CN111181856A - System and method for realizing virtual router service chain based on segment routing - Google Patents


Info

Publication number: CN111181856A
Authority: CN (China)
Prior art keywords: flow, virtual router, service chain, steps, firewall
Legal status: Granted (Active)
Application number: CN201911413356.7A
Other languages: Chinese (zh)
Other versions: CN111181856B (en)
Inventors: 关洪涛, 刘冉, 谭中华, 谭航
Current assignee: Jiangsu Future Networks Innovation Institute
Original assignee: Jiangsu Future Networks Innovation Institute
Priority date / filing date: 2019-12-31
Publication date: 2020-05-19 (CN111181856A); granted 2022-07-19 (CN111181856B)

Classifications

    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L45/586 Association of virtual routers
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention relates to the technical field of service orchestration, in particular to a system and a method for realizing a virtual router service chain based on segment routing. The method comprises a flow in which data traffic passes through a firewall and an intrusion detection system, a data forwarding flow, and a flow in which data traffic does not pass through the firewall. In the system and method for realizing the virtual router Service Chain based on segment routing, implementing the Service Chain function inside the virtual router network lets the network functions provided by middleboxes in virtual router networking be changed quickly and flexibly along with the service. The invention can be applied to the field of service orchestration in network networking and has wide application prospects.

Description

System and method for realizing virtual router service chain based on segment routing
Technical Field
The invention relates to the technical field of service orchestration, in particular to a system and a method for realizing a virtual router service chain based on segment routing.
Background
A middlebox, such as an IPS, a firewall or a similar device, may exist in virtual router networking and is used to implement functions such as intrusion prevention and network security. In a traditional network, steering traffic into such devices requires complex configuration such as tunnels, IP addresses and routing, so network functions cannot be changed quickly and flexibly along with services.
Disclosure of Invention
The present invention provides a system and method for implementing a virtual router service chain based on segment routing, so as to solve the problems in the background art.
In order to achieve the above object, the present invention provides a system and method for implementing a virtual router service chain based on segment routing, wherein the method comprises a flow in which data traffic passes through a firewall and an intrusion detection system, a data forwarding flow, and a flow in which data traffic does not pass through the firewall:
the flow in which data traffic passes through the firewall and the intrusion detection system comprises the following steps: the SDN controller sends a Segment Routing path to and from VR1, and the Service Chain function of the virtual router is realized by setting an SR-MPLS label stack path;
the data forwarding flow comprises the following steps: each network element traversed removes one label from the top of the label stack, until the label stack is empty;
the flow in which data traffic does not pass through the firewall comprises the following steps: the SDN controller issues a new path to VR1, and no configuration modifications are required on the other nodes in the network.
Preferably, the SDN controller is responsible for SR label allocation and path delivery within an SR domain.
Preferably, the service flow of the SDN controller comprises the following steps:
step 101, the process starts;
step 102, constructing an SR forwarding plane in the VRs;
step 103, allocating node and adjacency labels for all VRs in the SR domain;
step 104, configuring a Service Chain path for a specific user flow;
step 105, the process ends.
Preferably, the system for implementing a virtual router service chain based on segment routing includes a processor, a memory, and a computer program stored in the memory and running on the processor, and the processor implements the steps of the method as described in any one of the above when executing the computer program.
Compared with the prior art, the invention has the following beneficial effects: in the system and method for realizing the virtual router Service Chain based on segment routing, implementing the Service Chain function inside the virtual router network lets the network functions provided by middleboxes in virtual router networking be changed quickly and flexibly along with the service. The invention can be applied to the field of service orchestration in network networking and has wide application prospects.
Drawings
FIG. 1 is a diagram of a label stack message format of the present invention;
FIG. 2 is a diagram of a virtual router Service Chain according to the present invention;
FIG. 3 is a flow chart of the SDN controller service of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-3, the present invention provides a technical solution:
the invention provides a system and a method for realizing a virtual router service chain based on segment routing, wherein the method comprises a flow in which data traffic passes through a firewall and an intrusion detection system, a data forwarding flow, and a flow in which data traffic does not pass through the firewall:
the flow in which data traffic passes through the firewall and the intrusion detection system comprises the following steps: the SDN controller sends a Segment Routing path to and from VR1, and the Service Chain function of the virtual router is realized by setting an SR-MPLS label stack path;
the data forwarding flow comprises the following steps: each network element traversed removes one label from the top of the label stack, until the label stack is empty;
the flow in which data traffic does not pass through the firewall comprises the following steps: the SDN controller issues a new path to VR1, and no configuration modifications are required on the other nodes in the network.
In this embodiment, Segment Routing (SR) is a source routing protocol: a Segment list is added to the packet to specify its path, and intermediate nodes forward the packet according to that path. SR may use the multiprotocol label switching (MPLS) forwarding plane, as shown in FIG. 1, where the packet path is represented by a label stack with the currently active label at the top of the stack.
Further, the programmable virtualized router implements the Service Chain function using Segment Routing and MPLS.
The SDN controller is responsible for the distribution and the path issuing of SR labels in the SR domain.
As shown in FIG. 2, when data traffic needs to pass through a firewall and an intrusion detection system on its way from VR1 to VR4, it is only necessary for the SDN controller to send a Segment Routing path to and from VR1 and set an SR-MPLS label stack path, which realizes the Service Chain function of the virtual router. During data forwarding, one label is removed from the top of the label stack at every network element traversed, until the label stack is empty. The SDN controller is responsible for the allocation and path issuing of SR labels in the SR domain.
When data traffic no longer needs to pass through a middlebox such as a firewall, the SDN controller only needs to issue a new path to VR1, such as VR1-VR2-VR3-VR4; the other nodes in the network do not need to be configured or modified.
The SDN controller comprises the following business process steps:
step 101, the process starts;
step 102, constructing an SR forwarding plane in the VRs;
step 103, allocating node and adjacency labels for all VRs in the SR domain;
step 104, configuring a Service Chain path for a specific user flow;
step 105, the process ends.
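The controller flow (steps 102-104) and the per-hop label popping described above, as an added Python illustration that is not the patent's own code: the controller allocates node labels to every VR, installs the service-chain path as a label stack on VR1 only, and the data plane pops one label per hop until the stack is empty; re-steering the flow around the firewall touches only VR1's policy. The topology, node names, flow id and the label base 16000 are constructed for this example, and only node labels (not adjacency labels) are modelled.

```python
"""Added illustration (not the patent's own code): an SDN controller allocating
SR node labels to virtual routers and programming a Service Chain as an SR-MPLS
label stack on VR1 only; every hop pops the top label until the stack is empty.
Topology, label values and node names are constructed for this example."""
from collections import deque

# Constructed topology: VR1 steers traffic either through the middleboxes
# (firewall FW, intrusion detection IDS) or directly via VR2-VR3 to VR4.
LINKS = {
    "VR1": {"FW", "VR2"},
    "FW": {"VR1", "IDS"},
    "IDS": {"FW", "VR4"},
    "VR2": {"VR1", "VR3"},
    "VR3": {"VR2", "VR4"},
    "VR4": {"IDS", "VR3"},
}


class SdnController:
    """Steps 102-104 of the patent's flow: build the SR forwarding plane,
    allocate node labels for every VR in the SR domain, then configure a
    Service Chain path for a specific flow by installing a label stack."""

    def __init__(self, links, base_label=16000):  # assumed label range start
        self.links = links
        self.node_label = {n: base_label + i for i, n in enumerate(sorted(links))}
        self.label_node = {v: k for k, v in self.node_label.items()}
        self.policy = {}  # (ingress VR, flow id) -> label stack

    def install_path(self, ingress, flow, path):
        """Encode the explicit path as a stack of node labels; the ingress
        router's own label is not needed, so the stack starts at hop 2."""
        for a, b in zip(path, path[1:]):
            if b not in self.links[a]:
                raise ValueError(f"{a}-{b} is not an adjacency")
        self.policy[(ingress, flow)] = [self.node_label[n] for n in path[1:]]
        return list(self.policy[(ingress, flow)])


def forward(controller, ingress, flow):
    """Data plane: each network element pops the top label and hands the packet
    to the node that label identifies, until the stack is empty. Returns the
    list of nodes traversed, which is the Service Chain actually enforced."""
    stack = deque(controller.policy[(ingress, flow)])
    node, traversed = ingress, [ingress]
    while stack:
        nxt = controller.label_node[stack.popleft()]
        if nxt not in controller.links[node]:
            raise RuntimeError(f"{node} has no link to {nxt}")
        node = nxt
        traversed.append(node)
    return traversed


if __name__ == "__main__":
    ctl = SdnController(LINKS)
    # Flow "user-A" must pass the firewall and IDS on its way to VR4.
    ctl.install_path("VR1", "user-A", ["VR1", "FW", "IDS", "VR4"])
    print(forward(ctl, "VR1", "user-A"))  # ['VR1', 'FW', 'IDS', 'VR4']
    # Later the middleboxes are no longer required: only VR1 gets a new path.
    ctl.install_path("VR1", "user-A", ["VR1", "VR2", "VR3", "VR4"])
    print(forward(ctl, "VR1", "user-A"))  # ['VR1', 'VR2', 'VR3', 'VR4']
```

The adjacency check in install_path is the control-plane guard a practitioner would want: a label stack that names a non-adjacent next hop would silently bypass the middleboxes instead of failing at programming time.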
It is worth mentioning that the virtual router service chain system is implemented based on segment routing, and includes a processor, a memory, and a computer program stored in the memory and running on the processor, and the processor implements the steps of any of the above methods when executing the computer program.
In summary, in virtualized router networking, the invention provides the user with the ability to change network functions quickly and flexibly along with the service. The method can be well applied to the field of service orchestration in network networking and has wide application prospects.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and the preferred embodiments of the present invention are described in the above embodiments and the description, and are not intended to limit the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (4)

1. The method comprises a flow in which data traffic passes through a firewall and an intrusion detection system, a data forwarding flow, and a flow in which data traffic does not pass through the firewall:
the flow in which data traffic passes through the firewall and the intrusion detection system comprises the following steps: the SDN controller sends a Segment Routing path to and from VR1, and the Service Chain function of the virtual router is realized by setting an SR-MPLS label stack path;
the data forwarding flow comprises the following steps: each network element traversed removes one label from the top of the label stack, until the label stack is empty;
the flow in which data traffic does not pass through the firewall comprises the following steps: the SDN controller issues a new path to VR1, and no configuration modifications are required on the other nodes in the network.
2. The system and method for implementing a virtual router service chain based on segment routing according to claim 1, wherein: the SDN controller is responsible for the allocation and path issuing of SR labels in an SR domain.
3. The system and method for implementing a virtual router service chain based on segment routing according to claim 1, wherein: the SDN controller comprises the following business process steps:
step 101, the process starts;
step 102, constructing an SR forwarding plane in the VRs;
step 103, allocating node and adjacency labels for all VRs in the SR domain;
step 104, configuring a Service Chain path for a specific user flow;
step 105, the process ends.
4. A system for implementing a virtual router service chain based on segment routing, characterized in that it comprises a processor, a memory, and a computer program stored in the memory and running on the processor, wherein the processor, when executing the computer program, implements the steps of the method as claimed in any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911413356.7A CN111181856B (en) 2019-12-31 2019-12-31 System and method for realizing virtual router service chain based on segment routing

Publications (2)

Publication Number Publication Date
CN111181856A true CN111181856A (en) 2020-05-19
CN111181856B CN111181856B (en) 2022-07-19

Family

ID=70657692

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112953827A (en) * 2020-12-31 2021-06-11 江苏省未来网络创新研究院 Method for realizing service chain function of programmable virtual router based on segmented routing

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8316435B1 (en) * 2008-08-14 2012-11-20 Juniper Networks, Inc. Routing device having integrated MPLS-aware firewall with virtual security system support
CN105681191A (en) * 2016-02-25 2016-06-15 武汉烽火网络有限责任公司 SDN (Software Defined Network) platform based on router virtualization and implementation method
CN107078950A (en) * 2014-10-24 2017-08-18 思科技术公司 Transparent Web Services Header Path Proxy
CN108055878A (en) * 2015-07-02 2018-05-18 瑞典爱立信有限公司 Use the Border Gateway Protocol to expose the maximum segment identifier depth to external applications
CN109495391A (en) * 2018-12-18 2019-03-19 天津城建大学 A kind of security service catenary system and data packet matched retransmission method based on SDN
US20190280960A1 (en) * 2016-05-20 2019-09-12 Telefonaktiebolaget Lm Ericsson (Publ) Method And Apparatus For Segment Routing And RSVP-TE Routing In Transport SDN Networks
CN110557316A (en) * 2018-05-30 2019-12-10 中国电信股份有限公司 Message transmission method, system, device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant