軟件定義網(wǎng)絡(luò)中基于流量管理的分布式防火墻策略

史久根; 王繼; 張徑; 徐皓

doi:10.11999/JEIT180223

軟件定義網(wǎng)絡(luò)中基于流量管理的分布式防火墻策略

doi: 10.11999/JEIT180223 cstr: 32379.14.JEIT180223

合肥工業(yè)大學(xué)計(jì)算機(jī)與信息學(xué)院 ??合肥 ??230009

基金項(xiàng)目: 國(guó)家重大科學(xué)儀器設(shè)備開發(fā)專項(xiàng)(2013YQ030595)

詳細(xì)信息

作者簡(jiǎn)介:
史久根：男，1963年生，副教授，研究方向?yàn)榍度胧较到y(tǒng)、計(jì)算機(jī)網(wǎng)絡(luò)和無(wú)線傳感器網(wǎng)絡(luò)

王繼：男，1992年生，碩士生，研究方向?yàn)檐浖x網(wǎng)絡(luò)、網(wǎng)絡(luò)功能虛擬化

張徑：男，1993年生，碩士生，研究方向?yàn)檐浖x網(wǎng)絡(luò)、網(wǎng)絡(luò)功能虛擬化和嵌入式系統(tǒng)

徐皓：男，1994年生，碩士生，研究方向?yàn)檐浖x網(wǎng)絡(luò)和嵌入式系統(tǒng)

通訊作者:
王繼　jiwang@mail.hfut.edu.cn

中圖分類號(hào): TP393
計(jì)量
- 文章訪問數(shù): 2031
- HTML全文瀏覽量: 644
- PDF下載量: 80
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2018-03-09
- 修回日期: 2018-07-26
- 網(wǎng)絡(luò)出版日期: 2018-08-06
- 刊出日期: 2019-01-01

Distributed Firewall Policy Based on Traffic Engineering in Software Defined Network

School of Computer and Information, Hefei University of Technology, Hefei 230009, China

Funds: The National Major Scientific Instruments Development Project (2013YQ030595)

摘要

摘要:
在軟件定義網(wǎng)絡(luò)中將防火墻策略定義為訪問控制型規(guī)則，并將其分布式地部署在網(wǎng)絡(luò)中能夠提高會(huì)話的服務(wù)質(zhì)量。為了減少放置在網(wǎng)絡(luò)中規(guī)則的數(shù)量，文中提出多路復(fù)用和合并的啟發(fā)式規(guī)則放置算法(HARA)。算法考慮到了商品交換機(jī)TCAM存儲(chǔ)空間和端點(diǎn)交換機(jī)相連鏈路的流量負(fù)載，通過建立以最小化規(guī)則放置數(shù)量為目標(biāo)的混合整數(shù)線性規(guī)劃模型，解決不同吞吐量的多路由單播會(huì)話的規(guī)則放置問題。實(shí)驗(yàn)結(jié)果表明，與nonRM-CP算法相比，在保證不同會(huì)話服務(wù)質(zhì)量的前提下，該算法最多能節(jié)省56%的TCAM空間，平均能減少13.1%的帶寬資源利用率。
- 軟件定義網(wǎng)絡(luò) /
- 分布式防火墻策略 /
- 規(guī)則放置 /
- TCAM /
- 流量負(fù)載
Abstract:
Firewall policy is defined as access control rules in Software Definition Network (SDN), and distributing these ACL (Access Control List) rules across the networks, it can improve the quality of service. In order to reduce the number of rules placed in the network, the Heuristic Algorithm of Rules Allocation (HARA) of rule multiplexing and merging is proposed in this paper. Considering TCAM storage space of commodity switches and connected link traffic load of endpoint switches, a mixed integer linear programming model which minimize the number of rules placed in the network is established, and the algorithm solves the rules placement problem of multiple routing unicast sessions of different throughputs. Compared with the nonRM-CP algorithms, simulations show that HARA can save 18% TCAM at most and reduce the bandwidth utilization rate of 13.1% at average.
- Software Defined Network (SDN) /
- Distributed firewall policy /
- Rules allocation /
- Ternary Content Addressable Memory (TCAM) /
- Traffic load

HTML全文

圖 1 單播會(huì)話流場(chǎng)景1

下載: 全尺寸圖片幻燈片

圖 2 單播會(huì)話流場(chǎng)景2

下載: 全尺寸圖片幻燈片

圖 3 ACL規(guī)則數(shù)量對(duì)比

下載: 全尺寸圖片幻燈片

圖 4 選擇的路徑數(shù)對(duì)比

下載: 全尺寸圖片幻燈片

圖 5 帶寬利用率對(duì)比

下載: 全尺寸圖片幻燈片

圖 6 路由花銷對(duì)比

下載: 全尺寸圖片幻燈片

表 1 多路由選取算法

算法1　多路由選取算法(MRSA)

輸入：網(wǎng)絡(luò)拓?fù)?G = (V,E)$，路由花銷$w(i,j)$ ，單播會(huì)話集$K$

輸出：$\widetilde {{P}}_k$

(1)　$\widetilde {{P}}_k,A,B \leftarrow \varnothing $, $\varOmega _{ab}^k \leftarrow \{ a,b\} $, ${\rm{inf}} \leftarrow \infty $, $n,m \leftarrow 0$

(2)　for each single session $k \in K$ in $G(V,E)$ do

(3)　　$A \leftarrow $ the nodes of connecting to $a$

(4)　　$B \leftarrow $ the nodes of connecting to $b$

(5)　　$\deg _a^{\rm{ + }},\deg _b^ - \leftarrow $ compute the degree of $a$ and $b$ in $G(V,E)$

(6)　　while $n \ne \deg _a^{\rm{ + }}$ in $G(V,E)$ do

(7)　　　$\widetilde {{P}}_k \leftarrow $ Dijkstra $(a,b)$

(8)　　　$n \leftarrow $ count the number of node $a$ in $\widetilde {{P}}_k$

(9)　　　the first link routing cost of previous candidate path in　　　　 $G(V,E) \leftarrow {\rm{inf}}$

(10)　　end while

(11)　　while $n \ne \deg _b^ - $ in $G(V,E)$ do

(12)　　　$n \leftarrow $ count the number of different nodes connecting　　　　　　 to $b$ in $\widetilde {{P}}_k$

(13)　　　$\widetilde {{P}}_k \leftarrow $ Dijkstra $(a,B) \cup \{ b\} $

(14)　　end while

(15)　　$\deg_i^{\rm{ + }} \leftarrow $ compute the degree of $i$ from $A$ in $G(V,E)$

(16)　　while $m \ne \deg _i^{\rm{ + }}$ in $G(V,E)$ do

(17)　　　$m \leftarrow $ count the number of different nodes connecting $i$　　　　 in $\widetilde {{P}}_k$

(18)　　　the second link routing cost of previous candidate path　　　　 in$G(V,E)$

(19)　　　$\widetilde {{P}}_k \leftarrow $ Dijkstra $(A,b) \cup \{ a\} $

(20)　　end while

(21)　end for

(22)　return $\widetilde {{P}}_k$

下載: 導(dǎo)出CSV

表 2 分布式防火墻部署算法

算法2：分布式防火墻部署算法(DPAA)

輸入：?jiǎn)尾?huì)話集$K$，會(huì)話集的吞吐量${d_k}$，候選路徑集$\widetilde {{P}}_k$，規(guī)則子　　　集${R_k}$

輸出：規(guī)則數(shù)量${R_{\rm{all}}}$，帶寬利用率${B_{\rm{use}}}$，路由花銷${L_{\rm{cost}}}$

(1)　${R_{\rm{all}}},{B_{\rm{use}}},{L_{\rm{cost}}} \leftarrow {\rm{0}}$

(2)　${P_k} \leftarrow $ sort $\widetilde {{P}}_k$ from algorithm 1 into a two-dimension array

(3)　for each single session $k \in K$ in $G(V,E)$ do

(4)　　for $p \in {P_k}$ do

(5)　　　${B_{\min }} \leftarrow $ sort the minimum bandwidth of all paths

(6)　　　if　$\sum\nolimits_{i \in V} {{r_u}} \le {C_i}$ and ${R_k} \subseteq {\forall _{i \in V}}\left\{ i \right\}$ do

(7)　　　　if ${d_k} < {B_{{\rm{min}}}}$ do

(8)　　　　　${l^p} \leftarrow 1$, $x_i^{up} \leftarrow 1$

(9)　　　　else

(10)　　　　　${l^p} \leftarrow 1$, $l_{(i,j)}^p \leftarrow 1$, $x_i^u \leftarrow 1$, $x_i^{up} \leftarrow 1$

(11)　　　　end if

(12)　　　end if

(13)　　end for

(14)　end for

(15)　for all nodes do

(16)　　if each node satisfy $(12)$ do

(17)　　　$x_{ui}^m \leftarrow 1$

(18)　　end if

(19)　end for

(20)　return ${R_{\rm{all}}}$, ${B_{\rm{use}}}$, ${L_{\rm{cost}}}$

下載: 導(dǎo)出CSV

表 3 不同場(chǎng)景下規(guī)則放置的節(jié)點(diǎn)及數(shù)量

典型會(huì)話場(chǎng)景	選擇的節(jié)點(diǎn)：規(guī)則數(shù)量	規(guī)則總數(shù)量
場(chǎng)景1	會(huì)話流A: 0: 7, 8: 7, 11: 6 會(huì)話流B: 2: 4, 7: 6, 8: 10	[33, 40]
場(chǎng)景2	會(huì)話流A: 0: 7, 8: 7, 11: 6 　會(huì)話流C: 3: 4, 4: 3, 6: 7, 8: 6	[34, 40]

下載: 導(dǎo)出CSV

參考文獻(xiàn)(17)

MCKEOWN N, ANDERSON T, BALAKRISHNAN H, et al. OpenFlow: Enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(2): 69–74. doi: 10.1145/1355734.1355746

NGUYEN X N, SAUCEZ D, BARAKAT C, et al. Rules placement problem in openflow networks: A survey[J]. IEEE Communications Survey & Tutorials, 2016, 18(2): 1273–1286. doi: 10.1109/COMST.2015.2506984

KANG Nanxi, LIU Zhenming, REXFORD Jennifer, et al. Optimizing the " one big switch” abstraction in software-defined networks[C]. Proceedings of the Ninth ACM Conference on Emerging Networking Experiments and Technologies, Santa Barbara, California, USA, 2013: 13–24.

KANIZO Y, HAY D, and KESLASSY I. Palette: distributing tables in software-defined networks[C]. 2013 Proceedings IEEE INFOCOM, Turin, Italy, 2013: 545–549.

HUANG Jenfeng, CHANG Gueyyun, WANG Chunfeng, et al. Heterogeneous flow table distribution in software-defined networks[J]. IEEE Transactions on Emerging Topics in Computing, 2016, 4(2): 252–261. doi: 10.1109/TETC.2015.2457333

NGUYEN X, SAUCEZ D, BARAKAT C, et al. OFFICER: A general optimization framework for openflow rule allocation and endpoint policy enforcement[C]. 2015 IEEE Conference on Computer Communications (INFCOM), Kowloon, China, 2015: 478–486.

HUANG Huawei, GUO Song, LI Peng, et al. Joint optimization of rule placement and traffic engineering for QoS provisioning in Software Defined Network[J]. IEEE Transactions on Computers, 2015, 64(12): 3488–3499. doi: 10.1109/TC.2015.2401031

ASHRAF U. Rule minimization for traffic evolution in software-defined networks[J]. IEEE Communications Letters, 2017, 21(4): 793–796. doi: 10.1109/LCOMM.2016.2636212

GIROIRE F, MOULIERAC J, and PHAN T K. Optimizing rule placement in software-defined networks for energy-aware routing[C]. 2014 IEEE Global Communications Conference, Austin, USA, 2014: 2523–2529.

ZHANG Shuyuan, IVANCIC F, LUMEZANU C, et al. An adaptable rule placement for software-defined networks[C]. 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Atlanta, USA, 2014: 88–99.

NGUYEN X, SAUCEZ D, BARAKAT C, et al. Optimizing rules placement in openflow networks: Trading routing for better efficiency[C]. Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, 2014: 127–132.

GARG N and KONEMANN J. Faster and simpler algorithms for multicommodity flow and other fractional packing problems[C]. Proceedings 39th Annual Symposium on Foundations of Computer Science, Palo Alto, USA, 2007: 630–652.

OPTIMIZATION G. Gurobi Optimizer Reference Manual[M]. 2013.

Sndlib: Library of test instance for survivable fixed telecommunication network design[OL]. http://sndlib.zib.de/home.action, 2006.

史久根, 許輝亮, 陸立鵬. 軟件定義網(wǎng)絡(luò)中數(shù)據(jù)中心虛擬機(jī)遷移序列問題的研究[J]. 電子與信息學(xué)報(bào), 2017, 39(5): 1193–1199. doi: 10.11999/JEIT160792

SHI Jiugen, XU Huiliang, and LU Lipeng. Research on the migration queue of data center’s virtual machine in software defined networks[J]. Journal of Electronics &Information Technology, 2017, 39(5): 1193–1199. doi: 10.11999/JEIT160792

伊鵬, 劉洪, 胡宇翔. 一種可擴(kuò)展的軟件定義數(shù)據(jù)中心網(wǎng)絡(luò)流調(diào)度策略[J]. 電子與信息學(xué)報(bào), 2017, 39(4): 825–831. doi: 10.11999/JEIT160623

YI Peng, LIU Hong, and HU Yuxiang. A scalable traffic scheduling policy for software defined data center network[J]. Journal of Electronics &Information Technology, 2017, 39(4): 825–831. doi: 10.11999/JEIT160623

KATTA N, ALIPOURFARD O, REXFORD J, et al. CacheFlow: Dependency-aware rule-caching for software-defined networks[C]. Proceedings of the Symposium on SDN Research, Santa Clara, USA 2016: 1–12.

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計(jì)