层次型多中心的SDN控制器部署

软件定义网络(SDN)通过转发与控制分离,借助控制面的集中化实现网络的灵活性和开放性.控制器部署是SDN部署运行的基础和前提.针对层次型多中心SDN的控制器部署问题,该文采用多层k路划分方法实现大规模SDN网络的区域划分,将传统的SDN多控制器直接部署转化为区域划分和域内控制器部署,同时通过减少图划分的域间割边数以降低SDN跨域流数量以提高流表构建效率.通过实验验证,较其他传统方法,该文提出的层次型多中心控制器部署方法可有效减少网络通信代价,降低流表构建代价.     

SDN组网关键技术及标准化研究

本文首先介绍了软件定义网络(SDN)逻辑层次、网络结构和组网特性.对SDN网络建模、路由算法、可编程转发平面技术、控制器技术、扩展技术等关键技术进行简要介绍,调研并分析SDN发展趋势和标准化进程,以及SDN技术在各领域的应用场景,最后对SDN可扩展技术等关键技术的发展趋势进行了展望分析,提出SDN面对日益复杂的网络环境亟需解决的问题.     

基于SDN和NFV的业务链管理系统研究

首先针对目前业务链系统拓扑固化、扩展难的问题,分析业务链系统SDN化以及NFV化的需求。SDN的基本特征是转发与控制分离,集中的软件控制以及开放的编程接口,通过使用SDN技术,可以使得业务链系统具有灵活、拓扑可视、扩展方便等特性。然后,分析基于SDN技术实现业务链管理系统的技术架构,基于SDN的业务链系统主要由业务链管理系统、策略管理系统、SDN控制器、流分类器、SDN交换机等主要组件组成。文章对其中的关键技术进行了研究分析,最后,对业务链应用场景进行了研究,目前业务链系统在数据中心、Gi-LAN、接入网等场景有大量的应用需求。     

SDN中基于KMOBPSO的高可靠性控制器部署算法

针对SDN中控制器系统的单节点故障问题,兼顾系统成本和系统时延,应用N+1冗余备份模型来提高SDN控制器部署的可靠性,并将其抽象为多目标优化问题.同时,提出了一种融合K-means聚类算法和遗传算子的多目标二进制粒子群算法——KMOBPSO算法,以求解SDN控制器高可靠性部署问题的解.仿真结果表明,所提算法具有求解精度高、分布均匀、沿Pareto前沿面覆盖广的特点,能够显著提高SDN中控制器部署的可靠性.     

基于OVS的SDN移动自组网络架构设计及实现

在SDN移动自组网络中,控制转发策略集中于控制器中,使得基于流表匹配的数据转发变得简单高效。但是,由于移动自组网环境复杂多变、无线信号不稳定和网络拓扑多变等原因,容易出现数据层面失去控制器控制和流表学习老化等问题,这严重制约网络性能。针对以上问题,设计了一种基于Open v Switch的SDN移动自组网络架构,架构包含状态处理与应用感知等核心功能。状态处理服务实现控制器与交换机连接状态的跟踪检测、Open Flow协议的状态匹配字段拓展和数据包在不同状态场景下进行感知处理等功能,应用感知服务实现转发策略在数据层面被灵活调度的功能。在Open v Switch和Ryu开源控制器上进行协议开发和原型系统搭建。实验结果表明,控制器连发生接故障后,业务恢复时延低于100 ms,流表项可以及时更新,这可以保障网络吞吐量的稳定性。因此,设计的架构有效减小控制器失连故障对通信的影响,增强了基于SDN的移动自组网络的稳定性和可靠性。     

V330OpenFlow：交换机参考系统

盛科网络（苏州）有限公司推出V330OpenFlow交换机参考系统,提供从核心芯片、标准ToR交换机硬件到系统软件设计的完整解决方案。V330OpenFlow交换机参考系统基于盛科自主研发的TransWarpTM系列核心交换芯片,采用了成熟的ToR交换产品硬件平台,整合开源的OVS,在此基础上优化和开放SDK源代码以支持更开放的网络环境。在与网络控制器的接口上,采用开源OVS协议栈作为SDN北向接口,     

SDN多控制器一致性的量化研究

针对SDN网络中多控制器的一致性问题,提出了一种量化的研究方法,为控制层的东西向扩展提供更为精准有效的共享网络视图方法。首先,结合SDN的特性,给出了控制器之间一致性、性能以及可用性的度量指标,建立通用的量化分析模型。其次,针对其中3类典型的一致性问题进行了量化研究,明确了其取得最优值的条件,为一致性参数的配置提供了参考。最后,通过仿真实验对该量化方法进行验证。实验结果表明,该量化方法能够有效提高SDN控制层的性能和可用性。     

基于SDN和集成学习的工业控制网络安全防护系统

针对工业控制网络通信信息安全与稳定问题,设计一种基于SDN和集成学习的工业控制网络安全防护系统。该系统采用SDN技术,分为物理层、现场层、转发层、控制层和应用层等5个层次。物理层包含现场终端设备;现场层通过控制模块与操作员站实现对现场终端的控制;转发层使用SDN交换机进行通信数据传输,并将数据镜像传输至应用层进行安全分析;控制层中的SDN控制器管理和控制SDN交换机,并执行应用层下发的安全防护策略;应用层利用集成学习算法对工业控制网络进行入侵行为检测,通过安全响应模块分析入侵信息并选择相应的防御机制。实验结果表明,所设计系统满足工业控制网络通信的实时性要求,能准确地实施入侵检测,从而保障工业控制网络的安全性和正常通信。     

运营商SDN/NFV实践落地有声

在4月13日的中国SDN/NFV大会上,三大运营商的SDN/NFV演讲与往年最大的区别是在试点进展的介绍上更侧重实际问题. 运营商批SDN接口封闭:不利于开放合作 中国移动研究院网络所所长段晓东在介绍中国移动SDN引入进展时,特别提到了目前网络SDN改造过程中的几大问题. 一个问题是“软件定义网络,把网络未曾遇到的问题扩展了”,例如数据库不同步、控制器消息队列满并充斥大量无用新消息,以至于影响VM执行DHCP流程并获取IP地址、异常情况处理不完善等.     

一种大象流两级识别方法

基于大象流的识别准确度高且开销低,对于解决SDN流量管理过程中控制器单点故障问题具有重要意义.针对现有大象流识别方法识别开销大的问题,提出一种大象流两级识别方法.该方法在第一阶段提出基于TCP发送队列的可疑大象流识别算法,在第二阶段提出基于流持续时间的真实大象流识别算法;第一阶段是在端系统中识别可疑大象流,用于降低第二阶段真实大象流识别过程中SDN控制器所需监测的网络流数量.实验分析表明,在保证大象流识别的高准确度前提下,大象流两级识别方法较基于采样的大象流识别方法可以降低约85％的控制器识别开销.     

一种SDN中基于熵值计算的异常流量检测方法

摘要：软件定义网络（software defined networking,SDN）是一种新型网络创新架构,其分离了控制平面与转发平面,使得网络管理更为灵活。借助SDN控制与转发分离的思想,在SDN基础上引入一个集中式安全中心,在数据平面设备上采集数据,用于对网络流量进行分析,通过熵值计算和分类算法判断异常流量行为。对于检测到的网络异常情况,安全中心通过与SDN控制器的接口通告SDN控制器上的安全处理模块,进行流表策略的下发,进而缓解网络异常行为。通过本系统可以在不影响SDN控制器性能的情况下,快速检测网络中的异常行为,并通过SDN下发流表策略对恶意攻击用户进行限制,同时对SDN控制器进行保护。     

Survey of controller placement problem in software defined network

In order to change situation of high management complexity in current Internet,software defined network (SDN) was proposed,which mainly aimed to directly control forwarding behaviors of data-flow by using flow strategies generated by controllers.With the deployment and applications of SDN,research communities found that the controller placement in SDN network could directly affect network performance.In recent years,controller placement problem (CPP) has become a hot topic,where performance metric and searching algorithms are important research areas.Based on current researches,the existing controller placement problem was systematically analyzed and summarized,which was expected to be helpful for the follow-up research.     

A genetic algorithm‐based flow update scheduler for software‐defined networks

Software‐defined networking (SDN) facilitates network programmability through a central controller. It dynamically modifies the network configuration to adapt to the changes in the network. In SDN, the controller updates the network configuration through flow updates, ie, installing the flow rules in network devices. However, during the network update, improper scheduling of flow updates can lead to a number of problems including overflowing of the switch flow table memory and the link bandwidth. Another challenge is minimizing the network update completion time during large‐network updates triggered by events such as traffic engineering path updates. The existing centralized approaches do not search the solution space for flow update schedules with optimal completion time. We proposed a hybrid genetic algorithm‐based flow update scheduling method (the GA‐Flow Scheduler). By searching the solution space, the GA‐Flow Scheduler attempts to minimize the completion time of the network update without overflowing the flow table memory of the switches and the link bandwidth. It can be used in combination with other existing flow scheduling methods to improve the network performance and reduce the flow update completion time. In this paper, the GA‐Flow Scheduler is combined with a stand‐alone method called the three‐step method. Through large‐scale experiments, we show that the proposed hybrid approach could reduce the network update time and packet loss. It is concluded that the proposed GA‐Flow Scheduler provides improved performance over the stand‐alone three‐step method. Also, it handles the above‐mentioned network update problems in SDN.     

Circuit‐based logical layer 2 bridging in software‐defined data center networking

With the expansion of the size of data centers, software‐defined networking (SDN) is becoming a trend for simplifying the data center network management with central and flexible flow control. To achieve L2 abstractions in a multitenant cloud, Open vSwitch (OVS) is commonly used to build overlay tunnels (eg, Virtual eXtensible Local Area Network [VXLAN]) on top of existing underlying networks. However, the poor VXLAN performance of OVS is of huge concern. Instead of solving the performance issues of OVS, in this paper, we proposed a circuit‐based logical layer 2 bridging mechanism (CBL2), which builds label‐switched circuits and performs data‐plane multicasting in a software‐defined leaf‐spine fabric to achieve scalable L2 without overlay tunneling. Our evaluations indicate that direct transmission in OVS improves throughput performance by 58% compared with VXLAN tunneling, and data‐plane multicasting for ARP reduces address resolution latency from 149 to 0.5 ms, compared with control‐plane broadcast forwarding. The evaluation results also show that CBL2 provides 0.6, 0.4, and 11‐ms protection switching time, respectively, in the presence of switch failure, link failure, and port shutdown in practical deployment.     

Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment

For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment,a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection,utilized confidence-based filtering (CBF) method to calculate the CBF score of packets,judged the packet of CBF score below the threshold as an attacking packet,added its attribute information to the attack flow feature library,and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively,and it has high detection efficiency,reduces the controller’s computation overhead,and achieves a low false positive rate.     

基于深度学习的软件定义网络应用策略冲突检测方法

在基于OpenFlow的软件定义网络（SDN）中,应用被部署时,相应的流表策略将被下发到OpenFlow交换机中,不同应用的流表项之间如果产生冲突,将会影响交换机的实际转发行为,进而扰乱特定应用的正确部署以及SDN的安全。随着SDN规模的扩大以及需要部署应用的数量的剧增,交换机中的流表数量呈现爆炸式增长。此时若采用传统的流表冲突检测算法,交换机将会耗费大量的系统计算时间。结合深度学习,首次提出了一种适合SDN中超大规模应用部署的智能流表冲突检测方法。实验结果表明,第一级深度学习模型的AUC达到97.04%,第二级模型的AUC达到99.97%,同时冲突检测时间与流表规模呈现线性增长关系。     

Method for Overflow Attack Defense of SDN Network Flow Table Based on Stochastic Differential Equation

In order to avoid the overflow problem of network flow table caused by hackers attacking the network in the process of using the network, a method for overflow attack defense of SDN network flow table based on stochastic differential equation is proposed. In this method, the stochastic differential equation is first proposed, and the drift coefficient and diffusion coefficient of the equation are expanded and adjusted by Taylor. By using the limit theorem, the spillover attack of SDN network is weakly converged to an approximate two-dimensional Markov diffusion process, and the improved stochastic differential equation is obtained. Then, according to the stochastic nature of SDN network attack, the stochastic differential equation is transformed into an amplitude equation, which is based on the amplitude. The equation establishes a SDN attack detection scheme based on flow table statistics, which detects the spillover attacks of SDN network flow tables. Finally, according to the test results, it is proposed to use other switches instead of network flow table overflow switches to control the data upload rate, thus reducing the possibility of network crash and meeting the attack defense requirements of flow table overflow. The simulation results show that the proposed method has better detection performance and shorter running time, and can provide help for network security related work.

     

Balanced multiple controllers placement with latency and capacity bound in software-defined network

Software-defined network (SDN) used a network architecture which separates the control plane and data plane. The control logic of SDN was implemented by the controller. Because controller's capacity was limited, in large scale SDN networks, single controller can not satisfy the requirement of all switches. Multiple controllers were needed to han-dle all data flows. By the reason that the latency between controller and switch would significantly affect the forwarding of new data flow, the rational placement of controllers would effectively improve the performance of entire network. By partition the network into multiple sub domains, on the base of spectral clustering, a method that added a balanced de-ployment object function into k-means was given and a balanced multiple controllers placement algorithm in SDN net-works which has the latency and capacity limitations was proposed. In this approach, a penalty function was introduced in the algorithm to avoid isolation nodes appearing. The simulations show that this algorithm can balance partition the net-work, keep the latency between controller and switch small and keep loads balancing between controllers.     

面向软件定义广域网的路径可编程性保障研究综述

软件定义网络(SDN)被誉为下一代网络的关键技术。近年来，SDN已经成为学术界与工业界的热点。广域网是SDN应用到工业界的一个重要的场景。基于SDN的广域网被称为软件定义广域网(SD-WAN)。在SD-WAN中，SDN控制器通过控制流转发路径上的SDN交换机来实现流的路径可编程性。然而，控制器失效是SD-WAN中一种常见的现象。当控制器失效时，流转发路径上的交换机会失去控制，流的路径可编程性将无法得到保障，从而无法实现对网络流量的灵活调度，导致网络性能下降。该文对SD-WAN控制器失效场景下保证路径可编程性的研究工作进行了综述。该文首先阐述了当控制器失效时，SD-WAN中路径可编程性保障研究的背景及意义。随后，在查阅分析了国内外相关文献的基础上，介绍了当前在控制器失效时SD-WAN对交换机的主流控制方案。最后，对现有研究成果可能的进一步提高之处进行了总结，并对此研究的未来发展与研究前景进行了展望。