TCAM快更新高速路由查找算法与实现

常用的单步TCAM路由查找方案要求转发表的存储必须按前缀长度相对地址降序排列，这种与地址关联的排序操作影响表项的更新速度和路由查找流程的连续性。本文提出并实现了一种独特的对前缀范围对分搜索的IPv4五步TCAM流水查找方法。突出特点是转发表不需排序，查找速率高，表覆更新快，查表连续性好，可满足IPv4核心路由器双OC-768（40Gbps）端口、48B包的线速转发。     

基于深度学习的软件定义网络应用策略冲突检测方法

在基于OpenFlow的软件定义网络(SDN)中,应用被部署时,相应的流表策略将被下发到OpenFlow交换机中,不同应用的流表项之间如果产生冲突,将会影响交换机的实际转发行为,进而扰乱特定应用的正确部署以及SDN的安全.随着SDN规模的扩大以及需要部署应用的数量的剧增,交换机中的流表数量呈现爆炸式增长.此时若采用传统的流表冲突检测算法,交换机将会耗费大量的系统计算时间.结合深度学习,首次提出了一种适合SDN中超大规模应用部署的智能流表冲突检测方法.实验结果表明,第一级深度学习模型的AUC达到97.04％,第二级模型的AUC达到99.97％,同时冲突检测时间与流表规模呈现线性增长关系.     

IPv4/IPv6双栈四分搜索路由查找算法与实现

IPv4／IPv6双协议栈核心路由器需要高性能一体化路由查找。传统的前缀长度二分查找算法完成一次IPv6路由查找需多达7步搜索，而核心路由器常用的单级TCAM方案要求转发表的存储必须按前缀长度相对地址降序排列，这种降序操作严重影响表项更新速度和路由查找连续性。与对前缀长度二分查找和单级TCAM方案不同，作者提出了一种独特的对前缀范围四分搜索路由查找算法，并用3级TCAM实现了IPv4／IPv6双栈一体化QSPE查找方案。一次查找仅需3步搜索、转发表无需排序、表项更新快、查找速率高且连续性好，满足IPv4／IPv6双栈核心路由器OC-768（40Gbit/s）端口的线速率转发。     

中国公用分组交换数据网

分组交换也称为包交换。分组交换机将用户要传送的数据按一定长度分割成若干个数据段,这些数据段叫作“分组”(或称“包”)。传输过程中,需在每个分组前加上控制信息和地址标识(即分组头),然后在网络中以“存储——转发”的方式进行传送。到目的地,交换机将分组头去掉,将     

面向软件定义核心网的OpenFlow分组转发优先制排队模型研究

软件定义网络（Software-Defined Networking,SDN）作为一种数据转发与控制逻辑相解耦、并开放底层编程接口的创新网络架构,为降低核心网的部署运营成本、提升应用业务性能提供了全新的解决思路.然而,在SDN架构下,逻辑上集中的控制平面容易出现性能瓶颈,进而加大分组转发时延,因此有必要理解其分组转发性能特性.为此,本文首先介绍了软件定义核心网的典型部署场景,分析了控制平面的Packet-in消息到达过程和数据平面的分组到达过程,进而应用M/M/n/m和M/M/1/m排队模型分别刻画控制器集群的Packet-in消息处理过程和OpenFlow交换机的分组处理过程.在此基础上,建立OpenFlow分组转发优先制排队模型,进而推导出不同优先级的分组转发时延及其累积分布函数CDF.最后,借助控制器性能测量工具OFsuite_Performance进行实验评估,结果表明：与现有模型相比,本文所提的M/M/n/m模型更能准确估计控制器集群的实际性能.同时,采用数值分析的方法对比了多种情况下不同优先级的分组转发时延及CDF曲线,为软件定义核心网的实际应用部署提供有效参考.     

基于地址重载的SDN分组转发验证

针对软件定义网络(SDN)中现有转发验证机制大多通过加入新的安全通信协议实现分组逐跳转发验证,出现通信与计算开销的问题,提出了一种基于地址重载的SDN分组转发验证机制.入口交换机通过重载分组地址信息将流运行时间划分为连续随机的时间间隔,各后继节点基于重载的地址信息转发分组;控制器采样间隔内流入口与出口交换机的转发分组,...     

宽带数据网基础知识讲座第5讲数据通信技术(下)

(上接第 17期 )5　分组交换数据网5 .1　数据报和虚电路分组交换的基本原理(1)数据报分组交换的概念如图 4所示 ,由数据终端设备Ａ发出的数据信息[ＡＢＣ],通过用户线送到交换机ａ(又称为节点机 )暂时存储并分成具有一定长度的分组 [Ａ][Ｂ][Ｃ],并在每一分组前边加上指明该分组发送端地址、接收端地址及分组序号的分组标题。图 4　数据报分组交换概念示意图交换机ａ为了把该分组转发给接收局交换机ｒ,就需要选择空闲路由。可以根据交换网的状态给每个分组选择不同路由 ,一般不会出现仅仅因为某一路由过忙而不能转发的情况。分组数据到达终…     

软件定义网络抗拒绝服务攻击的流表溢出防护

针对拒绝服务攻击导致软件定义网络交换机有限的流表空间溢出、正常的网络报文无法被安装流表规则、报文转发时延、丢包等情况，提出了抗拒绝服务攻击的软件定义网络流表溢出防护技术Flood Mitigation，采用基于流表可用空间的限速流规则安装管理，限制出现拒绝服务攻击的交换机端口的流规则最大安装速度和占用的流表空间数量，避免了流表溢出。此外，采用基于可用流表空间的路径选择，在多条转发路径的交换机间均衡流表利用率，避免转发网络报文过程中出现网络新流汇聚导致的再次拒绝服务攻击。实验结果表明，Flood Mitigation在防止交换机流表溢出、避免网络报文丢失、降低控制器资源消耗、确保网络报文转发时延等方面能够有效地缓解拒绝服务攻击的危害。     

一种针对SSM的二层转发方法

以太网交换机仅依据目的介质访问控制(Media Access Control,MAC)子层地址进行数据转发,指定源组播(Source Specific Multicast,SSM)数据进入交换机后可能被转发至其他频道的订阅用户。针对此问题,在分析了SSM协议模型的以太网交换问题的基础上,提出了SSM数据标识及源标识的加入方法,详细设计了SSM转发表的建立过程,给出了SSM数据的转发流程,并对方法的可行性进行了仿真验证。     

一种新的基于区域编码的标记交换及网络性能分析

提出一种新的基于区域编码的标记交换网实现方案，描述了标记交换网的组成、工作原理、体系结构及主要特点．该方案将整个互联网按地理区域进行划分，并为每个区域分配唯一的长度固定的区域编码，在链路层帧头和IP分组头之间插入相应的区域编码标记，则分组在区域标记交换网中传输时，标记交换机将定长的目的区域编码作为分组的转发标记完成分组的转发．理论分析和仿真结果表明，区域标记交换网通过采用分层区域编码结构，极大地减少了骨干交换机的路由表项数，降低了路由存储空间和路由查找复杂度，同时也大幅度地降低了维护路由表项的处理开销和链路传输开销，使网络具有良好的扩展性．该方案能有效地克服现有互联网地址空间不足、路由表过大、不能提供良好的服务质量等缺点，简化骨干网交换设备的实现复杂度，提高网络的吞吐率．并能提供良好的服务质量保证．     

OpenFlow table lookup scheme integrating multiple-cell Hash table with TCAM

In OpenFlow networks,switches accept flow rules through standardized interfaces,and perform flow-based packet processing.To facilitate the lookup of flow tables,TCAM has been widely used in OpenFlow switches.However,TCAM is expensive and consumes a large amount of power.A hybrid lookup scheme integrating multiple-cell Hash table with TCAM was proposed for flow table matching to simultaneously reduce the cost and power consumption of lookup structure without sacrificing the lookup performance.By theoretical analysis and extensive experiments,optimal capacity configuration of Hash table and TCAM was achieved with the optimized cost of flow table lookup.The experiment results also show that the proposed lookup scheme can save over 90% cost and the power consumption of flow table matching can be reduced significantly compared with the pure TCAM scheme while keeping the similar lookup performance.     

Decision Tree-Based Entries Reduction scheme using multi-match attributes to prevent flow table overflow in SDN environment

The software-defined networking is used extensively in data centers that provide centralized control for the widely deployed networking resources. The traffic is shaped by rules created by the controller dynamically without modifying the individual switch. The key component that stores rules which are used to process the flows is the flow table which resides in the ternary content addressable memory. The current commercial OpenFlow appliances accommodate limited entries up to 8000 due to its high cost and high power consumption. There are two issues to be considered, where (1) flow table's inability to provide rules during flow table overflow leads to dropping of incoming packets and (2) the significant amount of rule replacement occurs when the traffic in data centers increases which creates massive route requests to controller creating overhead. The proposed scheme prevents flow table overflow using the robust machine learning algorithm called decision tree (Iterative Dichotomiser 3) that allows the flow table to learn its high prioritized fine-grained entries by means of multiple matching attributes. The entries are classified, and the usual eviction process is replaced by pushing the low important entries into counting bloom filter which acts as a cache to prevent flow entry miss. The simulations were carried out using real-time network traffic datasets, and the comparisons with the various existing schemes prove that the proposed approach reduces 99.99% of the controller's overhead and the entries are minimized to 99% providing extra space for new flows.     

面向软件定义网络（SDN）的新型交换技术实验研究

本文主要内容是基于Mininet分别搭配POX和Floodlight的Linux实验测试平台,采用Python编程控制网络结构与控制器,并模拟多数据中心网络进行实验,通过Python编写网络拓扑结构,测试主机终端的带宽性能,最终使用Python脚本实现自动化测试节点、链路以及带宽等参数;使用FloodLight控制器对主机间的流表进行分析,深入理解OpenFlow协议。优化扩展了传统胖树结构的数据中心,测试数据结果相比传统结构测试更好;抓包分析建立OpenFlow流表的过程来更好的理解控制转发分离的思想。     

New delay measurement method based on accurate timestamp in OpenFlow

At present,delay measurement methods in OpenFlow network have the disadvantage of excessive network resources and poor measurement accuracy.DeMon,an active mechanism to measure the delay of multiple paths between any two switch based on the controllable feature of individual traffic flow provided in OpenFlow was proposed.DeMon required only one probe packet to be send from controller,which was excepted to reduce the operational cost.Moreover,DeMon used OpenFlow switch instead of controller to get the timestamp of probe packet,making the measurement accuracy and stability have been greatly improved compared with other monitoring techniques in the OpenFlow network.     

软件定义无人机自组网高效自适应路由维护机制

为解决软件定义无人机自组网路由维护存在的控制开销和数据包延迟偏大的问题,基于现有的OpenFlow协议提出了一种高效自适应的软件定义无人机自组网路由维护机制(Efficient and Adaptive Software-defined Unmanned Aerial Vehicle Ad Hoc Network Routing Maintenance Mechanism Based on OpenFlow Protocol, OpenFlow-EARM)。新机制采用基于距离估计的自适应转发策略,根据无人机节点的历史流表项信息估算并选择时延最低的方式转发流表项缺失数据包,降低数据包传输时延;同时在路由维护过程中采用了基于周期恢复的消息聚合策略,减少控制包的发包次数,从而降低网络控制开销。仿真结果表明,新机制的平均端到端时延、网络控制开销和丢包率等方面性能优于现有的最优化链路状态路由(Optimal Link State Routing, OLSR)协议和OpenFlow协议。     

基于图卷积神经网络的软件定义电力通信网络路由控制策略

传输时延和数据包丢失率是电力通信业务可靠传输重点关注的问题,该文提出一种面向软件定义电力通信网络的最小路径选择度路由控制策略。结合电力通信网络软件定义网络(SDN)集中控制架构的特点,利用图卷积神经网络构建的链路带宽占用率预测模型(LBOP-GCN)分析下一时刻路径带宽占用率。通过三角模算子(TMO)融合路径的传输时延、当前时刻的路径带宽占用率和下一时刻的路径带宽占用率,计算出从源节点到目的节点间不同传输路径的选择度(Q),然后将Q值最小的路径作为SDN控制器下发的流表项。实验结果表明,该文所提出的路由控制策略能有效减小业务传输时延和数据包丢失率。     

一种基于数据平面可编程的软件定义网络报文转发验证机制

针对软件定义网络(SDN)中OpenFlow协议匹配字段固定且数量有限,数据流转发缺少有效的转发验证机制等问题,该文提出一种基于数据平面可编程的软件定义网络报文转发验证机制。通过为数据报文添加自定义密码标识,将P4转发设备加入基于OpenFlow的软件定义网络,在不影响数据流正常转发的基础上,对网络业务流精确控制和采样。控制器验证采样业务报文完整性,并针对异常报文下发流规则至OpenFlow转发设备,对恶意篡改、伪造等异常数据流进行转发控制。最后,构建基于开源BMv2的P4转发设备和基于OpenFlow的Open vSwitch转发设备的转发验证原型,并构建仿真网络进行实验。实验结果表明,该机制能够有效检测业务报文篡改、伪造等转发异常行为,与同类验证机制相比,在安全验证处理开销保持不变的情况下,能够实现更细粒度的业务流精确控制采样和更低的转发时延。     

SDI: a multi-domain SDN mechanism for fine-grained inter-domain routing

Software-defined networking (SDN) scheme decouples network control plane and data plane, which can improve the flexibility of traffic management in networks. OpenFlow is a promising implementation instance of SDN scheme and has been applied to enterprise networks and data center networks in practice. However, it has less effort to spread SDN control scheme over the Internet to conquer the ossification of inter-domain routing. In this paper, we further innovate to the SDN inter-domain routing inspired by the OpenFlow protocol. We apply SDN flow-based routing control to inter-domain routing and propose a fine-granularity inter-domain routing mechanism, named SDI (Software Defined Inter-domain routing). It enables inter-domain routing to support the flexible routing policy by matching multiple fields of IP packet header. We also propose a method to reduce redundant flow entries for inter-domain settings. And, we implement a prototype and deploy it on a multi-domain testbed.     

一种低开销自适应SD­­­－UANET流表下发机制

软件定义无人机自组网场景下,相较于软件定义有线网络,其网内节点数量更多导致各节点流表数量爆发式增长。针对原OpenFlow v1.5协议中主动下发流表的机制与flow_mod消息结构对于无线环境与多跳流表下发的不兼容,导致无人机自组网场景下流表下发开销过大以及收包率降低。对于无人机自组网场景下OpenFlow v1.5协议中的问题,通过组播切包组包去尾策略与流表源、目的地址自适应压缩策略,减少了头部开销,提升了无线资源利用率,并减少了冗余的流表项部分,在保证功能不缩减的情况下较显著地减少了开销。OPENET 14.5仿真验证显示,此机制大幅减少了网络控制开销,提高了网络吞吐量,降低了端到端时延与丢包率。     

DDoS attack detection and defense based on hybrid deep learning model in SDN

Software defined network (SDN) is a new kind of network technology,and the security problems are the hot topics in SDN field,such as SDN control channel security,forged service deployment and external distributed denial of service (DDoS) attacks.Aiming at DDoS attack problem of security in SDN,a DDoS attack detection method called DCNN-DSAE based on deep learning hybrid model in SDN was proposed.In this method,when a deep learning model was constructed,the input feature included 21 different types of fields extracted from the data plane and 5 extra self-designed features of distinguishing flow types.The experimental results show that the method has high accuracy,it’s better than the traditional support vector machine (SVM) and deep neural network (DNN) and other machine learning methods.At the same time,the proposed method can also shorten the processing time of classification detection.The detection model is deployed in SDN controller,and the new security policy is sent to the OpenFlow switch to achieve the defense against specific DDoS attack.