connected to the network, to provide users with security services and safeguards. The other applications are reserved for various processing tasks, such as software upgrades of the first SDN controller, enabling logging, memory leak detection and so on.

Step 12: sending the user request to a cloud server, and receiving a detection result returned by the cloud server after performing security detection on the user request.

Step 13: processing the detection result to produce a processing result, and sending the detection result and/or the processing result to the client.

In the embodiment of the present invention, the first SDN controller is connected to a cloud server, and the cloud server performs security detection on user requests, which can improve the cloud security of the first SDN controller. Because the application service layer and the data layer of the first SDN network each exchange data with the first SDN controller, the data exchanged with the application service layer and the data layer passes through the cloud server's security check of the first SDN controller, which avoids the security risks between the first SDN controller and the storage services. The cloud server can also assist the first SDN controller in processing user requests, reducing the burden on the SDN controller of monitoring data.

As shown in Fig. 2, in the method for SDN secure communication according to an embodiment of the present invention, the user request from the client includes a user access request from a cloud user and/or at least one first network authorization request from a user terminal with a terminal application, where the at least one first network authorization request includes the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.

The cloud user here is a user who accesses cloud security services, including individual users, enterprise users and the like.

In the embodiment of the present invention, the first SDN server not only exchanges information with the cloud server but also interacts with the application service layer. By using the cloud server to check the interaction information of the first SDN controller, the communication security of the interaction between the first SDN server and the application service layer is improved.

As shown in Figure 2, in the software-defined network (SDN) secure communication method of the embodiment of the present invention, when the user request from the user end is a user access request of a cloud user, step 12 includes:

Step 121: upon detecting that the cloud user's user access request is a user access request sent for the first time, send the user access request to the cloud server.

The cloud server here is provided by a third party, so that access checking can be outsourced or deployed separately, which makes it convenient to provide access security services specifically for cloud users. Cloud servers provide security for users in the form of a service, and a large number of cloud servers can be clustered together to form a system dedicated to cloud access security problems.

Step 122: receive the detection result returned by the cloud server after performing security detection on the user access request, where the detection result includes: the cloud server detects the security of the user access request and produces either a detection result of denying access to the first SDN controller or a detection result of accepting access to the first SDN controller.

It should be noted that the cloud server's security detection of the user access request covers at least: data integrity detection, unified user management and network attack detection. The data integrity detection covers the user name in the user request and the password corresponding to that user name; the unified user management includes storing the user name in the user request and the corresponding password; and the network attack detection includes monitoring Trojan horses or viruses that illegally intrude into the network. At least one of these security checks is implemented by the cloud server.

In the embodiment of the present invention, for a user access request sent for the first time, the first SDN controller can use the cloud server to judge the security of the user access request, thereby ensuring the security of the first SDN controller.

As shown in Figure 2, in the SDN secure communication method of the embodiment of the present invention, step 13 includes:

Step 131: process the detection result to produce a flow entry record.

The flow entry record here is obtained by adding at least one state attribute (such as State) and at least one next state (such as Next_State) to the basic flow table structure defined by the OpenFlow protocol, and by redefining the process of matching a packet against a flow entry record, so that matching depends not only on the information in the data frame header but also on the entry's own state. If matching fails, the data forwarding layer sends a PacketIn request message to the first SDN controller, where the PacketIn request message carries the data frame header information as well as the forwarding layer's own state information. In response, the first SDN controller sends a FlowMod message to the data forwarding layer and adds the corresponding record there; when matching succeeds, the state in the connection state table is assigned the next state of the corresponding record in the transition flow table.

Step 132: send the detection result and the flow entry record to the cloud user, where the flow entry record includes a state field corresponding to the user access request.

The purpose of the state field here is to keep the connection state tables of the terminal in the data forwarding layer and of the SDN controller updated in synchrony.

In the embodiment of the present invention, by generating a flow entry, a subsequent identical user request does not need to be verified again, and the cloud server can be used to assist the first SDN controller in processing user requests, which reduces the burden of monitoring data on the SDN controller and also improves the efficiency of cloud security detection.

As shown in Figure 3, after step 11 of the SDN secure communication method of the embodiment of the present invention, when the user request from the user end is a user access request of a cloud user, the SDN secure communication method further includes:

Step 14: detect that a flow entry record corresponding to the cloud user's user access request exists, and determine that the user access request is not a user access request sent for the first time.

Step 15: return a processing result to the cloud user for the cloud user's user access request, where the processing result includes: via the flow entry record, the cloud user's user access request has already been security-detected by the cloud server and a detection result of accepting access to the first SDN controller has been produced.

In the embodiment of the present invention, when it is judged that the cloud user's request is not a user request sent for the first time, the first SDN controller is accessed directly through the pre-established flow entry record, which shortens the verification process and improves access efficiency, while the detection performed by the cloud server improves the security of user access requests.
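The following simulation of steps 121-122, 131-132 and 14-15 is an added example and not code from the patent: a first-time cloud-user access request is forwarded to a cloud server for detection, the controller turns the result into an OpenFlow-style flow entry extended with State and Next_State fields, and a repeated request matches the cached entry without a second round trip. All class names, states, credentials and addresses are constructed for illustration; binding the entry to a credential digest is this example's own choice, not something the patent specifies.

```python
"""Stateful flow-entry cache in front of a cloud detection service
(added example, not code from the patent; names and data are constructed)."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class AccessRequest:
    """Cloud user's access request; the fields stand in for frame-header data."""
    username: str
    password: str
    src_ip: str


@dataclass(frozen=True)
class FlowEntry:
    """OpenFlow-style entry extended with the State / Next_State attributes."""
    match: tuple
    state: str
    next_state: str
    action: str  # "ACCEPT" or "DENY"


def _digest(secret: str) -> bytes:
    # Constructed stand-in; a real deployment stores a salted, slow KDF output.
    return hashlib.sha256(secret.encode()).digest()


class CloudServer:
    """Third-party cloud server performing the checks listed in the text."""

    def __init__(self, users: dict, blocked_ips: set):
        self._users = users          # unified user management (name -> digest)
        self._blocked = blocked_ips  # stand-in for network attack detection

    def detect(self, req: AccessRequest) -> str:
        if not req.username or not req.password:   # data integrity check
            return "DENY"
        if req.src_ip in self._blocked:            # attack-source check
            return "DENY"
        stored = self._users.get(req.username)
        if stored is None or not hmac.compare_digest(stored, _digest(req.password)):
            return "DENY"
        return "ACCEPT"


class FirstSdnController:
    def __init__(self, cloud: CloudServer):
        self.cloud = cloud
        self.flow_table = {}     # (match..., state) -> FlowEntry
        self.conn_state = {}     # connection state table: match -> state
        self.cloud_round_trips = 0

    @staticmethod
    def _match_key(req: AccessRequest) -> tuple:
        # The entry is bound to what was verified, so a request with other
        # credentials or from another address cannot ride on a cached ACCEPT.
        return (req.username, req.src_ip, _digest(req.password))

    def _install(self, key: tuple, action: str) -> None:
        # FlowMod: one record per state, so matching is state-dependent.
        for state, nxt in (("NEW", "ESTABLISHED"), ("ESTABLISHED", "ESTABLISHED")):
            self.flow_table[key + (state,)] = FlowEntry(key, state, nxt, action)

    def handle(self, req: AccessRequest) -> dict:
        key = self._match_key(req)
        state = self.conn_state.get(key, "NEW")
        entry = self.flow_table.get(key + (state,))
        if entry is not None:
            # Steps 14-15: header and state both match, no re-verification.
            self.conn_state[key] = entry.next_state
            return {"result": entry.action, "state": entry.next_state, "cached": True}
        # Miss: the forwarding layer raises PacketIn and the request goes to
        # the cloud server for a first-time check (steps 121-122).
        self.cloud_round_trips += 1
        result = self.cloud.detect(req)
        if result == "ACCEPT":
            # Step 131: the detection result becomes a flow entry record;
            # denied requests are not cached, so they are re-checked.
            self._install(key, result)
            self.conn_state[key] = "NEW"
        # Step 132: result plus state field returned to the cloud user.
        return {"result": result, "state": "NEW", "cached": False}


def run_demo() -> dict:
    """Constructed scenario: repeated valid request, wrong password, blocked IP."""
    cloud = CloudServer(users={"alice": _digest("s3cret")},
                        blocked_ips={"203.0.113.9"})
    ctl = FirstSdnController(cloud)
    good = AccessRequest("alice", "s3cret", "192.0.2.10")
    out = {
        "first": ctl.handle(good),
        "second": ctl.handle(good),
        "third": ctl.handle(good),
        "bad_password": ctl.handle(AccessRequest("alice", "wrong", "192.0.2.10")),
        "blocked_ip": ctl.handle(AccessRequest("alice", "s3cret", "203.0.113.9")),
    }
    out["cloud_round_trips"] = ctl.cloud_round_trips
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```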

As shown in Figure 4, in the SDN secure communication method of the embodiment of the present invention, when the user request from the user end is a first network authorization request of a user terminal having a terminal application, step 12 includes:

Step 123: send the first network authorization request to the cloud server.

Step 124: receive the detection result returned by the cloud server after performing security detection on the first network authorization request, where the detection result includes: whether a second network authorization request whose user name, password and domain name are all the same as those of the first network authorization request exists in the first SDN controller.

In the embodiment of the present invention, the first network authorization request is sent to the first SDN controller, and the cloud server can assist the first SDN controller in detecting the security of the first network authorization request; since the cloud server stores data related to network authorization requests, it can judge from the stored data whether the first network authorization request already exists, which reduces the burden on the first SDN controller and improves the security of the first SDN controller's data interaction.

As shown in Figure 4, in the SDN secure communication method of the embodiment of the present invention, step 13 includes:

Step 133: when the detection result is that the first SDN controller has no second network authorization request whose user name, password and domain name are all the same as those of the first network authorization request, generate, according to the first network authorization request, a first token code uniquely corresponding to the first network authorization request.

Step 134: verify the user name, the password and the domain name in the first network authorization request, and when verification passes, generate an authorization target object carrying the first network authorization request and the first token code, and send the authorization target object to the user terminal.

Here, the specific steps of verifying the user name, the password and the domain name in the first network authorization request are: first, verify whether the user name, the password and the domain name in the first network authorization request are complete; then, once the user name, the password and the domain name in the first network authorization request are complete, judge whether the password in the first network authorization request is correct; finally, when the password in the first network authorization request is correct, the first network authorization request passes verification. This improves the accuracy with which the first network authorization request is applied.

When step 134 here sends the authorization target object to the user terminal, it also sends the authorization target object to the cloud server for storage. This helps the cloud server later judge whether a first network authorization request is a user request sent for the first time, so as to reduce repeated authorization of the same network authorization request.

In the embodiment of the present invention, a uniquely corresponding first token code is generated for a first network authorization request sent for the first time and fed back to the user terminal in the authorization target object, so that token authorization is achieved and a new access token code is issued only for a new network authorization request, avoiding repeated issuance of access token codes.

As shown in Figure 5, in the SDN secure communication method of the embodiment of the present invention, step 13 includes:

Step 135: when the detection result is that the first SDN controller has a second network authorization request whose user name, password and domain name are all the same as those of the first network authorization request, obtain the second token code uniquely corresponding to the second network authorization request, generate an authorization target object carrying the first network authorization request and the second token code, and send the authorization target object to the user terminal.

The "first" and "second" in the first network authorization request and the second network authorization request here do not limit the order of network authorization requests, but serve to distinguish the currently sent "first network authorization request" from the previously stored "second network authorization request". The relationship between them covers two cases: the content of the "first network authorization request" differs from that of the previously stored "second network authorization request", or the content of the "first network authorization request" is the same as that of the previously stored "second network authorization request".

When step 135 here sends the authorization target object to the user terminal, it also sends the authorization target object to the cloud server for storage. This helps the cloud server later judge whether a first network authorization request is a user request sent for the first time, so as to reduce repeated authorization of the same user. Storing the authorization target object in the cloud server makes it convenient for the SDN controller, when it later receives a new network authorization request, to use the cloud server to detect whether that network authorization request already exists.

In the embodiment of the present invention, by judging that a second network authorization request identical to the first network authorization request already exists, the first SDN controller does not need to generate a new token code; it only needs to use the already stored token code of the identical second network authorization request together with the current first network authorization request to generate the authorization target object. Thus multiple refreshes of the same first network authorization request produce only one authorization target object, avoiding the situation in which refreshing the same first network authorization request many times produces many authorization target objects, which improves both the efficiency and the accuracy of generating authorization target objects.

As shown in Figure 6, in the SDN secure communication method of the embodiment of the present invention, when the user request from the user end consists of multiple first network authorization requests of a user terminal having a terminal application, step 12 includes:

Step 125: assign a priority corresponding to each first network authorization request.

Each first network authorization request here refers to a different request of the same user. Specifically, step 1310 assigns the priority corresponding to each first network authorization request according to the request type of the application request in each first network authorization request.

Step 126: send the first network authorization requests to the cloud server according to the priority.

Step 127: receive, according to the priority, the detection results returned by the cloud server after performing security detection on the first network authorization requests.

In the embodiment of the present invention, by assigning priorities to multiple first network authorization requests and handling them in priority order, conflicts are avoided; not only can all of the first network authorization requests be processed, but each first network authorization request can also be treated differently according to its priority, which improves processing efficiency.

In the SDN secure communication method of the embodiment of the present invention, before step 13, the SDN secure communication method further includes: converting, through a predetermined interface, the data format of the detection result so that it matches the data format of the first SDN controller. In this way the first SDN controller can use the predetermined interface to interpret the cloud server's data accurately and process it accordingly.

The predetermined interface is an API (Application Programming Interface). It includes, but is not limited to, the following three functions for converting the data format delivered by the cloud service layer into the same format as the control layer: 1. Management of network behavior, which is mainly responsible for the network behavior produced by the cloud server on the first SDN controller, converting it into the form of flow entries. According to whether the user request is permitted or denied, it issues an instruction on whether to forward data, thereby ensuring the access security of cloud users. It can also collect information related to the physical addresses of the cloud servers and translate the service name requested by the user into the corresponding physical address, completing service-name-based resource discovery in the network. 2. Route selection, which ensures that user access requests pass through the cloud server and selects the optimal path for the user according to the topology information and link loss of the whole network. 3. Flow table delivery, which ensures that the flow tables produced by the first SDN controller are delivered to the OpenFlow switches to achieve data flow scheduling, and so on.

The API interface is the data conversion interface between the cloud service layer and the controller, and is mainly responsible for the interaction between the cloud service layer and the controller. The API interface may be the interface from the cloud server to the controller; other functional policies may be stored in advance in the first SDN controller and delivered by the first SDN controller to the OpenFlow switches when needed.

In the embodiment of the present invention, the data format of the API interface enables data interaction between the cloud server and the first SDN controller, and the API interface can control the access routes of cloud users so as to provide the service of accessing the cloud server.

In the SDN secure communication method of the embodiment of the present invention, before step 11, the SDN secure communication method further includes:

Step 16: establish a connection between the first SDN controller and at least one second SDN controller, where the at least one second SDN controller is in a different domain from the first SDN controller.

Step 17: obtain a user request from a user end in the domain of at least one of the second SDN controllers.

In the embodiment of the present invention, by first establishing a connection between the first SDN controller and at least one second SDN controller and then obtaining a user request from a user end in the domain of at least one of the second SDN controllers, token authorization of user ends across multiple domains is achieved, so that token authorization and security detection can be performed for user ends in different domains.

Second embodiment

As shown in Figure 7, the overall flow of token authorization in the embodiment of the present invention is as follows.

Step 701: the user terminal sends a first user authorization request; the first SDN controller receives the first user authorization request and adds it to a prioritized application request queue.

Step 702: the first SDN controller verifies the received first user authorization request of the user terminal.

Step 703: judge whether the path of the first network authorization request terminates at an address, and return the address that the path of the first network authorization request is allowed to access (the address includes but is not limited to an IP address). Judge whether this IP address is legal: if the IP address is empty or similar, judge that the path of the first network authorization request is an IP address that is allowed to be accessed and execute step 704; if the IP address is not empty or similar, judge that the path of the first network authorization request is not an IP address that is allowed to be accessed and execute step 705. The specific method for judging whether the path of the first network authorization request terminates is to examine the access method carried in the sent first network authorization request, such as a URL (Uniform Resource Locator) or an RPC (Remote Procedure Call Protocol) address; the result is carried in the returned authorization target object message.

Step 704: the first SDN controller releases the token authorization and sends a message to the terminal user that token authorization has failed.

Step 705: the first SDN controller creates a token authorization, creating and assigning a token code uniquely corresponding to the terminal user of the first network authorization request.

Step 706: the first SDN controller applies for registration and authentication of the first network authorization request.

Step 707: the first SDN controller verifies the user name, the password corresponding to the user name and the domain name in the first network authorization request; if the user name, password and domain name in the first network authorization request are incomplete or incorrect, execute step 704; if the user name, password and domain name in the first network authorization request are complete, execute step 708.

Step 708: judge whether the password is correct; if the password is correct, execute step 409.

Step 709: judge whether the token authorization type is the password authorization mode; if it is not the password authorization mode, execute step 713.

Step 710: if it is the password authorization mode, take the user name and password out of the first network authorization request and generate a password authorization object from the user name, password and token code.

Step 711: take the domain name out of the first network authorization request.

Step 712: generate the authorization target object from the password authorization object and the domain name; the authorization target object is provided by the authorizer after verifying the required user name, password and domain name.

Step 713: judge whether the token authorization type is the refresh token authorization mode; if so, execute step 714. Here the refresh token prevents the requester from sending the same request two or more times within a preset time period (the time difference between client and server allowed by the server).

Step 714: obtain the second network authorization request that has the same refresh token authorization mode as the first network authorization request.

Step 715: generate the authorization target object from the user name, password and domain name of the second network authorization request.

Step 716: the first SDN controller returns a response carrying the authorization target object.

In the embodiment of the present invention, token authorization is used to authenticate and authorize the first network authorization request of the accessing terminal user; the identity behind the first network authorization request is verified at the first SDN controller, and the authorization target object can subsequently be used to request an access token from the first SDN controller.
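The token authorization of steps 133-135 and the priority handling of steps 125-127, together with the cloud-side storage of step 84, as an added example that is not the patent's own code. It shows the controller verifying completeness and then password correctness, asking the cloud store whether an identical (user name, password, domain name) request was already authorized, reusing that token code instead of minting a second one, and draining a priority queue of several requests from the same user. All names, the priority mapping and the credentials are constructed; the password-grant versus refresh-token branching of Figure 7 is not modeled.

```python
"""Token authorization with cloud-side deduplication of identical requests
(added example, not code from the patent; all names and data are constructed)."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import heapq
import hmac
import itertools
import secrets


@dataclass(frozen=True)
class NetworkAuthRequest:
    """First network authorization request: user name, password, domain name."""
    username: str
    password: str
    domain: str
    request_type: str   # only used for priority assignment (step 125)


@dataclass(frozen=True)
class AuthorizationTarget:
    """Authorization target object: the request plus its token code."""
    request: NetworkAuthRequest
    token_code: str


def request_fingerprint(req: NetworkAuthRequest) -> str:
    # Identity of a request is the (username, password, domain) triple; it is
    # hashed so the cloud store never holds the plaintext password (assumption).
    data = "\0".join((req.username, req.password, req.domain)).encode()
    return hashlib.sha256(data).hexdigest()


class CloudStore:
    """Cloud-server side: stores targets (step 84) and answers the
    'does a second identical request exist' check (steps 124 / 82)."""

    def __init__(self):
        self._targets = {}   # fingerprint -> AuthorizationTarget

    def find_second_request(self, req: NetworkAuthRequest) -> Optional[AuthorizationTarget]:
        return self._targets.get(request_fingerprint(req))

    def store(self, target: AuthorizationTarget) -> None:
        self._targets[request_fingerprint(target.request)] = target


class FirstSdnController:
    PRIORITY = {"control": 0, "data": 1, "bulk": 2}   # constructed mapping

    def __init__(self, cloud: CloudStore, user_db: dict):
        self.cloud = cloud
        self.user_db = user_db          # username -> sha256(password), constructed
        self._seq = itertools.count()   # tie-breaker keeps the queue stable
        self.tokens_issued = 0

    def _verify(self, req: NetworkAuthRequest) -> bool:
        # Completeness first (steps 134 / 707), then password correctness (708).
        if not (req.username and req.password and req.domain):
            return False
        expected = self.user_db.get(req.username)
        given = hashlib.sha256(req.password.encode()).digest()
        return expected is not None and hmac.compare_digest(expected, given)

    def authorize(self, req: NetworkAuthRequest) -> Optional[AuthorizationTarget]:
        if not self._verify(req):
            return None                                   # step 704: fail
        existing = self.cloud.find_second_request(req)    # steps 123-124
        if existing is not None:
            token = existing.token_code                   # step 135: reuse
        else:
            token = secrets.token_urlsafe(24)             # step 133: fresh
            self.tokens_issued += 1
        target = AuthorizationTarget(req, token)
        self.cloud.store(target)                          # steps 134/135, 84
        return target

    def authorize_many(self, reqs) -> list:
        # Steps 125-127: priority by request type, processed in that order.
        heap = []
        for req in reqs:
            prio = self.PRIORITY.get(req.request_type, len(self.PRIORITY))
            heapq.heappush(heap, (prio, next(self._seq), req))
        results = []
        while heap:
            _, _, req = heapq.heappop(heap)
            results.append((req.request_type, self.authorize(req)))
        return results


def run_demo() -> dict:
    """Constructed scenario: a refreshed request, a different domain, a bad password."""
    ctl = FirstSdnController(CloudStore(), {"bob": hashlib.sha256(b"hunter2").digest()})
    first = ctl.authorize(NetworkAuthRequest("bob", "hunter2", "example.test", "data"))
    refresh = ctl.authorize(NetworkAuthRequest("bob", "hunter2", "example.test", "data"))
    other = ctl.authorize(NetworkAuthRequest("bob", "hunter2", "other.test", "data"))
    wrong = ctl.authorize(NetworkAuthRequest("bob", "nope", "example.test", "data"))
    order = [kind for kind, _ in ctl.authorize_many([
        NetworkAuthRequest("bob", "hunter2", "example.test", "bulk"),
        NetworkAuthRequest("bob", "hunter2", "example.test", "control"),
        NetworkAuthRequest("bob", "hunter2", "example.test", "data"),
    ])]
    return {"same_token_on_refresh": first.token_code == refresh.token_code,
            "new_token_for_other_domain": first.token_code != other.token_code,
            "wrong_password_rejected": wrong is None,
            "tokens_issued": ctl.tokens_issued,
            "processing_order": order}


if __name__ == "__main__":
    print(run_demo())
```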

Third embodiment

As shown in Figure 8, the SDN secure communication method of the embodiment of the present invention, applied to a cloud server, includes:

Step 81: receive a user request forwarded from the first SDN controller, where the user request was sent by a user end to the first SDN controller.

Here the user end includes cloud users and terminal users, so data security detection for multiple kinds of terminal can be implemented.

Step 82: perform security detection on the user request and produce a detection result.

Step 83: send the detection result to the first SDN controller, which processes the detection result, produces a processing result and sends the detection result and/or the processing result to the user end.

In the embodiment of the present invention, the cloud server provides the access security function to the first SDN controller and provides security for the user end in the form of a service, forming a service dedicated to access security problems, which improves the security of the first SDN controller's cloud service.

In the SDN secure communication method of the embodiment of the present invention, step 81 includes: receiving a user access request sent by a cloud user and forwarded from the first SDN controller.

In the embodiment of the present invention, the cloud server receives the user access request forwarded by the first SDN controller and performs security detection on it, which improves the security of the user access request's access to the first SDN controller.

In the SDN secure communication method of the embodiment of the present invention, step 82 includes: for the user access request, detecting the security of the user access request and producing a result of denying access to the first SDN controller or of accepting access to the first SDN controller.

In the embodiment of the present invention, after security detection of the user access request, the cloud server feeds back whether the user access request may access the first SDN controller, completing the feedback of the security detection processing of the user access request.

In the SDN secure communication method of the embodiment of the present invention, step 81 includes: receiving at least one first network authorization request sent by a user terminal having a terminal application and forwarded from the first SDN controller, where the first network authorization request includes the user name of the user terminal, the password corresponding to the user name and the domain name in which the user terminal is located.

In the embodiment of the present invention, since the cloud server stores the authorization target objects related to network authorization requests, using the cloud server to receive and judge the first network authorization request can reduce the load on the first SDN controller.

In the SDN secure communication method of the embodiment of the present invention, step 82 includes: detecting whether the first SDN controller has a second network authorization request whose user name, password and domain name are all the same as those of the first network authorization request, and producing a detection result that the second network authorization request exists in the first SDN controller or a detection result that the second network authorization request does not exist in the first SDN controller.

In the embodiment of the present invention, if the first network authorization request is not a network authorization request sent for the first time, the cloud server will have stored a second network authorization request identical to the first network authorization request, and the first SDN controller can directly use the stored token code of the second network authorization request to perform token authorization for the first network authorization request without generating a new token code, which shortens the first SDN controller's token authorization flow and reduces the load on the first SDN controller.

The SDN secure communication method of the embodiment of the present invention further includes:

Step 84: receive and store the authorization target object sent by the first SDN controller, where the authorization target object includes the first network authorization request and either of the first token code and the second token code produced by the first SDN controller.

In the embodiment of the present invention, the cloud server stores the authorization target object related to the first network authorization request, which facilitates a direct authentication decision on a subsequently refreshed or resent first network authorization request, reducing the load on the first SDN controller and also improving the security of data interaction.

The SDN secure communication method of the embodiment of the present invention further includes:

Step 85: detect network attack information directed at the first SDN controller, and prohibit opening and delete the network attack information, where the network attack information carries behavior information of stealing information and forwarding it over the network.

The above behavior information is information that is forwarded many times or that requests copying of network content. This achieves shielding of the first SDN controller from network attack information.

In the embodiment of the present invention, the cloud server provides security for the first SDN controller in the form of a network attack information service; multiple cloud servers can be clustered together to form a system dedicated to access security problems. Cloud servers are also highly scalable and can make up for the shortcomings of traditional networks in poor defensive capability, slow response and small system scale, meeting a variety of security needs.

Fourth embodiment

As shown in FIG. 9, the device for secure SDN communication of the embodiment of the present invention is applied to the first SDN controller, and the device for secure SDN communication includes:

a first acquiring module 91, configured to acquire a user request from a user end;

a transceiver module 92, configured to send the user request to the cloud server and to receive the detection result returned by the cloud server after it performs security detection on the user request;

a first processing module 93, configured to process the detection result, generate a processing result, and send the detection result and/or the processing result to the user end.

In the embodiment of the present invention, the first SDN controller is connected to the cloud server, and the cloud server performs security detection on user requests, which improves the cloud security of the first SDN controller. Because the application service layer and the data layer of the first SDN network each exchange data with the first SDN controller, the data exchanged with the application service layer and the data layer passes through the first SDN controller, which is checked by the cloud server; this avoids security risks between the first SDN controller and the stored services. The cloud server can also assist the first SDN controller in processing user requests, which reduces the burden of data monitoring on the SDN controller.

It should be noted that the device provided by the present invention is a device that applies the above method for secure SDN communication; therefore all embodiments of the above method for secure SDN communication are applicable to the device and achieve the same or similar beneficial effects.

In the device for secure SDN communication of a further embodiment of the present invention, the user request from the user end includes a user access request of a cloud user and/or at least one first network authorization request of a user terminal running a terminal application, where the at least one first network authorization request includes the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.

In the device for secure SDN communication of a further embodiment of the present invention, when the user request from the user end is a user access request of a cloud user, the transceiver module 92 includes:

a detecting unit, configured to forward the user access request to the cloud server when it detects that the user access request of the cloud user is a user access request sent for the first time;

a receiving unit, configured to receive the detection result returned by the cloud server after it performs security detection on the user access request, where the detection result includes: the cloud server checks the security of the user access request and produces either a detection result denying access to the first SDN controller or a detection result accepting access to the first SDN controller.

In the device for secure SDN communication of a further embodiment of the present invention, the first processing module 93 includes:

a generating unit, configured to process the detection result and generate a flow entry record;

a first sending unit, configured to send the detection result and the flow entry record to the cloud user, where the flow entry record includes a status field corresponding to the user access request.

The device for secure SDN communication of a further embodiment of the present invention further includes:

a detection module, configured to determine that the user access request is not a user access request sent for the first time when it detects that a flow entry record corresponding to the user access request of the cloud user already exists;

a feedback module, configured to return a processing result to the cloud user in response to the user access request of the cloud user, where the processing result includes: recording, by means of the flow entry record, that the user access request of the cloud user has already been checked for security by the cloud server, and producing a detection result accepting access to the first SDN controller.

In the device for secure SDN communication of a further embodiment of the present invention, when the user request from the user end is a single first network authorization request of a user terminal running a terminal application, the transceiver module 92 includes:

a sending sub-module, configured to send the first network authorization request to the cloud server;

a receiving sub-module, configured to receive the detection result returned by the cloud server after it performs security detection on the first network authorization request, where the detection result includes whether a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request exists on the first SDN controller.

In the device for secure SDN communication of a further embodiment of the present invention, the first processing module 93 includes:

a generating unit, configured to generate, from the first network authorization request, a first token code uniquely corresponding to the first network authorization request when the detection result is that no second network authorization request with the same user name, password and domain name as the first network authorization request exists on the first SDN controller;

a first processing unit, configured to verify the user name, the password and the domain name in the first network authorization request and, when verification passes, generate an authorization target object carrying the first network authorization request and the first token code and send the authorization target object to the user terminal.

In the device for secure SDN communication of a further embodiment of the present invention, the first processing module 93 includes a second processing unit, configured to, when the detection result is that a second network authorization request with the same user name, password and domain name as the first network authorization request exists on the first SDN controller, obtain the second token code uniquely corresponding to the second network authorization request, generate an authorization target object carrying the first network authorization request and the second token code, and send the authorization target object to the user terminal.

In the device for secure SDN communication of a further embodiment of the present invention, when the user request from the user end consists of multiple first network authorization requests of a user terminal running a terminal application, the transceiver module 92 includes:

an allocation unit, configured to assign a priority to each first network authorization request;

a second sending unit, configured to send the first network authorization requests to the cloud server in order of the priority;

a transceiver unit, configured to receive, in order of the priority, the detection results returned by the cloud server after it performs security detection on the first network authorization requests.
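The token logic of the first and second processing units above (mint a new token code when no identical earlier request exists, reuse the earlier request's token code when one does, verify the credentials before issuing, and process a batch of requests in priority order) can be written out as follows. This is an added illustration, not code from the patent or from any ZTE product; the class and function names (`AuthRequest`, `TokenAuthorizer`, `authorize_batch`) and the use of a keyed hash of the (domain, user name, password) triple as the lookup key for "identical earlier request" are assumptions made here, so that the table of issued tokens never holds plaintext passwords.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    """A first network authorization request: user name, password, domain name."""
    username: str
    password: str
    domain: str
    priority: int = 0   # assumed convention: lower value is served first


@dataclass
class AuthorizationTarget:
    """The authorization target object: the request plus the token code it carries."""
    request: AuthRequest
    token: str
    reused: bool   # True when the token code of an identical earlier request was reused


class TokenAuthorizer:
    """Hypothetical controller-side implementation of the generating/processing units."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._creds: Dict[Tuple[str, str], Tuple[bytes, bytes]] = {}  # (domain, user) -> (salt, hash)
        self._issued: Dict[str, str] = {}   # keyed hash of the request triple -> token code
        self.stored: List[AuthorizationTarget] = []   # objects the cloud server keeps (step 84)

    def register(self, domain: str, username: str, password: str) -> None:
        """Enrol a user; only a salted PBKDF2 hash of the password is kept."""
        salt = secrets.token_bytes(16)
        self._creds[(domain, username)] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _request_key(self, req: AuthRequest) -> str:
        # Assumption: the "second request with the same user name, password and domain"
        # lookup is keyed by an HMAC of the triple rather than by the plaintext triple.
        msg = "\x00".join((req.domain, req.username, req.password)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _verify(self, req: AuthRequest) -> bool:
        entry = self._creds.get((req.domain, req.username))
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, self._hash(req.password, salt))

    def authorize(self, req: AuthRequest) -> Optional[AuthorizationTarget]:
        key = self._request_key(req)
        if key in self._issued:
            # Second processing unit: an identical earlier request exists, reuse its token code.
            target = AuthorizationTarget(req, self._issued[key], reused=True)
        else:
            # Generating unit + first processing unit: verify, then mint a unique first token code.
            if not self._verify(req):
                return None   # verification failed: no authorization target object is issued
            token = secrets.token_urlsafe(32)
            self._issued[key] = token
            target = AuthorizationTarget(req, token, reused=False)
        self.stored.append(target)   # the cloud server stores the object for later re-checks
        return target

    def authorize_batch(self, reqs: List[AuthRequest]) -> List[Optional[AuthorizationTarget]]:
        """Multiple first requests: send and answer them in priority order (stable for ties)."""
        ordered = sorted(reqs, key=lambda r: r.priority)
        return [self.authorize(r) for r in ordered]
```

Because a lookup entry is only created after verification has passed, reusing the earlier token code cannot grant access to a request whose credentials were never checked; the keyed hash also means a dump of the issued-token table does not reveal which passwords were used.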

The device for secure SDN communication of a further embodiment of the present invention further includes:

a conversion module, configured to convert, through a predetermined interface, the data format of the detection result so that it matches the data format of the first SDN controller.

The device for secure SDN communication of a further embodiment of the present invention further includes:

an establishing module, configured to establish a connection between the first SDN controller and at least one second SDN controller, where the at least one second SDN controller is in a different domain from the first SDN controller;

an acquiring module, configured to acquire a user request from a user end in the domain of at least one of the second SDN controllers.

In the embodiment of the present invention, establishing connections between end users in different domains makes token authorization possible across domains. FIG. 10 shows a specific cross-domain structure: for example, end-user application App2 is the authorized party and end-user application App3 is the resource party. If App2 wants to access the resources of App3, it must obtain an access token from the token service (Token) of the first SDN controller 1001. One way is for App2 to obtain the authorization target object directly from App3 and use the authorization target object to obtain the access token from the token service. The other way is for App3 to redirect App2's network authorization request to the token service; after App3 has been authenticated by the token service of the second SDN controller 1002, App3 issues an authorization target object to App2, and App2 uses the authorization target object to obtain the access token code from the token service.

As shown in FIG. 11, the practical flow of packet processing between the first SDN controller and the data forwarding layer in the embodiment of the present invention is as follows.

Step 31: the header information extraction module of the data forwarding layer extracts the key header information from the data frame header of the packet, and processes and stores the key header information;

Step 32: the data forwarding layer compares and matches the key header information against the state table 21; if the state table 21 has no record for this item, a corresponding record is added and its state is set to DEFAULT;

Step 33: the match result is sent together with the state information and compared and matched against the transformation flow table 22. If the transformation flow table 22 has no corresponding record, the data forwarding layer sends a PacketIn message to the first SDN controller 23; the first SDN controller 23 then matches against the connection state table 21 and issues a FlowMod to the data forwarding layer;

Step 34: the transformation flow table 22 is updated according to the instruction of the first SDN controller 23 and the corresponding data forwarding operation is performed at the same time;

Step 35: the information about the next state in the transformation flow table 22 is written back to the state table 21;

Step 36: the data forwarding layer sends a DATA_STATE_IN message to the first SDN controller 23 to update the state table 21 held in the first SDN controller 23.
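The six steps above describe one pass through a stateful switch pipeline: header key extraction, state table lookup with a DEFAULT state, transformation flow table lookup, PacketIn/FlowMod on a miss, write-back of the next state, and DATA_STATE_IN to resynchronise the controller's copy. The simulation below, written for this page and not taken from the patent or any product, runs that pass over constructed packets; the header key fields, the `allowed` rule set, the state names `ESTABLISHED` and `BLOCKED`, and the class names are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEFAULT = "DEFAULT"
# Assumed "key header information": (src_ip, dst_ip, proto, dst_port)
HeaderKey = Tuple[str, str, str, int]


def extract_header_key(frame: dict) -> HeaderKey:
    """Step 31: pull the key fields out of a (constructed) packet header."""
    return (frame["src"], frame["dst"], frame["proto"], frame["dport"])


@dataclass
class Controller:
    """The first SDN controller 23: connection state table plus a constructed rule set."""
    allowed: Set[HeaderKey]                       # header keys the controller permits
    state_table: Dict[HeaderKey, str] = field(default_factory=dict)
    packet_ins: List[HeaderKey] = field(default_factory=list)

    def packet_in(self, key: HeaderKey, state: str) -> Tuple[str, str]:
        """Step 33: handle PacketIn; answer with a FlowMod as (action, next_state)."""
        self.packet_ins.append(key)
        self.state_table.setdefault(key, state)
        if key in self.allowed:
            return ("forward", "ESTABLISHED")
        return ("drop", "BLOCKED")

    def data_state_in(self, key: HeaderKey, state: str) -> None:
        """Step 36: DATA_STATE_IN updates the controller's copy of the state table."""
        self.state_table[key] = state


@dataclass
class ForwardingLayer:
    """The data forwarding layer with state table 21 and transformation flow table 22."""
    controller: Controller
    state_table: Dict[HeaderKey, str] = field(default_factory=dict)
    flow_table: Dict[HeaderKey, Tuple[str, str]] = field(default_factory=dict)

    def handle(self, frame: dict) -> str:
        key = extract_header_key(frame)                      # step 31
        state = self.state_table.setdefault(key, DEFAULT)    # step 32: add record as DEFAULT
        entry = self.flow_table.get(key)                     # step 33: flow table lookup
        if entry is None:
            entry = self.controller.packet_in(key, state)    # miss: PacketIn, receive FlowMod
            self.flow_table[key] = entry                     # step 34: update flow table
        action, next_state = entry                           # step 34: forwarding action
        self.state_table[key] = next_state                   # step 35: write back next state
        self.controller.data_state_in(key, next_state)       # step 36: DATA_STATE_IN
        return action
```

The test below checks the property the pipeline is meant to give: the second packet of a flow is handled entirely in the switch (no second PacketIn), and after every pass the controller's and the switch's state tables agree.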

Fifth embodiment

As shown in FIG. 12, the device for secure SDN communication of the embodiment of the present invention is applied to a cloud server and includes:

a receiving module 1201, configured to receive a user request forwarded by the first SDN controller, where the user request is sent by the user end to the first SDN controller;

a generating module 1202, configured to perform security detection on the user request and generate a detection result;

a second processing module 1203, configured to send the detection result to the first SDN controller, so that the first SDN controller processes the detection result, generates a processing result, and sends the detection result and/or the processing result to the user end.

In the embodiment of the present invention, the cloud server provides the access security function for the first SDN controller and provides security protection to the user end in the form of a service, forming a service dedicated to access security issues, which improves the security of the cloud service of the first SDN controller.

It should be noted that the device provided by the present invention is a device that applies the above method for secure SDN communication; therefore all embodiments of the above method for secure SDN communication are applicable to the device and achieve the same or similar beneficial effects.

In the device for secure SDN communication of a further embodiment of the present invention, the receiving module 1201 is configured to receive the user access request sent by a cloud user and forwarded by the first SDN controller.

In the device for secure SDN communication of a further embodiment of the present invention, the generating module 1202 is configured to:

for the user access request, check the security of the user access request and produce a detection result denying access to the first SDN controller or accepting access to the first SDN controller.

In the device for secure SDN communication of a further embodiment of the present invention, the receiving module 1201 is configured to receive at least one first network authorization request sent by a user terminal running a terminal application and forwarded by the first SDN controller, where the first network authorization request includes the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.

In the device for secure SDN communication of a further embodiment of the present invention, the generating module 1202 is configured to detect whether a second network authorization request with the same user name, password and domain name as the first network authorization request exists on the first SDN controller, and to produce a detection result that the second network authorization request exists on the first SDN controller or that it does not.

The device for secure SDN communication of a further embodiment of the present invention further includes:

a receiving and storing module, configured to receive and store the authorization target object sent by the first SDN controller, where the authorization target object includes the first network authorization request and either of the first token code and the second token code generated by the first SDN controller.

The device for secure SDN communication of a further embodiment of the present invention further includes:

a detection control module, configured to detect network attack information directed at the first SDN controller, and to prohibit opening the network attack information and delete it, where the network attack information carries behavior information of stealing information and of forwarding across the network.

As shown in FIG. 13, the practical application flow of the cloud server in the embodiment of the present invention is as follows.

First, the cloud server needs to cooperate with a cloud service provider. The cloud service provider has big-data computing capability: through cluster applications, grid technology, distributed file systems and similar functions, it brings together a large number of storage devices of different types in the network via application software so that they work together as one system providing data storage, processing and service access functions. Second, the security service cloud (equivalent to the cloud server described above) places the access cloud server of the cloud computing system outside the cloud service provider, where it is provided by a third party; this allows access handling to be outsourced and provides access security as a service specifically for cloud users. The description here uses one cloud service provider and one security service cloud; in practice multiple cloud service providers and security service clouds may be deployed, which is not illustrated further.

Step 1101: when the user access request of a cloud user (an individual user 451 or an enterprise user 452) requires a security service, the OpenFlow switch 43 dispatches the user access request to the security service cloud 41 for execution according to the service type of the request (the service type includes at least data integrity checking, unified user management and network attack detection).

Step 1102: the cloud service provider 44 stores and processes the user data of the user access request and provides the storage and processing result to the first SDN controller 42.

Step 1103: the security service cloud 41 processes the user access request, decides whether the user's data is forwarded or blocked and whether the user's access is accepted or denied, and notifies the first SDN controller 42 of the decision through the API interface 421.

Step 1104: the first SDN controller 42 generates the corresponding flow entry and issues it to the OpenFlow switch 43 (the OpenFlow switch 43 is one application entity of the data forwarding layer and serves here only as an example), and the OpenFlow switch 43 performs the operation. When the same user access request arrives later, the OpenFlow switch 43 can act according to the flow entry in its service history, and the user access request no longer needs to pass through the security service cloud 41. For services customized by cloud users, the corresponding flow entries can be configured directly on the first SDN controller to perform the specified function, and the first SDN controller 42 sends the responses of the OpenFlow switch 43, the cloud users and the end users 46 to the security service cloud 41.
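Steps 1101 to 1104, and the detecting unit, generating unit, detection module and feedback module of the fourth embodiment, describe the same control loop from two sides: a first-time access request is dispatched by service type to the security service cloud, its accept/deny verdict is turned into a flow entry record with a status field, and a repeated request is answered from that record without contacting the cloud again. The model below is an added example serving both passages; it is not code from the patent or any ZTE product. The three service-type checks inside `SecurityServiceCloud` (known-user list, blocked-source list, SHA-256 digest comparison), the class names and the composition of the flow key are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class ServiceType(Enum):
    DATA_INTEGRITY = "data integrity detection"
    USER_MANAGEMENT = "unified user management"
    ATTACK_DETECTION = "network attack detection"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class AccessRequest:
    """A cloud user's access request as seen by the OpenFlow switch (constructed shape)."""
    user: str
    src_ip: str
    service: ServiceType
    payload: bytes = b""
    digest: str = ""   # sender-supplied SHA-256 of payload, checked by the integrity service


@dataclass
class FlowEntryRecord:
    status: str            # the status field: "ACCEPT" or "DENY"
    checked_by_cloud: bool


@dataclass
class ProcessingResult:
    status: str
    first_time: bool       # False when answered from the flow entry record


class SecurityServiceCloud:
    """Constructed stand-in for security service cloud 41 (step 1103)."""

    def __init__(self, known_users: Iterable[str], blocked_sources: Iterable[str]) -> None:
        self.known_users = set(known_users)
        self.blocked_sources = set(blocked_sources)
        self.calls = 0   # how often the cloud was actually consulted

    def check(self, req: AccessRequest) -> str:
        self.calls += 1
        if req.service is ServiceType.USER_MANAGEMENT:
            ok = req.user in self.known_users
        elif req.service is ServiceType.ATTACK_DETECTION:
            ok = req.src_ip not in self.blocked_sources
        else:   # DATA_INTEGRITY: recompute the digest rather than trusting the claimed one
            ok = sha256_hex(req.payload) == req.digest
        return "ACCEPT" if ok else "DENY"


class OpenFlowSwitch:
    """Data forwarding entity holding the flow entries issued by the controller."""

    def __init__(self) -> None:
        self.flow_entries: Dict[Tuple, FlowEntryRecord] = {}

    def install(self, key: Tuple, record: FlowEntryRecord) -> None:
        self.flow_entries[key] = record

    def lookup(self, key: Tuple) -> Optional[FlowEntryRecord]:
        return self.flow_entries.get(key)


class Controller:
    """First SDN controller 42: consults the cloud once, then serves from the flow entry."""

    def __init__(self, cloud: SecurityServiceCloud, switch: OpenFlowSwitch) -> None:
        self.cloud = cloud
        self.switch = switch

    @staticmethod
    def flow_key(req: AccessRequest) -> Tuple:
        # The key must cover every field the cloud's verdict depended on; for the integrity
        # service that includes the actual payload, so a changed payload is re-checked.
        return (req.user, req.src_ip, req.service, sha256_hex(req.payload))

    def handle(self, req: AccessRequest) -> ProcessingResult:
        key = self.flow_key(req)
        record = self.switch.lookup(key)
        if record is not None:
            # Detection module / feedback module: not a first-time request, answer from record.
            return ProcessingResult(record.status, first_time=False)
        status = self.cloud.check(req)                        # steps 1101 and 1103
        self.switch.install(key, FlowEntryRecord(status, checked_by_cloud=True))   # step 1104
        return ProcessingResult(status, first_time=True)
```

The flow key is the part worth attention when reusing verdicts: if it omitted the payload digest, an accepted integrity check would be replayed for any later content from the same user and source, which is exactly the class of bypass a cached-decision design invites.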

As shown in FIG. 14 and FIG. 15, the practical application of the first SDN controller and the cloud server in the embodiment of the present invention is as follows.

It should be noted that in a specific implementation the SDN network has five layers: an application service layer 51 (equivalent to the end users described above), an interface supervision layer 52 (whose application entity may be a terminal display), a control layer 53 (equivalent to the first SDN controller described above), a data forwarding layer 54 (whose application entity may be a switch), and a cloud service layer 55 (equivalent to the cloud server described above).

The application service layer 51 sends network authorization requests to the control layer 53. The control layer 53 analyses its own state according to the various request types from the application service layer 51, sets the priority of the network authorization requests, verifies the digital signature carried by the request from the application, verifies the network authorization request, and sends an access authorization token to the application service layer 51.

The interface supervision layer 52 displays token authorization information in the network, the token authorization process, conflict analysis and decision results, and information such as network topology, alarms and links.

The control layer 53 receives the various user requests from the application service layer 51, sets a corresponding priority according to the application type, issues an authorization code or a stop-authorization code to each user request through the token authorization module (equivalent to the first processing unit and/or second processing unit described above), and sets the priority of each user request through a priority analysis algorithm; it communicates with the data forwarding layer 54 through FlowMod and PacketIn messages. The control layer 53 issues controller-to-switch messages (the data of the data forwarding layer 54 must also pass through the control layer 53) to control the operation of the OpenFlow switch, including the communication handshake, switch flow table configuration, switch state modification, data queue configuration, reading of switch state and packet sending, thereby providing security guarantees.

The specific content of each layer is as follows:

Specifically, the applications of the application service layer 51 can be divided into four types by origin and function: command line applications 511, network management applications 512, security applications 513 and other applications 514, where:

Command line applications 511 are accessed by controller administrators; through the (non-open-source) command line reserved by the controller they configure and query the controller and perform verification and debugging functions.

Network management applications 512 allow a network administrator to perform various network configurations on the controller and to view network status such as alarms and topology.

Security applications 513 refer to the third-party security service cloud connected to the network, which provides security services and protection for users.

Other applications 514 refer to various reserved processing applications, such as controller software upgrade, enabling logging and memory leak detection.

Specifically, the interface supervision layer 52 includes two modules, a user interface 521 and an interface processing module 522, where:

The user interface 521 obtains data from the interface processing module 522, converts the data into a graphical interface, provides a configuration window for network administrators, and sends configuration to the interface processing module 522 over the REST (Representational State Transfer) or HTTP (HyperText Transfer Protocol) protocol.

The interface processing module 522 receives information from the feedback module 531, sends the response result to the user interface 521 over REST or HTTP, caches the instructions from the user interface 521, and sends them to the feedback module 531.

Specifically, the control layer 53 includes a feedback module 531, a token authorization module 532, an authentication and authorization module 533, a priority analysis module 534, a flow table management module 535, a command issuing and connection state table synchronization module 536, a storage module 537 and an API interface module 538 (equivalent to the conversion module described above), where:

The feedback module 531 (equivalent to the feedback module described above) feeds authentication and authorization information and priority analysis and decision information back to network administrators.

The token authorization module 532 (equivalent to the first processing unit and/or second processing unit described above) requests an access token from the authorization server on the basis of the network authorization request sent by the Token service of the application service layer 51, and sends the access token to the authentication and authorization module 533.

The authentication and authorization module 533 (equivalent to the transceiver module) receives the authorization request of the application service layer 51 and the token code from the token authorization module, sets the access priority level of each application, and issues authorization and token codes to each application requesting access.

The priority analysis module 534 (equivalent to the transceiver module) analyses the importance of each user request and determines whether it conflicts with flow rules already held in the flow table management module 535; if there is a conflict, it mitigates the conflict according to the analysis algorithm, accepts or rejects the flow rule requested by the user, and updates the flow table management module 535. The priority analysis module 534 also defines the connection state table of the SDN controller and keeps it synchronized with the connection state table in the SDN switch of the data forwarding module; when a PacketIn message sent by the OpenFlow switch is received, the module compares the header information and state information with the connection state table or the firewall rule set, assigns the corresponding state, and at the same time issues the transformation flow table to the OpenFlow switch.
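The conflict check the priority analysis module 534 performs before accepting a requested flow rule is the part of the control layer most worth seeing concretely: two rules conflict when some packet can match both and their actions differ, and the module must decide whether the new rule is accepted, rejected, or accepted while overriding a lower-priority rule. The following is an added example written for this page, not code from the patent or any ZTE product; the match fields, the "higher priority wins, ties and higher-priority existing rules block the request" policy standing in for the unspecified analysis algorithm, and the default-drop lookup are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# A match is a mapping field -> value; a missing field or a None value is a wildcard.
Match = Dict[str, Optional[str]]
FIELDS = ("src", "dst", "proto", "dport")


@dataclass
class FlowRule:
    name: str
    match: Match
    action: str     # "allow" or "drop"
    priority: int   # higher value wins, as in OpenFlow


@dataclass
class Decision:
    accepted: bool
    reason: str
    conflicting: List[str]   # names of existing rules that overlap with a different action


def overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True if some packet satisfies both matches: each field is wildcard on a side or equal."""
    for f in FIELDS:
        x, y = a.match.get(f), b.match.get(f)
        if x is not None and y is not None and x != y:
            return False
    return True


def conflicts(a: FlowRule, b: FlowRule) -> bool:
    return a.action != b.action and overlaps(a, b)


class FlowTableManager:
    """Hypothetical flow table management module 535 fronted by the conflict analysis."""

    def __init__(self) -> None:
        self.rules: List[FlowRule] = []   # kept sorted by descending priority

    def request(self, rule: FlowRule) -> Decision:
        """Priority analysis: accept, reject, or accept-and-override the requested rule."""
        clashes = [r for r in self.rules if conflicts(rule, r)]
        blocking = [r.name for r in clashes if r.priority >= rule.priority]
        if blocking:
            # Assumed policy: a request may not contradict an equal- or higher-priority rule.
            return Decision(False, "conflicts with rule(s) of equal or higher priority", blocking)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)
        overridden = [r.name for r in clashes]
        reason = "accepted" if not overridden else "accepted; overrides lower-priority rule(s) where they overlap"
        return Decision(True, reason, overridden)

    def lookup(self, pkt: Dict[str, str]) -> str:
        """The action the installed table applies to a packet; default drop is an assumption."""
        for r in self.rules:
            if all(v is None or pkt.get(f) == v for f, v in r.match.items()):
                return r.action
        return "drop"
```

Reporting the overridden rules in the `Decision` is what lets the interface supervision layer show "conflict analysis and decision results" rather than silently installing a rule that punches a hole through a firewall entry.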

流表管理模块535(相当于第一处理模块),用于保存网络中正在运行的所有流表信息。流表管理模块535一方面是用户请求的流规则,为优先级分析模块534提供服务;另一方面是为命令下发及连接状态表同步模块提供流规则,以便向交换机进行下发OpenFlow消息。The flow table management module 535 (equivalent to the first processing module) is configured to save all flow table information running in the network. On the one hand, the flow table management module 535 is the flow rule requested by the user, which provides services for the priority analysis module 534; on the other hand, it provides the flow rule for the command issuing and connection state table synchronization module, so as to send OpenFlow messages to the switch.

The command issuing and connection state table synchronization module 536 (corresponding to the first processing module) establishes a connection state table on the first SDN controller side and keeps it synchronized with the state table in the OpenFlow switch. When a PacketIn message is received from an OpenFlow switch, the module compares the packet header information and state information from the OpenFlow switch against the connection state table or the firewall rule set, assigns the corresponding state, and at the same time issues the transition flow table to the OpenFlow switch.

The storage module 537 (corresponding to the first processing module) stores the data of each module, persists user authentication data, stores topology resources, and so on, so that data can be recovered after a power failure.

The AIP module 538 (corresponding to the AIP interface) provides the interface to the controller on one side and the interface to the cloud service module on the other. It handles the interaction between the cloud service module and the SDN controller and ensures that the network management policies of the cloud server are issued to the OpenFlow switches, which execute and enforce them.

Specifically, the data forwarding layer 54 includes a switch information extraction module 541, a state table module 542, a flow table module 543, a data detection module 544 and a data queue module 545, wherein:

The data forwarding layer 54 uses TLS (Transport Layer Security) to authenticate and encrypt the traffic between the network device side and the first SDN controller; TLS helps the controller and the network devices verify each other and prevents eavesdropping on and forgery of southbound communication. An OpenFlow switch sends PacketIn messages to the first SDN controller, which the first SDN controller uses to refresh its view of network behaviour and to record switch state changes. An SDN firewall is deployed in the first SDN controller and the OpenFlow switches; adding new messages and the related state fields to the OpenFlow protocol is what makes this firewall deployment possible.

The switch information extraction module 541 extracts the key information from the packet header of a data frame, where the key information includes the packet's source address, source port, destination address, destination port, sequence number, acknowledgement number and TCP (Transmission Control Protocol) flag bits;

The state table module 542 establishes a connection state table in the data forwarding layer and at the same time synchronizes updates of the connection state table to the first SDN controller; updates of this module's connection state table are driven by instructions from the transition flow table, such as a SET_STATE instruction;

The flow table module 543 establishes a transition flow table in the data forwarding layer according to instructions issued by the first SDN controller, and is responsible for the state transition process and for packet forwarding operations.

The data queue module 544 sets up the data queues for outgoing messages and stores the queue information, such as Hello messages, response requests and reply requests.

The data detection module 545 determines which connection setup counter a packet arriving at the data forwarding layer belongs to, and checks the legitimacy of the connection state.

The connection state table keeps the two modules synchronized by sending messages to the SDN controller and to the data forwarding layer 54 respectively: whenever the state table of the first SDN controller or of the data forwarding layer 54 switch is updated, a message is sent to the other side instructing it to apply the same update, and the update status is returned.
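The switch-side connection state table described by modules 541 to 545 and the synchronization above, as an added illustration that is not code from the patent: packets are keyed by the extracted header fields, checked for legitimacy against the connection's current state, and every transition is recorded as a SET_STATE update queued for the controller. The state names, the packet record and the update message format are assumptions.

```python
"""Connection state table shared by the switch and the controller.

Added illustration, not code from the patent. The switch keys each packet
by the header fields the extraction module pulls out, checks it against the
connection's current state, drops packets that are not legitimate for that
state, and queues every transition as a SET_STATE update for the controller.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SYN_SENT, ESTABLISHED, CLOSING = "SYN_SENT", "ESTABLISHED", "CLOSING"
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    """Key fields extracted from the header (assumed record layout)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    flags: FrozenSet[str]   # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})


def conn_key(p: Packet) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent key so both halves of a flow share one entry."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)


class ConnectionStateTable:
    def __init__(self, open_ports: FrozenSet[int]) -> None:
        self.open_ports = open_ports          # firewall rule set: ports a client may open
        self.entries: Dict[tuple, dict] = {}  # key -> {"state", "initiator", "isn"}
        self.updates: List[dict] = []         # SET_STATE messages queued for the controller

    def _set_state(self, key, state: Optional[str], **info) -> None:
        """Apply a transition locally and queue the same update for the controller."""
        if state is None:
            self.entries.pop(key, None)
        else:
            self.entries[key] = {"state": state, **info}
        self.updates.append({"msg": "SET_STATE", "key": key, "state": state})

    def check(self, p: Packet) -> str:
        """Decide 'forward' or 'drop' for p and update the table."""
        key = conn_key(p)
        entry = self.entries.get(key)
        sender = (p.src_ip, p.src_port)
        if entry is None:
            # Only a bare SYN to a permitted port may create an entry; a stray
            # ACK, RST or data segment with no known connection is dropped.
            if p.flags == {"SYN"} and p.dst_port in self.open_ports:
                self._set_state(key, SYN_SENT, initiator=sender, isn=p.seq)
                return "forward"
            return "drop"
        if "RST" in p.flags:
            self._set_state(key, None)        # abort: entry removed on both sides
            return "forward"
        state = entry["state"]
        if state == SYN_SENT:
            if p.flags == {"SYN"} and sender == entry["initiator"]:
                return "forward"              # retransmitted SYN
            # the responder's SYN/ACK must acknowledge the initiator's ISN + 1
            if (p.flags == {"SYN", "ACK"} and sender != entry["initiator"]
                    and p.ack == entry["isn"] + 1):
                self._set_state(key, ESTABLISHED, initiator=entry["initiator"], isn=entry["isn"])
                return "forward"
            return "drop"
        if state == ESTABLISHED and "FIN" in p.flags:
            self._set_state(key, CLOSING, initiator=entry["initiator"], isn=entry["isn"])
        elif state == CLOSING and "FIN" in p.flags:
            self._set_state(key, None)        # second FIN: teardown complete
        return "forward"                      # data, ACKs and the FIN exchange pass


def demo() -> Tuple[List[str], int]:
    """Constructed traffic: one valid handshake, then packets the table rejects."""
    t = ConnectionStateTable(open_ports=frozenset({80, 443}))
    c, s = ("10.0.0.5", 40000), ("10.0.1.20", 80)

    def pkt(src, dst, seq, ack, *flags) -> Packet:
        return Packet(*src, *dst, seq, ack, frozenset(flags))

    decisions = [
        t.check(pkt(c, s, 1000, 0, "SYN")),                             # forward, SYN_SENT
        t.check(pkt(s, c, 5000, 1001, "SYN", "ACK")),                   # forward, ESTABLISHED
        t.check(pkt(c, s, 1001, 5001, "ACK")),                          # forward
        t.check(pkt(("10.9.9.9", 1234), s, 7, 8, "ACK")),               # drop: no entry
        t.check(pkt(c, ("10.0.1.20", 23), 1, 0, "SYN")),                # drop: port not open
        t.check(pkt(("10.0.0.6", 41000), s, 2000, 0, "SYN")),           # forward, SYN_SENT
        t.check(pkt(s, ("10.0.0.6", 41000), 9000, 2999, "SYN", "ACK")), # drop: wrong ack
    ]
    return decisions, len(t.updates)
```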

In the embodiments of the present invention, the OpenFlow protocol is extended with a state field so that the flow table is executed according to state, the connection state table can be updated, and a firewall can be deployed at the data forwarding layer. Security authentication for the first SDN controller can also be implemented: on the northbound side the system provides users with access security services and protects users by means of token authorization; it supports clustered controllers and large numbers of network devices as well as cloud security services applied to many network devices, and feeds the network status back to users in real time. The first SDN controller generates the corresponding flow entries and issues them to the OpenFlow switches for execution, thereby allocating data flows, and the feedback from the OpenFlow switches is sent to the first SDN controller or to network administrators for decision-making.

The above is a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the principles described herein, and such improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (20)

1. A software-defined network (SDN) secure communication method, applied to a first SDN controller, characterized in that the method comprises: obtaining a user request from a user end; sending the user request to a cloud server, and receiving a detection result returned by the cloud server after performing security detection on the user request; processing the detection result to produce a processing result, and sending the detection result and/or the processing result to the user end.

2. The SDN secure communication method of claim 1, characterized in that the user request from the user end comprises: a user access request from a cloud user and/or at least one first network authorization request from a user terminal having a terminal application, wherein the at least one first network authorization request comprises: a user name of the user terminal, a password corresponding to the user name, and the domain name in which the user terminal is located.

3. The SDN secure communication method of claim 2, characterized in that, when the user request from the user end is a user access request from a cloud user, sending the user request to the cloud server and receiving the detection result returned by the cloud server after performing security detection on the user request comprises: when detecting that the user access request of the cloud user is a user access request sent for the first time, forwarding the user access request to the cloud server; receiving the detection result returned by the cloud server after performing security detection on the user access request, wherein the detection result comprises: a detection result produced by the cloud server after checking the security of the user access request, which either denies access to the first SDN controller or accepts access to the first SDN controller.

4. The SDN secure communication method of claim 3, characterized in that processing the detection result to produce a processing result and sending the detection result and/or the processing result to the user end comprises: processing the detection result to produce a flow entry record; sending the detection result and the flow entry record to the cloud user, wherein the flow entry record comprises: a state field corresponding to the user access request.

5. The SDN secure communication method of claim 2, characterized in that, after obtaining the user request from the user end, when the user request from the user end is a user access request from a cloud user, the method further comprises: detecting that a flow entry record corresponding to the user access request of the cloud user exists, and determining that the user access request is not a user access request sent for the first time; returning a processing result to the cloud user for the user access request, wherein the processing result comprises: the flow entry record indicating that the user access request of the cloud user has already been checked as secure by the cloud server and that a detection result accepting access to the first SDN controller was produced.

6. The SDN secure communication method of claim 2, characterized in that, when the user request from the user end is one first network authorization request from a user terminal having a terminal application, sending the user request to the cloud server and receiving the detection result returned by the cloud server after performing security detection on the user request comprises: sending the first network authorization request to the cloud server; receiving the detection result returned by the cloud server after performing security detection on the first network authorization request, wherein the detection result comprises: whether a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request exists on the first SDN controller.

7. The SDN secure communication method of claim 6, characterized in that processing the detection result to produce a processing result and sending the detection result and/or the processing result to the user end comprises: when the detection result is that no second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request exists on the first SDN controller, generating, according to the first network authorization request, a first token code uniquely corresponding to the first network authorization request; verifying the user name, the password and the domain name in the first network authorization request, and, when verification passes, generating an authorization target object carrying the first network authorization request and the first token code and sending the authorization target object to the user terminal.

8. The SDN secure communication method of claim 6, characterized in that processing the detection result to produce a processing result and sending the detection result and/or the processing result to the user end comprises: when the detection result is that a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request exists on the first SDN controller, obtaining the second token code uniquely corresponding to the second network authorization request, generating an authorization target object carrying the first network authorization request and the second token code, and sending the authorization target object to the user terminal.

9. The SDN secure communication method of claim 2, characterized in that, when the user request from the user end is a plurality of first network authorization requests from a user terminal having a terminal application, sending the user request to the cloud server and receiving the detection result returned by the cloud server after performing security detection on the user request comprises: assigning a priority corresponding to each first network authorization request; sending the first network authorization requests to the cloud server according to the priorities; receiving, according to the priorities, the detection results returned by the cloud server after performing security detection on the first network authorization requests.

10. The SDN secure communication method of any one of claims 1 to 9, characterized in that, before processing the detection result to produce a processing result and sending the detection result and/or the processing result to the user end, the method further comprises: converting the data format of the detection result through a predetermined interface so that it matches the data format of the first SDN controller.

11. The SDN secure communication method of any one of claims 1 to 9, characterized in that, before obtaining the user request from the user end, the method further comprises: establishing a connection between the first SDN controller and at least one second SDN controller, wherein the at least one second SDN controller is in a different domain from the first SDN controller; obtaining a user request from a user end located in the domain of at least one of the second SDN controllers.

12. A software-defined network (SDN) secure communication method, applied to a cloud server, characterized in that the method comprises: receiving a user request forwarded by a first SDN controller, wherein the user request is sent by a user end to the first SDN controller; performing security detection on the user request to produce a detection result; sending the detection result to the first SDN controller, whereupon the first SDN controller processes the detection result to produce a processing result and sends the detection result and/or the processing result to the user end.

13. The SDN secure communication method of claim 12, characterized in that receiving the user request forwarded by the first SDN controller comprises: receiving a user access request sent by a cloud user and forwarded by the first SDN controller.

14. The SDN secure communication method of claim 13, characterized in that performing security detection on the user request to produce a detection result comprises: for the user access request, checking the security of the user access request and producing a result that denies access to the first SDN controller or accepts access to the first SDN controller.

15. The SDN secure communication method of claim 13, characterized in that receiving the user request forwarded by the first SDN controller comprises: receiving at least one first network authorization request sent by a user terminal having a terminal application and forwarded by the first SDN controller, wherein the first network authorization request comprises: the user name of the user terminal, the password corresponding to the user name, and the domain name in which the user terminal is located.

16. The SDN secure communication method of claim 15, characterized in that performing security detection on the user request to produce a detection result comprises: detecting whether a second network authorization request whose user name, password and domain name are all identical to those of the first network authorization request exists on the first SDN controller, and producing a detection result that the second network authorization request exists on the first SDN controller or a detection result that it does not.

17. The SDN secure communication method of claim 16, characterized in that the method further comprises: receiving and storing an authorization target object sent by the first SDN controller, wherein the authorization target object comprises: the first network authorization request, and either of the first token code and the second token code generated by the first SDN controller.

18. The SDN secure communication method of any one of claims 12 to 16, characterized in that the method further comprises: detecting network attack information directed at the first SDN controller, and prohibiting the opening of, and deleting, the network attack information, wherein the network attack information carries behaviour information about stealing information and forwarding it over the network.

19. A software-defined network (SDN) secure communication apparatus, applied to a first SDN controller, characterized in that the apparatus comprises: a first obtaining module, configured to obtain a user request from a user end; a transceiver module, configured to send the user request to a cloud server and to receive a detection result returned by the cloud server after performing security detection on the user request; a first processing module, configured to process the detection result, produce a processing result, and send the detection result and/or the processing result to the user end.

20. A software-defined network (SDN) secure communication apparatus, applied to a cloud server, characterized in that the apparatus comprises: a receiving module, configured to receive a user request forwarded by a first SDN controller, wherein the user request is sent by a user end to the first SDN controller; a generating module, configured to perform security detection on the user request and produce a detection result; a second processing module, configured to send the detection result to the first SDN controller, whereupon the first SDN controller processes the detection result, produces a processing result, and sends the detection result and/or the processing result to the user end.
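The token issuance of claims 6 to 8 (and of the authentication and authorization module 533 above), as an added illustration that is not code from the patent: an identical already-authorized request reuses its existing token; otherwise the credentials are verified and a token unique to the request is generated. Comparing passwords as salted hashes rather than in clear is an addition here, and the credential store, token length and object layout are assumptions.

```python
"""Token authorization for first network authorization requests.

Added illustration, not code from the patent. The controller first checks
whether an identical, already-authorized request (same user name, password
and domain) exists, the check the claims assign to the cloud server. If so,
the existing token is reused (claim 8); otherwise the credentials are
verified and a token unique to this request is issued (claim 7).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    """First network authorization request from a user terminal."""
    username: str
    password: str
    domain: str


class TokenAuthorizer:
    def __init__(self, credentials: Dict[Tuple[str, str], str]) -> None:
        self._creds = credentials                # (username, domain) -> password hash
        self._tokens: Dict[Tuple[str, str, str], str] = {}  # (user, pw hash, domain) -> token

    @staticmethod
    def pw_hash(password: str, username: str, domain: str) -> str:
        """Salted PBKDF2 digest (an addition here); user name and domain form the salt."""
        salt = f"{username}@{domain}".encode()
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

    def authorize(self, req: AuthRequest) -> Optional[dict]:
        """Return the authorization target object, or None if verification fails."""
        key = (req.username, self.pw_hash(req.password, req.username, req.domain), req.domain)
        existing = self._tokens.get(key)
        if existing is not None:
            # claim 8: an identical second request already holds a token; reuse it
            return {"request": req, "token": existing}
        # claim 7: no identical request, so mint a token unique to this one
        token = secrets.token_hex(16)
        stored = self._creds.get((req.username, req.domain))
        if stored is None or not hmac.compare_digest(stored, key[1]):
            return None                          # verification failed: no object is issued
        self._tokens[key] = token
        return {"request": req, "token": token}


if __name__ == "__main__":
    # constructed credential store for one user
    store = {("alice", "corp.example"): TokenAuthorizer.pw_hash("s3cret", "alice", "corp.example")}
    auth = TokenAuthorizer(store)
    first = auth.authorize(AuthRequest("alice", "s3cret", "corp.example"))
    again = auth.authorize(AuthRequest("alice", "s3cret", "corp.example"))
    print(first["token"] == again["token"])     # True: same request, same token
```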
CN201610139226.9A 2016-03-11 2016-03-11 A method and device for software-defined network SDN secure communication Active CN107181720B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610139226.9A CN107181720B (en) 2016-03-11 2016-03-11 A method and device for software-defined network SDN secure communication
PCT/CN2017/074331 WO2017152754A1 (en) 2016-03-11 2017-02-22 Method and apparatus for secure communication of software defined network (sdn)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610139226.9A CN107181720B (en) 2016-03-11 2016-03-11 A method and device for software-defined network SDN secure communication

Publications (2)

Publication Number Publication Date
CN107181720A true CN107181720A (en) 2017-09-19
CN107181720B CN107181720B (en) 2021-06-15

Family

ID=59789977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610139226.9A Active CN107181720B (en) 2016-03-11 2016-03-11 A method and device for software-defined network SDN secure communication

Country Status (2)

Country Link
CN (1) CN107181720B (en)
WO (1) WO2017152754A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108512699A (en) * 2018-03-15 2018-09-07 中国联合网络通信集团有限公司 Block chain service server data exception detection method, equipment and block catenary system
CN108768932A (en) * 2018-04-09 2018-11-06 中国电信股份有限公司上海分公司 A kind of secure connection method of lightweight SDN switch and controller
CN108810001A (en) * 2018-06-20 2018-11-13 郑州云海信息技术有限公司 A kind of security service control system and method based on SDN
CN108881059A (en) * 2018-05-29 2018-11-23 新华三技术有限公司 Controller role determines method, the network switching equipment, controller and network system
CN109561054A (en) * 2017-09-26 2019-04-02 华为技术有限公司 A kind of data transmission method, controller and access device
CN109743598A (en) * 2018-12-29 2019-05-10 深圳Tcl新技术有限公司 Third party is authorized to access method, system and the readable storage medium storing program for executing of TV
CN110932814A (en) * 2019-12-05 2020-03-27 北京邮电大学 Software-defined network timing security protection method, device and system
CN111049886A (en) * 2019-11-29 2020-04-21 紫光云(南京)数字技术有限公司 Multi-region SDN controller data synchronization method, server and system
CN112217902A (en) * 2020-10-22 2021-01-12 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN112637154A (en) * 2020-12-09 2021-04-09 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN114143065A (en) * 2021-11-26 2022-03-04 杭州安恒信息安全技术有限公司 A security event processing method, device, equipment and medium
CN114338400A (en) * 2021-12-31 2022-04-12 中国电信股份有限公司 SDN dynamic control method and device

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113315704B (en) * 2021-05-20 2023-01-10 中国联合网络通信集团有限公司 Message forwarding method, SDN controller, switch and system
US20230164021A1 (en) * 2021-11-22 2023-05-25 Google Llc Sharded SDN Control Plane With Authorization
US11722570B1 (en) * 2022-05-13 2023-08-08 Microsoft Technology Licensing, Llc Sharing SDN policy state information between SDN appliances
CN114978942B (en) * 2022-05-13 2024-05-24 深信服科技股份有限公司 Router detection method and device, electronic equipment and storage medium
CN115514644B (en) * 2022-11-15 2023-03-10 阿里云计算有限公司 Entry consistency checking method, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051557A (en) * 2012-12-27 2013-04-17 华为技术有限公司 Data stream processing method and system, controller and switching equipment
CN103607379A (en) * 2013-11-04 2014-02-26 中兴通讯股份有限公司 Software definition network safety enforcement method, system and controller thereof
CN104104561A (en) * 2014-08-11 2014-10-15 武汉大学 SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol
CN104113839A (en) * 2014-07-14 2014-10-22 蓝盾信息安全技术有限公司 Mobile data safety protection system and method based on SDN
CN104363203A (en) * 2014-10-16 2015-02-18 贵州中科博智科技有限公司 SDN-based secure cloud access method
CN104767696A (en) * 2014-01-07 2015-07-08 上海贝尔股份有限公司 Method and device for controlling user access in SDN-based access network
US20150304281A1 (en) * 2014-03-14 2015-10-22 Avni Networks Inc. Method and apparatus for application and l4-l7 protocol aware dynamic network access control, threat management and optimizations in sdn based networks
CN104219218B (en) * 2013-06-04 2018-05-08 新华三技术有限公司 A kind of method and device of active safety defence

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105227344B (en) * 2015-08-21 2019-03-22 烽火通信科技股份有限公司 Software defined network simulation system and method based on OpenStack

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051557A (en) * 2012-12-27 2013-04-17 华为技术有限公司 Data stream processing method and system, controller and switching equipment
CN104219218B (en) * 2013-06-04 2018-05-08 新华三技术有限公司 A kind of method and device of active safety defence
CN103607379A (en) * 2013-11-04 2014-02-26 中兴通讯股份有限公司 Software definition network safety enforcement method, system and controller thereof
CN104767696A (en) * 2014-01-07 2015-07-08 上海贝尔股份有限公司 Method and device for controlling user access in SDN-based access network
US20150304281A1 (en) * 2014-03-14 2015-10-22 Avni Networks Inc. Method and apparatus for application and l4-l7 protocol aware dynamic network access control, threat management and optimizations in sdn based networks
CN104113839A (en) * 2014-07-14 2014-10-22 蓝盾信息安全技术有限公司 Mobile data safety protection system and method based on SDN
CN104104561A (en) * 2014-08-11 2014-10-15 武汉大学 SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol
CN104363203A (en) * 2014-10-16 2015-02-18 贵州中科博智科技有限公司 SDN-based secure cloud access method

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109561054A (en) * 2017-09-26 2019-04-02 华为技术有限公司 A kind of data transmission method, controller and access device
CN109561054B (en) * 2017-09-26 2020-12-01 华为技术有限公司 A data transmission method, controller and access device
CN108512699B (en) * 2018-03-15 2020-08-14 中国联合网络通信集团有限公司 Block chain service server data anomaly detection method and equipment and block chain system
CN108512699A (en) * 2018-03-15 2018-09-07 中国联合网络通信集团有限公司 Block chain service server data exception detection method, equipment and block catenary system
CN108768932A (en) * 2018-04-09 2018-11-06 中国电信股份有限公司上海分公司 A kind of secure connection method of lightweight SDN switch and controller
CN108881059B (en) * 2018-05-29 2022-05-24 新华三技术有限公司 Controller role determination method, network switching equipment, controller and network system
CN108881059A (en) * 2018-05-29 2018-11-23 新华三技术有限公司 Controller role determines method, the network switching equipment, controller and network system
CN108810001A (en) * 2018-06-20 2018-11-13 郑州云海信息技术有限公司 A kind of security service control system and method based on SDN
CN109743598A (en) * 2018-12-29 2019-05-10 深圳Tcl新技术有限公司 Third party is authorized to access method, system and the readable storage medium storing program for executing of TV
CN111049886A (en) * 2019-11-29 2020-04-21 紫光云(南京)数字技术有限公司 Multi-region SDN controller data synchronization method, server and system
CN111049886B (en) * 2019-11-29 2023-07-07 紫光云(南京)数字技术有限公司 Multi-region SDN controller data synchronization method, server and system
CN110932814A (en) * 2019-12-05 2020-03-27 北京邮电大学 Software-defined network timing security protection method, device and system
CN112217902A (en) * 2020-10-22 2021-01-12 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN112217902B (en) * 2020-10-22 2022-03-22 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN112637154A (en) * 2020-12-09 2021-04-09 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN112637154B (en) * 2020-12-09 2022-06-21 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN114143065A (en) * 2021-11-26 2022-03-04 杭州安恒信息安全技术有限公司 A security event processing method, device, equipment and medium
CN114338400A (en) * 2021-12-31 2022-04-12 中国电信股份有限公司 SDN dynamic control method and device
CN114338400B (en) * 2021-12-31 2024-05-14 中国电信股份有限公司 SDN network dynamic control method and device

Also Published As

Publication number | Publication date
WO2017152754A1 (en) 2017-09-14
CN107181720B (en) 2021-06-15

Similar Documents

Publication | Publication Date | Title
CN107181720B (en) A method and device for software-defined network SDN secure communication
CN112422532B (en) Service communication method, system and device and electronic equipment
US10706427B2 (en) Authenticating and enforcing compliance of devices using external services
US11489872B2 (en) Identity-based segmentation of applications and containers in a dynamic environment
US10263855B2 (en) Authenticating connections and program identity in a messaging system
US8887296B2 (en) Method and system for object-based multi-level security in a service oriented architecture
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
CN103404103A (en) System and method for combining an access control system with a traffic management system
WO2014094151A1 (en) System and method for monitoring data in a client environment
US10218704B2 (en) Resource access control using named capabilities
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN114666341A (en) Decentralized SDP controller implementation method and computer storage medium
CN113472820A (en) Cloud resource security isolation control method and system based on zero trust model
EP1981242B1 (en) Method and system for securing a commercial grid network
Krol et al. Open security issues for edge named function environments
CN115913583A (en) Service data access method, device and equipment, and computer storage medium
ELHejazi et al. Improving the Security and Reliability of SDN Controller REST APIs Using JSON Web Token (JWT) with OpenID and OAuth 2.0
CN116260656B (en) Main body trusted authentication method and system in zero trust network based on blockchain
CN116074125B (en) End-to-end password middle station zero trust security gateway system
CN119544328A (en) Content distribution network access control method, device, node, medium and product
HK40061824A (en) Method, system and apparatus for remotely accessing application, and device and storage medium
Anwar et al. A Model-Driven Approach for Access Control in Internet of Things (IoT) Applications
CN119071003A (en) Data message processing method, device, system and medium

Legal Events

Date | Code | Title | Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant