KR101746105B1 - Openflow switch capable of service chaining - Google Patents

Abstract

The present invention relates to a method for providing service chaining in a network based on SDN (Software Defined Network), which provides optimized network paths for each service, variably provides network functions according to traffic conditions, To a service chaining method capable of dynamically implementing service chaining, implementing automation of operation, reducing the size of a flow table of an open flow switch, and shortening an entry search time.

Description

[0001] OPEN FLOW SWITCH CAPABLE OF SERVICE CHAINING [0002]

The present invention relates to a method for providing service chaining in a network based on SDN (Software Defined Network), which provides optimized network paths for each service, variably provides network functions according to traffic conditions, To a service chaining method capable of dynamically implementing service chaining, implementing automation of operation, reducing the size of a flow table of an open flow switch, and shortening an entry search time.

In the case of an existing network, the network path is set to be static when the service is hosted, and the person must manually reconfigure the network manually according to the change of the network status. This series of processes is very complex. In particular, when a specialized network is configured and managed for each service, such as service chaining, the process is very complicated and it is almost impossible to provide an optimized network for each service.

If service chaining is provided for each user, the flow entry for each user must be managed. In this case, traffic to the controller (packet-in message) occurs every interval and vLAN swapping may be required if necessary. There is a problem in performance overhead and debugging when a problem occurs. Also, since the forwarding table (flow table) is managed by a combination of all users' IPs or vLANs, the size of the forwarding table has to be very large. If the table size of the open flow switch is limited, the number of users and services that can be supported may be limited. Also, when the number of available network functions (NF) increases, there is a limit to the number of services and users that can be provided by a single switch.

1. OpenFlow Switch Specification version 1.4.0 (Wire Protocol 0x05), October 14, 2013 [https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec- v1.4.0.pdf] 2. Software-Defined Networking: The New Norm for Netwrks, ONF White Paper, April 13, 2012 [https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn- newnorm.pdf] 3. ETSI GS NFV 002 v1.1.1 (2013-10) [http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf]

An object of the present invention is to provide a service chaining providing method capable of minimizing the size of a table necessary for service chaining. In addition, the service chain rule is applied and managed to each service chain list (NF list: NFv list), rather than applying the service chain rule for each individual user, so that the service chaining rule functions more easily and efficiently.

In addition, the present invention provides a service chaining method of an SDN-based network that provides an optimized network path in accordance with a service level agreement (Service Level Agreement) between a service provider and a user utilizing an SDN.

Through this, it is possible to dynamically operate the network according to the change of the state of the network, service or SLA according to the user, thereby providing the optimal service to the user, enabling the system to be operated automatically by the network operator, It is possible to easily charge according to the type and usage of the service even if it is not used.

A method of providing service chaining according to the present invention is a service chaining providing method in an open flow switch for forwarding a packet to an NF group including an NF node providing NF (Network Function) Determining whether a packet to be processed by the switch includes flow information corresponding to a service chain ID; And processing the instruction corresponding to the flow information when there is flow information corresponding to the service chain ID of the packet to be processed, wherein the service chain ID includes an NF list .

In addition, the flow information corresponding to the service chain ID may further include an order ID that can be updated based on port information on which the packet to be processed flows, and the instruction processing step includes: And processing an action corresponding to the flow information corresponding to the order ID.

The method may further include updating the order ID when the port to which the packet to be processed flows is a port connected to another open flow switch directly connected to the NF group.

The order ID update step may include the step of excluding the order ID update when the NF service associated with the NF list is in one open flow switch.

In addition, at least one of the plurality of flow entries associated with at least one of the instruction and the order ID update may be present before the packet to be processed is received from the controller controlling the open flow switch.

In addition, the at least one flow entry may be deleted from the flow table only if it receives a delete command message from the controller.

The method may further include transmitting the low-use entry information to the controller when the flow entry has a lower utilization than a predetermined usage rate.

Receiving the low utilization rate flow change message from the controller; And discarding the low utilization flow entry if the low utilization flow entry corresponding to the low utilization processing flow entry change message does not match the incoming packet for a predetermined time or more.

In addition, when there is no flow information corresponding to the service chain ID, the packet to be processed can be forwarded to the controller that controls the open flow switch.

Also, the NF group may be connected to the logical port of the open flow switch so that the number of NF nodes may be adjusted based on at least a network state.

Also, the flow entry field corresponding to the service chain ID may be at least a part of a metadata field.

In addition, the service chain identity may be determined based on at least one of a user and a requested service type.

An open-flow switch according to the present invention is an open-flow switch for forwarding packets to an NF group including an NF node providing a NF (Network Function) service, A communicating port portion; A controller communicating with a controller that controls the open flow switch; A storage unit for storing a table having at least a flow table among a flow table, a group table, and a meter table; And processing the flow of the action according to the procedure described in the retrieved entry, and transmitting the packet processed by the flow processing module To the designated port, wherein the control unit comprises: a flow search module for determining whether there is flow information corresponding to a service chain ID for the received packet; And a flow processing module for processing an instruction corresponding to the flow information when there is flow information corresponding to the service chain ID of the packet to be processed, wherein the service chain ID includes an NF service type and an NF It can correspond to a list.

Further, the flow information corresponding to the service chain ID further includes an order ID that can be updated based on the port information on which the packet to be processed flows, and the instruction processing is performed based on the service chain ID of the packet to be processed, And processing an action corresponding to the flow information corresponding to the order ID.

The flow processing module may update the order ID when the port to which the packet to be processed flows is a port connected to another open flow switch directly connected to the NF group.

In addition, the order ID update may exclude the order ID update when the NF service associated with the NF list is in one open flow switch.

In addition, at least one of the plurality of flow entries associated with at least one of the instruction and the order ID update may be present before the packet to be processed is received from the controller controlling the open flow switch.

In addition, the at least one flow entry may be deleted from the flow table only if it receives a delete command message from the controller.

In addition, the controller may transmit the low-use entry information to the controller when the flow entry has a usage rate lower than a predetermined usage rate.

The method may further include a controller communication unit for receiving the low utilization rate flow change message from the controller, wherein the controller is configured to compare the low utilization rate flow entry message with the low utilization rate flow entry message, , The low utilization rate flow entry can be discarded.

In addition, when there is no flow information corresponding to the service chain ID, the control unit may forward the packet to be processed to the controller that controls the open flow switch.

Also, the NF group may be connected to the logical port of the open flow switch so that the number of NF nodes may be adjusted based on at least a network state.

In addition, the flow entry field corresponding to the service chain ID is at least a part of a metadata field.

In addition, the service chain ID is determined based on at least one of a user and a requested service type.

The port unit may further include a virtualized logical port, and the control unit may further include a packet processing module for outputting the packet processed by the flow processing module to at least one port of the port unit designated by the flow processing module , The NF group includes a plurality of NF nodes, and the packet processing module includes: a divergence unit for transmitting a packet received from the logical port to one of the plurality of NF nodes; And a convergence unit for transmitting a packet received from any one of the plurality of NF nodes to the logical port.

In addition, the diverting unit may transmit a packet received from the logical port to one of the plurality of NF nodes in consideration of at least one of a connection state and a traffic state of the port.

In addition, the number of the NF nodes may be adjusted according to the traffic state.

A control method according to the present invention is a control method of a controller for controlling at least one open flow switch for forwarding a packet to an NF group having an NF node providing an NF (Network Fuction) service, Constructing topology information of a plurality of NF groups connected to the open flow switch of the NF group; Generating a plurality of NF list groups having NF lists corresponding to the types and order of the plurality of NF groups and a plurality of service chain IDs respectively corresponding to NF lists of the NF list groups; And generating a plurality of entries such that the packet is moved to a path corresponding to the plurality of NF lists based on the topology information.

The method may further include generating a message to be registered in the open flow switch and transmitting the message to the open flow switch before at least one of the plurality of entries receives a packet inquiry message from the open flow switch.

Selecting one of the plurality of service chain IDs based on the information of the incoming packet included in the control request message for the packet received from the open flow switch; And associating the selected chain ID with the incoming packet.

In addition, at least one of the plurality of entries may have a timeout field of a maximum value or zero.

The controller according to the present invention is a controller for controlling at least one open flow switch for forwarding a packet to an NF group having an NF node providing an NF (Network Fuction) service, wherein the at least one open flow switch A switch communication unit for communicating with the switch; And a control unit for constructing topology information of a plurality of NF groups connected to the at least one open flow switch, wherein the control unit comprises: an NF list having NF lists corresponding to the types and order of the plurality of NF groups; And a plurality of service chain IDs corresponding to the respective NF lists of the NF list groups.

Also, the control unit generates a plurality of entries for moving the packet to a path corresponding to the plurality of NF lists based on the topology information.

Also, the control unit may generate a message to be registered in the open flow switch and transmit the generated message to the open flow switch before at least one of the plurality of entries receives the packet inquiry message from the open flow switch.

Also, the controller may select one of the plurality of service chain IDs based on the information of the incoming packet included in the control request message for the packet received from the open flow switch received from the open flow switch And associate the selected chain ID with the incoming packet.

The storage unit may further include a storage unit for storing data, and the storage unit may include an NF list DB for storing, as an entry, a list of a series of NF services for each service used by a user.

According to the present invention, the chaining rule and the traffic between the controller and the switch can be reduced because there is no need to create and apply the chaining rule every time the user's traffic comes in. In addition, since the service chaining rule (flow entry) is distributed in advance at the time of defining it, there is no need to inquire the processing method of the packet from the switch to the controller every time the user's traffic flows. In addition, by using a predefined service chain ID or the like, the size of the flow table can be minimized. Thus, it is possible to utilize the memory resources efficiently, and the flow entry is possible.

In addition, because it manages network automatically and dynamically, network design is free, logical port based network function is provided, efficient management of network function entries according to port connection state and traffic state is possible, and scalability and flexibility are high, If the link goes down, the alternate path can be easily and automatically recovered. In addition, in the case of mobile traffic, tunneling is performed between the access network and the core network so that the IP information of the user can not be known. However, according to the present invention, the encapsulated packet according to the tunneling can be informed of the encapsulated packet information using the network function By providing a service chain using the SDN network at the access terminal of the mobile network, the load on the mobile network can be lowered and the user experience can be improved.

1 is a block diagram of an SDN network system according to an embodiment of the present invention;
2 is a block diagram of a controller of the network system of FIG. 1;
FIG. 3 is a block diagram of a switch of the network system of FIG. 1,
4 is an operation table showing a field table of a flow entry and an operation type according to a flow entry,
5 shows the field table of the group and meter tables,
6 is a block diagram of an SDN network system according to another embodiment of the present invention.
7 is a block diagram of a controller according to another embodiment of the present invention;
8 is a block diagram of a switch according to another embodiment of the present invention.
9 is a block diagram of a port management unit according to an embodiment of the present invention;
10 is a flowchart illustrating a service chaining providing method of an open flow switch according to an embodiment of the present invention;
11 is a flowchart showing a service chaining providing method in a controller,
12 is a block diagram of a network system according to another embodiment of the present invention;
FIG. 13 illustrates an NFv list database table according to an embodiment of the present invention,
Figure 14 is an illustration of an ID packet according to an embodiment of the present invention,
Figure 15 is a flow table according to one embodiment of the present invention,
16 is a block diagram of a network system according to another embodiment of the present invention;
17 is a flow table according to another embodiment of the present invention,
18 is a flowchart of a service chain providing method of a switch according to another embodiment of the present invention;
FIG. 19 is a flow chart of a method for controlling an open flow switch of a controller according to an embodiment of the present invention, and FIG.
20 is a message flow diagram between the controller and the open flow switch.

Hereinafter, the present invention will be described in more detail with reference to the drawings.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Also, the fact that the first component and the second component on the network are connected or connected means that data can be exchanged between the first component and the second component by wire or wirelessly.

In addition, suffixes "module" and " part "for the components used in the following description are given merely for convenience of description, and do not give special significance or role in themselves. Accordingly, the terms "module" and "part" may be used interchangeably.

When such components are implemented in practical applications, two or more components may be combined into one component, or one component may be divided into two or more components as necessary. The same or similar elements are given the same throughout the drawings, and the detailed description of the elements having the same reference numerals can be omitted and replaced with the description of the above-described elements.

FIG. 1 is a block diagram of an SDN network system according to an embodiment of the present invention. FIG. 2 is a block diagram of a controller of the network system of FIG. 1. FIG. 3 is a block diagram of a switch of a network system of FIG. 4 is an operation table showing a field table of a flow entry and an operation type according to a flow entry, and Fig. 5 is a field table of a group and a meter table.

Referring to FIG. 1, an SDN network system according to an embodiment of the present invention may include a controller 10, a plurality of switches 20, and a plurality of network devices 30.

The network device 30 may include a user terminal device for exchanging data or information, or a physical device or a virtual device for performing a specific function. From a hardware standpoint, the network device 30 may be a PC, a client terminal, a server, a workstation, a supercomputer, a mobile communication terminal, a smart phone, a smart pad, or the like. The network device 30 may also be a virtual machine (VM) created on a physical device.

The network device 30 may be referred to as a network function that performs functions on various networks. Network features include anti-DDoS, intrusion detection / blocking (IDS / IPS), integrated security services, virtual private network services, anti-virus, anti-spam, security services, access management services, firewalls, load balancing, . ≪ / RTI > These network functions can be virtualized.

There is a network function virtualization (NFV) defined in a white paper on NFV issued by the European Telecommunications Standards Institute (ETSI) (see non-patent reference 3) as a virtualized network function. The network function (NF) may be used herein in combination with network function virtualization (NFV). NFV provides necessary network functions by dynamically generating necessary L4-7 service connection for each tenant, and provides firewall, IPS and DPI functions necessary for policy-based DDoS attacks quickly through a series of service chaining . NFVs can also easily turn on and off firewalls or IDS / IPS and provision them automatically. NFV can also reduce the need for overprovisioning.

A controller 10 is a kind of command computer that controls the SDN system and can perform various complex functions such as routing, policy declaration, and security check. The controller 10 can define the flow of packets occurring in the plurality of switches 20 in the lower layer. The controller 10 may calculate a path (data path) to be flowed by referring to a network topology or the like with respect to a flow allowed in the network policy, and then set an entry of the flow on a switch on the path. The controller 10 may communicate with the switch 20 using a specific protocol, e.g., an open flow protocol. The communication channel between the controller 10 and the switch 20 can be encrypted by SSL.

2, the controller 10 may include a switch communication unit 110, a control unit 100, and a storage unit 190, which communicate with the switch 20.

The storage unit 190 may store a program for processing and controlling the control unit 100. [ The storage unit 190 may perform a function for temporarily storing input or output data (packet, message, etc.). The storage unit 190 may include an entry database (DB) 191 for storing flow entries.

The controller 100 may control the overall operation of the controller 10 by controlling the operations of the respective units. The control unit 100 may include a topology management module 120, a path calculation module 125, an entry management module 135, and a message management module 130. Each module may be configured in hardware in the control unit 100 and may be configured in software separate from the control unit 100. [

The topology management module 120 can construct and manage network topology information based on the connection relationship of the switches 20 collected through the switch communication unit 110. [ The network topology information may include a topology between the switches and a network device topology connected to each switch.

The path calculation module 125 can obtain the data path of the packet received through the switch communication unit 110 and the action column to be executed in the switch on the data path based on the network topology information established in the topology management module 120.

The entry management module 135 can register an entry based on the result calculated by the route calculation module 125, a policy such as QoS, and a user instruction in the entry DB 191. The entry may be any one of a flow table, a group table, and a meter table. The entry management module 135 may proactively register an entry in each table in the switch 20 and react to an addition or update request of an entry from the switch 20. [ The entry management module 135 may change or delete entries in the entry DB 191 as needed or in accordance with an entry disappearance message of the switch 10. [

The message management module 130 may interpret a message received through the switch communication unit 110 or may generate a controller-switch message to be transmitted to the switch through the switch communication unit 110, which will be described later. The status change message, which is one of the controller-switch messages, may be generated based on the entry according to the entry management module 135 or the entry stored in the entry DB 191. [

The switch 20 may be a physical switch or a virtual switch supporting an open flow protocol. The switch 20 can process the received packet and relay the flow between the network devices 30. [ To this end, the switch 20 may comprise a single flow table or a multiple flow table for pipeline processing as described in non-patent document 1. [

The flow table may include a flow entry defining rules for how to handle the flow of network device 30. [

A flow may refer to a packet flow of a particular path according to a series of packets sharing a value of at least one header field from a single switch or a combination of multiple flow entries of multiple switches. The open-flow network can perform path control, fault recovery, load balancing and optimization on a flow-by-flow basis.

The switch 20 can be divided into a core switch between an ingress and egress edge switch and an edge switch between a flow according to the combination of multiple switches.

3, the switch 20 includes a port portion 205 for communicating with other switches and / or network devices, a controller communication portion 210 for communicating with the controller 10, a switch control portion 200, and a storage portion 290).

The port unit 205 may include a plurality of pairs of ports that are flown out from a switch or a network device. A pair of ports can be implemented as one port.

The storage unit 290 may store a program for processing and controlling the switch control unit 200. [ The storage unit 290 may perform a function for temporarily storing input or output data (packets, messages, etc.). The storage unit 290 may include a table 291 such as a flow table, a group table, and a meter table. An entry in the table 230 or table may be added, modified or deleted based on the message of the controller 10. [ The table entry can be destroyed by itself.

The flow table can be composed of multiple flow tables to handle the pipeline of open flows. 4, a flow entry of a flow table includes match fields describing conditions (matching rules) to match a packet, a priority, counters to be updated when there are packets to be matched, An instruction that is a collection of various actions that occur if there is a packet matched to the flow entry, timeouts describing the time to be discarded in the switch, and a tuple. A tuple is an opaque type that is selected by the controller and can be used by the controller to filter flow statistics, flow changes, and flow deletes, and is a cookie that is not used in packet processing .

An instruction may change pipeline processing such as forwarding a packet to another flow table. The instructions may also include a collection of actions to add an action to an action set, or a list of actions to apply directly to a packet. An action is an operation that modifies a packet, such as sending a packet to a specific port or decreasing the TTL field. The action may be part of an instruction set associated with the flow entry or belonging to an action bucket associated with the group entry. An action set is an aggregated set of actions indicated in each table. An action set can be performed when no table is matched. 5 illustrates various packet processing by a flow entry.

A pipeline is a sequence of packets between a packet and a flow table. When a packet is input to the switch 20, the switch 20 searches for a flow entry matching the packet in the order of higher priority of the first flow table. When the matching is performed, the instruction of the entry is executed. An instruction may be an apply-action that is immediately matched, a command to clear or add / modify an action set, a write-action, a write-metadata command, And a goto-table that moves packets along with metadata to a table. If there is no flow entry matched with the packet, the packet may be dropped according to the table setting, or the packet may be sent to the controller 10 in a packet-in message.

The group table may include group entries. The group table may be indicated by a flow entry to suggest additional forwarding methods. Referring to FIG. 5A, the group entry of the group table may include the following fields. A group identifier for identifying a group entry, a group type for specifying a rule for performing a select or all action buckets defined in the group entry, a counter for a flow entry , And action buckets, which are a set of actions associated with the parameters defined for the group.

A meter table is composed of meter entries and defines per-flow meters. The flow meter-party can allow open flows to be applied to various QoS operations. A meter is a kind of switch element that can measure and control the rate of packets. Referring to FIG. 5 (b), a meter table includes a meter identifier for identifying a meter, a rate specified in a band and meter bands indicating a method of packet operation, And counters fields that are updated when operated on the meter. Meter bands include a band type indicating how the packet is to be processed, a rate used to select the meter band by the meter, counters that are updated when the packets are processed by the meter band, ), And a type specific argument, which is a bad type with optional arguments.

The switch control unit 200 can control the overall operation of the switch 200 by controlling operations of the respective units. The control unit 200 may include a table management module 240 that manages the table 291, a flow search module 220, a flow processing module 230, and a packet processing module 235. Each module may be configured in hardware in the control unit 200 and may be configured in software separate from the control unit 200. [

The table management module 240 may add the entry received from the controller 10 to the appropriate table through the controller communication unit 210 or periodically remove the time-out entry.

The flow search module 220 may extract flow information from the received packet as user traffic. The flow information includes identification information of an ingress port as a packet inflow port of the edge switch, identification information of an incoming port of the switch of the switch, packet header information (IP address of the source and destination, MAC address, port, And VLAN information, etc.), metadata, and the like. The metadata may be optionally added in the previous table or may be data added in another switch. The flow search module 220 can search the table 291 for a flow entry for a received packet by referring to the extracted flow information. The flow search module 220 may request the flow processing module 260 to process the received packet according to the retrieved flow entry, if a flow entry is found. If the flow entry search fails, the flow search module 220 may transmit the minimum data of the received packet or the received packet to the controller 100 through the controller communication unit 210.

The flow processing module 230 may process an action, such as outputting a packet to a specific port or multiple ports, dropping it, or modifying a specific header field, in accordance with the procedure described in the entry retrieved from the flow search module 220 have.

The flow processing module 230 may execute an action set to execute a pipeline process of a flow entry, execute an instruction to change an action, or execute a set of actions when it is no longer possible to go to the next table in a multi-flow table.

The packet processing module 235 may actually output the packet processed by the flow processing module 230 to one or more ports of the port unit 205 designated by the flow processing module 230. [

Although not shown in FIG. 1, the SDN network system may further include an orchestrator for creating, changing, and deleting virtual network devices, virtual switches, and the like. When an orchestrator creates a virtual network device, the orchestrator generates a virtual network device such as a network device, such as identification information of a switch to be connected to the virtual network, port identification information connected to the switch, MAC address, IP address, tenant identification information, To the controller (10).

The controller 10 and the switch 20 exchange various information, which is called an open flow protocol message. Such an open flow message may be of a type such as a controller-to-switch message, an asynchronous message, and a symmetric message. Each message may have a transaction identifier (transaction id; xid) in the header that identifies the entry.

The controller-switch message is a message generated by the controller 10 and transmitted to the switch 20, which is mainly used for managing or checking the state of the switch 20. [ The controller-switch message may be generated by the controller 100 of the controller 10, and in particular by the message management module 130.

The controller-switch message includes features inquiring about the capabilities of the switch, configuration for inquiring and setting the settings of the configuration parameters of the switch 20, flow / group / meter of the open flow table, A modify state message for adding / deleting / modifying entries, a packet-out message for transmitting a packet received from the switch through a packet-in message to a specific port on the switch, and the like . The state change message includes a modify flow table message, a modify flow entry message, a modify group entry message, a prot modification message, and a meter entry change message. Message (meter modification message).

The asynchronous message is a message generated by the switch 20, and is used to update the state of the switch, the network event, and the like in the controller 10. The asynchronous message may be generated by the control unit 200 of the switch 20, in particular by the flow search module 220.

Asynchronous messages include packet-in messages, flow-removed messages, and error messages. The packet-in message is used by the switch 20 to send a packet to the controller 10 to receive control of the packet. The packet-in message includes all or part of the received packet, or a copy thereof, sent from the open flow switch 20 to the controller 10 to request the data path when the switch 20 receives an unknown packet Message. A packet-in message is used even when the action of the entry associated with the incoming packet is determined to be sent to the controller. The deleted flow-removed message is used to forward the flow entry information to the controller 10 to be deleted from the flow table. This message occurs when the controller 10 requests the switch 20 to delete the corresponding flow entry or in a flow expiry process by a flow timeout.

The symmetric message is generated in both the controller 10 and the switch 20, and is transmitted even when there is no request from the other party. A hello used to initiate the connection between the controller and the switch, an echo to confirm that there is no abnormality in the connection between the controller and the switch, and an error message used by the controller or switch to inform the other side of the problem an error message, and the like. The error message is mostly used in the switch to indicate a failure in response to a request initiated by the controller.

FIG. 6 is a block diagram of an SDN network system according to another embodiment of the present invention. FIG. 7 is a block diagram of a controller according to another embodiment of the present invention. FIG. 8 is a block diagram of a switch according to another embodiment of the present invention. FIG. 9 is a block diagram of a port management unit according to an embodiment of the present invention.

6, the network system according to the present embodiment includes a controller 10, a plurality of open flow switches 20 (SW1 to SW3), a plurality of network devices 35 (NF1 to NF6) 40 and an orchestrator (50). Reference is made to Figs. 1 to 5 for a detailed description of the same or similar components.

The network device may include a user terminal device 35 for exchanging data or information, and a network function group 40 (NF: NF1 to NF6) performing a specific function.

The network function group 40 is a device that provides each function of a series of service chaining, and is preferably a virtual device to ensure flexibility, scalability, and stability. The network function group may include one or more network function nodes. Preferably, the network function nodes are network function virtualization nodes. Hereinafter, the network function node is assumed to be a network function virtualization node.

Referring to FIG. 9, the network function group 40 is preferably composed of network function virtualization nodes (NFv) 301 to 304 having the same function. Preferably, the NFv nodes of the same function group are aggregated to be connected to the logical port of the open flow switch 20 to operate as a single network device. A detailed description will be given later.

The user terminal 35 is a device for requesting data or information, and may include a PC, a server, a client, various terminals capable of mobile communication, and the like.

7, the controller 10 includes a switch communication unit 110 for communicating with the switch 20, a topology management module 120, a path calculation module 125, a message management module 130, an entry management module 135 A control module 100 having an extraction module 140 and a billing module 145, and a storage unit 190. [ Reference is made to Fig. 2 for a description of components for the same reference numerals.

The controller 100 may control the overall operation of the controller 100 by controlling the operations of the respective units. Each module belonging to the control unit 100 may be constituted by hardware in the control unit 110 or software separate from the control unit 110. [

The extraction module 140 may extract a service identifier indicating the type of the requested service and a user identifier capable of identifying a user who has requested the service from a packet-in message received from the switch communication unit 110.

The service identifier indicates the type of service provided by the network. The service type may include web traffic, video traffic, social network service (SNS) traffic, and the like. The service identifier may be predefined in the user terminal device 35 requesting the service, or may define a service identifier in a request packet in an edge switch of a gateway or SDN network that transmits traffic to the SDN network. A method of defining a service identifier may include a method of assigning a service identifier to a field among preset fields of a service request packet or adding metadata indicating a service type to a service request packet. To indicate the type of service, the service identifier may be tagged in the vLAN field of the packet field. vLAN (Virtual Local Area Network) is a technology that can logically configure a LAN regardless of physical layout, and can set a network for each requested service. The vLAN can set up a separate network, which increases network resource security, reduces costs, facilitates network configuration for administrators, and reduces unnecessary traffic because it creates different network groups. To indicate the service type, the vxLAN (eXtendable vLAN) field of the packet field may be used.

vLAN tagging is preferably performed in the open flow switch 20, particularly in the edge switch SW1. The edge switch SW1 can perform vLAN tagging corresponding to the service type according to the user IP and the destination IP obtained from the packet. That is, the vLAN tagging as the service identifier must be executed before the packet is delivered to the controller 10, and the extraction module 140 may extract the service identifier.

The extraction module 140 may extract the user identifier from the user (source IP) of the packet (src IP).

Extraction module 145 may extract the service chain ID from the packet-in message. The service chain ID may correspond to or be the same as the service identifier and / or the user identifier.

The path calculation module 125 calculates the path of the packet received through the switch communication unit 110 and the action column to be executed by the open flow switch 20 on the transmission path based on the network topology information established in the topology management module 120, Can be obtained.

The entry management module 135 may register the result calculated by the path calculation module 125 in the entry DB 191 as a flow entry and respond to the addition or update request of the flow entry or entries from the switch 10 .

The billing module 145 may bill each user based on the data of the statistical DB 196 according to a policy.

The storage unit 190 may store a program for processing and controlling the control unit 110. The storage unit 190 may perform a function for temporarily storing input or output data (packet, message, etc.). The storage unit 190 may include an entry DB 191, an NFv list DB 192, a topology DB 193, a user DB 194, a service DB 195, and a statistics DB 196.

The topology DB 193 can store and manage switches and network device information by the topology management unit 130, and topology, which is connection information between switches. The topology may include connection information of network devices.

The service DB 195 can store and manage service entries. The service entry allows identification of the type of service provided by the SDN network and corresponds to the service identifier.

The user DB 194 may store and manage the user's entry. The user entry can manage the list of NFvs for each service used by the user. The user can be distinguished through the source IP.

The NFv list DB 192 can store and manage a series of NFv list entries for each service used by the user. That is, the network function order of the NFv list can be fixed or dynamically changed with reference to the topology state, the traffic processing state, and the like. The determination of the NFv list, NFv functions, for each service and user may be determined according to the service level agreement of the service provider and the user.

The NFv list DB 192 may further include a default NF list entry not associated with the service DB 195 and the user DB 194. [ The default NF list entry is preferably a list of NFs whose received packets are to be processed by the required NF of the SDN network.

The entry DB 191 can store and manage entries for an appropriate packet path based on the topology table 191, the service table 192, the user table 193, and the network function table 194.

The statistical DB 196 can store and manage statistics such as the amount of traffic for each flow, the processing speed, the number of NFs passed and the type thereof.

8, an open flow switch 20 (SW1, SW2, SW3) 27 (GW-SW) according to another embodiment of the present invention includes a port unit 205 for communicating with other switches and / or network devices, A controller communication unit 210 for communicating with the controller 10, a switch control unit 200, and a storage unit 290. See FIG. 3 for a detailed description.

The switch control unit 200 may further include an extraction module 245. The extraction module 245 may extract a service identifier indicating the type of the requested service and / or a user identifier capable of identifying the service requester (user) from the received packet or flow. The extraction module 245 may extract the service chain ID. The service chain ID may correspond to or be the same as the service identifier and / or the user identifier. In this embodiment, the switches 20 and 27 process the flow in which the service chain ID is inserted by the controller 10, so that the extraction module 245 can be implemented by the flow search module 220.

9, a port portion 205 of a portion (SW2, SW3, GW-SW) (hereinafter, referred to as a representative switch SW2) of the open flow switches according to another embodiment of the present invention, May include logical ports 205-1 and 205-2 and packet processing module 235 may include a diverging unit 236 and a converging unit 237. [

The diverging unit 236 can forward a packet flowing from the logical output port 205-1 of the switch SW2 to any one of the plurality of NFv nodes 301 to 304. [ As described above, a plurality of NFv nodes 301 to 304 provide the same network function. The convergence unit 237 can forward the packets coming from the plurality of NFv nodes 301 to 304 to the logical input port 205-2 of the switch SW2. The logic ports 205-1 and 205-2 of the switch SW2 and the aggregation function of the diverging and converging units 236 and 237 allow the plurality of NFvs 301-304 to function as one NFv node .

The packet processing module 235 controls the packet switching module 235 such that a packet received through the logical output port 205-1 of the switch SW2 is transferred to an appropriate NFv node among the plurality of NFvs 301 to 304 in consideration of the connection state, The diverging unit 236 can be controlled. An example of a suitable NFv node is an NFv node with a good connection or a NFv node with the least traffic.

Creation and deletion of the NFv connected to the switch SW2 can be executed by the orchestrator 50. [ The orchestrator 50 may adjust the number of NFVs connected to one logical port depending on traffic conditions and the like.

This logical port and aggregation function may allow the controller 10 and the switch SW2 to consider only the NFv type on the packet path. The packet path and the flow entry, etc. may be simply described as the logical port of the NFv group of the corresponding function.

The network system according to the present invention may further include a base station 25 relaying the user terminal 35 and the switch SW1. The base station 25 according to the present embodiment can provide a wireless connection between the user terminal device 35 and the switch SW1. The base station 25 may include an evolved Node B (eNB) in an LTE communication network.

The eNB that has received the IP packet from the user terminal (hereinafter referred to as 'UE') 35 transmits a GTP header, a UDP header, and an IP header for GTP tunneling to the encapsulation This happens. The encapsulated packet is sent to the extraction module 245 of the open flow switch 20 or the extraction module 140 of the controller 10 because the encapsulation causes the IP address of the UE 35, There is a problem that the user identification information can not be extracted. It is preferable that the switch SW1 is connected to the NF1 of the decap function which can decapsulate the packet received through the base station 25. The NF1 of the decap function can add the header including the user IP and the destination IP in the packet received by the switch SW1, add it as metadata, and transmit it to the switch SW1 again.

The switch SW1 may be connected to the mobile core network 80 and the public Internet network 90 in addition to the base station 25. The switch SW1 can operate as a relatively inexpensive public Internet network 90 without passing through the MOMA core network 80 and can operate the NF such as a firewall, an IDS, and a load balancer in the existing mobile core network 80 It is possible to reduce the load on the mobile core network by operating in the vicinity of the user.

The switch SW1 can be directly connected to the gateway switch 27. [ The gateway switch 27 allows the domain of the data center network 85 and the switch SW1 to appear as the same domain so that the service chain by the network functions NF4 to NF6 of the data center network 85 can be utilized.

10 is a flowchart illustrating a method of providing service chaining of an open flow switch according to an embodiment of the present invention. Please refer to Figs. 1 to 9.

Referring to FIG. 10, when the first open-flow switch SW1 of the edge switch stage receives the service request packet from the UE 35, it can know that a packet-in event has occurred (S510).

When the base station 25 is connected to the first open flow switch SW1, the first open flow switch SW1 may extract the source and destination IP addresses from the encapsulated packet (S515). In order to know the source and destination IP addresses of the encapsulated packet, it is preferable that the first open flow switch SW1 is connected to the NF of the decap function as described above.

The first open flow switch SW1 may analyze the service request packet and allocate a value corresponding to the service type to the vLAN of the service request packet according to the service type (S520).

The first open flow switch SW1 may search the flow table 0 for an entry matching the vLAN of the service request packet (S530). If there is a matching flow entry, the flow processing module 230 compares the packet with the next flow table 1 (S540), and determines whether there is a flow entry matching the IP of the source in the table 1 (S550). If there is a flow entry, the first open flow switch SW1 may execute the action or action set of the flow entry to forward the service request packet to the designated port (S560).

When the flow entry corresponding to the vLAN of the service request packet is not in the flow table 0, the first open flow switch SW1 transmits a packet-in message to the controller 10 of the upper layer (S570) (Step S580). The packet-out message includes information for transmitting a packet from the mobile station to the base station. The first open-flow switch SW1 may receive a flow change message (Flow Mod Msg.) In addition to the packet-out message. When receiving the flow change message, the first open flow switch SW1 may register the flow entry provided in the flow change message in the flow table.

Unlike the service chaining method of the first open flow switch SW1 having the internal block as shown in FIG. 3, the second open flow switch SW2 of the core network, when a packet-in event occurs (S510) It is possible to search for a matching entry (S520). Decapping and extraction and vLAN tagging were performed in the first open flow switch SW1. When the received flow is provided with the path identification information, the second open flow switch NF2 can determine whether the flow entry corresponding to the path identification information other than the vLAN or the source IP exists in the entry DB. A flow entry having the path identification information in the match field can be generated by the controller 10. [ It is preferable that the packet forwarding by the flow entry of the second open flow switch SW2 having the internal structure as shown in Fig. 7 is designated as a logical port.

11 is a flowchart illustrating a service chaining providing method in a controller. Please refer to Figs. 1 to 10.

Referring to FIG. 11, the controller 10 may receive a packet-in message from the open flow switch 20 (S610).

When receiving the packet-in message, the controller 10 may extract the vLAN and the source IP from the packet of the packet-in message for the service identifier and the user identifier (S615). However, when the path identification information exists in the packet-in message, the controller 10 does not extract the vLAN and the source IP, but searches the flow entry for assigning the path identification information to the packet, (S670).

The controller 10 may determine whether a service corresponding to the vLAN of the received packet exists in the service table 192 (S620). If there is no service corresponding to vLAN in the service table 192, the controller 10 can send a message-out to the lower switch to drop the packet (S). Thereafter, the controller 10 can report to the manager or manage the packet transmission failure by an error processing routine.

If the service corresponding to the vLAN is present in the service table 192, the controller 10 may determine whether the user (i.e., source IP) according to the service is in the user table 193 (S630). If there is a user associated with the service corresponding to the vLAN, the associated NF list is acquired (S635). Otherwise, the basic NF list can be obtained (S640). The controller 10 may determine whether a flow entry associated with the NF list is present in the database 190. [ If there is an associated flow entry, the database 190 can be upgraded (S660). Preferably, the flow entry associated with the NF list is a result of a packet path calculated according to an NF list, topology information, traffic conditions, and the like. The controller 10 may send a flow change message to forward the flow entry to the open flow switch 20 of the path.

FIG. 12 is a block diagram of a network system according to another embodiment of the present invention, FIG. 13 is an NFv list database table according to an embodiment of the present invention, FIG. 14 is an example of an ID packet according to an embodiment of the present invention Figure 15 is a flow table according to an embodiment of the present invention. Please refer to Figs. 1 to 11. Fig.

Referring to FIG. 12, the network system may include a client, a server, an open flow base switch 20, an open flow virtual switch 20 ', and a plurality of NFv groups G1 to G4.

The client and the server may correspond to the network devices of FIGS. 1 and 6. A client is an element that transmits a packet to an open-flow switch such as a terminal of the terminal end or a base station of the mobile communication network or an eNode. The server is an element for receiving a packet after the packet is churned in the base switch 20, and may be another switch, a router, a server computer, or the like.

The base switch 20 and the virtual switch 20 'are switches of the open flow protocol and can correspond to the open flow switch of FIG. 1 or 6. The base switch 20 is an open flow switch directly connected to a client and a server, and can provide an NFv service by itself. The virtual switch 20 'may be created by a virtual machine with an open flow switch connected directly to the base switch 20 or with another virtual switch, but it is not so limited and may be an actual physical switch. However, it is preferable to use a virtual switch for interworking with NFv. The base switch 20 and the virtual switch 20 'may be under the control of the controller 10 of FIG. 1 or 6.

The plurality of NFv groups G1 to G4 can provide different functions, that is, different services. A plurality of NFv groups G1 to G4 may be connected to the virtual switch 20 'to provide a series of services or service chains to the passing packets. Each NFv group may contain one or more NFv nodes. As shown in FIG. 9, it is preferable that the NFv nodes belonging to the first group of NFvs are aggregated and connected to one logical input / output port of the open flow switch. When NFv nodes belonging to the same group are connected to various input / output ports of an open flow switch, packet forwarding, traffic distribution, load balancing, and the like can be controlled or managed through a flow table. It is more advantageous in terms of traffic control or traffic efficiency to perform load balancing or the like on one logical input / output port rather than performing load balancing or the like by changing the flow table.

When the open flow switches 20 and 20 'are powered on, the controller 10 transmits the topology between the switches and the location information of the network devices NFv connected to the switches through the message of the open flow switch .

Referring to FIG. 13, the controller 10 may generate NFv lists by generating a list of all possible combinations according to the type and order of the NFv groups. The controller 10 may generate and associate a chain ID with each of the generated NFv lists. Such an NFv list group and a chain ID group can be stored in a controller as an NFv list database. FIG. 13 shows an example of the NFv list database. When the NFv list is service A, the chain ID is 100, and when the NFv list is service A, B, and C, the chain ID is 300.

The chain ID may be part of the packet flowing into the open flow switch or part of the metadata loaded into the packet by the flow table instruction in the open flow switch. The chain ID may be associated with the service identifier and / or the user identifier extracted from the extraction module 140 mentioned in FIG. That is, the chain ID may be generated based on at least one of the service identifier and the user identifier, or may have the same value or correspond to one of the service identifier and the user identifier.

The chain ID may use the vLAN field or the vxLAN field. Since the vxLAN size is larger than vLAN, it may be more advantageous to use the vxLAN field to pre-specify the service chain list. 14 (a) shows an example of using a 24-bit vxLAN field as a chain ID.

Based on the NFv list database and the switch topology, the controller 10 derives the data path of the packet according to each chain ID, generates an entry list of each open flow switch based on the derived data path, It is possible to transmit an entry change message according to the entry list to the open flow switches. It is preferable that such an entry change message is transmitted to the open flow switch in advance so that each open flow switch has the corresponding entry information. This is because the open flow switch can process packets immediately when they are received. In some cases, an entry corresponding to a flow with a low usage rate may not be proactive, but may distribute the entry when receiving a packet-in message from the open flow switch.

The controller 10 can designate the timeout value of the flow entry to be distributed as the maximum value or zero. When the timeout value is 0, the open flow switch can persist the entry irrespective of whether or not the hit of the corresponding entry is maintained, and thus it is possible to permanently distribute the entry. At the time of writing this specification, the OpenFlow Switch White Paper 1.4.0 defines two kinds of timeout values, idle_timeout and hard_timeout. It is desirable to designate both idle_timeout and hard_timeout to be 0 for the permanent persistence of the entry. If necessary, the controller 10 can transmit a message to the open flow switch to delete the flow entry designated as 0 or to change it to a non-zero timeout value.

Fig. 15 shows a flow table of the open-flow virtual switch 20 '. The virtual switch 20 'can operate a flow entry having a match field of only the incoming port information and the service chain ID of the incoming packet. Thus, the memory can be saved, and the time for searching for an entry matching the flow information can be shortened.

FIG. 16 is a block diagram of a network system according to another embodiment of the present invention, FIG. 17 is a flow table according to another embodiment of the present invention, FIG. 18 is a diagram illustrating a service chain providing method of a switch according to another embodiment of the present invention FIG. 19 is a flow chart of a method for controlling an open flow switch of a controller according to an embodiment of the present invention, and FIG. 20 is a message flow diagram between a controller and an open flow switch. 1 to 15.

16, the network system includes a client, a server, an open flow base switch 20, first and second open flow virtual switches 20'-1 and 20'-2, and a plurality of NFv groups G1- G4). Compared with the network system of FIG. 12, the network system according to the present embodiment illustrates a case where the number of open-flow virtual switches is two or more. When the virtual switch is 2 or more, an order ID is required in addition to the service chain ID as shown in FIG. 14 (b). A detailed description thereof will be described later.

The client and the server may correspond to the network devices of FIGS. 1 and 6. A client is an element that transmits a packet to an open-flow switch such as a terminal of the terminal end or a base station of the mobile communication network or an eNode. The server is an element for receiving a packet after the packet is churned in the base switch 20, and may be another switch, a router, a server computer, or the like.

The base switch 20 and the first and second virtual switches 20'-1 and 20'-2 are switches of the open flow protocol and can correspond to the open flow switch of FIG. 1 or 6. The base switch 20 is an open flow switch directly connected to a client and a server, and can provide an NFv service by itself. The first and second virtual switches 20'-1 and 20'-2 may be generated by a virtual machine as an open flow switch connected to the base switch 20 directly or to another virtual switch, It may be a physical switch. However, it is preferable to use a virtual switch for interworking with NFv. The base switch 20 and the first and second virtual switches 20'-1 and 20'-2 may be under the control of the controller 10 of FIG. 1 or 6.

The plurality of NFv groups G1 to G4 can provide different functions, that is, different services. A plurality of NFv groups G1 to G4 may be connected to the first and second virtual switches 20'-1 and 20'-2 to provide a series of services or a service chain to the packets passing therethrough. Each NFv group may contain one or more NFv nodes. As shown in FIG. 9, it is preferable that the NFv nodes belonging to the first group of NFvs are aggregated and connected to one logical input / output port of the open flow switch. When NFv nodes belonging to the same group are connected to various input / output ports of an open flow switch, packet forwarding, traffic distribution, load balancing, and the like can be controlled or managed through a flow table. It is more advantageous in terms of traffic control or traffic efficiency to perform load balancing or the like on one logical input / output port rather than performing load balancing or the like by changing the flow table.

19, when the open flow switches 20, 20'-1, and 20'-2 are powered on, the controller 10 sends a message of the open flow switch, The location information of the network devices NFv connected to the respective switches can be known (S410).

The controller 10 may generate NFv lists by generating a list of all possible combinations according to the type and order of the NFv groups (S420). The controller 10 may generate and associate a service chain ID with each of the generated NFv lists. The NFv list group of these NFv lists and the service chain ID group of service chain identities can be databaseized. Such a database may be stored in the controller as an NFv list database. FIG. 13 shows an example of the NFv list database. When the NFv list is service A, the chain ID is 100, and when the NFv list is service A, B, and C, the chain ID is 300.

The service chain ID may be part of the packet flowing into the open flow switch or part of the metadata loaded into the packet by the flow table instruction in the open flow switch. The chain ID may be associated with the service identifier and / or the user identifier extracted from the extraction module 140 mentioned in FIG. That is, the chain ID may be generated based on at least one of the service identifier and the user identifier, or may have the same value or correspond to one of the service identifier and the user identifier.

The chain ID may use the vLAN field or the vxLAN field. Since the vxLAN size is larger than vLAN, it may be more advantageous to use the vxLAN field to pre-specify the service chain list. FIG. 14A is an example of using a 24-bit vxLAN field as a chain ID, and FIG. 14B is an example of using a part of 24-bit vxLAN fields as a chain ID.

Based on the NFv list database and switch topology, the controller 10 may derive the data path of the packet according to each chain ID and then generate an entry list of each open flow switch based on the derived data path ( S430). The generated entries may be stored in the database of the controller 10 and stored in the entry DB. The controller 10 may transmit an entry change message according to the entry list to the open flow switches of the corresponding path (S440). It is preferable that such an entry change message is transmitted to the open flow switch in advance so that each open flow switch has the corresponding entry information. In other words, it is desirable to distribute the entries before the open flow switch performs operations such as switching or routing. This is because the open flow switch can process packets immediately when they are received. In some cases, an entry corresponding to a flow with a low usage rate may not be proactive, but may distribute the entry when receiving a packet-in message from the open flow switch.

The controller 10 can designate the timeout value of the flow entry to be distributed in advance as the maximum value or zero. When the timeout value is 0, the open flow switch can persist the entry irrespective of whether or not the hit of the corresponding entry is maintained, and thus it is possible to permanently distribute the entry. At the time of writing this specification, the OpenFlow Switch White Paper 1.4.0 defines two kinds of timeout values, idle_timeout and hard_timeout. It is desirable to designate both idle_timeout and hard_timeout to be 0 for the permanent persistence of the entry. If necessary, the controller 10 can transmit a message to the open flow switch to delete the flow entry designated as 0 or to change it to a non-zero timeout value.

Referring to FIG. 18, each of the open flow switches 20, 20'-1, and 20'-2 distributes the flow entry from the controller 10 in advance and stores the flow entry as a flow table (S310). An example of each flow table is shown in Fig. 17 (a), 17 (b), and 17 (c) show the base switch 20, the first virtual switch 20'-1, ) Illustrate a flow table of the second virtual switch 20'-2.

Referring to FIG. 13, the service list when the service chain ID is 350 is A -> C -> B. When the match field of the flow table is composed of only the service chain ID and the incoming port, the following problems may occur. When a packet flows from the third port of the base switch 20 to the port 11 of the first virtual switch 20'-1, the packet is transferred to any one of the NFv group G1 (service A) and G2 (service B) I do not know if I should send it. Accordingly, when the present invention passes through an open flow switch or an NFv group associated with an NFv, the updated value is inserted into the metadata related to a packet or a table so that an accurate output port can be specified. This packet structure is the same as the packet structure in Fig. 14 (b). As described above, part of the vxLAN field is composed of the service chain ID and the remainder is the order ID so that the flow of packets does not interfere even if there are two or more open flow switches directly connected to the NFv group.

The order ID update is performed when a packet is flowed out to any port of the open flow switch, when a packet is received at an arbitrary port, and when a packet is received at a port connected to another open flow switch directly connected to the NFv group And can be executed in any one or a combination of them. However, the present invention is not limited to this and can be applied to the present invention as long as the order ID update requirement for accurately specifying a port through which a packet is to be delivered. It is desirable to update the order ID when the packet is updated on a port connected to another open flow switch directly connected to the NFv group, in order to save memory, minimize the number of times of order ID update execution, and the like. In addition, when service chaining occurs in one open flow switch, such as the service chain ID 100 or 200 in FIG. 13, it is preferable to prevent the update of the order ID from reducing resource consumption.

Specifically, the case where the ID of the service chain of the packet flowing into the base switch 20 is 350 is illustrated according to the flow of the packet. The initial value of the order ID is 0. The controller 10 has the base switch 20, the first virtual switch 20'-1, and the second virtual switch 20'-1 as shown in Figs. 17A to 17C based on the packet path to be described later. 2), and send an entry creation (change) message to each switch.

First, the base switch 20 forwards the packet to the port # 1 to the port # 3. Since this is the initial path of the service chain ID, it is independent of the order ID. It is possible to omit the matching of the order ID. By omitting the order ID matching, the search time can be shortened. The order ID of the corresponding flow entry can be implemented by masking.

The first virtual switch 20'-1 forwards the packet, which has arrived at port 11, whose order ID is 0, to the port 1. The first virtual switch 20'-1 forwards the packet to the port # 2 to the port # 12. In the case of the corresponding service chain ID, all packets coming from the NFv group are forwarded to the port 12 of the base switch 20, so that the order ID is masked, and the in port is the port 2 or 4, .

The base switch 20 updates the order ID of the packet that has arrived at the port No. 4 whose order ID is 0 (by one step), and forwards the packet to the port No. 5. This is because it is an incoming packet from an open-flow switch that is directly connected to the NFv group.

The second virtual switch 20'-2 forwards the packet, which has flowed into the port 21, to the port 1, and then forwards the packet flowing into the port 2 to the port 22. In the case of the service chain ID, packet forwarding can be performed irrespective of the order ID. However, as a requirement for determining whether there is an error in the packet flow, the order ID may not be masked to determine whether the order ID is correct. Referring to FIG. 17 (c), the order ID is matched with the flow entry related to the packet flowing into the port 21 of the flow table of the second virtual switch 20'-2 so that the error search can be performed.

The base switch 20 forwards the packet to the port # 3 to the port # 3. In this case, since the order ID is irrelevant, the order ID field can be masked. However, the base switch 20 must update the order ID of the packet before forwarding the packet to port 3.

The first virtual switch 20'-1 forwards the packet, which has entered the 11th port with the order ID of 2, to the third port. The first virtual switch 20'-1 forwards the packet to the port # 4 to the port # 12. In this case, since the order ID is irrelevant, the masking can be performed. As described above, the flow entry may be merged with the port whose incoming port is 2 times.

The base switch 20 forwards the packet to the port # 2 and forwards the packet to the server. Since the Order ID is no longer used, it is not necessary to update the Order ID.

As described above, each open flow switch can distribute the corresponding flow entry from the controller 10 in advance and store it in the entry table. The flowchart of FIG. 18 is applied to the base switch 20 among the open flow switches as follows. When a packet is input from the client to the base switch 20 (S315), it can be determined whether there is a service chain ID in the incoming packet (S320). The service chain ID can be assigned to the packet on the client side or through the flow table of the open flow switch. A field associated with the service chain ID may be pre-specified in the packet at the client. If there is a field value corresponding to a service chain ID in the incoming packet itself or there is no corresponding value, the base switch 20 can search an entry capable of giving a service chain ID to the flow table. If there is no service chain ID entry, the base switch 20 can send the packet to the controller 10 in a packet-in message. Upon receipt of the packet-in message, the controller 10 can determine the user information and the requested service type through a combination of the source IP address, the destination IP address, and the source MAC address of the packet. The controller 10 may send an action to give the identified user information and / or the service chain ID corresponding to the requested service to the base switch 20 as a packet-out message. The controller 10 may transmit a flow change message so that subsequent packets can be applied to the flow table. If there is a flow entry for assigning a service chain ID to the flow table of the base switch 20, the flow table may be composed of multiple flow tables and pipelined. The service chain ID assignment flow entry may be distributed before the packet-in message and exist as an entry in the flow table of the base switch 20.

The base switch 20 may assign the service chain ID to the incoming packet by a packet entry of the controller 10 requesting the service chain ID or a flow entry for giving the service chain ID (S325). The base switch 20 searches the flow table to see if there is a flow entry corresponding to a packet with or without a service chain ID (S330). It is determined whether the order ID should be updated in the matching entry (S335), and if there is an action to update the order ID, the order ID is updated (S340). Thereafter, the packet is forwarded according to the packet forwarding action of the entry (S345).

The controller 10 may designate the timeout value of the entry related to the NFv service as 0 or a maximum value so that the entry exists permanently or as long as possible in the flow table of the open flow switch. However, it is advantageous in terms of memory management to delete a flow entry having a low usage rate. With respect to management of low utilization entries, refer to FIG. Any open flow switch may check the usage rate of the entry associated with the NFv service and find the used entry (S510). This can be found in the open flow switch when the timeout value is set to a non-zero value, the timeout value is decreased by a preset value without entry heating, or a method of using a separate timer or the like. If a low use entry is found, the low use entry information can be transmitted to the controller 10 (S520). The controller 10 transmits a message for deleting the low use entry to the corresponding open flow switch (S530), and transmits a message for changing the timeout value of the low use entry (S540) to open the low use entry It can be immediately deleted from the flow switch or after an arbitrary time has elapsed.

The present invention can be implemented in hardware or software. The present invention can also be embodied as computer readable code on a computer readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like, and may be implemented in the form of a carrier wave (for example, transmission via the Internet) . The computer readable recording medium may also be distributed over a networked computer system so that computer readable code can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

Embodiments of the present invention may include a carrier wave having electronically readable control signals, which may be operated with a programmable computer system in which one of the methods described herein is implemented. Embodiments of the present invention may be implemented as a computer program product having program code, wherein the program code is operated to execute one of the methods when the computer program is run on a computer. The program code may be stored on, for example, a machine readable carrier. One embodiment of the invention may be a computer program having program code for executing one of the methods described herein when the computer program is run on a computer. The present invention may include a computer, or programmable logic device, for performing one of the methods described above. A programmable logic device (e.g., a field programmable gate array, a complementary metal oxide semiconductor based logic circuit) may be used to perform some or all of the functions described above.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It will be understood by those skilled in the art that various changes and modifications may be made by those skilled in the art without departing from the spirit and scope of the present invention.

Claims (15)

An open flow switch for forwarding packets to an NF group that includes an NF node providing NF (Network Function) services,
A port portion for communicating with at least one of the other switch and the network device;
A controller communicating with a controller that controls the open flow switch;
A storage unit for storing a table having at least a flow table among a flow table, a group table, and a meter table; And
Extracts flow information from the received packet, searches for an entry in which the extracted flow information exists, processes the action of the flow according to the procedure described in the retrieved entry, and specifies the packet processed by the flow processing module And outputting to the port,
Wherein,
A flow retrieval module for determining whether there is flow information corresponding to a predefined service chain ID for the received packet; And
And a flow processing module for processing an instruction corresponding to the flow information when flow information corresponding to the service chain ID of the received packet is present,
The service chain ID corresponds to an NF list in which the types and order of NF services are defined,
The flow information corresponding to the service chain ID further includes an order ID that can be updated based on the port information into which the received packet is inputted,
Wherein the instruction processing includes processing an action corresponding to the service ID of the received packet and the flow information corresponding to the order ID,
Wherein the flow processing module updates the order ID when the port to which the received packet is input is a port connected to another open flow switch directly connected to the NF group. delete delete The method according to claim 1,
Wherein the order ID update is service chaining enabled except for the order ID update when the NF service associated with the NF list is in one open flow switch. The method according to claim 1,
Wherein at least one of the plurality of flow entries associated with at least one of the instruction and the order ID update is present before the incoming packet is received from a controller that controls the open flow switch. 6. The method of claim 5,
Wherein the at least one flow entry is deleted from the flow table only when it receives a delete command message from the controller. 6. The method of claim 5,
Wherein the controller transmits low usage entry information having a usage rate lower than the predetermined usage rate to the controller when the flow entry has a usage rate lower than a predetermined usage rate. 8. The method of claim 7,
Further comprising a controller communication unit for receiving a low utilization flow entry change message from the controller,
Wherein the controller discards the low utilization flow entry if the low utilization flow entry corresponding to the low utilization flow entry change message is not matched with the incoming packet for a predetermined period of time or longer. The method according to claim 1,
Wherein the control unit forwards the received packet to a controller that controls the open flow switch when there is no flow information corresponding to the service chain ID. The method according to claim 1,
Wherein the NF group is connected to a logical port of the open flow switch so that the number of NF nodes is adjusted based on at least a network state. The method according to claim 1,
Wherein the service entry field and the corresponding flow entry field are at least a part of a metadata field. The method according to claim 1,
Wherein the service chain identity is determined based on at least one of a user and a requested service type. The method according to claim 1,
Wherein the port further comprises a virtualized logical port,
Wherein the control unit further comprises a packet processing module for outputting the packet processed by the flow processing module to at least one port of the port unit designated by the flow processing module,
Wherein the NF group includes a plurality of NF nodes,
The packet processing module includes:
A divergence unit for transmitting a packet received from the logical port to one of the plurality of NF nodes; And
And a convergence unit for delivering a packet received from any one of the plurality of NF nodes to the logical port. 14. The method of claim 13,
Wherein the diverting unit transfers the packet received from the logical port to one of the plurality of NF nodes in consideration of at least one of a connection state and a traffic state of the port. 14. The method of claim 13,
Wherein the number of NF nodes is adjusted according to a traffic state.

Images