Research On SDN Network Rule Configuration Optimization

Posted on: 2018-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Q N Zhao
GTID: 2348330542490801
Subject: Computer Science and Technology
Abstract/Summary:
With the widespread adoption and development of the Internet, networks are becoming more complex and difficult to manage. The traditional network architecture cannot meet the requirements of network performance, which seriously hinders the innovation and development of the network. Software Defined Network (SDN), as a new network architecture, is expected to change the existing network pattern. Although SDN has many characteristics that traditional networks lack, it also has many hidden dangers that deserve the attention of network administrators. When the application layer frequently sends rule updates to the controller, how to ensure that the rules are updated consistently (avoiding the forwarding errors caused by mixing old and new rules) and how to effectively detect whether the updated rules conflict with the security application are the main research directions of this paper. To ensure the accuracy and security of network configuration rules under real-time updating, this paper focuses on the consistent update of configuration rules and on conflict detection between the configuration rules and security applications.

To solve the problem of consistent update of configuration rules, this paper first introduces a two-phase update algorithm based on version numbers. This algorithm marks packets and switch flow table entries that belong to one set of rules with the same version number. When a packet tagged with a version number traverses the network, it matches only flow table entries carrying the same version number, which prevents data from being forwarded incorrectly due to the mixed use of old and new rules. However, when the configuration is updated with this algorithm, rule redundancy excessively increases the load on the switch. To solve this problem, this paper proposes an optimization algorithm based on the version-number two-phase update, which redefines the version mark to eliminate rule redundancy and so reduce the switch load when a rule update occurs. Finally, the comparison experiment proves that the performance of the optimization algorithm is also improved when the rule redundancy is eliminated.

For conflict detection, this paper first introduces an aliasing set rule reduction algorithm, which mainly aggregates the traffic flows of a switch on the same path into a set of rules. The source address and the destination address are matched against the set of source and destination addresses of the security application. If the match succeeds, a conflict occurs. This paper then proposes an optimization algorithm based on aliasing set rule reduction, which is also based on rule aggregation. The difference is that, after the network is traced in real time with the header space analysis (HSA) model, a set of two-tuples consisting of the source address and the destination address of the switch's flow table entries is formed and matched against the two-tuple set of the firewall drop rules. If the match succeeds, there is a conflict. In addition, a variety of conflict resolution methods are proposed, according to the different kinds of conflict that arise when configuration rules are updated, to deal with complicated and changeable policy update scenarios. Finally, the comparison experiment proves that the optimization algorithm can avoid conflicts and that its conflict detection performance is also considerable.
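The version-number two-phase update described in the abstract, as an added Python sketch that is not code from the thesis. The three-switch topology, the switch names and the `stamp` variable that stands in for ingress tagging are assumptions made for illustration; it contrasts an untagged in-place update with the tagged one and also measures the temporary rule redundancy that the thesis's optimization targets.

```python
# Constructed topology (assumption): ingress s1 reaches the host via s2 or s3.
OLD = {"s1": "s2", "s2": "host"}   # version 1 policy: s1 -> s2 -> host
NEW = {"s1": "s3", "s3": "host"}   # version 2 policy: s1 -> s3 -> host
SWITCHES = ("s1", "s2", "s3")

def forward(tables, tag):
    """Walk one packet from s1; a switch only matches rules carrying the packet's tag."""
    path, node = ["s1"], "s1"
    while node != "host":
        node = tables[node].get(tag, "drop")
        path.append(node)
        if node == "drop":
            break
    return path

def naive_update():
    """Overwrite untagged rules switch by switch and probe after every step."""
    tables = {sw: ({None: OLD[sw]} if sw in OLD else {}) for sw in SWITCHES}
    seen = []
    for sw in SWITCHES:
        tables[sw] = {None: NEW[sw]} if sw in NEW else {}
        seen.append(forward(tables, None))   # packet may meet a mix of old and new rules
    return seen

def two_phase_update():
    """Install v2 beside v1, flip the ingress stamp, then remove v1."""
    tables = {sw: ({1: OLD[sw]} if sw in OLD else {}) for sw in SWITCHES}
    stamp, seen, peak = 1, [], 0

    def probe():
        nonlocal peak
        seen.append(forward(tables, stamp))
        peak = max(peak, sum(len(t) for t in tables.values()))

    for sw in SWITCHES:            # phase 1: v2 rules are invisible to v1 packets
        if sw in NEW:
            tables[sw][2] = NEW[sw]
        probe()
    stamp = 2                      # phase 2: ingress starts tagging packets with v2
    probe()
    for sw in SWITCHES:            # clean-up once v1 packets have drained
        tables[sw].pop(1, None)
        probe()
    return seen, peak              # peak = most rules held across all switches

if __name__ == "__main__":
    print("naive    :", naive_update())
    paths, peak = two_phase_update()
    print("two-phase:", paths, "peak rules:", peak)
```

The untagged update drops packets while the switches disagree, whereas every probe of the tagged update is delivered; the cost is that both rule versions coexist during the transition, so the rule count peaks at twice the steady-state size.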
Keywords/Search Tags: SDN, application strategy, consistent updates, conflict detection