| With the rapid development of communication technology and aerospace technology, combining ground networks, air-based networks and space-based networks to establish space-air-ground integrated networks is a current research hotspot. Space-air-ground integrated networks are characterized by limited node resources and a dynamically changing network topology. Therefore, terrestrial network technology cannot be directly applied to them. The identifier network adopts the idea of separating identity from location, so it has advantages in security and mobility when constructing space-air-ground integrated networks. As an important national infrastructure, only one set of space-air-ground integrated networks can be deployed, so it is impossible to establish physical private networks for the diverse needs of tenants. Therefore, it is necessary to establish a sliced network, which divides the physical network into isolated logical virtual private networks with different functions and different characteristics according to the needs of different tenants. In this network, where satellite nodes move at high speed, how to create and manage the virtual private networks required by different tenants and how to implement security isolation between different tenant networks is an important issue. In response to this problem, the thesis designs and implements a multi-tenant isolation mechanism for the identifier-based space-air-ground network scenario, which divides the physical network into multiple sets of isolated virtual private networks and solves the business continuity problem of inter-satellite handover. The specific work of the thesis is as follows. Firstly, for the creation and management of virtual private networks, the thesis creates virtual private network instances on the access satellite based on Linux Bridge. The ground control center can control the network equipment on the satellite through the exchange of control signaling, so that the virtual private network is managed effectively. Secondly, for the isolation problem between virtual private networks, a user authentication table and an identification mapping table supporting multi-tenancy, as well as the corresponding receiving and forwarding processing modules, are designed on the access satellite. These implement isolation of user data packets during user access and mapping forwarding. Thirdly, a pre-switch mechanism is designed for the connection interruption problem caused by the high-speed movement of satellites. When the satellite judges, based on information such as motion laws and communication signal strength, that the user is about to switch, it sends the information of the user to be switched to the next satellite in advance. After the next satellite receives it, the user information and mapping information are updated to ensure communication continuity. Finally, a test environment based on the Linux system is built to test the management function of the virtual private network and the isolation between virtual private networks. The test results show that the scheme designed in this paper can flexibly create and manage virtual private networks on the basis of the existing physical network, that the tenants of different private networks are isolated from each other, and that the scheme supports the business continuity of inter-satellite handover well. |