CN106487556B - Service function SF deployment method and device - Google Patents
- Publication number: CN106487556B
- Authority: CN (China)
- Prior art keywords: virtual machine, information, indication information, forwarding plane, address
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0894—Policy-based network configuration management
- H04L41/0895—Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1001—Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
Abstract
The invention provides a method and a device for deploying a Service Function (SF). The method comprises: acquiring predetermined Network Function Virtualization (NFV) information, wherein the NFV information comprises resource indication information indicating the underlying network resources required for establishing a network function and function indication information indicating the SF deployed on the underlying network resources; and creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources. The invention solves the problem in the related art that creating the underlying network resources and deploying the SF require manual intervention, which makes both rigid and prevents the underlying network resources and the SF from being adjusted flexibly, and thereby achieves the effect of flexibly adjusting the underlying network resources and the SF.
Description
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for deploying a service function SF.
Background
In Network Function Virtualization (NFV) technology, general-purpose hardware such as x86, together with virtualization technology, can host software that performs a wide range of functions, thereby reducing the cost of expensive network equipment. Through software and hardware decoupling and function abstraction, the functions of network equipment become independent of special-purpose hardware, resources can be shared fully and flexibly, new services can be developed and deployed rapidly, and automatic deployment, elastic expansion, fault isolation, self-healing and the like can be carried out based on actual service requirements.
A Service Function Chain (SFC) is an ordered set of service functions that performs a series of service processes on IP packets, link frames, or data streams on a network based on classification and policy. The SFC can be used in fixed networks, mobile networks, data centers, and other scenarios, independent of the specific network application. An SFC involves a flow classification node, a Service Function (SF for short), a Service Function Forwarder (SFF for short), an SFC proxy, Deep Packet Inspection (DPI for short), and the like. The SF receives messages from one or more SFFs and transmits messages to one or more SFFs. The SFF is responsible for sending messages or data frames received from the network to the SF according to the SFC encapsulation information. The SFC control plane is responsible for management and configuration of the SFC, including discovery, management, and configuration of flow classification nodes, SFs, SFFs, SFC proxies, and other related nodes.
SFC is an indispensable component in NFV technology, wherein SFC users can create SF, SFF, and other components required by SFC through virtual resources such as virtual machines and virtual switches created by NFV, where SF is a representation of Virtualized Network Function Instance (VNFI) in a service chain.
In the related art, when an SFC is planned, an administrator is required to create underlying Network resources of a Network Function Virtualization (NFV) and provide the Network resources for the SFC, deploy a new SF on the basis of the existing Network resources, and then select and assemble the SFC by the administrator. The SFC thus constructed is relatively rigid, and cannot adjust the SF according to the change of the actual service requirement, and cannot make any change to the underlying network resources.
No effective solution has yet been proposed for the problem in the related art that creating the underlying network resources and deploying the SF require manual intervention, which makes both rigid and prevents the underlying network resources and the SF from being adjusted flexibly.
Disclosure of Invention
The invention provides a method and a device for deploying a Service Function (SF), which are used for at least solving the problems that the establishment of underlying network resources and the deployment of the SF are rigid and the underlying network resources and the SF cannot be flexibly adjusted due to the fact that the underlying network resources are created and the SF is deployed by manual intervention in the related technology.
According to an aspect of the present invention, a method for deploying a service function SF is provided, including: acquiring preset Network Function Virtualization (NFV) information, wherein the NFV information comprises resource indication information used for indicating underlying network resources required for establishing a network function and function indication information used for indicating a Service Function (SF) deployed on the underlying network resources; and creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources.
Optionally, creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources comprises: transmitting the resource indication information to a forwarding plane through an interface with the forwarding plane, so as to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information; and transmitting deployment information determined according to the function indication information to a virtual machine in the underlying network resources by using the interface to communicate with a resident program in that virtual machine, so as to instruct the virtual machine to deploy the SF.
Optionally, transmitting the resource indication information to the forwarding plane through the interface with the forwarding plane, so as to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information, includes: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the parameters for creating the underlying network resources, which are included in the resource indication information, onto a virtual machine in the forwarding plane. Transmitting the deployment information determined according to the function indication information to the virtual machine in the underlying network resources by using the interface to communicate with the resident program in the virtual machine, so as to instruct the virtual machine to deploy the SF, includes: transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are included in the function indication information, onto the virtual machine.
Optionally, the SF is load balancing; the resource indication information includes a first management network IP address, a first service subnet IP address, and first routing information; and the function indication information includes load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information. In this case, transferring the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are included in the resource indication information, onto a virtual machine in the forwarding plane, includes: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configure the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configure the routing information of the first virtual machine as the first routing information. Communicating the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are included in the function indication information, onto the virtual machine, includes: creating a load balancing configuration file according to the function indication information; and communicating the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, so as to instruct the first virtual machine to configure its protocol as the protocol corresponding to the load balancing protocol information, configure its members as the members corresponding to the member information of the load balancing resource pool, and configure its algorithm as the algorithm corresponding to the load balancing algorithm information.
Optionally, the SF is a firewall; the resource indication information includes a second management network IP address, a second service subnet IP address, and second routing information; and the function indication information includes firewall rules and policy information. In this case, passing the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are included in the resource indication information, onto a virtual machine in the forwarding plane, includes: communicating the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configure the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configure the routing information of the second virtual machine as the second routing information. Communicating the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are included in the function indication information, onto the virtual machine, includes: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, so as to instruct the second virtual machine to configure its rules and policies as the rules and policies corresponding to the firewall rules and policy information.
Optionally, the SF is a virtual private network (VPN); the resource indication information includes a third management network IP address, a third service subnet IP address, and third routing information; and the function indication information includes an Internet Key Exchange (IKE) policy, an IP Security (IPSec) policy, and IPSec site information. In this case, transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are included in the resource indication information, onto a virtual machine in the forwarding plane, includes: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configure the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configure the routing information of the third virtual machine as the third routing information. Communicating the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are included in the function indication information, onto the virtual machine, includes: creating a VPN configuration file according to the function indication information; and communicating the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, so as to instruct the third virtual machine to configure its protocol policy as the IKE policy and the IPSec policy, and configure its site as the site corresponding to the IPSec site information.
Optionally, the SF is a network element WEB protection; the resource indication information includes a fourth management network IP address, a fourth service subnet IP address, and fourth routing information; and the function indication information includes a WEB protection policy and information on the WEB application server or data center that needs to be protected. In this case, transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are included in the resource indication information, onto a virtual machine in the forwarding plane, includes: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configure the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configure the routing information of the fourth virtual machine as the fourth routing information. Communicating the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are included in the function indication information, onto the virtual machine, includes: creating a WEB protection configuration file according to the function indication information; and communicating the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, so as to instruct the fourth virtual machine to configure its rules and policies as the rules and policies corresponding to the WEB protection policy, and configure its server or data center as the server or data center corresponding to the information on the WEB application server or data center that needs to be protected.
Optionally, the acquiring the predetermined network function virtualization NFV information includes: receiving the NFV information transmitted by an application plane.
Optionally, the acquiring the predetermined network function virtualization NFV information includes: receiving the NFV information transferred by a control plane, wherein the NFV information is transferred by an application plane to the control plane.
Optionally, after creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource, the method further includes: acquiring updated NFV information, wherein the updated NFV information comprises updated resource indication information and/or updated function indication information; and updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
Optionally, updating the created underlying network resources and the deployed SFs according to the updated resource indication information and/or the updated function indication information includes: changing, adding or deleting the created underlying network resources according to the updated resource indication information; and/or changing, adding or deleting the deployed SF according to the updated function indication information.
Optionally, after creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource, the method further includes: after the forwarding plane finishes creating the underlying network resources, the forwarding plane reports the information of the underlying network resources to a control plane; and/or after the forwarding plane deploys the SF, reporting the deployed SF information to a control plane.
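The split and the update step described above, as an added example that is not part of the patent: NFV information is validated, divided into the resource indication message for the forwarding plane and a configuration file for the resident program, and an update is expressed as change/add/delete operations. All field names, the key=value file format and the check that keeps the management address off the service subnet are assumptions made for illustration.

```python
import ipaddress
import json

# Function indication fields the text lists per SF type (key names are assumptions).
FUNCTION_FIELDS = {
    "load_balancing": {"protocol", "pool_members", "algorithm"},
    "firewall": {"rules", "policies"},
    "vpn": {"ike_policy", "ipsec_policy", "ipsec_sites"},
    "web_protection": {"protection_policy", "protected_servers"},
}
RESOURCE_FIELDS = {"management_ip", "service_subnet_ip", "routes"}


class NFVInfoError(ValueError):
    """Raised when NFV information must not be passed on to the forwarding plane."""


def check_fields(name, given, expected):
    # Reject missing and unexpected keys so nothing unvetted reaches a VM.
    if set(given) != expected:
        missing, extra = expected - set(given), set(given) - expected
        raise NFVInfoError(f"{name}: missing={sorted(missing)} unexpected={sorted(extra)}")


def validate(nfv_info):
    """Check one NFV information record; return (sf_type, resource, function)."""
    sf_type = nfv_info.get("sf_type")
    if sf_type not in FUNCTION_FIELDS:
        raise NFVInfoError(f"unknown SF type: {sf_type!r}")
    res, func = nfv_info["resource"], nfv_info["function"]
    check_fields("resource indication", res, RESOURCE_FIELDS)
    check_fields("function indication", func, FUNCTION_FIELDS[sf_type])
    try:
        mgmt = ipaddress.ip_address(res["management_ip"])
        service = ipaddress.ip_interface(res["service_subnet_ip"])
        for route in res["routes"]:
            ipaddress.ip_network(route["destination"])
            ipaddress.ip_address(route["next_hop"])
    except (KeyError, ValueError, TypeError) as exc:
        raise NFVInfoError(f"bad address or route: {exc}") from exc
    # Added policy (assumption): the management address stays off the service subnet.
    if mgmt in service.network:
        raise NFVInfoError("management IP lies inside the service subnet")
    return sf_type, res, func


def plan_deployment(nfv_info):
    """Return the two messages of the described flow, one per recipient."""
    sf_type, res, func = validate(nfv_info)
    # Message 1: resource indication information for the forwarding plane.
    to_forwarding_plane = {"action": "create_vm", "vm_params": dict(res)}
    # Message 2: configuration file built from the function indication information,
    # addressed to the resident program in the VM over the management address.
    config_file = "\n".join(
        f"{key}={json.dumps(func[key], sort_keys=True)}" for key in sorted(func)
    )
    to_resident_program = {
        "target": res["management_ip"],
        "sf_type": sf_type,
        "config_file": config_file,
    }
    return to_forwarding_plane, to_resident_program


def plan_update(deployed, updated):
    """List change/add/delete operations between deployed and updated NFV information."""
    validate(deployed)
    validate(updated)
    if deployed["sf_type"] != updated["sf_type"]:
        raise NFVInfoError("SF type changed; redeploy instead of updating")
    ops = []
    for part in ("resource", "function"):
        for key in sorted(updated[part]):
            before, after = deployed[part][key], updated[part][key]
            if before == after:
                continue
            if isinstance(before, list) and isinstance(after, list):
                ops += [("add", part, key, item) for item in after if item not in before]
                ops += [("delete", part, key, item) for item in before if item not in after]
            else:
                ops.append(("change", part, key, after))
    return ops


# Constructed sample: a load-balancing SF using documentation address ranges.
SAMPLE = {
    "sf_type": "load_balancing",
    "resource": {
        "management_ip": "192.0.2.10",
        "service_subnet_ip": "198.51.100.5/24",
        "routes": [{"destination": "0.0.0.0/0", "next_hop": "198.51.100.1"}],
    },
    "function": {
        "protocol": "HTTP",
        "pool_members": ["198.51.100.21", "198.51.100.22"],
        "algorithm": "round_robin",
    },
}

if __name__ == "__main__":
    for message in plan_deployment(SAMPLE):
        print(json.dumps(message, indent=2))
```
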
According to another aspect of the present invention, there is provided a device for deploying a service function SF, including: a first obtaining module, configured to obtain predetermined Network Function Virtualization (NFV) information, where the NFV information includes resource indication information used to indicate an underlying network resource required to establish a network function, and function indication information used to indicate a Service Function (SF) deployed on the underlying network resource; and the processing module is used for creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources.
Optionally, the processing module includes: a first transmitting unit, configured to transmit the resource indication information to a forwarding plane through an interface with the forwarding plane, so as to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information; and a second transmitting unit, configured to transmit, to the virtual machine, deployment information determined according to the function indication information by using the interface to communicate with a resident program in the virtual machine in the underlying network resource, so as to instruct the virtual machine to deploy the SF.
Optionally, the first transfer unit comprises: a first transmitting subunit, configured to transmit the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure, to a virtual machine in the forwarding plane, a parameter included in the resource indication information and used for creating the underlying network resource; the second transfer unit includes: a second transferring subunit, configured to transfer the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameter for deploying the SF included in the function indication information onto the virtual machine.
Optionally, the SF is load balancing; the resource indication information includes the first management network IP address, the first service subnet IP address, and the first routing information; and the function indication information includes load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information. The first transmitting subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configure the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configure the routing information of the first virtual machine as the first routing information. The second transferring subunit instructs the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information; and communicating the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, so as to instruct the first virtual machine to configure its protocol as the protocol corresponding to the load balancing protocol information, configure its members as the members corresponding to the member information of the load balancing resource pool, and configure its algorithm as the algorithm corresponding to the load balancing algorithm information.
Optionally, the SF is a firewall; the resource indication information includes the first management network IP address, the first service subnet IP address, and the first routing information; and the function indication information includes firewall rules and policy information. The first transmitting subunit instructs the forwarding plane to configure the underlying network resources by: communicating the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configure the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configure the routing information of the second virtual machine as the second routing information. The second transferring subunit instructs the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, so as to instruct the second virtual machine to configure its rules and policies as the rules and policies corresponding to the firewall rules and policy information.
Optionally, the SF is a virtual private network (VPN); the resource indication information includes a third management network IP address, a third service subnet IP address, and third routing information; and the function indication information includes an Internet Key Exchange (IKE) policy, an IP Security (IPSec) policy, and IPSec site information. The first transmitting subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configure the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configure the routing information of the third virtual machine as the third routing information. The second transferring subunit instructs the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information; and communicating the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, so as to instruct the third virtual machine to configure its protocol policy as the IKE policy and the IPSec policy, and configure its site as the site corresponding to the IPSec site information.
Optionally, the SF is a network element WEB protection; the resource indication information includes a fourth management network IP address, a fourth service subnet IP address, and fourth routing information; and the function indication information includes a WEB protection policy and information on the WEB application server or data center that needs to be protected. The first transmitting subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configure the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configure the routing information of the fourth virtual machine as the fourth routing information. The second transferring subunit instructs the virtual machine to deploy the SF by: creating a WEB protection configuration file according to the function indication information; and communicating the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, so as to instruct the fourth virtual machine to configure its rules and policies as the rules and policies corresponding to the WEB protection policy, and configure its server or data center as the server or data center corresponding to the information on the WEB application server or data center that needs to be protected.
Optionally, the first obtaining module includes: a first receiving unit, configured to receive the NFV information transferred by an application plane.
Optionally, the first obtaining module includes: a second receiving unit, configured to receive the NFV information delivered by a control plane, where the NFV information is delivered by an application plane to the control plane.
Optionally, the apparatus further comprises: a second obtaining module, configured to obtain updated NFV information after creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource, where the updated NFV information includes updated resource indication information and/or updated function indication information; and the updating module is used for updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
Optionally, the update module includes: a first updating unit, configured to change, add, or delete the created underlying network resources according to the updated resource indication information; and/or the second updating unit is used for changing, adding or deleting the deployed SF according to the updated function indication information.
Optionally, the apparatus further comprises: the first reporting module is applied to a forwarding plane and used for reporting the information of the underlying network resources to a control plane after the underlying network resources are created; and/or the second reporting module is applied to a forwarding plane and used for reporting the deployed information of the SF to a control plane after the SF is deployed.
According to the invention, predetermined network function virtualization (NFV) information is acquired, wherein the NFV information comprises resource indication information used for indicating the underlying network resources required for establishing a network function and function indication information used for indicating the service function SF deployed on the underlying network resources; the underlying network resources are created according to the resource indication information and the function indication information, and the SF is deployed on the underlying network resources. This solves the problem in the related art that manual intervention is needed to create underlying network resources and deploy SFs, which makes the creation of underlying network resources and the deployment of SFs rigid and prevents the underlying network resources and SFs from being adjusted flexibly, and thereby achieves the effect of flexibly adjusting the underlying network resources and SFs.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
Fig. 1 is a flowchart of a method for deploying a service function SF according to an embodiment of the present invention;
Fig. 2 is a block diagram of the structure of a device for deploying a service function SF according to an embodiment of the present invention;
Fig. 3 is a block diagram of a processing module 24 in a deployment apparatus of a service function SF according to an embodiment of the present invention;
Fig. 4 is a block diagram of the structures of the first delivery unit 32 and the second delivery unit 34 in the deployment apparatus of the service function SF according to the embodiment of the present invention;
Fig. 5 is a first block diagram of the structure of the first obtaining module 22 in the deployment apparatus of the service function SF according to the embodiment of the present invention;
Fig. 6 is a block diagram of a first obtaining module 22 in a deployment apparatus of a service function SF according to an embodiment of the present invention;
Fig. 7 is a block diagram of a preferred structure of a device for deploying a service function SF according to an embodiment of the present invention;
Fig. 8 is a block diagram of the structure of the update module 74 in the deployment apparatus of the service function SF according to the embodiment of the present invention;
Fig. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the invention;
Fig. 10 is a first flowchart of a method for planning and deploying SFCs according to an embodiment of the present invention;
Fig. 11 is a flowchart of a method of planning and deploying SFCs according to an embodiment of the invention;
Fig. 12 is a schematic diagram of an SFC including a load balancing node, according to an embodiment of the present invention;
Fig. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. Meanwhile, it should be noted that, in the description and claims of the present invention and the accompanying drawings, the "application plane" may be a set of logical application functions formed by software and/or hardware, and the logical application functions may be implemented by an application device, and similarly, the "control plane" may be a set of logical control functions formed by software and/or hardware, and the logical control functions may be implemented by a control device, and the "forwarding plane" may be a set of logical forwarding functions formed by software and/or hardware, and the logical forwarding functions may be implemented by a forwarding device.
In this embodiment, a method for deploying a service function SF is provided. Fig. 1 is a flowchart of the method for deploying the service function SF according to the embodiment of the present invention. As shown in fig. 1, the flow includes the following steps:
Step S102, acquiring predetermined network function virtualization (NFV) information, wherein the NFV information includes resource indication information for indicating the underlying network resources required for establishing a network function, and function indication information for indicating a service function (SF) deployed on the underlying network resources;
Step S104, creating the underlying network resources according to the resource indication information and the function indication information, and deploying the SF on the underlying network resources.
The resource management system can perform the above operations and can complete the creation of the underlying network resources and the deployment of the SF without manual intervention. This solves the problem in the prior art that creating the underlying network resources and deploying the SF require manual intervention, which makes the creation and deployment rigid and prevents the underlying network resources and the SF from being adjusted flexibly, and thereby achieves the effect of flexibly adjusting the underlying network resources and the SF.
In an optional embodiment, creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource includes: transmitting the resource indication information to a forwarding plane through an interface with the forwarding plane, so as to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information; and transmitting the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in the virtual machine in the underlying network resource, so as to instruct the virtual machine to deploy the SF. With this embodiment, the creation of the underlying network resources and the deployment of the SF can be carried out through the forwarding plane, so that manual intervention is not needed and the underlying network resources and the SF can be adjusted more flexibly.
There are various ways to create the above underlying network resources and deploy SFs on the underlying network resources, and in an optional embodiment, the creation of the underlying network resources and the deployment of the SFs may be performed in a parameter configuration manner, which is described below:
Transmitting the resource indication information to the forwarding plane through the interface with the forwarding plane used for deploying the underlying network resources and the SFs, so as to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information, includes: transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure the parameters for creating the underlying network resources, which are contained in the resource indication information, onto a virtual machine in the forwarding plane. Transmitting the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in the virtual machine in the underlying network resource, so as to instruct the virtual machine to deploy the SF, includes: transmitting the deployment information to the virtual machine by communicating with the resident program through the interface, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine.
The scheme for creating underlying network resources and deploying SFs can be applied to various scenarios, and the specific scenarios are as follows:
In an optional embodiment, the SF may be load balancing, and the resource indication information includes: a first management network Internet Protocol (IP) address, a first service subnet IP address, and first routing information; the function indication information includes load balancing protocol information, member information of a load balancing resource pool, and load balancing algorithm information. Transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information onto a virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information. Transmitting the deployment information to the virtual machine by communicating with the resident program through the interface, so as to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by communicating with the resident program through the interface, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
In another optional embodiment, the SF may be a firewall, and the resource indication information includes: a second management network IP address, a second service subnet IP address, and second routing information; the function indication information includes firewall rules and policy information. Transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information onto a virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information. Transmitting the deployment information to the virtual machine by communicating with the resident program through the interface, so as to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by communicating with the resident program through the interface, to instruct the second virtual machine to configure its rules and policies as the rules and policies corresponding to the firewall rules and policy information.
In another optional embodiment, the SF is a virtual private network (VPN), and the resource indication information includes: a third management network IP address, a third service subnet IP address, and third routing information; the function indication information includes an Internet Key Exchange (IKE) policy, an IP Security (IPSec) policy, and IPSec site information. Transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information onto a virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information. Transmitting the deployment information to the virtual machine by communicating with the resident program through the interface, so as to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by communicating with the resident program through the interface, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the IKE policy and the IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
In another optional embodiment, the SF is a WEB element WEB protection, and the resource indication information includes: a fourth management network IP address, a fourth service subnet IP address, and fourth routing information; the function indication information includes a WEB protection policy and information on the WEB application server or data center that needs to be protected. Transmitting the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information onto a virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information. Transmitting the deployment information to the virtual machine by communicating with the resident program through the interface, so as to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by communicating with the resident program through the interface, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection rules and policies, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information on the WEB application server or data center that needs to be protected.
The embodiments under the above four scenarios will be described in detail in the embodiments described later.
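The split that the four scenarios above share (resource indication information goes to the forwarding plane, while a configuration file built from the function indication information goes to the resident program in the virtual machine) is shown below as an added Python example that is not part of the patent. The field names, the JSON layout and the consistency checks (disjoint management and service networks, on-link next hops, no unlisted function fields) are assumptions made for illustration.

```python
# Added illustration: field names, JSON layout and checks are assumptions,
# not a format defined by the patent.
import ipaddress
import json

# Function indication fields the description lists for each SF type.
REQUIRED_FUNCTION_FIELDS = {
    "load_balancing": {"protocol", "pool_members", "algorithm"},
    "firewall": {"rules", "policies"},
    "vpn": {"ike_policy", "ipsec_policy", "ipsec_sites"},
    "web_protection": {"protection_policy", "protected_servers"},
}


class NFVInfoError(ValueError):
    """NFV information is incomplete or internally inconsistent."""


def validate_resource_indication(res):
    """Parse the management IP, service subnet IP and routes; reject bad input."""
    try:
        mgmt = ipaddress.ip_interface(res["management_ip"])
        svc = ipaddress.ip_interface(res["service_subnet_ip"])
        routes = [(ipaddress.ip_network(r["destination"]),
                   ipaddress.ip_address(r["next_hop"])) for r in res["routes"]]
    except KeyError as exc:
        raise NFVInfoError(f"missing resource field: {exc.args[0]}") from exc
    except ValueError as exc:
        raise NFVInfoError(f"bad address or prefix: {exc}") from exc
    # Assumed policy: the management network and the service subnet are
    # disjoint, so the two planes are addressed separately.
    if mgmt.network.overlaps(svc.network):
        raise NFVInfoError("management network overlaps service subnet")
    # Assumed policy: every next hop must sit on a directly connected network.
    for dest, hop in routes:
        if hop not in svc.network and hop not in mgmt.network:
            raise NFVInfoError(f"next hop {hop} for {dest} is not on-link")
    return mgmt, svc, routes


def plan_deployment(nfv):
    """Split NFV information into the two messages the description names.

    Returns (forwarding_plane_request, config_file_text): the first carries
    the resource indication information, the second is the configuration
    file handed to the resident program inside the virtual machine.
    """
    sf_type = nfv.get("sf_type")
    required = REQUIRED_FUNCTION_FIELDS.get(sf_type)
    if required is None:
        raise NFVInfoError(f"unsupported SF type: {sf_type!r}")
    mgmt, svc, routes = validate_resource_indication(
        nfv.get("resource_indication", {}))
    function = nfv.get("function_indication", {})
    # Reject both gaps and extras so nothing unreviewed reaches the VM.
    missing = required - set(function)
    unexpected = set(function) - required
    if missing or unexpected:
        raise NFVInfoError(f"function fields missing={sorted(missing)} "
                           f"unexpected={sorted(unexpected)}")
    forwarding_plane_request = {
        "management_ip": str(mgmt),
        "service_subnet_ip": str(svc),
        "routes": [{"destination": str(d), "next_hop": str(h)}
                   for d, h in routes],
    }
    config_file_text = json.dumps({"sf_type": sf_type, **function},
                                  indent=2, sort_keys=True)
    return forwarding_plane_request, config_file_text


# Constructed sample: a VPN service function using documentation address ranges.
SAMPLE_VPN_NFV = {
    "sf_type": "vpn",
    "resource_indication": {
        "management_ip": "192.0.2.10/24",
        "service_subnet_ip": "198.51.100.10/24",
        "routes": [{"destination": "203.0.113.0/24", "next_hop": "198.51.100.1"}],
    },
    "function_indication": {
        "ike_policy": {"encryption": "aes-256", "integrity": "sha256", "dh_group": 14},
        "ipsec_policy": {"protocol": "esp", "encryption": "aes-256", "pfs": True},
        "ipsec_sites": [{"peer": "203.0.113.1", "remote_subnet": "203.0.113.0/24"}],
    },
}

if __name__ == "__main__":
    request, config_text = plan_deployment(SAMPLE_VPN_NFV)
    print(json.dumps(request, indent=2))
    print(config_text)
```

Validating before dispatch matters here because the method removes the manual step in which an operator would otherwise have looked at these values.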
The NFV information may be acquired in various ways. In an optional embodiment, acquiring the NFV information includes: receiving the NFV information delivered by an application plane.
In another optional embodiment, acquiring the NFV information includes: receiving the NFV information delivered by a control plane, wherein the NFV information is delivered to the control plane by an application plane.
In an optional embodiment, after creating an underlying network resource according to the resource indication information and the function indication information and deploying an SF on the underlying network resource, the method further includes: acquiring updated NFV information, wherein the updated NFV information comprises updated resource indication information and/or updated function indication information; and updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
In an optional embodiment, updating the created underlying network resources and the deployed SFs according to the updated resource indication information and/or the updated function indication information includes: changing, adding or deleting the created underlying network resources according to the updated resource indication information; and/or changing, adding or deleting the deployed SF according to the updated function indication information.
In an optional embodiment, after creating an underlying network resource according to the resource indication information and the function indication information and deploying an SF on the underlying network resource, the method further includes: after the forwarding plane creates the underlying network resources, the forwarding plane reports the information of the underlying network resources to the control plane; and/or after the forwarding plane deploys the SF, the forwarding plane reports the information of the deployed SF to the control plane. This enables the control plane to discover and manage the created underlying network resources and the deployed SFs.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a device for creating a service function SF is further provided. The device is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a block diagram of the structure of an apparatus for deploying a service function SF according to an embodiment of the present invention. As shown in fig. 2, the apparatus includes a first obtaining module 22 and a processing module 24, which are described below.
A first obtaining module 22, configured to obtain predetermined network function virtualization NFV information, where the NFV information includes resource indication information used for indicating an underlying network resource required for establishing a network function, and function indication information used for indicating a service function SF deployed on the underlying network resource; and the processing module 24 is connected to the first obtaining module 22, and configured to create an underlying network resource according to the resource indication information and the function indication information, and deploy an SF on the underlying network resource.
Fig. 3 is a block diagram of a processing module 24 in a deployment apparatus of a service function SF according to an embodiment of the present invention, and as shown in fig. 3, the processing module 24 includes a first delivery unit 32 and a second delivery unit 34, and the processing module 24 is explained below.
A first delivery unit 32, configured to transmit the resource indication information to the forwarding plane through an interface with the forwarding plane, so as to instruct the forwarding plane to create an underlying network resource on the forwarding plane according to the resource indication information; and a second delivery unit 34, connected to the first delivery unit 32, configured to transmit the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in the virtual machine in the underlying network resource, so as to instruct the virtual machine to deploy the SF.
Fig. 4 is a block diagram of structures of a first delivery unit 32 and a second delivery unit 34 in a deployment apparatus of a service function SF according to an embodiment of the present invention, as shown in fig. 4, the first delivery unit 32 includes a first delivery sub-unit 42, the second delivery unit 34 includes a second delivery sub-unit 44, and the first delivery sub-unit 42 and the second delivery sub-unit 44 are explained below.
A first delivery subunit 42, configured to transmit the resource indication information to the forwarding plane through the above interface, so as to instruct the forwarding plane to configure the parameters for creating the underlying network resources, which are contained in the resource indication information, onto the virtual machine in the forwarding plane.
A second delivery subunit 44, configured to transmit the deployment information to the virtual machine by using the above interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine.
In an alternative embodiment, the SF may be load balancing, and the resource indication information may include: a first management network IP address, a first service subnet IP address, and first routing information, where the function indication information may include load balancing protocol information, member information of a load balancing resource pool, and load balancing algorithm information, and the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resources by: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information; the second delivery subunit 44 may instruct the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by communicating with the resident program through the interface, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
In another optional embodiment, the SF may be a firewall, and the resource indication information may include: a second management network IP address, a second service subnet IP address, and second routing information, and the function indication information may include firewall rules and policy information, where the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resources by: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information; the second delivery subunit 44 may instruct the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by communicating with the resident program through the interface, to instruct the second virtual machine to configure its rules and policies as the rules and policies corresponding to the firewall rules and policy information.
In another optional embodiment, the SF is a virtual private network (VPN), and the resource indication information includes: a third management network IP address, a third service subnet IP address, and third routing information, where the function indication information includes an Internet Key Exchange (IKE) policy, an IP Security (IPSec) policy, and IPSec site information, and the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information; the second delivery subunit 44 may instruct the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information; and passing the VPN configuration file to the third virtual machine by communicating with the resident program through the interface, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the IKE policy and the IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
In another optional embodiment, the SF is a WEB element WEB protection, and the resource indication information includes: a fourth management network IP address, a fourth service subnet IP address, and fourth routing information, where the function indication information includes a WEB protection policy and information on the WEB application server or data center that needs to be protected, and the first delivery subunit 42 may instruct the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to perform the following operations: configuring the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information; the second delivery subunit 44 may instruct the virtual machine to deploy the SF by: creating a WEB protection configuration file according to the function indication information; and passing the WEB protection configuration file to the fourth virtual machine by communicating with the resident program through the interface, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection rules and policies, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information on the WEB application server or data center that needs to be protected.
Fig. 5 is a first structural block diagram of the first obtaining module 22 in the deployment apparatus of the service function SF according to the embodiment of the present invention. As shown in fig. 5, the first obtaining module 22 includes a first receiving unit 52, which is explained below.
A first receiving unit 52, configured to receive the NFV information transmitted by the application plane.
Fig. 6 is a block diagram of a structure of the first obtaining module 22 in the deployment apparatus of the service function SF according to the embodiment of the present invention, and as shown in fig. 6, the first obtaining module 22 includes a second receiving unit 62, and the second receiving unit 62 is explained below.
A second receiving unit 62, configured to receive NFV information delivered by the control plane, where the NFV information is delivered by the application plane to the control plane.
Fig. 7 is a block diagram of a preferred structure of a deployment apparatus of a service function SF according to an embodiment of the present invention, and as shown in fig. 7, the deployment apparatus includes a second obtaining module 72 and an updating module 74 in addition to all modules shown in fig. 2, and the deployment apparatus is explained below.
A second obtaining module 72, connected to the processing module 24, configured to obtain updated NFV information after creating an underlying network resource according to the resource indication information and the function indication information and deploying an SF on the underlying network resource, where the updated NFV information includes updated resource indication information and/or updated function indication information; and an updating module 74, connected to the second obtaining module 72, configured to update the created underlying network resources and the deployed SFs according to the updated resource indication information and/or the updated function indication information.
Fig. 8 is a block diagram of a structure of an update module 74 in a creating apparatus of a service function SF according to an embodiment of the present invention, as shown in fig. 8, the update module 74 includes a first update unit 82 and/or a second update unit 84, and the update module 74 is explained below.
A first updating unit 82, configured to change, add, or delete the created underlying network resources according to the updated resource indication information;
a second updating unit 84, configured to change, add, or delete a deployed SF according to the updated node indication information.
The method and apparatus in the above embodiments may be applied to a resource management system.
In an optional embodiment, the creating apparatus of the service function SF may further include a first reporting module and/or a second reporting module, where both the first reporting module and the second reporting module may be applied in a forwarding plane, and the following describes the apparatus: the first reporting module is applied to the forwarding plane and used for reporting the information of the underlying network resources to the control plane after the underlying network resources are established; and the second reporting module is applied to the forwarding plane and used for reporting the deployed SF information to the control plane after the SF deployment is finished.
Compared with the technical schemes in the related art, the scheme in the embodiment of the invention has further advantages. In the related art, SFC planning in an SDN network requires that the underlying network resources be created first, that SFs be deployed on the existing network resources, and that the SFC be planned afterwards. This 'resources first, planning later' mode means that the SFC cannot custom-define SFs and automatically create the required network resources as actual service requirements change, so SFC deployment is inflexible and resources are wasted. In the embodiment of the invention, the SDN supports custom-defining SFs with functions such as load balancing, firewall, Carrier Grade Network Address Translation (CGN), IP service identification and control system DPI, and router according to the planned SFC, automatically creates the required network resources and deploys the SFs in the underlying network, and the control plane can discover and manage the newly created SFs. With this 'definition first, resources later' mode, the SFC can be deployed flexibly in the SDN, the resource utilization rate is improved, and the manual maintenance cost is reduced.
In the embodiment of the invention, the resource management system in the SDN network architecture is mainly used to automatically create the network resources required by the planned SFC and to deploy the SFs, and the related information of the SFs is updated to the SFC controller, so that the SFC controller can discover and manage the newly created SFs and they can be used by the service applications of the application plane.
The technical solution in the above embodiment is described here:
Fig. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention. As shown in fig. 9, the SDN network architecture mainly includes a resource management system, a network management system, and the three layers of the software defined network (SDN) framework, that is, an application plane, a control plane, and a forwarding plane. The application plane consists of applications (APP for short) with various service functions; the control plane consists of a composer and a controller; the data forwarding plane is composed of forwarding devices such as a flow classifier, SFs and switches. The network management system is an important module for ensuring the reliable operation of the network: it is responsible for detecting the operation state of the network resources of the forwarding plane, diagnosing faults, raising alarms and the like, and for exchanging the state of the network with the control plane. The resource management system is responsible for creating network resources and deploying SFs for the newly planned SFC in the forwarding plane.
Fig. 9 mainly includes 5 interfaces, at the locations shown in fig. 9: the A-CPI interface is used for interaction between the application plane and the control plane, and the exchanged content includes the creation, modification, configuration and the like of the SFC by the application layer; the B-CPI interface is used for interaction between the application plane and the resource management system, and the exchanged content includes NFV related information; the C-CPI interface is used for interaction between the control plane and the resource management system, and the exchanged content is the information of the SFs that need to be created for the constructed SFC; the D-CPI interface is used for interaction between the control plane and the SFs supporting the SFC, for discovery, management and configuration by the control plane; the E-CPI interface is used for interaction between the resource management system and the forwarding plane, so that the resource management system can create network resources on the forwarding plane.
There are two schemes for triggering the resource management system to create the required network resources and deploy the SFs according to the planned SFC. In scheme one, the application plane directly transmits the related information of the planned NFV to the resource management system through the B-CPI interface, which triggers the resource management system to create the required network resources on the forwarding plane through the E-CPI interface and deploy the SFs, and the SF information is updated to the control plane through the D-CPI interface. In scheme two, the application plane transmits the NFV related information to the control plane through the A-CPI interface, the control plane transmits the related information of the SFs of the SFC to be created to the resource manager through the C-CPI interface, which triggers the resource management system to create the required network resources and deploy the SFs in the forwarding layer through the E-CPI interface, and the SF information is updated to the SFC controller through the D-CPI interface.
Fig. 10 is a first flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention (this flowchart corresponds to scheme one). As shown in fig. 10, the flow includes the following steps:
Step 1. A new service application needs to be deployed to a cloud platform, and the application plane plans an SFC according to the requirements of the service application, such as customized virtual machine specifications (CPU, memory, image file, etc.), the Internet Protocol (IP) address, network, route, gateway, etc. of the SF, and the parameter settings related to the SF, similar to the SFC shown in fig. 12. (corresponding to step S1002 in FIG. 10)
Step 2. The application plane transmits the related information of the NFV and the SF to the resource management system through the B-CPI interface, and the resource management system creates the required network resources, including a route, a virtual machine (using a customized image file containing modules such as a resident program) and a network, on the forwarding plane through the E-CPI interface according to the related information of the SFC. (corresponding to steps S1004-1006 in FIG. 10)
Step 3. The resource management system stores the related information of the defined SF into the control forwarding interface adaptation module; the agent program in the control forwarding interface then communicates with the resident program in the virtual machine and transmits the information to the virtual machine. The resident program completes the deployment and configuration of the SF function according to the received information. (corresponding to steps S1008-1010 in FIG. 10)
Step 4. The forwarding plane updates the related information of the NFV and its SFs to the SFC controller through the D-CPI interface, so that the SFC controller can discover and manage the SFs and the service application can use the whole SFC. (corresponding to steps S1012-1014 in FIG. 10)
Fig. 11 is a second flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention (this flowchart corresponds to scheme two). As shown in fig. 11, the flow includes the following steps:
Step 1. A new service application needs to be deployed to a cloud platform. The application plane plans an SFC according to the requirements of the service application, such as customized virtual machine specifications (CPU, memory, image file, etc.), the IP address, network, route, gateway, etc. of the SF, and the parameter settings related to the SF, similar to the SFC shown in fig. 12, and transmits the NFV and SF related information to the control plane through the A-CPI interface. (corresponding to step S1102 in FIG. 11)
Step 2. The control plane transmits the related information of the SFs supporting the SFC to be created to the resource management system through the C-CPI interface, and the resource management system creates the required network resources, including a route, a virtual machine (using a customized image file containing a resident program and other modules), a network and the like, on the forwarding plane through the E-CPI interface according to the related information of the SF. (corresponding to steps S1104-1108 in FIG. 11)
Step 3. Same as step 3 in scheme one. (corresponding to step S1110 in FIG. 11)
Step 4. Same as step 4 in scheme two. (corresponding to steps S1112-1114 in FIG. 11)
The following describes the embodiments in different scenarios:
Example one
When the SF is load balancing, a Load Balancer (LB) is dynamically created according to the first SFC usage scheme:
Fig. 12 is a schematic diagram of an SFC including a load balancing node according to an embodiment of the present invention. As shown in fig. 12, an SF with a load balancing function is automatically deployed according to the SFC to provide load balancing for the back-end service servers. The load balancing service is implemented based on Nginx but is not limited to Nginx; any high-performance load balancing product is applicable to the invention.
The resource management system automatically creates and deploys the load balancing SF according to the planned SFC, and the steps are as follows:
Step 1. The service capability of the service application in the application plane needs to be greatly improved, which creates a demand on the SDN for a load balancing service: one load balancer must be constructed to provide load balancing for three service servers. Of course, a load balancer that provides load balancing for another number of service servers may also be constructed.
Step 2. The application plane plans the SFC containing the load balancing SF according to the service application requirement, as shown in fig. 12. In this scenario, for the IP addresses of the virtual machine in the forwarding plane on the management network and on the service subnet, the IP address of the management network may be 10.46.178.0/24, the IP address of the service subnet may be 192.168.100.0/24, the floating IP address of the load balancing SF on the management network may be 10.46.178.27, the VIP of the load balancing SF on the service subnet may be 192.168.100.27, and load balancing may be provided for three cloud hosts with IP addresses 192.168.100.1, 192.168.100.2 and 192.168.100.3, and the like.
Step 3. The application plane transmits the related information of the SFC to the resource management system through the B-CPI interface, and the resource management system automatically creates the network resources required in step 2 according to the SFC planned by the application plane, including the public network, the vxlan network and routers; a resource pool and a main virtual machine (using a customized virtual machine image file containing a resident program, an Nginx module and the like) are automatically created for the load balancing SF, and a floating IP address, a VIP address and the like are allocated to them. That is, by using the forwarding plane, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment. The load balancing SF and the three cloud hosts are attached to the vxlan network, and the SF provides load balancing for the three cloud hosts. The whole process is completed by the resource management system calling the control forwarding interface, and a cloud administrator does not need to manually create a virtual machine or configure a network.
Step 4. The resource management system may automatically create a load balancing configuration file (conf) according to the requirements of the load balancing SF in the planned SFC, that is, according to the function indication information of this embodiment, communicate with the resident program in the virtual machine through the control forwarding interface, and transfer the conf configuration file to the virtual machine, so that the load balancing device (Nginx) is automatically deployed according to the information included in the function indication information of this embodiment and load balancing policies such as Protocol, Member and Method are configured.
Step 5. The forwarding plane updates the SFC and all SF information to the SFC controller in the control plane through the D-CPI interface, so that related SFs such as load balancing can be discovered and managed by the SFC controller, and the SFC controller can also configure the SFC as required and make it available for the service applications of the application plane to call.
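The conf file of step 4 is built from information supplied by the application plane and then handed to a resident program that applies it, so the resource management system is the place to check every field before it is written out. The following is an added sketch, not code from the patent: it renders an Nginx fragment from the addresses given in step 2, and the key names, the method names and the upstream name sf_lb_pool are assumptions.

```python
import ipaddress

# Constructed function indication information for the load balancing SF,
# using the addresses from Example one. The key names are assumptions.
SERVICE_SUBNET = ipaddress.ip_network("192.168.100.0/24")
SAMPLE_FUNCTION_INFO = {
    "protocol": "HTTP",
    "method": "ROUND_ROBIN",
    "vip": "192.168.100.27",
    "port": 80,
    "members": ["192.168.100.1", "192.168.100.2", "192.168.100.3"],
}

# Allowlist of balancing methods and the Nginx upstream directive for each.
# Round-robin is the Nginx default and needs no directive.
METHOD_DIRECTIVES = {
    "ROUND_ROBIN": None,
    "LEAST_CONNECTIONS": "least_conn",
    "SOURCE_IP": "ip_hash",
}


class InvalidFunctionInfo(ValueError):
    """Raised when a field must not be written into the conf file."""


def parse_service_address(value, subnet):
    """Parse value as an IP address and require it to lie inside subnet."""
    if not isinstance(value, str):
        raise InvalidFunctionInfo(f"address must be a string: {value!r}")
    try:
        address = ipaddress.ip_address(value)
    except ValueError as exc:
        raise InvalidFunctionInfo(f"not an IP address: {value!r}") from exc
    if address not in subnet:
        raise InvalidFunctionInfo(f"{address} is outside {subnet}")
    return address


def render_lb_conf(info, subnet=SERVICE_SUBNET):
    """Return an Nginx fragment (for the http context) for the LB SF.

    The subnet is expected to be IPv4, as in Example one.
    """
    if info.get("protocol") != "HTTP":
        raise InvalidFunctionInfo("this sketch renders HTTP balancing only")
    method = info.get("method")
    if not isinstance(method, str) or method not in METHOD_DIRECTIVES:
        raise InvalidFunctionInfo(f"unsupported method: {method!r}")
    port = info.get("port")
    if type(port) is not int or not 1 <= port <= 65535:
        raise InvalidFunctionInfo(f"invalid port: {port!r}")

    vip = parse_service_address(info.get("vip"), subnet)
    raw_members = info.get("members")
    if not isinstance(raw_members, list) or not raw_members:
        raise InvalidFunctionInfo("at least one member is required")
    members = [parse_service_address(m, subnet) for m in raw_members]
    if len(set(members)) != len(members) or vip in members:
        raise InvalidFunctionInfo("members must be unique and differ from the VIP")

    # Only parsed values are written out, never the caller's raw strings.
    lines = ["upstream sf_lb_pool {"]
    if METHOD_DIRECTIVES[method]:
        lines.append(f"    {METHOD_DIRECTIVES[method]};")
    lines += [f"    server {member}:{port};" for member in members]
    lines += [
        "}",
        "server {",
        f"    listen {vip}:{port};",
        "    location / {",
        "        proxy_pass http://sf_lb_pool;",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_lb_conf(SAMPLE_FUNCTION_INFO))
```

A member outside 192.168.100.0/24, or a field carrying extra configuration text, is rejected before any file reaches the virtual machine.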
Example two
When the SF is a firewall, a firewall (FireWall, abbreviated as FW) is dynamically created according to the first SFC usage scheme:
Fig. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention. As shown in fig. 13, an SF with a firewall function is automatically deployed according to the SFC to provide security protection for the back-end service network.
The resource management system automatically creates and deploys the firewall SF according to the planned SFC, and the steps are as follows:
Step 1. The application plane places requirements on the security of the service network of the service application, and a firewall needs to be constructed to provide security protection for the service network.
Step 2. The application plane plans the SFC containing the firewall SF according to the requirements of the service application, as shown in fig. 13. The plan includes the IP address of the management network public in the SFC, which may be 10.46.178.0/24, the IP address of the service network vxlan, which may be 192.168.168.0/24, router interface settings, firewalls, firewall rules and policies (including supported protocols, IP versions, source addresses, destination addresses, source ports, destination ports, action sets, etc.), and so on. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information, and the function indication information may include firewall rules and policy information.
Step 3. The application plane transmits the related information of the SFC to the resource management system through the B-CPI interface, and the resource management system automatically creates the network resources required in step 2 according to the SFC planned by the application plane, including a router, the virtual machine required for deploying the firewall (using a customized virtual machine image file containing modules such as a resident program), a service network and the like. That is, by using the forwarding plane, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment. The whole process is completed by the resource management system calling the control forwarding interface, and a cloud administrator does not need to manually create a virtual machine or configure a network.
Step 4. According to the function requirements of the firewall SF in the planned SFC, that is, according to the function indication information in this embodiment, the resource manager stores the planned firewall rules and policies into the file corresponding to the firewall rules and policies, communicates with the resident program in the corresponding virtual machine, and transmits the policies and rules in the file to the virtual machine; the resident program in the virtual machine updates the policies and rules to the firewall according to the information contained in the function indication information in this embodiment and starts protection.
Step 5. The forwarding plane updates all related information of the SFC including the firewall SF to the SFC controller through the D-CPI interface, so that related SFs such as the firewall can be discovered and managed by the SFC controller, and the SFC controller can modify the firewall rules and policies as required.
Example three
When the SF is a Virtual Private Network (VPN), a VPN is dynamically created according to the second SFC usage scheme, so as to provide a VPN service for the network.
The resource management system automatically creates and deploys the VPN according to the planned SFC, and the steps are as follows:
Step 1. The application plane places requirements on the service network of the service application, and a VPN needs to be constructed to provide a VPN service for the service network.
Step 2. The application plane plans the SFC including the VPN function according to the requirements of the service application. The plan includes the IP address of the management network public in the SFC, which may be 10.46.178.0/24, the IP address of the service network vxlan, which may be 192.168.168.0/24, router interface settings, and the like, and the information related to the SFC is transmitted to the control plane through the A-CPI interface. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information, and the function indication information may include a key exchange protocol IKE policy, an IP layer security protocol IPSec policy, and IPSec site information.
Step 3. The control plane transmits the related information of the SF (VPN) supporting the SFC to be created to the resource management system through the C-CPI interface, which triggers the resource management system to automatically create the network resources required in step 2 according to the planned SFC, including a router (a router with special functions, using a customized virtual machine image file containing modules such as a resident program), a service network and the like. That is, by using the forwarding plane, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment. The whole process is completed by the resource management system calling the control forwarding interface, and a cloud administrator does not need to manually create a virtual machine or configure a network.
Step 4. According to the function requirements of the VPN in the planned SFC, that is, according to the function indication information in this embodiment, the resource manager stores the planned configuration of the Key exchange protocol (Internet Key Management, abbreviated as IKE) Policy (IKE), the IP layer Security protocol (IP Security, abbreviated as IPSec) Policy (IPSec Policy), and the IPSec Site (IPSec Site) into the configuration file corresponding to the VPN, communicates with the resident program in the corresponding virtual machine, and transfers the configuration file to the virtual machine, so that the resident program in the virtual machine configures and starts the VPN according to the function indication information in this embodiment.
Step 5. The forwarding plane updates all related information of the SFC including the VPN to the SFC controller through the D-CPI interface, so that related SFs such as the VPN can be discovered and managed by the SFC controller, and the SFC controller can modify the policies of the VPN and the like as required.
Example four
When the SF is WEB protection, a WEB protection SF is dynamically created according to the second SFC usage scheme to provide WEB security protection for the server and resist attacks including Structured Query Language (SQL) injection, file vulnerabilities, Cross Site Scripting (XSS) attacks, Cross-Site Request Forgery (XSRF) and directory traversal.
Step 1. The service application of the application plane requires WEB security protection for the service server, and a WEB security protection SF needs to be constructed to provide security protection for the service server.
Step 2. The application plane plans the SFC containing the WEB security protection SF according to the requirements of the service application. The plan covers the networks in the SFC, including a management network and a service subnet, a WEB protection policy (which may include an Access Control List (ACL), an IP blacklist, user data to be shielded, disabling of dangerous methods (including OPTIONS, DELETE, etc.), hotlink protection, hiding of server version information, flow control, configuration for known attack features, etc.), the WEB application server or data center that needs protection, and the like, and the planned SFC related information is transmitted to the control plane through the A-CPI interface. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information, and the function indication information may include the WEB protection policy and information of the WEB application server or data center that needs protection.
Step 3. The control plane transmits the related information of the SF to be created (WEB security protection) to the resource management system through the C-CPI interface, which triggers the resource management system to automatically create the network resources required in step 2 according to the SFC planned by the application plane, including creating the network, deploying the virtual machine required by the WEB security protection SF (using a customized virtual machine image file containing modules such as a resident program, a Naxsi module, an Nginx module and an SSL module), adding the WEB application server, and the like. That is, by using the forwarding plane, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment. The whole process is completed by the resource management system calling the control forwarding interface, and a cloud administrator does not need to manually create a virtual machine or configure a network.
Step 4. According to the function requirements of the WEB security protection SF in the planned SFC, that is, according to the function indication information, the resource manager stores the planned security protection policy into the file corresponding to the security protection policy (the control node creates one file for the configuration information of each SF), communicates with the resident program in the corresponding virtual machine, and transmits the policy in the file to the virtual machine; the resident program in the virtual machine configures the policy and rules on the WEB security module according to the function indication information in this embodiment and starts protection.
Step 5. The forwarding plane updates the related information containing the WEB security protection SF to the SFC controller through the D-CPI interface, so that the SF can be discovered and managed by the SFC controller, and the SFC controller can modify the security protection rules and policies as required.
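Several items of the WEB protection policy listed in step 2 correspond directly to Nginx directives. The following added sketch, which is not code from the patent, maps the IP blacklist, the disabled methods, the hiding of server version information and flow control onto an Nginx fragment after checking each item; the key names, all addresses, the zone name sf_web and the choice of directives are assumptions, and Naxsi rules for known attack features are not rendered here.

```python
import ipaddress
import re

# Constructed WEB protection policy. The key names and all addresses are
# assumptions for this sketch; the policy items themselves are from step 2.
SAMPLE_WEB_POLICY = {
    "protected_server": "192.168.100.10",
    "ip_blacklist": ["203.0.113.7", "198.51.100.0/24"],
    "disabled_methods": ["OPTIONS", "DELETE"],
    "hide_server_version": True,
    "requests_per_second": 20,
}

# An HTTP method name is accepted only as a short run of capital letters,
# so it cannot carry regex or configuration syntax into the "if" line.
METHOD_NAME = re.compile(r"[A-Z]{3,16}")


class InvalidPolicy(ValueError):
    """Raised when a policy item must not reach the conf file."""


def render_web_protection_conf(policy):
    """Return an Nginx fragment (for the http context) for the policy."""
    backend = policy.get("protected_server")
    blacklist = policy.get("ip_blacklist", [])
    methods = policy.get("disabled_methods", [])
    rate = policy.get("requests_per_second")

    if not isinstance(backend, str) or not isinstance(blacklist, list):
        raise InvalidPolicy("protected_server or ip_blacklist has the wrong type")
    if not all(isinstance(entry, str) for entry in blacklist):
        raise InvalidPolicy("blacklist entries must be strings")
    try:
        backend_ip = ipaddress.IPv4Address(backend)
        # strict parsing: an entry such as 198.51.100.7/24 is rejected
        blocked = [ipaddress.ip_network(entry) for entry in blacklist]
    except ValueError as exc:
        raise InvalidPolicy(f"bad address in policy: {exc}") from exc

    if not isinstance(methods, list) or not all(
        isinstance(m, str) and METHOD_NAME.fullmatch(m) for m in methods
    ):
        raise InvalidPolicy("disabled_methods must be plain HTTP method names")
    if type(rate) is not int or not 1 <= rate <= 10000:
        raise InvalidPolicy(f"invalid requests_per_second: {rate!r}")

    lines = [
        # flow control: one shared zone keyed by client address
        f"limit_req_zone $binary_remote_addr zone=sf_web:10m rate={rate}r/s;",
        "server {",
        "    listen 80;",
    ]
    if policy.get("hide_server_version") is True:
        lines.append("    server_tokens off;")
    lines += [f"    deny {network};" for network in blocked]
    if methods:
        lines += [
            "    if ($request_method ~ ^(" + "|".join(methods) + ")$) {",
            "        return 405;",
            "    }",
        ]
    lines += [
        "    location / {",
        "        limit_req zone=sf_web;",
        f"        proxy_pass http://{backend_ip};",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_web_protection_conf(SAMPLE_WEB_POLICY))
```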
The above embodiments can show that, in the scheme of the embodiment of the present invention, the resource management system automatically creates underlying network resources for the SFC planned by the application plane, and deploys the SF, and the related information of the SF is updated to the SFC controller, so that the SFC controller can discover and manage the newly added SF. The scheme of the invention realizes the purpose of dynamically creating the SF based on the SDN service chain, so that the SFC has the characteristic of flexible deployment in the SDN, the resource utilization rate is improved, and the manual maintenance cost is reduced.
It should be noted that the above modules may be implemented by software or hardware; for the latter, this may be done in, but is not limited to, the following ways: the modules are all located in the same processor; alternatively, the modules are respectively located in a plurality of processors.
The embodiment of the invention also provides a storage medium. Optionally, in the present embodiment, the storage medium may be configured to store program codes for performing the following steps:
S1, acquiring predetermined network function virtualization NFV information, where the NFV information includes resource indication information for indicating an underlying network resource required for establishing a network function, and function indication information for indicating a service function SF deployed on the underlying network resource;
S2, creating underlying network resources according to the resource indication information and the function indication information, and deploying the SF on the underlying network resources.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing program codes, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Optionally, in the present embodiment, the processor performs the above steps S1-S2 according to program codes already stored in the storage medium.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
In a related technical scheme, when an SDN creates an SFC, an administrator is required to create the underlying network resources required by the SFC first, deploy a new SF on the basis of the existing network resources, and then construct the SFC. In the scheme of the embodiment of the invention, the SDN supports conveniently planning the SFC according to the service requirements of the application plane without considering the underlying network resources. The resource management system automatically creates the required underlying network resources and configures and deploys the SFs according to the requirements of the SFC, and the SF information is updated to the SFC controller, so that the SFC controller can discover and manage the related SF nodes. This improves the flexibility and extensibility of the SFC in the SDN and reduces the manual maintenance cost.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (22)
1. A method for deploying service function SF is characterized by comprising the following steps:
acquiring preset Network Function Virtualization (NFV) information, wherein the NFV information comprises resource indication information used for indicating underlying network resources required for establishing a network function and function indication information used for indicating a Service Function (SF) deployed on the underlying network resources;
creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources;
wherein the creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource comprises: transmitting the resource indication information to a forwarding plane through an interface with the forwarding plane to indicate the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information; and transmitting the deployment information determined according to the function indication information to the virtual machine in a mode of communicating with a resident program in the virtual machine in the underlying network resources by using the interface so as to indicate the virtual machine to deploy the SF.
2. The method of claim 1,
communicating the resource indication information to a forwarding plane through an interface with the forwarding plane for deploying underlying network resources and SFs to indicate to the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information comprises: transmitting the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to configure the parameters for creating the underlying network resources, which are included in the resource indication information, onto a virtual machine in the forwarding plane;
communicating deployment information determined from the functional indication information to a virtual machine in the underlying network resources by communicating with a resident program in the virtual machine using the interface to instruct the virtual machine to deploy the SF includes: and communicating the deployment information to the virtual machine by using the interface to communicate with the resident program so as to instruct the virtual machine to configure the parameter for deploying the SF contained in the function indication information on the virtual machine.
3. The method of claim 2, wherein the SF is load balancing, and wherein the resource indication information comprises: a first management network protocol IP address, an IP address of a first service subnet and first routing information, the function indication information comprising load balancing protocol information, member information of the load balancing resource pool, load balancing algorithm information, wherein,
passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to load the parameters for creating the underlying network resources included in the resource indication information onto a virtual machine in the forwarding plane comprises: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a first virtual machine in the forwarding plane on a management network as the first management network IP address, configuring the IP address of the first virtual machine on a service subnet as the first service subnet IP address, and configuring routing information of the first virtual machine as the first routing information;
communicating the deployment information to the virtual machine by communicating with the resident program through the interface to instruct the virtual machine to configure the parameter for deploying the SF included in the function instruction information onto the virtual machine includes: creating a load balancing configuration file according to the function indication information; communicating the load balancing configuration file to the first virtual machine by communicating with the resident program using the interface to instruct the first virtual machine to: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
4. The method of claim 2, wherein the SF is a firewall, and wherein the resource indication information includes: a second management network IP address, a second service subnet IP address, and second routing information, the function indication information including firewall rules and policy information, wherein,
passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to load the parameters for creating the underlying network resources included in the resource indication information onto a virtual machine in the forwarding plane comprises: communicating the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a second virtual machine on a management network in the forwarding plane as the second management network IP address, configuring an IP address of the second virtual machine on a service subnet as the second service subnet IP address, and configuring routing information of the second virtual machine as the second routing information;
communicating the deployment information to the virtual machine by communicating with the resident program through the interface to instruct the virtual machine to configure the parameter for deploying the SF included in the function instruction information onto the virtual machine includes: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine in a mode of communicating with the resident program by using the interface so as to instruct the second virtual machine to configure the rules and the policies of the second virtual machine into the rules and the policies corresponding to the firewall rules and the policy information.
5. The method of claim 2, wherein the SF is a Virtual Private Network (VPN), and wherein the resource indication information comprises: a third management network protocol IP address, a third service subnet IP address and third routing information, the function indication information comprises a key exchange protocol IKE strategy, an IP layer security protocol IPSec strategy and IPSec site information, wherein,
passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to load the parameters for creating the underlying network resources included in the resource indication information onto a virtual machine in the forwarding plane comprises: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a third virtual machine on a management network in the forwarding plane as the third management network IP address, configuring the IP address of the third virtual machine on a service subnet as the third service subnet IP address, and configuring routing information of the third virtual machine as the third routing information;
communicating the deployment information to the virtual machine by communicating with the resident program through the interface to instruct the virtual machine to configure the parameter for deploying the SF included in the function instruction information onto the virtual machine includes: creating a VPN configuration file according to the function indication information; communicating the VPN configuration file to the third virtual machine by communicating with the resident program using the interface to instruct the third virtual machine to: and configuring the protocol policy of the third virtual machine into the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine into a site corresponding to the IPSec site information.
6. The method according to claim 2, wherein the SF is WEB protection, and the resource indication information includes: a fourth management network protocol IP address, a fourth service subnet IP address and fourth routing information, the function indication information comprises a WEB protection strategy and WEB application server or data center information needing protection, wherein,
passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to load the parameters for creating the underlying network resources included in the resource indication information onto a virtual machine in the forwarding plane comprises: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a fourth virtual machine on a management network in the forwarding plane as the fourth management network IP address, configuring an IP address of the fourth virtual machine on a service subnet as the fourth service subnet IP address, and configuring routing information of the fourth virtual machine as the fourth routing information;
communicating the deployment information to the virtual machine by communicating with the resident program through the interface to instruct the virtual machine to configure the parameter for deploying the SF included in the function instruction information onto the virtual machine includes: establishing a WEB protection configuration file according to the function indication information; communicating the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, so as to instruct the fourth virtual machine to perform the following operations: and configuring the rules and the strategies of the fourth virtual machine as the WEB protection strategies and the strategies, and configuring the server or the data center of the fourth virtual machine as the server or the data center corresponding to the WEB application server or the data center information needing protection.
7. The method according to claim 1, wherein said obtaining predetermined Network Function Virtualization (NFV) information comprises:
receiving the NFV information transmitted by an application plane.
8. The method according to claim 1, wherein said obtaining predetermined Network Function Virtualization (NFV) information comprises:
receiving the NFV information transferred by a control plane, wherein the NFV information is transferred by an application plane to the control plane.
9. The method of claim 1, wherein after creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources, further comprising:
acquiring updated NFV information, wherein the updated NFV information comprises updated resource indication information and/or updated function indication information;
and updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
10. The method of claim 9, wherein updating the created underlying network resources and the deployed SFs according to the updated resource indication information and/or updated function indication information comprises:
changing, adding or deleting the created underlying network resources according to the updated resource indication information;
and/or,
and changing, adding or deleting the deployed SF according to the updated function indication information.
11. The method of claim 1, wherein after creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources, further comprising:
after the forwarding plane finishes creating the underlying network resources, the forwarding plane reports the information of the underlying network resources to a control plane; and/or,
and after the forwarding plane deploys the SF, reporting the deployed SF information to a control plane.
12. A device for deploying service function SF is characterized by comprising:
a first obtaining module, configured to obtain predetermined Network Function Virtualization (NFV) information, where the NFV information includes resource indication information used to indicate an underlying network resource required to establish a network function, and function indication information used to indicate a Service Function (SF) deployed on the underlying network resource;
the processing module is used for creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources;
wherein the processing module comprises: a first transmitting unit, configured to transmit the resource indication information to a forwarding plane through an interface with the forwarding plane, so as to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information; and a second transmitting unit, configured to transmit, to the virtual machine, deployment information determined according to the function indication information by using the interface to communicate with a resident program in the virtual machine in the underlying network resource, so as to instruct the virtual machine to deploy the SF.
13. The apparatus of claim 12,
the first transfer unit includes: a first transmitting subunit, configured to transmit the resource indication information to the forwarding plane through the interface, so as to instruct the forwarding plane to configure, to a virtual machine in the forwarding plane, a parameter included in the resource indication information and used for creating the underlying network resource;
the second transfer unit includes: a second transferring subunit, configured to transfer the deployment information to the virtual machine by using the interface to communicate with the resident program, so as to instruct the virtual machine to configure the parameter for deploying the SF included in the function indication information onto the virtual machine.
14. The apparatus of claim 13, wherein the SF is load balancing, and wherein the resource indication information comprises: a first management network protocol IP address, an IP address of a first service subnet and first routing information, the function indication information comprising load balancing protocol information, member information of the load balancing resource pool, load balancing algorithm information, wherein,
the first transferring subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a first virtual machine in the forwarding plane on a management network as the first management network IP address, configuring the IP address of the first virtual machine on a service subnet as the first service subnet IP address, and configuring routing information of the first virtual machine as the first routing information;
the second pass subunit instructs the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information; communicating the load balancing configuration file to the first virtual machine by communicating with the resident program using the interface to instruct the first virtual machine to: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
15. The apparatus of claim 13, wherein the SF is a firewall, and wherein the resource indication information comprises: a second management network IP address, a second service subnet IP address, and second routing information, the function indication information including firewall rules and policy information, wherein,
the first transferring subunit instructs the forwarding plane to configure the underlying network resources by: communicating the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a second virtual machine on a management network in the forwarding plane as the second management network IP address, configuring an IP address of the second virtual machine on a service subnet as the second service subnet IP address, and configuring routing information of the second virtual machine as the second routing information;
the second pass subunit instructs the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine in a mode of communicating with the resident program by using the interface so as to instruct the second virtual machine to configure the rules and the policies of the second virtual machine into the rules and the policies corresponding to the firewall rules and the policy information.
16. The apparatus of claim 13, wherein the SF is a Virtual Private Network (VPN), and wherein the resource indication information comprises: a third management network protocol IP address, a third service subnet IP address and third routing information, the function indication information comprises a key exchange protocol IKE strategy, an IP layer security protocol IPSec strategy and IPSec site information, wherein,
the first transferring subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a third virtual machine on a management network in the forwarding plane as the third management network IP address, configuring the IP address of the third virtual machine on a service subnet as the third service subnet IP address, and configuring routing information of the third virtual machine as the third routing information;
the second pass subunit instructs the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information; communicating the VPN configuration file to the third virtual machine by communicating with the resident program using the interface to instruct the third virtual machine to: and configuring the protocol policy of the third virtual machine into the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine into a site corresponding to the IPSec site information.
17. The apparatus of claim 13, wherein the SF is WEB protection, and the resource indication information includes: a fourth management network protocol IP address, a fourth service subnet IP address and fourth routing information, the function indication information comprises a WEB protection strategy and WEB application server or data center information needing protection, wherein,
the first transferring subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface to instruct the forwarding plane to: configuring an IP address of a fourth virtual machine on a management network in the forwarding plane as the fourth management network IP address, configuring an IP address of the fourth virtual machine on a service subnet as the fourth service subnet IP address, and configuring routing information of the fourth virtual machine as the fourth routing information;
the second pass subunit instructs the virtual machine to deploy the SF by: establishing a WEB protection configuration file according to the function indication information; communicating the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, so as to instruct the fourth virtual machine to perform the following operations: and configuring the rules and the strategies of the fourth virtual machine as the WEB protection strategies and the strategies, and configuring the server or the data center of the fourth virtual machine as the server or the data center corresponding to the WEB application server or the data center information needing protection.
18. The apparatus of claim 12, wherein the first obtaining module comprises:
a first receiving unit, configured to receive the NFV information transferred by an application plane.
19. The apparatus of claim 12, wherein the first obtaining module comprises:
a second receiving unit, configured to receive the NFV information delivered by a control plane, where the NFV information is delivered by an application plane to the control plane.
20. The apparatus of claim 12, further comprising:
a second obtaining module, configured to obtain updated NFV information after creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource, where the updated NFV information includes updated resource indication information and/or updated function indication information;
and the updating module is used for updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
21. The apparatus of claim 20, wherein the update module comprises:
a first updating unit, configured to change, add, or delete the created underlying network resources according to the updated resource indication information; and/or,
and a second updating unit, configured to change, add, or delete the deployed SF according to the updated function indication information.
22. The apparatus of claim 12, further comprising:
the first reporting module is applied to a forwarding plane and used for reporting the information of the underlying network resources to a control plane after the underlying network resources are created; and/or,
and the second reporting module is applied to a forwarding plane and used for reporting the deployed SF information to a control plane after the SF is deployed.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510543835.6A CN106487556B (en) | 2015-08-28 | 2015-08-28 | Service function SF deployment method and device |
PCT/CN2016/079667 WO2016180181A1 (en) | 2015-08-28 | 2016-04-19 | Service function deployment method and apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510543835.6A CN106487556B (en) | 2015-08-28 | 2015-08-28 | Service function SF deployment method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106487556A (en) | 2017-03-08 |
CN106487556B (en) | 2020-05-22 |
Family
ID=57247747
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510543835.6A Active CN106487556B (en) | 2015-08-28 | 2015-08-28 | Service function SF deployment method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106487556B (en) |
WO (1) | WO2016180181A1 (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108574582B (en) * | 2017-03-07 | 2022-05-13 | 中兴通讯股份有限公司 | Fault detection method and device |
US10715353B2 (en) | 2017-05-15 | 2020-07-14 | Ciena Corporation | Virtual local area network identifiers for service function chaining fault detection and isolation |
CN109117243B (en) * | 2017-06-23 | 2023-07-07 | 中兴通讯股份有限公司 | Service deployment method, device, client device and computer readable storage medium |
CN107332913B (en) * | 2017-07-04 | 2020-03-27 | 电子科技大学 | Optimized deployment method of service function chain in 5G mobile network |
CN109922002A (en) * | 2017-12-13 | 2019-06-21 | 中国电信股份有限公司 | Business datum retransmission method and Overlay system based on SFC |
CN108200207A (en) * | 2018-02-11 | 2018-06-22 | 中国联合网络通信集团有限公司 | The method and system of cloud computing system security service, secure cloud management platform |
CN108566308B (en) * | 2018-04-28 | 2020-11-06 | 电子科技大学 | Reliability enhancing method based on shared protection service function chain |
US10740134B2 (en) | 2018-08-20 | 2020-08-11 | Interwise Ltd. | Agentless personal network firewall in virtualized datacenters |
CN109361675B (en) * | 2018-10-30 | 2021-08-13 | 深信服科技股份有限公司 | Information security protection method, system and related components |
CN109842528B (en) * | 2019-03-19 | 2020-10-27 | 西安交通大学 | Service function chain deployment method based on SDN and NFV |
CN112751768B (en) * | 2019-10-29 | 2023-11-21 | 华为技术有限公司 | Service message forwarding method and device and computer storage medium |
CN112887330B (en) * | 2021-02-26 | 2022-05-31 | 浪潮云信息技术股份公司 | Device and method for realizing network ACL isolation floating IP |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104050045A (en) * | 2014-06-27 | 2014-09-17 | 华为技术有限公司 | Method and device for distributing virtual resources based on disk IO |
CN104219127A (en) * | 2014-08-30 | 2014-12-17 | 华为技术有限公司 | Creation method and device of virtual network instance |
CN104253866A (en) * | 2014-09-20 | 2014-12-31 | 华为技术有限公司 | Software deployment method and system of virtual network function network element and relevant equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101495069B1 (en) * | 2012-12-14 | 2015-02-26 | 한국전자통신연구원 | Method for virtual desktop service based on iov nic and apparatus thereof |
Also Published As
Publication number | Publication date |
---|---|
WO2016180181A1 (en) | 2016-11-17 |
CN106487556A (en) | 2017-03-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||