
Bypassing a firewall for authorized flows using software defined networking

Patent number
US10079805B2
Publication date
2018-09-18
Applicant
FUJITSU LIMITED(JP Kawasaki)
Inventors
David D. Jameson; Russell DeMolay
IPC classification
G06F9/00; H04L29/06
Technical field
sdn,firewall,router,may,data,flow,criteria,packet,network,pe
Region: Kawasaki-Shi, Kanagawa

Abstract

Methods and systems for managing authorized data flows using software defined networking include receiving flow criteria sent from a firewall and extracted from a first data packet, determining whether flow criteria of the first data packet matches an entry in a master data flow list, inserting the flow criteria from the first data packet into the master data flow list on a software defined networking controller, and sending the flow criteria of the first data packet to the router. The router may forward a second data packet associated with the data flow toward a destination based on the validation of the first data packet by the firewall. The flow criteria may not match an entry in a router data flow list on the router and may include at least two of: a source IP address, a destination IP address, a destination port, and a protocol of transmission.

Description

BACKGROUND

Field of the Disclosure

The present disclosure relates to communications systems and more specifically to bypassing a firewall for authorized flows using software-defined networking.

Description of the Related Art

As more applications are provided as networked services (referred to as “cloud applications”) from data center infrastructure (referred to as “the cloud”), the cloud applications are executed on shared physical infrastructure and may be viewed as “tenants” in a multi-tenant cloud. For example, the cloud may represent distributed datacenter infrastructure that includes computing resources and intra-datacenter networks inside each datacenter, along with inter-datacenter optical networks connecting geographically dispersed datacenters. Virtualization of computing resources has emerged as a key technology for the cloud and may enable multiple tenants to efficiently share both computing and network resources.

Along with virtualization, software-based control of network services and functions has also become widespread using software controllers for implementing various network functionality. For example, software-defined networking (SDN) represents an important step towards network virtualization and abstraction and may allow for a logical network entity to be instantiated automatically using software instructions, rather than manually from user input. Due to complexities between software-based network control technologies and actual network provider operations, customization involved with each software controller may add complexity, cost, and delays for rolling out network services.

SUMMARY

Claims

What is claimed is:

1. A method for managing authorized data flows using a software defined networking controller, the method comprising:
    receiving, at the software defined networking controller, flow criteria sent from a firewall and extracted from a first data packet associated with a data flow from a router, wherein the flow criteria does not match an entry in a router data flow list on the router and the flow criteria includes at least two of:
        a source IP address;
        a destination IP address;
        a destination port; and
        a protocol of transmission;
    determining, by the software defined networking controller, whether the flow criteria from the first data packet matches an entry in a master data flow list on the software defined networking controller;
    inserting the flow criteria from the first data packet into the master data flow list on the software defined networking controller based on the determination that the flow criteria does not match an entry; and
    sending the flow criteria of the first data packet from the software defined networking controller to the router to forward a second data packet associated with the data flow toward a destination based on the validation of the first data packet by the firewall.

2. The method of claim 1, wherein the step of inserting the flow criteria further comprises inserting a timestamp associated with the flow criteria into the master data flow list.

3. The method of claim 1, further comprising determining a timeout for the flow criteria and the step of sending the flow criteria to the router further comprises sending the timeout.

4. The method of claim 1, further comprising:
    receiving at the software defined networking controller flow criteria sent from the firewall and extracted from a third data packet associated with the data flow from the router, wherein the third data packet is received by the router before the second data packet;
    determining whether the flow criteria of the third data packet was sent to the router within a router wait period; and
    discarding the flow criteria of the third data packet based on a determination that the flow criteria of the third data packet matches an entry in the master data flow list on the software defined networking controller and the determination that the flow criteria of the matching entry was sent to the router within the router wait period.

5. The method of claim 1, further comprising sending the flow criteria of the first data packet from the software defined networking controller to a second router, the second router to receive the second data packet associated with the data flow and send the second data packet toward the destination.

6. The method of claim 1, further comprising:
    determining whether a bandwidth of the data flow is greater than or equal to a threshold; and
    establishing an additional connection to bypass an additional network element for the data flow based on the determination that the bandwidth of the data flow is greater than or equal to a threshold.

7. The method of claim 1, further comprising:
    receiving flow criteria extracted from a third data packet associated with the data flow, wherein the flow criteria extracted from the first data packet and the third data packet use a RESTful interface;
    determining whether the flow criteria from the third data packet matches an entry in the master data flow list; and
    updating the entry based on the determination that the flow criteria from the third data packet matches the entry.

8. The method of claim 7, wherein the step of updating further comprises at least one of:
    updating a timestamp associated with the matching entry in the master data flow list;
    increasing a timeout associated with the matching entry in the master data flow list; and
    setting the destination IP address to at least one of: a wild-card value and a range of values.

9. The method of claim 7, further comprising sending flow criteria from the updated entry to the router.

10. The method of claim 3, wherein the step of determining a timeout for the flow criteria is based on a type of application associated with the flow criteria.

11. A network for managing authorized data flows comprising:
    a router with logic to:
        receive a first data packet;
        extract flow criteria from the first data packet, the flow criteria comprising at least two of:
            a source IP address;
            a destination IP address;
            a destination port; and
            a protocol of transmission;
        determine whether the flow criteria matches an entry in a router data flow list;
        route the first data packet to a firewall based on the determination that the flow criteria does not match an entry in the router data flow list;
    the firewall with logic to:
        validate the first data packet;
        send the first data packet toward a destination;
        send the flow criteria to a software defined networking controller; and
    the software defined networking controller with logic to:
        determine whether the flow criteria matches an entry in a master data flow list on the software defined networking controller;
        insert the flow criteria into the master data flow list on the software defined networking controller based on the determination that the flow criteria does not match an entry; and
        send the flow criteria to the router to forward a second data packet associated with the data flow toward a destination based on validation of the first data packet by the firewall.

12. The network of claim 11, wherein the logic to insert the flow criteria into the master data flow list further comprises logic to insert a timestamp associated with the flow criteria.

13. The network of claim 11, wherein the software defined networking controller further comprises logic to determine a timeout for the flow criteria and the logic to send the flow criteria to the router further comprises logic to send the timeout.

14. The network of claim 11, wherein the software defined networking controller further comprises logic to:
    receive at the software defined networking controller flow criteria sent from the firewall and extracted from a third data packet associated with the data flow from the router;
    determine whether the flow criteria of the third data packet was sent to the router within a router wait period; and
    discard the flow criteria of the third data packet based on a determination that the flow criteria of the third data packet matches an entry in the master data flow list on the software defined networking controller and the determination that the flow criteria of the matching entry was sent to the router within the router wait period.

15. The network of claim 11, wherein software defined networking controller further comprises logic to send the flow criteria of the first data packet to a second router, the second router to receive the second data packet associated with the data flow and to send the second data packet toward the destination.

16. The network of claim 11, wherein the software defined networking controller further comprises logic to:
    determine whether a bandwidth of the data flow is greater than or equal to a threshold; and
    establish an additional connection to bypass an additional network element for the data flow based on the determination that the bandwidth of the data flow is greater than or equal to a threshold.

17. The network of claim 11, wherein the software defined networking controller further comprises logic to:
    receive flow criteria extracted from a third data packet associated with the data flow, wherein the logic to receive the flow criteria extracted from the first data packet and third data packet uses a RESTful interface;
    determine whether the flow criteria from the third data packet matches an entry in the master data flow list; and
    update the entry based on the determination that the flow criteria from the third data packet matches an entry.

18. The network of claim 17, wherein the logic to update the flow criteria further comprises at least one of:
    updating a timestamp associated with the matching entry in the master flow data list;
    increasing a timeout associated with the matching entry in the master data flow list; and
    setting the destination IP address to at least one of: a wild-card value and a range of values.

19. The network of claim 17, wherein the software defined networking controller further comprises logic to send flow criteria from the updated entry to the router.

20. The network of claim 13, wherein the logic to determine a timeout for the flow criteria is based on a type of application associated with the flow criteria.
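The control loop that claims 1 through 20 describe, as an added simulation that is not part of the patent or of any Fujitsu implementation: the router consults its data flow list, hands unknown flows to the firewall, and the SDN controller records validated flow criteria in a master list with a timestamp and an application-based timeout, discarding duplicate criteria that arrive within the router wait period and expiring router entries so a flow is re-inspected once its timeout lapses. The per-port timeouts, the five-second wait period, the allowed-port firewall policy and the traffic are constructed values, not from the patent.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class FlowCriteria:  # claim 1: source IP, destination IP, destination port, protocol
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

# Constructed policy values, not from the patent: per-application timeouts and the router wait period.
APP_TIMEOUTS = {443: 300.0, 22: 60.0}
DEFAULT_TIMEOUT = 30.0
ROUTER_WAIT = 5.0

class SdnController:  # master data flow list: criteria -> timestamp, timeout, time last sent to the router
    def __init__(self) -> None:
        self.master: Dict[FlowCriteria, dict] = {}
    def receive(self, fc: FlowCriteria, now: float) -> Optional[float]:
        e = self.master.get(fc)
        if e is None:  # no match: insert with a timestamp and an application-based timeout (claims 2, 10)
            e = self.master[fc] = {"ts": now, "timeout": APP_TIMEOUTS.get(fc.dst_port, DEFAULT_TIMEOUT), "sent": None}
        elif e["sent"] is not None and now - e["sent"] < ROUTER_WAIT:
            return None  # same criteria already pushed within the router wait period: discard (claim 4)
        else:  # match: refresh the timestamp and extend the timeout (claims 7, 8)
            e["ts"], e["timeout"] = now, e["timeout"] * 2
        e["sent"] = now
        return e["timeout"]  # the timeout travels to the router with the criteria (claim 3)

class Network:  # router plus firewall on one simulated path; the allowed-port policy is constructed
    def __init__(self, allowed_ports) -> None:
        self.ctrl, self.allowed_ports = SdnController(), set(allowed_ports)
        self.router_list: Dict[FlowCriteria, float] = {}  # router data flow list: criteria -> expiry time
    def handle(self, pkt: dict, now: float) -> str:
        fc = FlowCriteria(pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"])
        if fc in self.router_list and now < self.router_list[fc]:
            return "bypass"  # live router entry: forward without sending the packet to the firewall
        self.router_list.pop(fc, None)  # an expired entry must not keep bypassing inspection
        if fc.dst_port not in self.allowed_ports:
            return "dropped"  # firewall rejects the packet; the controller never hears of it
        timeout = self.ctrl.receive(fc, now)
        if timeout is not None:
            self.router_list[fc] = now + timeout  # install the validated flow with its timeout
        return "inspected"

def run_scenario():  # constructed traffic: an HTTPS flow and a telnet attempt from the same host
    net = Network(allowed_ports={443})
    https = {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "proto": "tcp"}
    telnet = dict(https, dport=23)
    return net, [net.handle(https, 0.0), net.handle(https, 1.0), net.handle(telnet, 2.0), net.handle(https, 301.0)]
```

The fourth HTTPS packet arrives after the 300-second timeout, so it is inspected again rather than bypassed, and the rejected telnet flow never reaches the master list.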