CN104394090B

Movatterモバイル変換

Info

Publication number: CN104394090B
Application number: CN201410645536.9A
Authority: CN
Inventors: 李云春; 付容; 曹凯
Original assignee: Beihang University
Current assignee: Beihang University
Priority date: 2014-11-14
Filing date: 2014-11-14
Publication date: 2017-08-25
Anticipated expiration: 2034-11-14
Also published as: CN104394090A

Abstract

本发明公开了一种采用DPI对数据包进行网络流分类的SDN控制器，是在现有SDN控制器中增加了采用并行处理方式的DPI模块，DPI模块包括有去消息头模块、包－流转换模块、分组线程调度模块、多个线程模块和流表构建模块；所述流表构建模块中包括有以表格形式存在的协议表和流表。本发明设计的控制器通过修改OpenFlow协议实现与网络交换机通信来获取数据包，一方面应用流连接的分组调度，另一方面采用正则匹配将数据包分发给处理线程，最后下发流表到交换机来控制后续数据包的转发。本发明设计的基于DPI的SDN控制器能够实现SDN网络下的较好的DPI部署，减少数据包处理速度，提升吞吐量。

The present invention discloses an SDN controller that adopts DPI to classify data packets on the network flow. A DPI module adopting a parallel processing mode is added to the existing SDN controller. The DPI module includes a message header removal module, a packet-flow A conversion module, a group thread scheduling module, a plurality of thread modules and a flow table construction module; the flow table construction module includes a protocol table and a flow table in the form of a table. The controller designed by the present invention obtains data packets by modifying the OpenFlow protocol to communicate with the network switch. On the one hand, it applies flow-connected packet scheduling, and on the other hand, it uses regular matching to distribute the data packets to the processing threads, and finally sends the flow table to the switch. To control the forwarding of subsequent data packets. The DPI-based SDN controller designed in the present invention can realize better DPI deployment under the SDN network, reduce data packet processing speed, and improve throughput.

Description

Translated fromChinese

一种采用DPI对数据包进行网络流分类的SDN控制器An SDN controller that uses DPI to classify data packets on network streams

技术领域technical field

本发明涉及一种SDN控制器，更特别地说，是指一种利用深度包检测技术来进行数据包快速分类的SDN控制器，特别是基于SDN框架下的深度包检测技术的实现方案，并在分组调度和流表下发方面进行优化。The present invention relates to an SDN controller, more particularly, refers to an SDN controller that uses deep packet detection technology to quickly classify data packets, especially an implementation scheme based on deep packet detection technology under the SDN framework, and Optimize group scheduling and flow table delivery.

背景技术Background technique

2013年9月第1次印刷，电子工业出版社，《SDN核心技术剖析和实战指南》雷葆华等编著。在第15页图1-6公开的SDN核心技术体系图中(记为图1)，介绍了在SDN架构的每一层次上都具有很多核心技术，其目标是有效地分离控制层面与转发层面，支持逻辑上集中化的统一控制，提供灵活的开发接口等。其中，控制层是整个SDN的核心，系统中的南向接口与北向接口也是以它为中心进行命名的。转发层面通过一个Packet_in消息将数据包(Packet，也称为报文)发送给控制层面。SDN(Sofeware Defined Networking,软件定义网络)是一种新兴的基于软件的网络架构及技术，其最大的特点在于具有松耦合的控制平面与数据平面、支持集中化的网络状态控制、实现底层网络设施对上层应用的透明。正如SDN的名字所言，它具有灵活的软件编程能力，使得网络的自动化管理和控制能力获得了空前的提升，能够有效地解决当前网络系统所要面临的资源规模扩展受限、组网灵活性差、难以快速满足业务需求等问题。The first printing in September 2013, Electronics Industry Press, "SDN Core Technology Analysis and Practical Guide" edited by Lei Baohua and others. In the SDN core technology system diagram disclosed in Figure 1-6 on page 15 (denoted as Figure 1), it is introduced that there are many core technologies at each level of the SDN architecture, and its goal is to effectively separate the control plane and the forwarding plane , support logically centralized unified control, provide flexible development interfaces, etc. Among them, the control layer is the core of the entire SDN, and the southbound and northbound interfaces in the system are also named around it. The forwarding layer sends a data packet (Packet, also called message) to the control layer through a Packet_in message. SDN (Sofeware Defined Networking, software-defined network) is an emerging software-based network architecture and technology. Its biggest feature is that it has a loosely coupled control plane and data plane, supports centralized network status control, and implements the underlying network facilities. Transparency to upper application. As the name of SDN says, it has flexible software programming capabilities, which makes the automatic management and control capabilities of the network unprecedentedly improved, and can effectively solve the problems faced by current network systems, such as limited resource expansion, poor networking flexibility, It is difficult to quickly meet business needs and other issues.

2013年10月北京第1次印刷，人民邮电出版社出版发行，《网络流量分类方法与实践》汪立东，钱丽萍主编。在第116页中，DPI(Deep Packet Inspection)深度包检测其概念来自于包检测，之所以称为深度，是由于早期的包检测方法主要检测IP包头和TCP/UDP包头，而DPI方法不仅检测单个数据包的包头，还会对数据包的部分或全部载荷内容进行检测，一般情况下至少要检测超过64字节的载荷内容才能够称得上深度包检测，在匹配技术上则要求支持位于载荷中非固定偏移位置起始点的浮动关键词匹配。First printing in Beijing in October 2013, published by People's Posts and Telecommunications Publishing House, "Network Traffic Classification Method and Practice" edited by Wang Lidong and Qian Liping. On page 116, the concept of DPI (Deep Packet Inspection) comes from packet inspection. It is called depth because the early packet inspection methods mainly detect IP headers and TCP/UDP headers, while the DPI method not only detects The header of a single data packet will also detect part or all of the payload content of the data packet. Generally, at least the payload content exceeding 64 bytes can be called deep packet inspection. In terms of matching technology, it is required to support the A floating keyword match for the starting point of a non-fixed offset position in the payload.

DPI在SDN网络中的位置可能有三种情况：The position of DPI in the SDN network may have three situations:

(1)嵌入到应用层：DPI软件可像其他网络应用一样嵌入到网络应用层，但是这样做深度包检测的瓶颈可能存在于通信路径的长度。因为若要做DPI，则节点需要将包经过控制器传输然后送到应用层。考虑到延迟因素，这类DPI部署方式最好应用于对延时不敏感的应用，如统计分析。(1) Embedded into the application layer: DPI software can be embedded into the network application layer like other network applications, but the bottleneck of deep packet inspection may exist in the length of the communication path. Because if DPI is to be done, the node needs to transmit the packet through the controller and then send it to the application layer. Considering the latency factor, this type of DPI deployment is best applied to applications that are not sensitive to latency, such as statistical analysis.

(2)嵌入到控制层：DPI软件可嵌入到SDN控制器中，分类信息可用于网络智能化部署也可通过北向API传输到应用层以供使用。节点把第一个非空包递交给SDN控制器用来做L4到L7分析。但即使这样，仍有大概不大于10％的流量需要在SDN控制器和Switch之间传输才能实现DPI。(2) Embedded in the control layer: DPI software can be embedded in the SDN controller, and the classification information can be used for network intelligent deployment or transmitted to the application layer through the northbound API for use. The node submits the first non-null packet to the SDN controller for L4 to L7 analysis. Even so, no more than 10% of the traffic needs to be transmitted between the SDN controller and the Switch to achieve DPI.

(3)嵌入到数据层：网络节点也可运行DPI软件，在得到APP ID和metadata(元数据)后可以将其直接应用到预先定义的策略发送给SDN控制器和网络应用，并接受返回信息通过SDN控制器返回的控制信息，节点做相应Action(指令)，如此相同类型的其他流不需要再做DPI。这种实现方式延迟最少，但成本最高，因为基于状态机的匹配算法由于其多模式匹配特性、快速的处理速度、与正则表达式的完美兼容，逐渐成为现在研究最热的匹配算法。研究表明，DPI性能取决于模式匹配速度。(3) Embedded in the data layer: network nodes can also run DPI software. After obtaining the APP ID and metadata (metadata), they can be directly applied to the pre-defined strategy and sent to the SDN controller and network application, and receive the returned information Through the control information returned by the SDN controller, the node performs the corresponding Action (command), so that other flows of the same type do not need to perform DPI. This implementation has the least delay, but the highest cost, because the state machine-based matching algorithm has gradually become the most popular matching algorithm due to its multi-pattern matching characteristics, fast processing speed, and perfect compatibility with regular expressions. Studies have shown that DPI performance depends on pattern matching speed.

网络流，在一段时间内，一个源IP地址和目的IP地址之间传输的单向报文流，所有报文具有相同的源端口号srcPort、目的端口号dstPort、协议号tran、源IP地址srcIP和目的IP地址dstIP，即五元组内容相同。Network flow, within a period of time, a one-way packet flow transmitted between a source IP address and a destination IP address, all packets have the same source port number srcPort, destination port number dstPort, protocol number tran, source IP address srcIP It is the same as the destination IP address dstIP, that is, the content of the five-tuple.

目前设计的SDN控制器不具有对网络流进行流量分类，也不能对网络数据包进行控制，因此不能应用于基于流量分类的网络服务。The currently designed SDN controller does not have the ability to classify network flows, nor can it control network data packets, so it cannot be applied to network services based on traffic classification.

发明内容Contents of the invention

为了实现SDN控制器对接收到的网络设备输出的数据包进行流分类，本发明设计了一种采用DPI架构对数据包进行流分类的SDN控制器。In order to realize that the SDN controller performs flow classification on the received data packets output by the network equipment, the present invention designs an SDN controller that uses a DPI architecture to perform flow classification on the data packets.

本发明的目的是提供一种基于软件定义网络架构的深度包检测技术的连接级并行部署方式，实现对网络数据包进行快速流分类。本发明设计的基于DPI的SDN控制器是在现有SDN控制器中增加了DPI模块，所述DPI模块采用并行处理方式，即通过修改OpenFlow协议，基于DPI的SDN控制器和网络交换机通信获取数据包，基于连接的分组调度将数据包分发给处理线程，做正则匹配，并下发流表到交换机来控制后续数据包的转发。本发明设计的基于DPI的SDN控制器能够实现SDN网络下的较好的DPI部署，减少数据包处理速度，提升吞吐量。The purpose of the present invention is to provide a connection-level parallel deployment method of deep packet detection technology based on software-defined network architecture, so as to realize fast flow classification of network data packets. The DPI-based SDN controller designed by the present invention adds a DPI module to the existing SDN controller, and the DPI module adopts a parallel processing method, that is, by modifying the OpenFlow protocol, the DPI-based SDN controller communicates with the network switch to obtain data Packets, connection-based packet scheduling distributes data packets to processing threads, performs regular matching, and sends flow tables to switches to control the forwarding of subsequent data packets. The DPI-based SDN controller designed in the present invention can realize better DPI deployment under the SDN network, reduce data packet processing speed, and improve throughput.

本发明设计了一种采用DPI对数据包进行网络流分类的SDN控制器，是在现有SDN控制器中增加了采用并行处理方式的DPI模块，所述的DPI模块包括有去消息头模块、包－流转换模块、分组线程调度模块、多个线程模块和流表构建模块；所述流表构建模块中包括有以表格形式存在的协议表和流表；The present invention has designed a kind of SDN controller that adopts DPI to carry out network stream classification to data packet, is to increase the DPI module that adopts parallel processing mode in existing SDN controller, described DPI module includes message header module, Packet-flow conversion module, packet thread scheduling module, multiple thread modules and flow table construction module; the flow table construction module includes a protocol table and a flow table in the form of a table;

去消息头模块用于将接收到的OFPAK协议数据包OFPAK＝{(head,op₁),(head,op₂),…,(head,op_Z)}进行去除OpenFlow协议头head，得到原始数据包OP＝{op₁,op₂,…,op_Z}；The message header module is used to remove the head of the OpenFlow protocol header from the received OFPAK protocol data packet OFPAK={(head, op₁ ),(head, op₂ ),...,(head, op_Z )} to obtain the original data Packet OP = {op₁ ,op₂ ,...,op_Z };

包－流转换模块对接收到的任意一个数据包op_Z进行相同五元组内容的拾取，找出所述任意一个数据包op_Z对应的流的流连接ct_B；The packet-stream conversion module picks up the same quintuple content for any received data packet op_Z , and finds out the flow connection ct_B of the flow corresponding to any one data packet op_Z ;

分组线程调度模块依据线程权重qw_C用于对所述流连接ct_B进行处理，得到符合所述ct_B的处理线程；The grouping thread scheduling module is used to process the stream connection ct_B according to the thread weight qw_C , and obtain a processing thread conforming to the ct_B ;

多个线程模块从接收到的流连接ct_B中提取出数据包op_Z，然后采用正则表达式方法对所述数据包op_Z进行处理，输出所述数据包op_Z携带的协议信息PR和模式信息RE；Multiple thread modules extract the data packet op_Z from the received stream connection ct_B , and then process the data packet op_Z by using a regular expression method, and output the protocol information PR and mode carried by the data packet op_Z Information RE;

流表构建模块包括有协议表和流表；所述协议表是将接收到的协议信息PR和模式信息RE按照协议表形式填入相关项，得到协议结果；然后对协议结果应用策略表得到对应模式名PA^CT的执行动作PB^CT，最后将执行动作PB^CT填入流表的指令项中；The flow table construction module includes a protocol table and a flow table; the protocol table is to fill in the received protocol information PR and mode information RE in the form of the protocol table to obtain the agreement result; then apply the policy table to the agreement result to obtain the corresponding The execution action PB^CT of the pattern name PA^CT , and finally fill the execution action PB^CT into the instruction item of the flow table;

写流表是将接收到的协议信息PR和模式信息RE按照流表形式填入相关项的动作，进而得到流表，然后将流表输出给网络设备。Writing the flow table is the action of filling the received protocol information PR and mode information RE into the relevant items in the form of the flow table, and then obtain the flow table, and then output the flow table to the network device.

本发明的优点：Advantages of the present invention:

①本发明将DPI部署到SDN架构中的控制层中则流量分类信息可用于网络智能化部署也可通过北向API传输到应用层以供使用。①The present invention deploys DPI to the control layer in the SDN architecture, so the traffic classification information can be used for network intelligent deployment, and can also be transmitted to the application layer through the northbound API for use.

②本发明通过更改OpenFlow协议，使得DPI能够在SDN控制层部署，而无需在各个交换机节点部署DPI，降低成本。② The present invention enables DPI to be deployed at the SDN control layer by changing the OpenFlow protocol without deploying DPI at each switch node, thereby reducing costs.

③本发明中基于流连接(connection-level)并行DPI方法使得各个处理线程负载均衡，数据流的分组调度更加结合实际流量特点，提高常用规则集的命中率。③ In the present invention, based on the stream connection (connection-level) parallel DPI method, the load of each processing thread is balanced, and the packet scheduling of the data stream is more combined with the characteristics of the actual traffic to improve the hit rate of the common rule set.

④在数据包处理模块利用多数据包的多线程同时处理，根据数据流局部性原理调度流，能够更快的处理网络数据包，提高SDN控制器流量分类的处理速度，增大系统吞吐量。④ In the data packet processing module, multi-thread simultaneous processing of multiple data packets is used, and flow is scheduled according to the principle of data flow locality, which can process network data packets faster, improve the processing speed of SDN controller traffic classification, and increase system throughput.

附图说明Description of drawings

图1是传统的SDN控制器的体系结构图。Fig. 1 is an architecture diagram of a traditional SDN controller.

图2是本发明的基于DPI的SDN控制器中DPI模块的结构框图。Fig. 2 is a structural block diagram of a DPI module in the DPI-based SDN controller of the present invention.

图3是本发明的DPI模块流程图。Fig. 3 is a flow chart of the DPI module of the present invention.

图4是本发明的包－流转换与分组线程调度的流程图。Fig. 4 is a flow chart of packet-flow conversion and packet thread scheduling in the present invention.

图5是本发明中流表构建的流程图。Fig. 5 is a flowchart of flow table construction in the present invention.

具体实施方式detailed description

下面将结合附图和实施例对本发明做进一步的详细说明。The present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments.

参见图1所示，本发明是一种采用DPI对数据包进行网络流分类的SDN控制器，该基于DPI的SDN控制器是在现有SDN控制器中增加了DPI模块，所述DPI模块采用并行处理方式，即通过修改OpenFlow协议，基于DPI的SDN控制器和网络交换机通信获取数据包，基于连接的分组调度将数据包分发给处理线程做正则匹配，并下发流表到交换机来控制后续数据包的转发。Referring to shown in Fig. 1, the present invention is a kind of SDN controller that adopts DPI to carry out network flow classification to data packet, this SDN controller based on DPI is to increase DPI module in existing SDN controller, described DPI module adopts Parallel processing mode, that is, by modifying the OpenFlow protocol, the DPI-based SDN controller communicates with the network switch to obtain data packets, and the packet scheduling based on the connection distributes the data packets to the processing threads for regular matching, and sends the flow table to the switch to control the subsequent packet forwarding.

参见图2所示，在本发明中，DPI模块包括有去消息头模块、包－流转换模块、分组线程调度模块、多个线程模块(第一线程模块、第二线程模块、第C线程模块)和流表构建模块，所述流表构建模块中包括有以表格形式存在的协议表和流表。第一线程模块、第二线程模块和第C线程模块的结构相同。Referring to shown in Fig. 2, in the present invention, DPI module comprises and removes message header module, packet-stream conversion module, grouping thread scheduling module, a plurality of thread modules (the first thread module, the second thread module, the C thread module ) and a flow table construction module, the flow table construction module includes a protocol table and a flow table in the form of a table. The structures of the first thread module, the second thread module and the Cth thread module are the same.

为了更好地理解本发明及其优点，下面结合附图以及具体的示例对本发明做进一步详细的说明。In order to better understand the present invention and its advantages, the present invention will be further described in detail below in conjunction with the accompanying drawings and specific examples.

(一)去消息头模块(1) Remove message header module

去消息头模块用于将接收到的OFPAK协议数据包OFPAK＝{(head,op₁),(head,op₂),…,(head,op_Z)}进行去除OpenFlow协议头head，得到原始数据包OP＝{op₁,op₂,…,op_Z}。The message header module is used to remove the head of the OpenFlow protocol header from the received OFPAK protocol data packet OFPAK={(head, op₁ ),(head, op₂ ),...,(head, op_Z )} to obtain the original data Packet OP={op₁ , op₂ , . . . , op_Z }.

op₁表示去除了OpenFlow协议头的第一个数据包；op₁ indicates that the first packet with the OpenFlow protocol header removed;

op₂表示去除了OpenFlow协议头的第二个数据包；op₂ means the second packet with the OpenFlow protocol header removed;

op_Z表示去除了OpenFlow协议头的最后一个数据包，为了普识性说明，op_Z也称为任意一个数据包，Z表示数据包的标识号。op_Z represents the last data packet with the OpenFlow protocol header removed. For general explanation, op_Z is also referred to as any data packet, and Z represents the identification number of the data packet.

在本发明中，任意一个数据包op_Z包含有源端口号srcPort、目的端口号dstPort、协议号tran、源IP地址srcIP和目的IP地址dstIP的五元组内容op_Z＝{srcPort,dstPort,tran,srcIP,dstIP}。In the present invention, any data packet op_Z includes five-tuple content op_Z ={srcPort, dstPort, tran of active port number srcPort, destination port number dstPort, protocol number tran, source IP address srcIP and destination IP address dstIP ,srcIP,dstIP}.

(二)包－流转换模块(2) Packet-stream conversion module

包－流转换模块对接收到的任意一个数据包op_Z进行相同五元组内容的拾取，找出所述任意一个数据包op_Z对应的流的流连接ct_B。The packet-stream conversion module picks up the content of the same quintuple for any received data packet op_Z , and finds out the flow connection ct_B of the flow corresponding to the arbitrary data packet op_Z.

在本发明中，SDN控制器中存在有多个的流连接，所述流连接采用集合形式表达为CT＝{ct₁,ct₂,…,ct_B}，ct₁表示SDN控制器中的第一条流连接，ct₂表示SDN控制器中的第二条流连接，ct_B表示SDN控制器中的最后一条流连接，为了普识性说明，ct_B也称为任意一条流连接，B表示流连接的标识号。所述的任意一条流连接ct_B中包含有流连接标识号ID、数据包的个数packetnum、流连接的长度flen、源IP地址srcIP、目的IP地址dstIP、源端口号srcPort、目的端口号dstPort和协议号tran，采用集合形式表达为ct_B＝{ID,packetnum,flen,srcIP,srcPort,dstIP,dstPort,tran}。In the present invention, there are multiple stream connections in the SDN controller, and the stream connections are expressed as CT={ct₁ ,ct₂ ,...,ct_B } in the form of a set, where ct₁ represents the first stream connection in the SDN controller A flow connection, ct₂ means the second flow connection in the SDN controller, ct_B means the last flow connection in the SDN controller, for general explanation, ct_B is also called any flow connection, B means The identification number of the streaming connection. The arbitrary flow connection ct_B includes the flow connection identification number ID, the number of data packets packetnum, the length flen of the flow connection, the source IP address srcIP, the destination IP address dstIP, the source port number srcPort, and the destination port number dstPort and the protocol number tran are expressed as ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran} in a set form.

在本发明中，SDN控制器中可能存在多个原始数据包OP＝{op₁,op₂,…,op_Z}对应同一条流连接ct_B，也可能一个数据包op_Z对应一条流连接ct_B。In the present invention, there may be multiple original data packets OP={op₁ , op₂ ,..., op_Z } corresponding to the same flow connection ct_B in the SDN controller, or one data packet op_Z may correspond to a flow connection ct_B.

在本发明中，每一条流连接ct_B对应一个流连接的长度flen_B，流连接长度采用集合形式表达为FLEN＝{flen₁,flen₂,…,flen_B}，flen₁表示ct₁的长度，flen₂表示ct₂的长度，flen_B表示ct_B的长度。In the present invention, each flow connection ct_B corresponds to the length flen_B of a flow connection, and the flow connection length is expressed as FLEN={flen₁ ,flen₂ ,...,flen_B } in a set form, and flen₁ represents the length of ct₁ , flen₂ represents the length of ct₂ , and flen_B represents the length of ct_B.

(三)分组线程调度模块(3) Group thread scheduling module

分组线程调度模块用于对任意一条流连接ct_B依据线程权重qw_C进行处理，得到符合所述ct_B的处理线程。The grouping thread scheduling module is used to process any flow connection ct_B according to the thread weight qw_C , and obtain the processing thread conforming to the ct_B.

在本发明中，其中LEN_min为任务队列长度LEN＝{len₁,len₂,…,len_C}中的最小值，g(B,C)为固定哈希函数，则常数a＝1103515245，常数b＝12345。In the present invention, Where LEN_min is the minimum value of the task queue length LEN={len₁ ,len₂ ,…,len_C }, g(B,C) is a fixed hash function, then Constant a=1103515245, constant b=12345.

在本发明中，SDN控制器包括有多个线程MT＝{mt₁,mt₂,…,mt_C}，并且每一个线程mt_C对应一个任务队列qe_C，每一个任务队列qe_C对应一个任务队列长度len_C。SDN控制器中的每一个线程mt_C对应一个线程权重qw_C。In the present invention, the SDN controller includes multiple threads MT={mt₁ , mt₂ ,...,mt_C }, and each thread mt_C corresponds to a task queue qe_C , and each task queue qe_C corresponds to a task Queue length len_C . Each thread mt_C in the SDN controller corresponds to a thread weight qw_C .

线程采用集合形式表达为MT＝{mt₁,mt₂,…,mt_C}，mt₁表示第一个处理线程，mt₂代表第二个处理线程，mt_C代表最后一个处理线程，为了方便下文说明，mt_C也称为任意一个处理线程，C表示处理线程的标识号。Threads are expressed as MT={mt₁ , mt₂ ,...,mt_C } in the form of a collection, mt₁ represents the first processing thread, mt₂ represents the second processing thread, mt_C represents the last processing thread, for the convenience of the following Note that mt_C is also called any processing thread, and C represents the identification number of the processing thread.

任务队列采用集合形式表达为QE＝{qe₁,qe₂,…,qe_C}，qe₁表示mt₁对应的任务队列，qe₂表示mt₂对应的任务队列，qe_C表达mt_C对应的任务队列。The task queue is expressed as QE={qe₁ ,qe₂ ,…,qe_C } in the form of a set, qe₁ represents the task queue corresponding to mt₁ , qe₂ represents the task queue corresponding to mt₂ , and qe_C represents the task corresponding to mt_C queue.

任务队列长度采用集合形式表达为LEN＝{len₁,len₂,…,len_C}，len₁表示qe₁的长度，len₂表示qe₂的长度，len_C表示qe_C的长度。The length of the task queue is expressed as LEN={len₁ ,len₂ ,...,len_C } in the form of a set, where len₁ represents the length of qe₁ , len₂ represents the length of qe₂ , and len_C represents the length of qe_C.

线程权重采用集合形式表达为QW＝{qw₁,qw₂,…,qw_C}，qw₁表示mt₁对应的线程权重，qw₂表示mt₂对应的线程权重，qw_C表达mt_C对应的线程权重。The thread weight is expressed as QW={qw₁ ,qw₂ ,…,qw_C } in the form of a set, qw₁ represents the thread weight corresponding to mt₁ , qw₂ represents the thread weight corresponding to mt₂ , and qw_C represents the thread corresponding to mt_C Weights.

(四)线程模块(4) Thread module

线程模块第一方面用于接收流连接ct_B；The first aspect of the thread module is used to receive the stream connection ct_B ;

线程模块第二方面从流连接ct_B中提取出数据包op_Z；The second aspect of the thread module extracts the data packet op_Z from the stream connection ct_B ;

线程模块第三方面采用正则表达式方法对数据包op_Z进行处理，输出所述数据包op_Z携带的协议信息PR和模式信息RE。The third aspect of the thread module is to use a regular expression method to process the data packet op_Z , and output the protocol information PR and mode information RE carried by the data packet op_Z.

在本发明中，正则表达式方法请参考《网络流量分类方法与实践》汪立东，钱丽萍主编，2013年10月第1版，第125-132页的内容。In the present invention, for the regular expression method, please refer to "Network Traffic Classification Method and Practice", edited by Wang Lidong and Qian Liping, first edition in October 2013, pages 125-132.

在本发明中，所有流连接CT＝{ct₁,ct₂,…,ct_B}对应的协议信息记为PR＝{pr₁,pr₂,…,pr_B}，pr₁表示ct₁的协议信息，pr₂表示ct₂的协议信息，pr_B表示ct_B的协议信息。In the present invention, the protocol information corresponding to all flow connections CT={ct₁ , ct₂ ,...,ct_B } is recorded as PR={pr₁ ,pr₂ ,...,pr_B }, and pr₁ represents the protocol of ct₁ information, pr₂ indicates the protocol information of ct₂ , and pr_B indicates the protocol information of ct_B.

在本发明中，所有流连接CT＝{ct₁,ct₂,…,ct_B}对应的模式信息记为RE＝{re₁,re₂,…,re_F}，re₁表示第一个模式信息，re₂代表第二个模式信息，re_F代表最后一个模式信息，为了方便下文说明，re_F也称为任意一个模式信息，F表示模式信息的标识号。In the present invention, the mode information corresponding to all stream connections CT={ct₁ , ct₂ ,…,ct_B } is recorded as RE={re₁ ,re₂ ,…,re_F }, and re₁ represents the first mode information, re₂ represents the second mode information, and re_F represents the last mode information. For the convenience of the following description, re_F is also called any mode information, and F represents the identification number of the mode information.

(五)流表构建模块(5) Flow table building blocks

在本发明中，流表构建模块包括有协议表和流表；所述协议表是将接收到的协议信息PR和模式信息RE按照协议表形式填入相关项，得到协议结果；然后对协议结果应用策略表得到对应模式名PA^CT的执行动作PB^CT，最后将执行动作PB^CT填入流表的指令项中。In the present invention, the flow table construction module includes a protocol table and a flow table; the protocol table is to fill in the received protocol information PR and mode information RE into the relevant items according to the protocol table form to obtain the protocol result; then the protocol result The application policy table obtains the execution action PB^CT corresponding to the pattern name PA^CT , and finally fills the execution action PB^CT into the instruction item of the flow table.

在本发明中，写流表是将接收到的协议信息PR和模式信息RE按照流表形式填入相关项的动作，进而得到流表，然后将流表输出给网络设备。In the present invention, writing the flow table is an action of filling the received protocol information PR and mode information RE into related items in the form of the flow table, and then obtain the flow table, and then output the flow table to the network device.

(一)协议结果(1) Agreement result

标识号ID^CTIdentification number ID^CT模式名PA^CTschema name PA^CT

在本发明中，协议结果表示出了哪个流属于哪个模式名(参考《网络流量分类方法与实践》汪立东，钱丽萍主编，2013年10月第1版，第126-132页的L7-Filter模式总结)。In the present invention, the protocol result shows which flow belongs to which mode name (refer to "Network Traffic Classification Method and Practice" Wang Lidong, edited by Qian Liping, first edition in October 2013, L7-Filter on pages 126-132 mode summary).

(二)策略表(2) Strategy table

模式名PA^CTschema name PA^CT执行动作PB^CTExecute action PB^CT

在本发明中，策略表是用来约束模式名PA^CT所对应的流是否转发、丢弃的处理手段，即执行动作PB^CT。In the present invention, the policy table is a processing means for constraining whether the flow corresponding to the pattern name PA^CT is forwarded or discarded, that is, the execution action PB^CT .

(三)流表的格式如下：(3) The format of the flow table is as follows:

本发明中引用的流表主体请参考《SDN核心技术剖析和实战指南》，第42页内容，“Cookie”注文为储存在用户本地终端上的数据。不同之处在于：增加了“标记”，所述“标记”是指进入交换机中的流量是否传送到控制器，是一种标记为传送或者不传送的指定。For the main body of the flow table cited in the present invention, please refer to "SDN Core Technology Analysis and Practical Guide", page 42, "Cookie" is the data stored on the user's local terminal. The difference is that a "mark" is added, and the "mark" refers to whether the traffic entering the switch is transmitted to the controller, which is a designation of marking as transmission or not.

本发明提出的一种采用DPI对数据包进行网络流分类的SDN控制器，其接收来自多个交换机(即网络设备)递送的OpenFlow数据包，交换机将没有对应流表的数据包作为数据封装在OpenFlow协议数据包中，去除OpenFlow协议头，得到原始数据包，并对其进行预处理；利用五元组信息将数据包封装为流以建立流连接，若当前流连接为新的，则为其分配空间并将其加入连接队列CT，并调用数据包调度程序将其分配给系统选定的处理线程MT，进入MT处理队列中。流表构建收集所有MT处理结果，对每个流连接根据其处理后的模式名得到关联的策略表，然后利用丢弃、转发等方式对流表中相应的指令字段进行更改，并下发流表到所有交换机。The present invention proposes an SDN controller that adopts DPI to classify data packets into network streams. It receives OpenFlow data packets delivered from multiple switches (i.e., network devices), and the switches encapsulate data packets without corresponding flow tables as data in In the OpenFlow protocol data packet, remove the OpenFlow protocol header to obtain the original data packet, and preprocess it; use the quintuple information to encapsulate the data packet into a flow to establish a flow connection, if the current flow connection is new, set it as Allocate space and add it to the connection queue CT, and call the packet scheduler to assign it to the processing thread MT selected by the system, and enter the MT processing queue. The flow table construction collects all MT processing results, obtains the associated policy table for each flow connection according to its processed mode name, and then uses discarding, forwarding, etc. to change the corresponding instruction field in the flow table, and sends the flow table to All switches.

在本发明中，DPI技术在SDN网络架构下具有重要意义。主要表现在以下几个方面：In the present invention, the DPI technology is of great significance under the SDN network architecture. Mainly manifested in the following aspects:

(1)SDN和DPI技术结合可以实现集中策略和安全控制。改进的DPI技术可以为SDN控制器提供网络状态和流量的详细数据。这样SDN就可以将网络看作是一个整体的资源，而不是一系列单个设备(如交换机、安全性和其它4-7层元素)。DPI可以为所有相关功能(控制器、策略、安全性等)提供信息帮助，而不是目前各个性能设备的系统各自拥有其专属DPI技术。(1) The combination of SDN and DPI technology can realize centralized policy and security control. Improved DPI technology can provide SDN controllers with detailed data on network status and traffic. This allows SDN to view the network as a monolithic resource rather than a series of individual devices (such as switches, security and other layer 4-7 elements). DPI can provide information assistance for all related functions (controller, policy, security, etc.), instead of the current system of each performance device having its own exclusive DPI technology.

(2)DPI和SDN技术结合以提高网络安全性。DPI技术确保IT管理员和安全官员可以制定打击恶意软件和其它威胁的策略，并将其在所有层级实施，包括应用层和用户层。DPI和SDN技术的结合能使网络安全遍布在整个网络，而不仅仅是特定的端点，比如防火墙。(2) The combination of DPI and SDN technology to improve network security. DPI technology ensures that IT administrators and security officers can develop strategies to combat malware and other threats and enforce them at all levels, including the application and user levels. The combination of DPI and SDN technology can enable network security to spread throughout the entire network, not just specific endpoints, such as firewalls.

(3)DPI和SDN技术结合可以在网络管理方面应用大数据。DPI在为网络健康和性能提供关键信息方面扮演着重要的角色。结合SDN的DPI技术将引领当前网络走向更容易管理、更安全、运营成本更低的自动化网络。(3) The combination of DPI and SDN technology can apply big data in network management. DPI plays an important role in providing critical information on network health and performance. The DPI technology combined with SDN will lead the current network to an automated network that is easier to manage, safer, and lower in operating costs.

实施例1Example 1

以下给出本发明的一个实施例，说明本发明数据包调度的过程(如图3、图4、图5所示)，具体数据包调度步骤如下：Provide an embodiment of the present invention below, illustrate the process (shown in Fig. 3, Fig. 4, Fig. 5) of the present invention's packet scheduling, concrete packet scheduling steps are as follows:

S1步骤：支持OpenFlow协议的交换机接受到来自网络中设备发送的数据包封装成OpenFlow协议数据包记为OFPAK＝{(head,op₁),(head,op₂),…,(head,op_Z)}，然后将OFPAK＝{(head,op₁),(head,op₂),…,(head,op_Z)}发送给本发明改进的控制器，即基于DPI的SDN控制器；Step S1: The switch supporting the OpenFlow protocol receives the packet sent by the device in the network and encapsulates it into an OpenFlow protocol packet, which is recorded as OFPAK={(head, op₁ ),(head, op₂ ),...,(head, op_Z )}, and then send OFPAK={(head, op₁ ), (head, op₂ ),..., (head, op_Z )} to the improved controller of the present invention, namely the SDN controller based on DPI;

S2步骤：在基于DPI的SDN控制器中，将OFPAK＝{(head,op₁),(head,op₂),…,(head,op_Z)}中的每个协议数据包的包头去除，得到OP＝{op₁,op₂,…,op_Z}；Step S2: In the DPI-based SDN controller, remove the header of each protocol data packet in OFPAK={(head, op₁ ), (head, op₂ ),..., (head, op_Z )}, Get OP={op₁ ,op₂ ,...,op_Z };

根据任意一个数据包op_Z的五元组信息，得到具有相同五元组信息的数据包所属的连接记为CT＝{ct₁,ct₂,…,ct_B}，且B≤Z，其中ct_B＝{ID,packetnum,flen,srcIP,srcPort,dstIP,dstPort,tran}；According to the five-tuple information of any data packet op_Z , the connection to which the data packet with the same five-tuple information belongs is recorded as CT={ct₁ ,ct₂ ,…,ct_B }, and B≤Z, where ct_B = {ID, packetnum, flen, srcIP, srcPort, dstIP, dstPort, tran};

ID表示连接标识号；ID represents the connection identification number;

packetnum表示数据包的个数；packetnum indicates the number of data packets;

flen表示连接的长度；flen indicates the length of the connection;

srcIP表示源IP地址；srcIP represents the source IP address;

dstIP表示目的IP地址；dstIP indicates the destination IP address;

srcPort表示源端口号；srcPort indicates the source port number;

dstPort表示目的端口号；dstPort indicates the destination port number;

tran表示传输层协议；tran represents the transport layer protocol;

根据ID将流CT分配给数据包处理模块的处理线程Assign the flow CT to the processing thread of the packet processing module according to the ID

MT＝{mt₁,mt₂,…,mt_C}，连接CT进入MT运行队列中,计算对应任务队列QE＝{q₁,q₂,…,q_D}的长度LEN＝{len₁,len₂,…,len_E}。MT＝{mt₁ ,mt₂ ,...,mt_C }, connect CT to enter MT running queue, calculate the length of corresponding task queue QE＝{q₁ ,q₂ ,...,q_D } LEN＝{len₁ ,len₂ ,...,len_E }.

图4中展示步骤S2中的关于包－流转换模块和分组线程调度模块具体的步骤如下：The specific steps about the packet-flow conversion module and the packet thread scheduling module in step S2 are shown in Fig. 4 as follows:

S201：从步骤S1获得原始数据包op_Z后，提取数据包op_Z的头部五元组信息srcPort,dstPort,tran,srcIP,dstIP；所述五元组包括源IP地址、源端口、目的IP地址、目的端口和传输层协议；然后根据五元组信息找到该数据包op_Z信息对应的流连接ct_B；S201: After obtaining the original data packet op_Z from step S1, extract the header quintuple information srcPort, dstPort, tran, srcIP, dstIP of the data packet op_Z ; the quintuple includes source IP address, source port, and destination IP Address, destination port and transport layer protocol; then find the flow connection ct_B corresponding to the data packet op_Z information according to the five-tuple information;

S202：判断流连接表CT中是否存在步骤S201中生成的流连接标识的条目ct_B，如果已经存在该流连接条目ct_B，则转入执行步骤S203，如果流连接表中不存在该标识流连接条目，转入执行步骤S204；S202: Determine whether the stream connection identifier entry ct_B generated in step S201 exists in the stream connection table CT, if the stream connection entry ct_B already exists, then go to step S203, if the stream connection table does not exist the stream To connect the entry, proceed to step S204;

S203：在流连接表中将数据包信息添加到对应流连接条目ct_B下，存储数据包信息完成，转入执行步骤S205；S203: Add the data packet information to the corresponding flow connection entry ct_B in the flow connection table, complete storing the data packet information, and proceed to step S205;

S204：在流连接中建立该连接标识的条目，并保存该流连接信息，转入执行步骤S205；S204: Create an entry of the connection identifier in the stream connection, save the stream connection information, and proceed to step S205;

S205：获取当前所有处理线程MT的任务队列长度LEN，对每个mt_C，获取最小任务长度LEN_min，当前mt_C的任务队列长度len_C和连接ct_B的数据包长度信息flen_B，转入执行步骤S206；S205: Obtain the task queue length LEN of all current processing threads MT, and for each mt_C , obtain the minimum task length LEN_min , the task queue length len_C of the current mt_C and the packet length information flen_B of the connection ct_B , and transfer to Execute step S206;

S206：依据线程权重计算当前mt_C的权重qw_C，选择具有最大权重的线程mt_C，转入执行步骤S207；S206: According to the thread weight Calculate the weight qw_C of the current mt_C , select the thread mt_C with the largest weight, and proceed to step S207;

S207：，将连接ct_B加入到具有最大权重的线程mt_C的任务队列qe_C中，转入执行步骤S3；S207: Add the connection ct_B to the task queue qe_C of the thread mt_C with the maximum weight, and transfer to step S3;

S3步骤：处理线程MT从运行队列中取出连接ct_B，得到连接中所有数据包OP＝{op₁,op₂,…,op_Z}，将数据包op_Z应用层数据和系统的规则集RE＝{re₁,re₂,…,re_F}用正则匹配来进行协议检测，得到连接CT对应的模式名。将连接所属协议结果PR递送给流表下发模块。Step S3: the processing thread MT takes out the connection ct_B from the running queue, obtains all data packets OP={op₁ , op₂ ,...,op_Z } in the connection, and combines the data packets op_Z with the application layer data and the system rule set RE ＝{re₁ ,re₂ ,...,re_F } Use regular matching to perform protocol detection, and obtain the schema name corresponding to the connection CT. Deliver the protocol result PR to which the connection belongs to the flow table delivery module.

图5中展示步骤S3中的关于数据包处理模块具体的协议检测步骤如下：The specific protocol detection steps about the packet processing module in step S3 shown in Fig. 5 are as follows:

S301：处理线程mt_C获取其任务队列中的连接ct_B,得到mt_C中所有数据包OP＝{op₁,op₂,…,op_Z}，执行步骤302；S301: the processing thread mt_C obtains the connection ct_B in its task queue, obtains all data packets OP={op₁ , op₂ ,..., op_Z } in mt_C , and executes step 302;

S302：判断ct_B的传输层协议tran字段是否是属于TCP、UDP或者ICMP，若三者都不是，则丢弃该流连接；若属于其中之一，则进入步骤S304；S302: judge whether the transport layer protocol tran field of ct_B belongs to TCP, UDP or ICMP, if the three are not, then discard the stream connection; if it belongs to one of them, then enter step S304;

S304：判断ct_B的包的个数packetnum是否大于10，若packetnum＞10，则丢弃该流连接，若packetnum≤10，则进入步骤S306；S304: Determine whether the packet number packetnum of ct_B is greater than 10, if packetnum>10, then discard the flow connection, if packetnum≤10, then enter step S306;

S306：获取数据包op_Z的应用层数据进入步骤S307；S306: Obtain the application layer data of the data packet op_Z and enter step S307;

S307：从规则集RE中取一个规则re_F,将其编译进入步骤S308；S307: Take a rule re_F from the rule set RE, compile it and enter step S308;

S308：将编译后的re_F和op_Z应用层数据进行正则匹配，若结果为不匹配，则进入步骤S307，若能够匹配，则进入步骤S309；S308: Regularly matching the compiled re_F and op_Z application layer data, if the result is no match, then enter step S307, if they can match, then enter step S309;

S309：将协议结果以结果集PR＝{pr₁,pr₂,…,pr_B}形式返回给流表下发模块，并进行流表处理。S309: Return the protocol result to the flow table delivery module in the form of a result set PR={pr₁ ,pr₂ ,...,pr_B }, and perform flow table processing.

S4步骤：流表下发模块收到所有处理线程MT协议检测结果PR，根据协议结果PR和系统设定的策略表，得到当前流的执行动作PB^CT，将执行动作PB^CT填入流表的指令项中，将1填入流表的标记字段中，并下发流表到所有交换机。Step S4: The flow table delivery module receives the MT protocol detection results PR of all processing threads, obtains the execution action PB^CT of the current flow according to the protocol result PR and the policy table set by the system, and fills the execution action PB^CT into the flow table In the instruction item, fill in 1 in the tag field of the flow table, and deliver the flow table to all switches.