
Research And Implementation Of Policy Conflict Detection For Intent-based Networking

Posted on: 2023-07-17
Degree: Master
Type: Thesis
Country: China
Candidate: F Yang
GTID: 2558306914957149
Subject: Computer Science and Technology

Abstract/Summary:
As the network environment becomes more complex, network management becomes more difficult. To remove the need for manual configuration by administrators, a new network paradigm called intent-based networking (IBN) has emerged. IBN is based on software-defined networking (SDN) and introduces the concept of an intent layer. IBN covers the process from translating a network intent into network policy through to the final release of the flow table, and realizes a closed loop of intent translation, policy verification, automatic implementation and automatic repair.

Policy verification is a key step in the automatic deployment of IBN and directly affects the stability of the network. At present, policy conflict detection in IBN mainly performs linear detection in units of the flow rules sent to the switch. If a conflict is detected, the flow rule is withdrawn; if no conflict is detected, it is issued. However, realizing an intent requires multiple flow rules to work together. If a single flow rule is used as the detection unit, some flow rules may be issued without the network intent taking effect. In addition, most existing methods detect conflicts in real time without considering time constraints. Network administrators may, however, issue intents that take effect after a delay or periodically, so time constraints need to be considered during detection.

For IBN, this thesis proposes a policy conflict detection method that works in units of network intent and adds time constraints, and designs and implements a policy conflict detection system. The system can receive network intents sent by administrators, automatically detect conflicts and install flow rules. The work of this thesis consists of two parts.

1) This thesis proposes a conflict detection method based on an SMT (Satisfiability Modulo Theories) solver. Three logical expressions are designed to analyze the relationship between policies and are combined with the action field to determine the type of policy conflict. From this, whether the intent is conflicting can be determined. The method realizes conflict detection in units of network intents: when a conflict is detected, no flow rules translated from the conflicting intents are delivered to the data plane. The method also solves the problem that existing methods do not consider time constraints, and can effectively detect conflicts involving delayed intents and periodic intents. Experiments show that this method can effectively detect hundreds of pairs of network policies within 1 s without excessive CPU consumption.

2) This thesis designs and implements a policy conflict detection system based on IBN, comprising a presentation layer, a control layer, a data forwarding layer and a data layer. The system can receive the network intent sent by the administrator, automatically translate it and detect conflicts, and finally send the flow rules to the data plane. The administrator can view information about the issued intents through the browser. The experimental results show that this system can perform conflict detection on network intents before the flow rules are issued, and adopts different processing methods for different conflict types.
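The following sketch is an added example, not code from the thesis: it illustrates intent-level, time-aware conflict checking with plain interval arithmetic in place of the SMT solver the thesis uses. The `Policy` fields, the function names and the sample data are assumptions made for illustration; a periodic window is assumed to be no longer than its period.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from math import gcd

@dataclass(frozen=True)
class Policy:                 # hypothetical policy model, not the thesis's
    src: str                  # source prefix
    dst: str                  # destination prefix
    action: str               # "allow" or "deny"
    start: int                # window start, in hours from t=0
    end: int                  # window end (exclusive)
    period: int = 0           # 0 = one-shot (possibly delayed); >0 = repeat interval

def windows_overlap(p, q):
    """True if the two activation windows ever coincide."""
    if p.period and q.period:
        # Offsets between occurrences are the start difference plus multiples of the gcd.
        g = gcd(p.period, q.period)
        delta = (q.start - p.start) % g
        return delta < p.end - p.start or g - delta < q.end - q.start
    if q.period:
        p, q = q, p           # make p the periodic one, if there is one
    if p.period:
        # First occurrence of p that ends after the one-shot window q begins.
        k = max(0, (q.start - p.end) // p.period + 1)
        return p.start + k * p.period < q.end
    return p.start < q.end and q.start < p.end

def conflicts(a, b):
    """Different actions on intersecting traffic during intersecting time."""
    return (a.action != b.action
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and windows_overlap(a, b))

def deploy(installed, intent):
    """The intent is the unit: install all of its policies or none of them."""
    clashes = [(n, o) for n in intent for o in installed if conflicts(n, o)]
    return (installed, clashes) if clashes else (installed + intent, [])

# Constructed sample data (hours; 24 = one day).
INSTALLED = [Policy("10.0.0.0/8", "10.9.0.0/16", "deny", 9, 17, 24)]  # daily 09:00-17:00
INTENT = [
    Policy("10.1.0.0/16", "10.9.1.0/24", "allow", 40, 44),     # delayed: hours 40-44
    Policy("10.1.0.0/16", "10.8.0.0/16", "allow", 0, 24, 24),  # other destination
]
```

With this data, `deploy(INSTALLED, INTENT)` leaves the installed set unchanged: the second policy is conflict-free on its own, but it is withheld because the first policy of the same intent clashes with the daily deny rule.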
Keywords/Search Tags:intent-based networking, software defined network, policy conflict, SMT solver