A Method Of Detection And Resolution Of Access Policy Conflict For SDN Network

Posted on: 2018-02-13 | Degree: Master | Type: Thesis
Country: China | Candidate: S Y Wang
GTID: 2348330515498247 | Subject: Engineering
Abstract/Summary:
SDN is a new, software-based network architecture and technology whose defining characteristic is the loose coupling of the control plane and the data plane: it separates the forwarding plane from the control plane. Because OpenFlow is stateless, data packets can be modified easily. Such modification can conflict with the established firewall policy and let a data flow bypass it, which reduces the security of the network and leaves it open to attack. This thesis makes use of the forwarding principle and the characteristics of the flow table and, borrowing the idea of MPLS, resolves the conflict with a double-label scheme. It studies the structure and the forwarding policies of the flow table. Using header space analysis, the set of IP addresses at the beginning and at the end of each path is found and compared with the policy established in the network to judge whether a policy conflict exists. The controller then tracks the double marking of the data packets; if both tags appear simultaneously, the data packets are processed uniformly. Finally, the deployment of the firewall security policy is changed and optimized with an access control list. This avoids the data flow and reduces the controller's burden. In certain circumstances, it optimizes the network settings and improves the efficiency of the controller. This thesis realizes the discovery and resolution of policy conflicts by defining 4 modules in the application layer: the topology establishment module, the conflict detection and discovery module, the tagging module, and the flow table module. Using the simulation tool Mininet and the Floodlight controller, the method is tested by comparing a simple network and a complex network, to determine whether it can effectively prevent conflicts and, from the controller's CPU utilization, to judge whether adding the access control list improves the controller's efficiency.

This thesis is based on application-layer development and defines four modules to implement policy conflict detection and resolution: the topology building module, the conflict detection and discovery module, the triggering mechanism module, and the flow table transmitting module. It was tested with Mininet and the Floodlight controller, comparing a simple network and a complex network, to test whether it prevents policy conflicts. Whether the efficiency of the controller has increased can be judged from the controller's CPU utilization.
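
The header-space check described in the abstract, as an added example that is not code from the thesis: headers are reduced to source/destination CIDR blocks, each path is a list of flow rules, and a conflict is reported when a path's true endpoints fall inside a firewall deny rule. The hop format, path names and addresses are constructed assumptions.

```python
import ipaddress as ip

ANY = ip.ip_network("0.0.0.0/0")

def intersect(a, b):
    """Intersection of two CIDR blocks: the narrower one, or None if disjoint."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def trace_path(hops):
    """Push the all-wildcard header space through one path's flow rules.
    Returns (source block at ingress, destination block at egress), or
    None when no packet can traverse every hop."""
    in_src, cur_src, cur_dst, src_rewritten = ANY, ANY, ANY, False
    for hop in hops:
        cur_src = intersect(cur_src, ip.ip_network(hop.get("match_src", "0.0.0.0/0")))
        cur_dst = intersect(cur_dst, ip.ip_network(hop.get("match_dst", "0.0.0.0/0")))
        if cur_src is None or cur_dst is None:
            return None
        if not src_rewritten:          # match still constrains the original source
            in_src = cur_src
        if "set_src" in hop:           # set-field action rewrites the header
            cur_src, src_rewritten = ip.ip_network(hop["set_src"]), True
        if "set_dst" in hop:
            cur_dst = ip.ip_network(hop["set_dst"])
    return in_src, cur_dst

def find_conflicts(paths, deny_rules):
    """Report paths whose true endpoints fall inside a firewall deny rule."""
    conflicts = []
    for name, hops in paths.items():
        ends = trace_path(hops)
        if ends is None:
            continue
        for d_src, d_dst in deny_rules:
            if (intersect(ends[0], ip.ip_network(d_src)) is not None
                    and intersect(ends[1], ip.ip_network(d_dst)) is not None):
                conflicts.append((name, d_src, d_dst))
    return conflicts

# Constructed sample data (assumed hop format, not from the thesis).
DENY = [("10.0.1.0/24", "10.0.3.0/24")]
PATHS = {
    "p1": [{"match_src": "10.0.1.0/24", "match_dst": "10.0.2.5", "set_dst": "10.0.3.7"},
           {"match_dst": "10.0.3.7"}],                      # rewrite hides real target
    "p2": [{"match_src": "10.0.1.0/24", "match_dst": "10.0.2.0/24"}],   # allowed
    "p3": [{"set_dst": "10.0.3.7"}, {"match_dst": "10.0.4.0/24"}],      # dead path
}

if __name__ == "__main__":
    print(find_conflicts(PATHS, DENY))
```

Path `p1` enters the network addressed to 10.0.2.5, which the deny rule does not cover, but a set-field rewrite delivers it to 10.0.3.7; comparing only the path's start and end exposes the bypass.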
Keywords/Search Tags: Policy Conflict, Header Space Analysis, Flow Table, Sign, Access Control List