CN114338378B - Configuration verification method for multi-domain software defined network - Google Patents
- Publication number: CN114338378B
- Application number: CN202210024228.9A
- Authority: CN (China)
- Prior art keywords: network, software, defined network, model, domain
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Abstract
The invention discloses a configuration verification method for a multi-domain software-defined network. Configuration information is extracted from the software-defined network subnet devices of the multi-domain software-defined network and a software-defined network subnet formal model is constructed from it; configuration information is extracted from the core network devices and a core network formal model is constructed from it. The software-defined network subnet formal models and the core network formal model are combined into a multi-domain software-defined network formal model, which is then checked for violations of the reachability and absolute-blocking network rules. If a network rule is violated in the model, the flow element of the multi-domain software-defined network formal model corresponding to the violation is output; if no network rule is violated, the multi-domain software-defined network formal model passes verification. The method realises configuration verification of a multi-domain software-defined network and aids the deployment and management of such networks.
Description
Technical Field
The invention belongs to the technical field of network configuration verification, and particularly relates to a configuration verification method for a multi-domain software defined network.
Background
A software-defined network is a new kind of network with good programmability, which eases the development and deployment of new network functions. Software-defined networks are now widely deployed in campus, enterprise, data-centre and operator networks, but mostly as single control domains of limited size. Academia and industry have begun to explore interconnecting several software-defined networks into a large-scale multi-domain software-defined network, and how to check the correctness and ensure the reliability of such a network.
Network verification technology is an important means of ensuring that network communication protocols are designed correctly and that different network devices are interconnected correctly. The basic idea is to build a formal model of the network to be verified, search that model for errors, and from those errors locate the specific problem in the network.
In the prior art, verification is performed on a network of a single control domain; verification of a multi-domain software-defined network is not considered. Moreover, most formal network models used for verification are built by hand, so the degree of automation is insufficient. A multi-domain software-defined network is large, and the workload of building its model manually is too great for such methods to apply, so a method that builds the model automatically from the network configuration is needed.
Disclosure of Invention
One of the technical problems solved by the invention is that the network verification methods of the prior art rely on manually constructing a formal model, do not support modelling of large-scale networks, and are therefore ill suited to verifying a multi-domain software-defined network.
In order to solve the above technical problem, an embodiment of the present application first provides a configuration verification method for a multi-domain software defined network, including:
extracting configuration information from the software-defined network subnet devices of the multi-domain software-defined network, and constructing a software-defined network subnet formal model from that configuration information;
extracting configuration information from the core network devices of the multi-domain software-defined network, and constructing a core network formal model from that configuration information;
combining the software-defined network subnet formal model and the core network formal model into a multi-domain software-defined network formal model;
checking the multi-domain software-defined network formal model for violations of the reachability and absolute-blocking network rules;
if a network rule is violated in the model, outputting the flow element of the multi-domain software-defined network formal model that corresponds to the violation;
if no network rule is violated, the multi-domain software-defined network formal model passes verification.
Preferably, the multi-domain software-defined network is a network formed by combining a plurality of software-defined network subnets with a core network, where:
each software-defined network subnet is a software-defined network, i.e. a network formed by one or more software-defined network controllers running software-defined network applications together with a plurality of software-defined network forwarding devices, the forwarding devices including software-defined network switches, software-defined network wireless access points and the like;
the core network is either a software-defined network or a traditional network, a traditional network being a network of routers running a routing protocol;
each software-defined network subnet is connected to the core network, and the core network performs routing and switching among the plurality of software-defined network subnets.
Preferably, extracting configuration information from the software-defined network subnet devices of the multi-domain software-defined network and constructing the software-defined network subnet formal model from it includes:
establishing a connection to the software-defined network controller of a software-defined network subnet of the multi-domain software-defined network;
acquiring, through the representational state transfer (REST) application programming interface of the software-defined network controller, the configuration information of all devices of the software-defined network subnet, including device information, link information and flow table information;
constructing a software-defined network subnet formal model from the configuration information of the software-defined network subnet devices, the model comprising point elements representing the forwarding devices, edge elements representing the connections (links) between forwarding devices, and flow elements representing flow table entries;
repeating these steps for each software-defined network subnet of the multi-domain software-defined network, so that a plurality of software-defined network subnet formal models are established.
Preferably, extracting configuration information from the core network devices of the multi-domain software-defined network and constructing the core network formal model from it includes:
if the core network is a software-defined network, establishing the core network formal model by the method used to construct a software-defined network subnet formal model;
if the core network is a traditional network consisting of a plurality of routers, acquiring the configuration information of each router with a router configuration extraction tool, the configuration information including device information, link information and routing information, and constructing the core network formal model, which comprises point elements representing the routing devices, edge elements representing the connections (links) between routing devices, and flow elements representing the start point and end point of each route.
Preferably, combining the software-defined network subnet formal models and the core network formal model into the multi-domain software-defined network formal model includes adding, according to the actual connections between the plurality of software-defined network subnets and the core network in the multi-domain software-defined network, the necessary edge elements and flow elements to the software-defined network subnet formal models and the core network formal model respectively, so as to form a complete multi-domain software-defined network formal model.
Preferably, checking whether the multi-domain software-defined network formal model violates the reachability network rule includes:
selecting the flow elements of the formal model that need to be verified;
starting from the start point of a flow element, traversing the flow table information or routing information of the device corresponding to the first point element in the formal model and, if a flow table entry or routing entry matching the flow element exists, marking the next point element according to the forwarding information in that entry;
repeating the previous step; the reachability rule is satisfied if the end point of the flow element is marked, and violated if no next point element matching the flow element can be found.
Preferably, checking whether the multi-domain software-defined network formal model satisfies the absolute-blocking network rule includes:
selecting the flow elements of the formal model that need to be verified;
starting from the start point of a flow element, traversing the formal model by breadth-first search or depth-first search, looking for a path that can reach the end point of the flow element;
if such a path exists, the absolute-blocking rule is violated; if no such path exists, the absolute-blocking rule is satisfied.
Preferably, the flow elements of the multi-domain software-defined network formal model include information such as the source IP address and the destination IP address.
Compared with the prior art, one or more embodiments in the above scheme can have the following advantages or beneficial effects:
by automatically extracting the device configuration information of a multi-domain software-defined network and constructing a formal model from it, configuration verification of the multi-domain software-defined network is realised, improving the accuracy and reliability of the multi-domain software-defined network.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the technology or prior art of the present application and are incorporated in and constitute a part of this specification. The drawings expressing the embodiments of the present application are used for explaining the technical solutions of the present application, and should not be construed as limiting the technical solutions of the present application.
Fig. 1 is a flowchart illustrating a configuration verification method for a multi-domain software defined network according to an embodiment of the present invention;
FIG. 2 is a block diagram of a configuration verification framework for a multi-domain SDN according to an embodiment of the present invention.
Detailed Description
The following detailed description will be given with reference to the accompanying drawings and examples to explain how to apply the technical means to solve the technical problems and to achieve the technical effects. The embodiments and the features of the embodiments can be combined without conflict, and the technical solutions formed are all within the scope of the present invention.
Fig. 1 is a schematic flowchart of a configuration verification method for a multi-domain software-defined network according to an embodiment of the present invention; as shown in the figure, the method includes:
and 110, extracting configuration information from the software-defined network subnet equipment of the multi-domain software-defined network, and constructing a software-defined network subnet formal model according to the configuration information.
And 120, extracting configuration information from the core network equipment of the multi-domain software defined network, and constructing a core network formalized model according to the configuration information.
And 130, combining the software defined network subnet formalization model and the core network formalization model into a multi-domain software defined network formalization model.
Step 140, checking whether the multi-domain software defined network formalization model has violation of reachability and absolute blocking network rules.
If there is a violation of the network rule in the model, outputting a flow element in the multi-domain software defined network formalization model corresponding to the violation, as shown in step S141.
If there is no violation of the network rules, the multi-domain software defined network formalization model is validated, as shown in step S142.
Specifically, in step S110, the multi-domain software-defined network is a network formed by combining a plurality of software-defined network subnets with a core network, where:
each software-defined network subnet is a software-defined network, i.e. a network formed by one or more software-defined network controllers running software-defined network applications together with a plurality of software-defined network forwarding devices, the forwarding devices including software-defined network switches, software-defined network wireless access points and the like;
the core network is either a software-defined network or a traditional network, a traditional network being a network of routers running a routing protocol;
each software-defined network subnet is connected to the core network, and the core network performs routing and switching among the plurality of software-defined network subnets.
In step S110, extracting configuration information from the software-defined network subnet devices of the multi-domain software-defined network and constructing a software-defined network subnet formal model from it includes:
establishing a connection to the software-defined network controller of a software-defined network subnet of the multi-domain software-defined network;
acquiring, through the representational state transfer (REST) application programming interface of the software-defined network controller, the configuration information of all devices of the software-defined network subnet, including device information, link information and flow table information;
constructing a software-defined network subnet formal model from the configuration information of the software-defined network subnet devices, the model comprising point elements representing the forwarding devices, edge elements representing the connections (links) between forwarding devices, and flow elements representing flow table entries;
repeating these steps for each software-defined network subnet of the multi-domain software-defined network, so that a plurality of software-defined network subnet formal models are established.
Acquiring the configuration information of all devices of a software-defined network subnet through the REST application programming interface of the software-defined network controller is prior art and is not described again here. The make and type of the software-defined network subnet devices and the modelling language used to build the formal model are not limited by the embodiment of the invention and may be chosen from the prior art according to the actual situation.
In step S120, extracting configuration information from the core network devices of the multi-domain software-defined network and constructing a core network formal model from it includes:
if the core network is a software-defined network, establishing the core network formal model by the method used to construct a software-defined network subnet formal model;
if the core network is a traditional network consisting of a plurality of routers, acquiring the configuration information of each router with a router configuration extraction tool, the configuration information including device information, link information and routing information, and constructing the core network formal model, which comprises point elements representing the routing devices, edge elements representing the connections (links) between routing devices, and flow elements representing the start point and end point of each route.
Using a router configuration extraction tool to obtain the configuration information of each router is prior art and is not described again here. The make and type of the core network devices and the modelling language used to build the formal model are not limited by the embodiment of the invention and may be chosen from the prior art according to the actual situation.
In step S130, combining the software-defined network subnet formal models and the core network formal model into a multi-domain software-defined network formal model includes adding, according to the actual connections between the plurality of software-defined network subnets and the core network in the multi-domain software-defined network, the necessary edge elements and flow elements to the software-defined network subnet formal models and the core network formal model respectively, so as to form a complete multi-domain software-defined network formal model.
In step S140, checking whether the multi-domain software-defined network formal model violates the reachability network rule includes:
selecting the flow elements of the formal model that need to be verified;
starting from the start point of a flow element, traversing the flow table information or routing information of the device corresponding to the first point element in the formal model and, if a flow table entry or routing entry matching the flow element exists, marking the next point element according to the forwarding information in that entry;
repeating the previous step; the reachability rule is satisfied if the end point of the flow element is marked, and violated if no next point element matching the flow element can be found.
In step S140, checking whether the multi-domain software-defined network formal model satisfies the absolute-blocking network rule includes:
selecting the flow elements of the formal model that need to be verified;
starting from the start point of a flow element, traversing the formal model by breadth-first search or depth-first search, looking for a path that can reach the end point of the flow element;
if such a path exists, the absolute-blocking rule is violated; if no such path exists, the absolute-blocking rule is satisfied.
Breadth-first search and depth-first search are prior art and are not described in detail here.
In addition, in step S140, the flow elements of the multi-domain software-defined network formal model include the source IP address, the destination IP address and other information.
Source and destination IP addresses are prior art and are not described again here.
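As an added example (not code from the patent), the following carries steps S110 to S140 above out over a small constructed network: one graph model of point elements, edge elements and rule lists is built per domain, the domain models are merged with the inter-domain links, the reachability check follows the single winning forwarding entry hop by hop, and the absolute-blocking check runs a breadth-first search over every winning forwarding entry. Everything here is assumed for illustration: the dictionary layout of the configuration, the device names s1 to s3 and r1, r2, the prefixes, and the rule semantics (highest OpenFlow priority wins on a switch, longest prefix wins on a router). Two points the page leaves implicit are made explicit: the reachability walk stops on a forwarding loop, since otherwise the end point would never be marked and the walk would not terminate, and a violation is reported as the flow element together with the witness path, which is what an operator needs to find the offending entry. The constructed data shows the kind of error the absolute-blocking rule exists to catch: an isolation entry written with a mask that is too narrow.

```python
"""Graph model and rule checks in the style of steps S110 to S140 above. Added
example, not the patent's code: every configuration value below is constructed and
its layout is an assumption, not the output format of any controller or router."""
from collections import deque, namedtuple
from ipaddress import ip_address, ip_network

# Rule: one flow-table entry (SDN switch) or routing entry (router). action is "fwd"
# (to next_hop), "local" (deliver) or "drop"; priority is the OpenFlow priority or,
# for a router, the prefix length, so that longest-prefix match falls out below.
Rule = namedtuple("Rule", "dst action next_hop priority")
Flow = namedtuple("Flow", "src dst start end")   # flow element: packet class + endpoints

def domain_model(cfg):
    """Steps S110/S120: point elements, edge elements and rules of one domain from
    devices, links and entries (device, dst prefix, action, next hop, priority);
    priority None marks a routing entry, whose prefix length decides instead."""
    m = {"points": set(cfg["devices"]), "edges": {frozenset(l) for l in cfg["links"]}, "rules": {}}
    for dev, dst, action, nh, prio in cfg["entries"]:
        prio = ip_network(dst).prefixlen if prio is None else prio
        m["rules"].setdefault(dev, []).append(Rule(dst, action, nh, prio))
    return m

def merge(models, inter_domain_links):
    """Step S130: union the domain models, then add the edges that join the domains."""
    whole = {"points": set(), "edges": set(), "rules": {}}
    for m in models:
        whole["points"] |= m["points"]
        whole["edges"] |= m["edges"]
        whole["rules"].update(m["rules"])
    whole["edges"].update(frozenset(l) for l in inter_domain_links)
    return whole

def winning_rules(model, point, flow):
    """Entries at `point` that match the flow's destination, highest priority only."""
    hits = [r for r in model["rules"].get(point, []) if ip_address(flow.dst) in ip_network(r.dst)]
    best = max((r.priority for r in hits), default=None)
    return [r for r in hits if r.priority == best]

def check_reachability(model, flow):
    """Follow the forwarding path from the start point; returns (satisfied, marked points)."""
    path, cur = [flow.start], flow.start
    while cur != flow.end:
        fwd = [r for r in winning_rules(model, cur, flow) if r.action == "fwd"]
        # Violation: no matching entry, a drop, or an entry over a link the model lacks.
        if not fwd or frozenset((cur, fwd[0].next_hop)) not in model["edges"]:
            return False, path
        cur = fwd[0].next_hop        # with ECMP several entries tie; one path is followed
        path.append(cur)
        if path.count(cur) > 1:      # forwarding loop: the end point would never be marked
            return False, path
    return True, path

def check_absolute_blocking(model, flow):
    """BFS over every winning forwarding entry; returns (satisfied, witness path or None)."""
    queue, seen = deque([[flow.start]]), {flow.start}
    while queue:
        path = queue.popleft()
        if path[-1] == flow.end:     # some path carries the flow: blocking is violated
            return False, path
        for r in winning_rules(model, path[-1], flow):
            if r.action == "fwd" and r.next_hop not in seen and frozenset((path[-1], r.next_hop)) in model["edges"]:
                seen.add(r.next_hop)
                queue.append(path + [r.next_hop])
    return True, None

def verify(model, flows):
    """Step S140: the flow elements that violate their rule, each with its witness path."""
    bad = {}
    for name, flow in flows.items():
        check = check_reachability if name.startswith("reach") else check_absolute_blocking
        ok, path = check(model, flow)
        if not ok:
            bad[name] = (flow, path)
    return bad

# Constructed multi-domain network: SDN subnet A (s1, s2) and subnet B (s3) around a
# traditional core (r1, r2). Policy: 10.0.1.0/24 must never reach 10.0.9.0/24, but the
# drop entry on s1 was written with a /25 mask, so half of that prefix slips past it.
SUBNET_A = {"devices": ["s1", "s2"], "links": [("s1", "s2")], "entries": [
    ("s1", "10.0.1.0/24", "local", "", 10), ("s1", "10.0.9.0/25", "drop", "", 20),
    ("s1", "10.0.0.0/8", "fwd", "s2", 5), ("s2", "10.0.1.0/24", "fwd", "s1", 10),
    ("s2", "10.0.0.0/8", "fwd", "r1", 5)]}
SUBNET_B = {"devices": ["s3"], "links": [], "entries": [
    ("s3", "10.0.2.0/24", "local", "", 10), ("s3", "10.0.9.0/24", "local", "", 10),
    ("s3", "10.0.0.0/8", "fwd", "r2", 5)]}
CORE = {"devices": ["r1", "r2"], "links": [("r1", "r2")], "entries": [
    ("r1", "10.0.1.0/24", "fwd", "s2", None), ("r1", "10.0.0.0/8", "fwd", "r2", None),
    ("r2", "10.0.2.0/24", "fwd", "s3", None), ("r2", "10.0.9.0/24", "fwd", "s3", None),
    ("r2", "10.0.0.0/8", "fwd", "r1", None)]}
MODEL = merge([domain_model(SUBNET_A), domain_model(SUBNET_B), domain_model(CORE)],
              [("s2", "r1"), ("r2", "s3")])
FLOWS = {"reach_ok": Flow("10.0.1.5", "10.0.2.7", "s1", "s3"),     # must be reachable
         "reach_loop": Flow("10.0.1.5", "10.0.3.9", "s1", "s3"),   # no route: loops in the core
         "block_ok": Flow("10.0.1.5", "10.0.9.100", "s1", "s3"),   # inside the drop entry's /25
         "block_leak": Flow("10.0.1.5", "10.0.9.200", "s1", "s3")}  # outside it: isolation leaks
```

`verify(MODEL, FLOWS)` returns the two violating flow elements: `reach_loop` with the looping path s1, s2, r1, r2, r1 (the core's default routes point at each other for a destination nobody owns), and `block_leak` with the path s1, s2, r1, r2, s3 that carries 10.0.9.200 past the /25 drop entry. The search follows only the highest-priority matching entries, so a forwarding entry that is correctly shadowed by a drop is not reported; if shadowed entries should be flagged too (a more conservative check for an isolation policy), remove the priority filter in `winning_rules`.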
The following describes, with reference to fig. 2, a configuration verification framework for a multi-domain software-defined network, taking the configuration verification of such a network as an example.
As shown in fig. 2, the multi-domain software-defined network to be verified consists of a plurality of software-defined network subnets and a traditional-network core. Verification proceeds in the following steps: step 11, connect to the controller of each software-defined network subnet through its REST application programming interface; step 12, acquire the configuration information of each software-defined network subnet device; step 13, connect to the core network devices through a router configuration extraction tool; step 14, acquire the configuration information of each core network device. Steps 11 and 12 are performed in order, as are steps 13 and 14, but there is no fixed order between the pair 11, 12 and the pair 13, 14: the two extractions are independent of each other.
The embodiment of the invention provides a configuration verification method for a multi-domain software defined network, which supports configuration verification aiming at the multi-domain software defined network and is beneficial to the deployment and management of the multi-domain software defined network.
Although the embodiments of the present invention have been described above, the above descriptions are only for the convenience of understanding the present invention, and are not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (5)
1. A configuration verification method for a multi-domain software defined network comprises the following steps:
extracting configuration information from the software-defined network subnet devices of a multi-domain software-defined network, and constructing a software-defined network subnet formal model from the configuration information, which specifically comprises:
establishing a connection to the software-defined network controller of a software-defined network subnet of the multi-domain software-defined network;
acquiring, through the representational state transfer (REST) application programming interface of the software-defined network controller, the configuration information of all devices of the software-defined network subnet, including device information, link information and flow table information;
constructing a software-defined network subnet formal model from the configuration information of the software-defined network subnet devices, the software-defined network subnet formal model comprising point elements representing the forwarding devices, edge elements representing the connections (links) between forwarding devices, and flow elements representing flow table entries,
repeating the step of constructing a software-defined network subnet formal model for each software-defined network subnet of the multi-domain software-defined network, so as to establish a plurality of software-defined network subnet formal models;
extracting configuration information from the core network devices of the multi-domain software-defined network, and constructing a core network formal model from the configuration information, which specifically comprises:
if the core network is a software-defined network, establishing the core network formal model by the method used to construct a software-defined network subnet formal model;
if the core network is a traditional network consisting of a plurality of routers, acquiring the configuration information of each router with a router configuration extraction tool, the configuration information including device information, link information and routing information, and constructing the core network formal model, which comprises point elements representing the routing devices, edge elements representing the connections (links) between routing devices, and flow elements representing the start point and end point of each route;
combining the software-defined network subnet formal models and the core network formal model into a multi-domain software-defined network formal model, which specifically comprises:
adding, according to the actual connections between the plurality of software-defined network subnets and the core network in the multi-domain software-defined network, the necessary edge elements and flow elements to the plurality of software-defined network subnet formal models and to the core network formal model respectively, so as to form a complete multi-domain software-defined network formal model;
checking the multi-domain software defined network formalization model for violations of reachability network rules and absolute blocking network rules,
if there is a violation of the network rule in the multi-domain software-defined network formal model, outputting a flow element in the multi-domain software-defined network formal model corresponding to the violation,
if there is no violation of the network rules, the multi-domain software defined network formalization model is validated.
2. The verification method according to claim 1, wherein the multi-domain software-defined network is a network composed of a plurality of software-defined network subnets and a core network, wherein:
each software-defined network subnet is a software-defined network, and the software-defined network is a network formed by one or more software-defined network controllers for running software-defined network applications and a plurality of software-defined network forwarding devices, wherein the forwarding devices comprise software-defined network switches and software-defined network wireless network access points;
the core network is the software defined network or a traditional network, and the traditional network is a network formed by a plurality of routers running a routing protocol;
each software-defined network subnet is connected to the core network, and the core network performs routing and switching among the plurality of software-defined network subnets.
3. The verification method according to claim 1 or 2, wherein said checking whether said multi-domain software-defined network formal model violates the reachability network rule and the absolute-blocking network rule comprises:
selecting flow elements needing to be verified in the formal model;
starting from the start point of a flow element, traversing the flow table information or routing information of the device corresponding to the first point element in the formal model and, if a flow table entry or routing entry matching the flow element exists, marking the next point element according to the forwarding information in that entry;
repeating the step of marking the next point element according to the forwarding information in the entry; the reachability network rule is satisfied if the end point of the flow element is marked, and violated if no next point element matching the flow element can be found.
4. The verification method according to claim 3, further characterised in that said checking whether said multi-domain software-defined network formal model violates the reachability network rule and the absolute-blocking network rule comprises:
selecting flow elements needing to be verified in the formal model;
starting from the start point of a flow element, traversing the formal model by breadth-first search or depth-first search, looking for a path that can reach the end point of the flow element;
if said path is present, said absolute blocking network rule is violated, and if said path is not present, said absolute blocking network rule is satisfied.
5. The verification method according to claim 2 or 4, wherein the flow elements of the multi-domain software-defined network formal model comprise source IP address and destination IP address information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210024228.9A CN114338378B (en) | 2022-01-11 | 2022-01-11 | Configuration verification method for multi-domain software defined network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114338378A (en) | 2022-04-12 |
CN114338378B (en) | 2023-01-10 |
Family
ID=81027434
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114338378B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106063203A (en) * | 2014-02-26 | 2016-10-26 | 华为技术有限公司 | Software defined networking (SDN) specific topology information discovery |
CN111371644A (en) * | 2020-02-28 | 2020-07-03 | 山东工商学院 | Multi-domain SDN network traffic situation prediction method and system based on GRU |
CN111382066A (en) * | 2019-11-17 | 2020-07-07 | 海南大学 | Software defined network application security attribute testing method in development |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9621968B2 (en) * | 2013-11-11 | 2017-04-11 | Infinera Corporation | Multi layer, multi vendor, multi domain, applications for software defined networking enabled networks |
US10812315B2 (en) * | 2018-06-07 | 2020-10-20 | Cisco Technology, Inc. | Cross-domain network assurance |
Non-Patent Citations (1)
Title |
---|
Liu Yi et al., "MapReduce-based OpenFlow network property verification technology", 《计算机研究与发展》 (Journal of Computer Research and Development), 2016-11-15 (No. 11), full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |