Title: Method to enable deep packet inspection (DPI) in an OpenFlow-based software defined network (SDN)
Abstract: The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from both the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the OpenFlow standard communication protocol.
Publication number: US 9237129 B2    Publication date: 2016-01-12
Application number: US 14/276984 (US201414276984)    Filing date: 2014-05-13
Applicant: Dell Software Inc.    Inventors: Ling Hui; Chen Zhong
Classification (IPC): G06F9/00; H04L29/06; H04L29/08    Main classification: G06F9/00
Agent: Lewis Roca Rothgerger LLP    Attorney: Lewis Roca Rothgerber LLP
Principal claim: 1. A method of deep packet inspection in a Software Defined Networking environment, the method comprising:
receiving a set configuration command from a controller by a network switch, wherein the set configuration command sets an operational mode for deep packet inspection;
receiving an address of a firewall;
establishing communications with the firewall;
receiving a get configuration request from the firewall;
sending a configuration reply to the firewall, wherein the configuration reply includes the operational mode for deep packet inspection;
receiving a first packet;
determining, by a hardware processor, whether information contained in the first packet does not match any entry in a flow table;
forwarding at least a portion of the first packet to the controller, and then forwarding at least a portion of the first packet to the firewall if the controller determines to DPI-scan this flow, wherein the firewall performs deep packet inspection on the portion of the first packet;
sending the first packet through a port to an address identified in the flow table without looking for a message from the firewall when the operational mode of the network switch is an observation mode;
receiving a second packet;
determining that information contained in the second packet matches an entry in the flow table and that DPI scanning is configured on this flow;
forwarding at least a portion of the second packet to the firewall when it is determined that the information contained in the second packet matches an entry in the flow table and the number of bytes already forwarded from the first packet is less than a pre-determined number of bytes, wherein the firewall performs deep packet inspection on the portion of the second packet forwarded to the firewall; and
sending the second packet through a port to an address identified in the flow table without looking for a message from the firewall when the operational mode of the network switch is in the observation mode.
Address: Round Rock, TX, US
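The claim above describes a small protocol: the switch takes its DPI mode from the controller, reports that mode to the firewall on a get-configuration request, punts flow-table misses to the controller, copies a bounded number of bytes of each DPI-scanned flow to the firewall, and in observation mode forwards every packet without waiting for a firewall verdict. The following Python model is an added example written for this page; it is not code from the patent or from Dell Software. The "enforcement" mode name, the 64-byte per-flow budget, the route table and the "EVIL" byte signature are constructed assumptions, and dropping a packet on a negative verdict outside observation mode is inferred from the claim's wording rather than stated in it.

```python
"""Toy model of the claimed switch/controller/firewall DPI exchange (added example)."""
from dataclasses import dataclass

OBSERVATION = "observation"   # mode named in the claim
ENFORCEMENT = "enforcement"   # assumed name for the non-observation mode


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class FlowEntry:
    out_port: int
    dpi: bool          # controller decided to DPI-scan this flow
    fw_bytes: int = 0  # bytes of this flow already copied to the firewall


class Controller:
    """Answers packet-in events with a flow entry: output port plus DPI decision."""

    def __init__(self, routes, dpi_destinations):
        self.routes = routes                    # dst address -> out_port (constructed)
        self.dpi_destinations = dpi_destinations

    def packet_in(self, pkt):
        return FlowEntry(out_port=self.routes[pkt.dst], dpi=pkt.dst in self.dpi_destinations)


class Firewall:
    """Stub DPI engine: matches one constructed byte signature and logs what it was shown."""
    SIGNATURE = b"EVIL"  # constructed test signature, not a real rule

    def __init__(self):
        self.config = None
        self.seen = []

    def get_configuration(self, switch):
        self.config = switch.configuration_reply()  # learns the switch's DPI mode

    def inspect(self, portion):
        self.seen.append(portion)
        return self.SIGNATURE not in portion        # True means allow


class Switch:
    def __init__(self, controller, dpi_byte_limit=64):
        self.controller = controller
        self.dpi_byte_limit = dpi_byte_limit  # the claim's pre-determined number of bytes (assumed 64)
        self.mode = None
        self.firewall = None
        self.flow_table = {}
        self.egress = []   # (out_port, packet) pairs actually forwarded
        self.dropped = []

    # Control-plane steps from the claim.
    def set_configuration(self, mode):
        self.mode = mode

    def connect_firewall(self, firewall):
        self.firewall = firewall
        firewall.get_configuration(self)   # firewall's get-configuration request

    def configuration_reply(self):
        return {"dpi_mode": self.mode}

    # Data-plane handling of one packet; returns the firewall verdict (True if not inspected).
    def receive(self, pkt):
        key = (pkt.src, pkt.dst)
        entry = self.flow_table.get(key)
        if entry is None:                          # table miss: packet-in to the controller
            entry = self.controller.packet_in(pkt)
            self.flow_table[key] = entry
        verdict = True
        remaining = self.dpi_byte_limit - entry.fw_bytes
        if entry.dpi and remaining > 0:            # only while the per-flow budget is unspent
            portion = pkt.payload[:remaining]
            entry.fw_bytes += len(portion)
            verdict = self.firewall.inspect(portion)
        if self.mode == OBSERVATION or verdict:    # observation mode never waits on the firewall
            self.egress.append((entry.out_port, pkt))
        else:
            self.dropped.append(pkt)               # assumed enforcement behaviour
        return verdict


def run_demo(mode):
    """Drive one three-packet flow through the model; returns (verdicts, bytes seen by firewall,
    packets forwarded, packets dropped)."""
    ctl = Controller(routes={"10.0.0.2": 2}, dpi_destinations={"10.0.0.2"})
    fw = Firewall()
    sw = Switch(ctl, dpi_byte_limit=64)
    sw.set_configuration(mode)
    sw.connect_firewall(fw)
    flow = [Packet("10.0.0.1", "10.0.0.2", b"A" * 40),                    # constructed packets
            Packet("10.0.0.1", "10.0.0.2", b"B" * 20 + b"EVIL" + b"B" * 16),
            Packet("10.0.0.1", "10.0.0.2", b"C" * 40)]
    verdicts = [sw.receive(p) for p in flow]
    return verdicts, [len(s) for s in fw.seen], len(sw.egress), len(sw.dropped)


if __name__ == "__main__":
    for mode in (OBSERVATION, ENFORCEMENT):
        print(mode, run_demo(mode))
```

The second packet is only partially inspected (24 of its 40 bytes, the remainder of the 64-byte budget after the first packet), the third packet is not inspected at all, and in observation mode the flagged second packet is still forwarded. That last point is the practical caveat of the claimed observation mode: the firewall's verdict arrives out of band and cannot stop the packet that triggered it, so observation mode is a visibility feature, not a blocking control.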