WO2015136585A1 - Control apparatus, control method and control program - Google Patents

Control apparatus, control method and control program Download PDF

Info

Publication number
WO2015136585A1
WO2015136585A1 PCT/JP2014/006207 JP2014006207W WO2015136585A1 WO 2015136585 A1 WO2015136585 A1 WO 2015136585A1 JP 2014006207 W JP2014006207 W JP 2014006207W WO 2015136585 A1 WO2015136585 A1 WO 2015136585A1
Authority
WO
WIPO (PCT)
Prior art keywords
processing
flow
packet
rule
processing rule
Prior art date
Application number
PCT/JP2014/006207
Other languages
French (fr)
Japanese (ja)
Inventor
暢彦 伊藤
淳 西岡
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to JP2016507133A priority Critical patent/JPWO2015136585A1/en
Publication of WO2015136585A1 publication Critical patent/WO2015136585A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/64Hybrid switching systems
    • H04L12/6418Hybrid transport

Definitions

  • the present invention relates to a control device, a control method, and a control program for controlling a packet processing device that processes packets.
  • OpenFlow captures communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis.
  • An OpenFlow switch that functions as a packet processing device includes a secure channel with an OpenFlow controller that is positioned as a path control device. The OpenFlow switch operates in accordance with a flow entry that is appropriately added or rewritten by the OpenFlow controller. The flow entry is information defining processing for a packet for each flow.
  • a table in the OpenFlow switch that stores flow entries is called a flow table.
  • a set of identification information for identifying a flow and a processing method for a packet of a flow that matches the identification information is referred to as a processing rule.
  • the flow entry in the open flow also corresponds to the processing rule.
  • An object of the present invention is to provide a control device, a control method, and a control program that can reduce the number of processing rules stored in a packet processing device.
  • a control device is a control device that controls a packet processing device that processes a packet, and defines flow identification information creating means for creating flow identification information for identifying a flow, and a processing method for a packet of the flow.
  • the processing rule creation means for creating the processing rule including the flow identification information and the processing method the processing rule of the flow, and the processing rule of the other flow can be aggregated, the processing rule of the flow and the other flow And a notifying means for notifying the packet processing apparatus of the processing rule.
  • the control method according to the present invention is a control method for controlling a packet processing apparatus that processes a packet.
  • the control method creates flow identification information for identifying a flow, defines a processing method for the packet of the flow, and sets the flow identification information. If the processing rule of the flow and the processing rule of the other flow can be aggregated, the processing rule of the flow and the processing rule of the other flow are aggregated and processed. The rule is notified to the packet processing device.
  • a control program is a control program installed in a computer that controls a packet processing apparatus that processes packets, and a flow identification information creation process for creating flow identification information for identifying a flow in the computer. If a processing rule creation process that defines a processing method for a flow packet and creates a processing rule including flow identification information and a processing method, and the processing rule of the flow and the processing rule of another flow can be aggregated, the flow And a notification processing for notifying the packet processing device of the processing rule.
  • the number of processing rules stored in the packet processing device can be reduced.
  • FIG. FIG. 1 is a block diagram showing an example of a control device of the present invention.
  • the control device 1 of the present invention includes a control unit 10, a processing rule granularity determination unit 11, and a management database (hereinafter simply referred to as DB) storage unit 12.
  • DB management database
  • the control device 1 controls a packet processing device (not shown in FIG. 1) that processes packets. There are a plurality of packet processing devices, and a network is formed by the plurality of packet processing devices. The control device 1 controls the packet processing device by notifying the packet processing device of the processing rule.
  • FIG. 2 is a schematic diagram showing processing rules.
  • the processing rule is a set of identification information for identifying a flow (hereinafter referred to as an identification rule) and a processing method for a packet of a flow that matches the identification rule (see FIG. 2). ).
  • the packet processing device searches for a processing rule corresponding to the flow of the packet. If the processing rule cannot be searched, the packet processing device inquires of the control device 1 about the processing rule. Upon receiving this inquiry, the control device 1 notifies the processing rule to each packet processing device to which the packet is to be transferred. As a result, the packets are sequentially transferred by the packet processing device.
  • the protocol by which the control device 1 controls the packet processing device may be an open flow protocol. In that case, the processing rule corresponds to the flow entry in the open flow. Further, the protocol for controlling the packet processing device by the control device 1 may be other than the open flow protocol.
  • the control unit 10 receives a processing rule inquiry from the packet processing device.
  • the processing rule granularity determination unit 11 determines the granularity of the processing rule in response to the processing rule inquiry from the packet processing device, and notifies the packet processing device of the processing rule of the granularity.
  • a control policy is input to the processing rule granularity determination unit 11.
  • the control policy is information that defines a packet processing method for each flow in each packet processing device through which the flow passes.
  • the processing rule granularity determination unit 11 determines a packet processing method in each packet processing device through which the flow passes according to the control policy. If one packet processing apparatus has the same processing method and processing rules corresponding to different flows, the processing rules corresponding to these flows are set to 1 corresponding to the plurality of flows. It aggregates into one processing rule (in other words, it summarizes). In this embodiment, the case where a control policy is input from the outside is described as an example. However, the control device 1 may hold the control policy inside.
  • the management DB storage unit 12 is a storage device that stores processing rules to be notified to the packet processing device.
  • the processing rules stored in the management DB storage unit 12 can be updated when a new processing rule query is generated from the packet processing device.
  • the control unit 10 and the processing rule granularity determination unit 11 are realized by, for example, a CPU of a computer that operates according to a control program.
  • the CPU is, for example, from a program recording medium such as a program storage device (not shown) of the computer. What is necessary is just to read a control program and operate
  • the control unit 10 and the processing rule granularity determination unit 11 may be realized by separate hardware.
  • FIG. 3 is a schematic diagram showing an example of a flow.
  • packet processing apparatuses 2a, 2b, and 2c When the packet processing devices 2a, 2b, and 2c are not particularly distinguished, they are simply referred to as “packet processing device 2”.
  • the number of packet processing devices 2 is not limited to three.
  • FIG. 3 illustrates the case where the three flows A to C pass through the packet processing devices 2a, 2b, and 2c, respectively.
  • the same processing method is defined in the control policy as the processing method for the flow A packet and the processing method for the flow C packet.
  • this processing method is referred to as processing method (1).
  • the processing method (2) is defined in the control policy as a processing method for the packet of the flow B.
  • flows occur in the order of flow A, flow B, and flow C.
  • FIG. 4 is a flowchart showing an example of processing progress of the control device 1.
  • the packet processing device 2a searches for the processing rule corresponding to the flow A from the processing rules stored in the packet processing device 2a.
  • the packet processing device 2a transmits a processing rule inquiry (in this example, a processing method inquiry for the packet of the flow A) to the control device 1.
  • the packet processing device 2a also transmits the packet (in this example, the packet of the flow A) to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet (step S51).
  • the processing rule granularity determination unit 11 creates an identification rule for identifying the flow A based on the packet (step S52). For example, the processing rule granularity determination unit 11 creates an identification rule by combining the header field information of the received packet.
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow A for each packet processing device through which the flow A passes based on the control policy.
  • the processing rule for each packet processing device through which the flow A passes is determined by this processing method and the identification rule created in step SS52.
  • the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which processing rules corresponding to this flow A and processing rules corresponding to other flows can be created (step S53). If the control policy of a plurality of flows is the same, the processing rule granularity determination unit 11 determines that a processing rule in which the processing rules of the plurality of flows are aggregated can be created.
  • the processing rule granularity determination unit 11 aggregates processing rules corresponding to a plurality of flows when the processing method is the same and there are processing rules corresponding to different flows.
  • the processing rules corresponding to different flows are aggregated into one processing rule.
  • the processing rule granularity determination unit 11 performs this determination for each packet processing device 2. In this example, since only the processing rule for the flow A is created, the processing rule granularity determination unit 11 determines that the processing rules corresponding to a plurality of flows cannot be aggregated into one processing rule.
  • the processing rule granularity determination unit 11 registers the processing rule obtained in step S53 in the management DB storage unit 12 (step S54).
  • the processing rule for the flow A obtained for each packet processing device through which the flow A passes is registered in the management DB storage unit 12.
  • the processing rule granularity determination unit 11 determines each processing rule for each packet processing device 2 registered in step S54 (in this example, the processing rule for the flow A obtained for each packet processing device through which the flow A passes). And notifies the corresponding packet processing device 2 (step S55).
  • the packet processing device 2a receives the flow B packet. Then, the packet processing device 2a does not store the processing rule corresponding to the flow B, and transmits a processing rule inquiry (in this example, a processing method inquiry for the packet of the flow B) to the control device 1. Shall. At this time, the packet processing device 2a also transmits the packet (in this example, the packet of the flow B) to the control device 1. The control device 1 receives this inquiry and performs the operation shown in FIG.
  • a processing rule inquiry in this example, a processing method inquiry for the packet of the flow B
  • control unit 10 of the control device 1 receives the processing rule inquiry and the packet (step S51). Then, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow B based on the packet (step S52).
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow B for each packet processing device through which the flow B passes based on the control policy. With this processing method and the identification rule created in step SS52, the processing rule for each packet processing device through which the flow B passes is determined. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of this flow B and the processing rules of other flows are aggregated (step S53). At this time, the processing rule corresponding to the flow A is stored in the management DB storage unit 12, but the processing method (1) for the flow A packet is different from the processing method (2) for the flow B packet. Therefore, the processing rule granularity determination unit 11 determines that each processing rule corresponding to the plurality of flows A and B cannot be integrated into one processing rule in each packet processing device 2.
  • the processing rule granularity determination unit 11 registers the processing rule obtained in step S53 in the management DB storage unit 12 (step S54).
  • the processing rule for the flow B obtained for each packet processing device through which the flow B passes is registered in the management DB storage unit 12.
  • FIG. 5 is a schematic diagram showing processing rules registered in the management DB storage unit 12 at this point.
  • the processing rules corresponding to the flow A and the processing rules corresponding to the flow B are registered in the management DB storage unit 12 as the processing rules in each of the packet processing devices 2a, 2b, and 2c.
  • “processing method (1)” and “processing method (2)” are shown, but the specific contents of processing method (1) are different for each packet processing device 2. May be. The same applies to the processing method (2).
  • the processing rule granularity determination unit 11 determines each processing rule registered in step S54 for each packet processing device 2 (in this example, the processing rule for the flow B obtained for each packet processing device through which the flow B passes). And notifies the corresponding packet processing device 2 (step S55).
  • the packet processing device 2a receives the packet of the flow C.
  • the packet processing device 2a does not store the processing rule corresponding to the flow C, and transmits a processing rule inquiry (in this example, a processing method inquiry for the packet of the flow C) to the control device 1.
  • a processing rule inquiry in this example, a processing method inquiry for the packet of the flow C
  • the packet processing device 2 a also transmits the packet (in this example, the packet of the flow C) to the control device 1.
  • the control device 1 receives this inquiry and performs the operation shown in FIG.
  • the processing method for the flow A packet and the processing method for the flow C packet are the same.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet (step S51). Then, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow C based on the packet (step S52).
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow C for each packet processing device through which the flow C passes based on the control policy. With this processing method and the identification rule created in step SS52, the processing rule for each packet processing device through which the flow C passes is determined. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of the flow C and the processing rules of other flows are aggregated (step S53). If the processing method is the same and there are processing rules corresponding to different flows, the processing rule granularity determination unit 11 determines that the processing rules of the plurality of flows can be aggregated, and the different flows Are integrated into one processing rule.
  • the processing rule granularity determination unit 11 determines that the processing rule corresponding to the flow C in the packet processing device 2a and the processing rule corresponding to the flow A in the packet processing device 2a can be integrated into one, and the two Combine processing rules into one. Specifically, the processing rule granularity determination unit 11 determines an identification rule (in other words, an identification rule that matches each of the plurality of flows) that includes a plurality of flows (in this example, flows A and C), and identifies them. A set of rules and the same processing method may be defined for the plurality of flows.
  • the packet processing device 2a has been described as an example, but the same applies to the other packet processing devices 2b and 2c.
  • the processing rule granularity determination unit 11 registers the processing rule obtained in step S53 in the management DB storage unit 12 (step S54). When a processing rule in which a plurality of processing rules are integrated into one is determined, the processing rule granularity determination unit 11 registers the processing rule in the management DB storage unit 12. In addition, the processing rule granularity determination unit 11 deletes the existing processing rule (in this example, the processing rule of the flow A) that is aggregated into one processing rule from the management DB storage unit 12.
  • FIG. 6 is a schematic diagram showing processing rules registered in the management DB storage unit 12 at this point.
  • the processing rules corresponding to the flow A and the processing rules corresponding to the flow C are aggregated into one processing rule, and the processing rules corresponding to the existing flow A shown in FIG. Has been deleted.
  • the processing rule granularity determination unit 11 notifies the corresponding packet processing device 2 of the processing rules for each packet processing device 2 registered in step S54 (in this example, processing rules corresponding to flows A and C). (Step S55).
  • the processing rule to be notified is an aggregation of processing rules corresponding to a plurality of flows
  • the processing rule granularity determination unit 11 deletes an existing processing rule corresponding to the aggregated flow. Is also transmitted to the packet processing apparatus 2.
  • the processing rule granularity determination unit 11 also transmits a notification to delete the existing processing rule corresponding to the flow A in step S55.
  • the packet processing devices 2a, 2b, and 2c do not need to store the processing rules corresponding to the flow A and the processing rules corresponding to the flow C separately, and store the processing rules corresponding to the flows A and C. To do. Therefore, the number of processing rules stored in the packet processing device 2 can be reduced.
  • FIG. 7 is a block diagram illustrating an example of the packet processing device 2.
  • the packet processing device 2 includes a processing rule setting unit 20, a storage unit 21, and a packet processing unit 22.
  • the storage unit 21 is a storage device that stores processing rules.
  • the processing rule setting unit 20 stores the processing rule notified from the control device 1 in the storage unit 21.
  • the processing rule setting unit 20 receives an instruction to delete the processing rule from the control device 1, the processing rule setting unit 20 deletes the processing rule designated to be deleted by the control device 1 from the storage unit 21.
  • the packet processing unit 22 searches the processing rule stored in the storage unit 21 for a processing rule having an identification rule corresponding to the received packet.
  • the packet processing unit 22 processes the received packet according to the processing method defined by the processing rule.
  • the packet processing unit 22 processes the received packet together with the received packet. Send a rule query.
  • the control device 1 performs the operations after step S51 described above.
  • the processing rule setting unit 20 and the packet processing unit 22 are realized by, for example, a CPU of a computer that operates according to a packet processing device program.
  • the CPU may read the packet processing device program from a program recording medium such as a computer program storage device (not shown) and operate as the processing rule setting unit 20 and the packet processing unit 22 according to the program.
  • the processing rule setting unit 20 and the packet processing unit 22 may be realized by separate hardware.
  • FIG. 8 is a schematic diagram illustrating an example of the packet processing device 2 controlled by the control device 1.
  • the numbers indicated with the # symbol are port numbers.
  • terminals 8a, 8b, and 8c are connected to the packet processing device 2a.
  • a terminal 8d is connected to the packet processing device 2c.
  • the IP (Internet Protocol) address of the terminal 8a is 172.20.1.1.1.
  • IP address of the terminal 8b is 172.20.1.2.
  • IP address of the terminal 8c is 172.20.1.3.
  • the IP address of the terminal 8d is assumed to be 172, 20.2.1.
  • the terminal 8a transmits a packet with the terminal 8d as a destination.
  • the packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits an inquiry about the processing rule for the flow (flow 1) of the packet to the control device 1. . At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a (step S51).
  • the processing rule granularity determination unit 11 creates an identification rule for identifying the flow 1 based on the packet (step S52).
  • the identification rule created in step S52 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1”.
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 1 for each packet processing device 2 through which the flow 1 passes, and sets a processing rule for each packet processing device 2 based on the control policy. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the flow 1 and other flows are aggregated (step S53).
  • the processing method defined for the packet processing device 2a is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” for the packet processing device 2a.
  • a processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
  • the processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” with respect to the packet processing device 2b. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
  • the processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” for the packet processing device 2c. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
  • step S53 after setting the processing rule for each packet processing device 2 as described above, the processing rule granularity determination unit 11 can create a processing rule in which the processing rules of flow 1 and the processing rules of other flows are aggregated. It is determined whether or not.
  • FIG. 9 shows an example of the processing progress of the determination process of whether or not it is possible to create a processing rule in which processing rules for a plurality of flows are aggregated.
  • the processing rule granularity determination unit 11 determines whether there is another identification rule having the same processing method as the processing rule created in step S53 as described above (step S531). In this example, an identification rule having the same processing method as the processing rule created in step S53 as described above is not stored in the management DB storage unit 12 (NO in step S531). In this case, the processing rule granularity determination unit 11 determines to register the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) (step S533).
  • step S532 When the identification rule having the same processing method as the processing rule created in step S53 as described above is stored in the management DB storage unit 12 (YES in step S531), the processing rule granularity determination unit 11 It is determined that a processing rule including the processing rule including the identification rule and the processing rule generated in step S53 as described above is created and the processing rule is registered (step S532). The case of executing step S532 will be described later.
  • the processing rule granularity determination unit 11 manages the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) according to the determination in step S533 in step S54.
  • Register in the DB storage unit 12 step S54). Processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
  • the processing rule granularity determining unit 11 notifies the corresponding packet processing device 2 of each processing rule registered in step S54 for each packet processing device 2 (step S55).
  • the processing rule granularity determination unit 11 notifies the packet processing device 2a of the processing rules of the packet processing device 2a shown in FIG.
  • the processing rule granularity determination unit 11 notifies the packet processing device 2b of the processing rules of the packet processing device 2b shown in FIG.
  • the processing rule granularity determining unit 11 notifies the packet processing device 2c of the processing rules of the packet processing device 2c shown in FIG.
  • the processing rule setting unit 20 (see FIG. 7) of each packet processing device 2 stores the notified processing rule in the storage unit 21. Then, the packet processing unit 22 processes the received packet according to the processing rule. As a result, the packets of flow 1 are sequentially transferred according to the processing rule corresponding to flow 1.
  • the terminal 8b transmits a packet with the terminal 8d as a destination.
  • the packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 (see FIG. 7) of the packet processing device 2a controls the processing rule inquiry for the flow (flow 2) of the packet. Transmit to device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a (step S51).
  • the processing rule granularity determination unit 11 creates an identification rule for identifying the flow 2 based on the packet (step S52).
  • an identification rule represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” is created.
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 2 for each packet processing device 2 through which the flow 2 passes, and sets a processing rule for each packet processing device 2 based on the control policy. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of the flow 2 and the processing rules of other flows are aggregated (step S53).
  • the processing method defined for the packet processing device 2a is “transfer from port # 5”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” for the packet processing device 2a.
  • a processing rule including an identification rule and a processing method with the content “transfer from port # 5” is defined.
  • the processing method defined for the packet processing device 2b is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” with respect to the packet processing device 2b.
  • a processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
  • the processing method defined for the packet processing device 2c is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” for the packet processing device 2c.
  • a processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
  • step S53 after setting the processing rule for each packet processing device 2 as described above, can the processing rule granularity determination unit 11 create a processing rule that aggregates the processing rule of the flow 2 and the processing rule of another flow? Determine whether or not.
  • the processing rule granularity determination unit 11 determines whether there is another identification rule having the same processing method as the processing rule created in step S53 as described above (see step S531, FIG. 9).
  • the processing rules shown in FIG. 10 (processing rules corresponding to the flow 1) are stored in the management DB storage unit 12.
  • the processing rule processing method shown in FIG. 10 is different from the processing rule processing method created in step S53 as described above. Therefore, an identification rule having the same processing method as the processing rule created in step S53 as described above is not stored in the management DB storage unit 12 (NO in step S531). Therefore, the processing rule granularity determination unit 11 determines to register the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) (see step S533, FIG. 9).
  • step S54 the processing rule granularity determination unit 11 stores the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) in the management DB in accordance with the determination in step S533.
  • Register in the unit 12 step S54).
  • the processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
  • a processing rule including an identification rule represented by a combination of a source IP address “172.20.1.2” and a destination IP address “172.20.2.1” is newly registered. Processing rules.
  • the processing rule granularity determining unit 11 notifies the corresponding packet processing device 2 of each processing rule registered in step S54 for each packet processing device 2 (step S55).
  • each packet processing device 2 that has received the processing rule notification is the same as the operation already described.
  • the processing rules of the packet processing device 2a shown in FIG. 11 are stored in the packet processing device 2a.
  • the processing rules of the packet processing device 2b shown in FIG. 11 are stored in the packet processing device 2b.
  • the processing rules of the packet processing device 2c shown in FIG. 11 are stored in the packet processing device 2c.
  • the packet processing unit 22 processes the received packet according to the processing rule.
  • the packet of flow 1 is sequentially transferred according to the processing rule corresponding to flow 1
  • the packet of flow 2 is sequentially transferred according to the processing rule corresponding to flow 2.
  • the terminal 8c transmits a packet with the terminal 8d as a destination.
  • the packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 (see FIG. 7) of the packet processing device 2a controls the processing rule inquiry for the flow (flow 3) of the packet. Transmit to device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a (step S51).
  • the processing rule granularity determination unit 11 creates an identification rule for identifying the flow 3 based on the packet (step S52).
  • an identification rule represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” is created.
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 3 for each packet processing device 2 through which the flow 3 passes, and sets a processing rule for each packet processing device 2 based on the control policy. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of the flow 3 and the processing rules of other flows are aggregated (step S53).
  • the processing method defined for the packet processing device 2a is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” for the packet processing device 2a.
  • a processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
  • the processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” for the packet processing device 2b. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
  • the processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” for the packet processing device 2c. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
  • step S53 after the processing rule is determined for each packet processing device 2 as described above, can the processing rule granularity determination unit 11 create a processing rule in which the processing rules of the flow 3 and the processing rules of other flows are aggregated? Determine whether or not.
  • the processing rule granularity determination unit 11 determines whether there is another identification rule having the same processing method as the processing rule created in step S53 as described above (see step S531, FIG. 9).
  • the processing rules shown in FIG. 11 (the processing rules corresponding to the flow 1 and the processing rules corresponding to the flow 2) are stored in the management DB storage unit 12.
  • the processing rule processing method corresponding to the flow 1 is the same as the processing rule processing method created in step S53 as described above. Therefore, an identification rule having the same processing method as the processing rule created in step S53 as described above is stored in the management DB storage unit 12 (YES in step S531). Therefore, the processing rule granularity determination unit 11 determines that the processing rule including the identification rule and the processing rule generated in step S53 as described above are aggregated and the processing rule is registered. (Step S532).
  • the processing rule granularity determination unit 11 determines an identification rule including the flow 3 and the flow 1 (in other words, an identification rule that matches each of the flow 3 and the flow 1).
  • the processing rule granularity determination unit 11 uses, for example, a source IP address “172.20.1.0/30” and a destination IP address “172.20.2.1” as an identification rule that includes the flow 3 and the flow 1.
  • the processing rule granularity determination unit 11 creates a set of processing methods that are the same in the processing rules of the flow 3 and the processing rules of the flow 1 and a set of the identification rules, thereby collecting a plurality of processing rules. Create a rule.
  • the processing rule granularity determination unit 11 determines a set of the above-described identification rule and a processing method having a content “transfer from port # 4”.
  • the packet processing device 2a has been described as an example, but the processing rule granularity determination unit 11 performs the same processing on the other packet processing devices 2b and 2c.
  • step S54 the processing rule granularity determination unit 11 registers the processing rule newly created in step S532 in the management DB storage unit 12 in accordance with the determination in step S532 (step S54). Further, when the processing rule granularity determination unit 11 registers the processing rule newly created in step S532 in the management DB storage unit 12, the existing processing rule (in this example, the flow 1 of the flow 1) collected in the new processing rule. Processing rules (see FIGS. 10 and 11) are deleted from the management DB storage unit 12. Processing rules registered in the management DB storage unit 12 at this time are shown in FIG. A processing rule including an identification rule (see FIG.
  • the processing rule granularity determining unit 11 notifies the corresponding packet processing device 2 of each processing rule registered in step S54 for each packet processing device 2 (step S55). If the existing processing rule is deleted in step S54, the processing rule granularity determination unit 11 transmits to the packet processing device 2 in step S55, together with an instruction to delete the processing rule. To do. In this example, the processing rule granularity determination unit 11 also transmits a notification to delete the existing processing rule corresponding to the flow 1 in step S55.
  • the processing rule setting unit 20 (see FIG. 7) of each packet processing device 2 stores the notified processing rule in the storage unit 21. Further, the processing rule setting unit 20 deletes the processing rule specified by the control device 1 from the storage unit 21 in accordance with an instruction from the control device 1. As a result, the processing rules of the packet processing device 2a shown in FIG. 12 are stored in the packet processing device 2a. Further, the processing rules of the packet processing device 2b shown in FIG. 12 are stored in the packet processing device 2b. Further, the processing rules of the packet processing device 2c shown in FIG. 12 are stored in the packet processing device 2c. As a result, the packet of flow 1 and the packet of flow 3 are sequentially transferred according to the processing rule corresponding to flows 1 and 3, and the packet of flow 2 is sequentially transferred according to the processing rule corresponding to flow 2.
  • the processing rule granularity determination unit 11 aggregates the processing rules corresponding to the different flows. Therefore, the number of processing rules stored in the packet processing device 2 can be reduced.
  • an IP address is used as an identification rule
  • the aspect of the identification rule is not limited to the aspect using an IP address.
  • a tunnel identifier of a mobile system may be applied.
  • the information used for the identification rule may be information that can be described as an identification rule including a plurality of flows.
  • FIG. 1 The control apparatus 1 of 2nd Embodiment is the structure (refer FIG. 1) similar to 1st Embodiment, and 2nd Embodiment is described with reference to FIG.
  • the processing rule granularity determination unit 11 determines a group identifier for identifying a flow group as an identification rule.
  • the identification rule in the processing rule notified to the first-stage packet processing device 2 is the same as the identification rule in the first embodiment.
  • an example in which not only the first-stage packet processing device 2 but also the identification rule in the processing rule notified to the last-stage packet processing device 2 is the same as the identification rule in the first embodiment is taken as an example. I will explain.
  • the first-stage packet processing device 2 is a packet processing device 2 that directly receives a packet from a terminal.
  • the last stage packet processing apparatus 2 is a packet processing apparatus 2 that directly transfers a packet to a terminal.
  • the packet processing device 2 is an L3 (Layer 3) switch
  • L3 Layer 3
  • MAC Media Access Control
  • rewriting the MAC address of the packet transferred by the L3 switch does not affect the transfer.
  • FIG. 13 is a schematic diagram illustrating an example of the packet processing device 2 controlled by the control device 1.
  • FIG. 13 illustrates a case where there are three packet processing apparatuses 2a, 2b, and 2c.
  • the numbers indicated with the # symbol are port numbers.
  • terminals 8a, 8b, and 8c are connected to the packet processing device 2a.
  • a terminal 8d is connected to the packet processing device 2c.
  • the IP addresses of the terminals 8a, 8b, 8c, and 8d shown in FIG. 13 are the same as the IP addresses of the terminals 8a, 8b, 8c, and 8d shown in FIG.
  • the flow from the terminal 8a to the terminal 8d is flow 1.
  • Let the flow from the terminal 8b to the terminal 8d be flow 2.
  • Let the flow from the terminal 8c to the terminal 8d be flow 3. It is assumed that the processing method for the flow 1 packet and the processing method for the flow 3 packet are the same. Also, the processing method for the flow 2 packet is different from the processing method for the flow 1 and 3 packets.
  • the terminal 8a transmits a packet with the terminal 8d as the destination.
  • the packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits an inquiry about the processing rule for the flow (flow 1) of the packet to the control device 1. . At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a.
  • the processing rule granularity determination unit 11 determines an identification rule for identifying the flow 1.
  • the processing rule granularity determination unit 11 determines the MAC address “X” as an identification rule for the flow 1.
  • the identification rules in the processing rules notified to the first-stage packet processing device 2a and the last-stage packet processing device 2c are determined in the same manner as in the first embodiment. That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” as the identification rule.
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 1 for each packet processing device 2 through which the flow 1 passes, and sets a processing rule for each packet processing device 2 based on the control policy.
  • the processing rule of the different flow is aggregated by using the processing rule as the processing rule of the flow 1.
  • the processing rule granularity determination unit 11 creates a processing rule for the flow 1.
  • the processing method defined for the packet processing device 2a is “rewrite the source MAC address to X and transfer from port # 4”.
  • the processing rule granularity determination unit 11 represents the first-stage packet processing device 2a as a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1”.
  • a processing rule including “a rewrite source MAC address to X and transfer from port # 4” is defined.
  • the processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 determines a processing rule including an identification rule “X” and a processing method with the content “transfer from port # 2” for the packet processing device 2b.
  • the processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” for the packet processing device 2c at the final stage.
  • a processing rule including an identification rule to be expressed and a processing method with a content of “transfer from port # 2” is defined.
  • the processing rule granularity determination unit 11 registers the processing rule determined as described above in the management DB storage unit 12. Processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
  • the processing rule granularity determination unit 11 notifies the corresponding packet processing device 2 of each processing rule determined as described above.
  • the processing rule granularity determination unit 11 notifies the packet processing device 2a of the processing rules of the packet processing device 2a shown in FIG.
  • the processing rule granularity determination unit 11 notifies the packet processing device 2b of the processing rules of the packet processing device 2b shown in FIG.
  • the processing rule granularity determining unit 11 notifies the packet processing device 2c of the processing rules of the packet processing device 2c shown in FIG.
  • the processing rule setting unit 20 (see FIG. 7) of each packet processing device 2 stores the notified processing rule in the storage unit 21. Then, the packet processing unit 22 processes the received packet according to the processing rule.
  • the packet processing device 2a rewrites the transmission source MAC address of the packet of flow 1 received from the terminal 8a to X, and outputs the packet from port # 4.
  • the packet processing device 2b that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule.
  • the packet processing device 2c that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. As a result, the packet of flow 1 reaches the destination terminal 8d.
  • the terminal 8b transmits a packet with the terminal 8d as a destination.
  • the packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits a processing inquiry for the flow of the packet (flow 2) to the control device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a.
  • the processing rule granularity determination unit 11 determines an identification rule for identifying the flow 2.
  • the processing rule granularity determination unit 11 determines the MAC address “Y” as an identification rule for the flow 2.
  • the identification rules in the processing rules notified to the first-stage packet processing device 2a and the last-stage packet processing device 2c are determined in the same manner as in the first embodiment. That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” as the identification rule.
  • the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 2 for each packet processing device 2 through which the flow 2 passes, and sets a processing rule for each packet processing device 2 based on the control policy.
  • the processing rule of the different flow is aggregated by using the processing rule as the processing rule of the flow 2.
  • the processing rule for flow 1 has already been created, but the group for flow 1 and the group for flow 2 are different. Accordingly, the processing rule granularity determination unit 11 creates a processing rule for the flow 2.
  • the processing method defined for the packet processing device 2a is “rewrite the source MAC address to Y and transfer from port # 4”. That is, the processing rule granularity determination unit 11 represents the first-stage packet processing device 2a as a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1”. And a processing rule including “a rewrite source MAC address to Y and transfer from port # 4” is defined.
  • the processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 determines a processing rule including an identification rule “Y” and a processing method with the content “transfer from port # 2” for the packet processing device 2b.
  • the processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 uses the combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” for the packet processing device 2c at the final stage.
  • a processing rule including an identification rule to be expressed and a processing method with a content of “transfer from port # 2” is defined.
  • the processing rule granularity determination unit 11 registers the processing rule determined as described above in the management DB storage unit 12. Processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
  • the processing rule granularity determination unit 11 notifies the corresponding packet processing device 2 of each processing rule determined as described above.
  • each packet processing device 2 that has received the processing rule notification is the same as the operation already described.
  • the processing rules of the packet processing device 2a shown in FIG. 15 are stored in the packet processing device 2a.
  • the processing rules of the packet processing device 2b shown in FIG. 15 are stored in the packet processing device 2b.
  • the processing rules of the packet processing device 2c shown in FIG. 15 are stored in the packet processing device 2c.
  • the packet processing device 2a rewrites the transmission source MAC address of the packet of the flow 2 received from the terminal 8b to Y, and outputs the packet from the port # 4.
  • the packet processing device 2b that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule.
  • the packet processing device 2c that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. As a result, the packet of the flow 2 reaches the destination terminal 8d.
  • the terminal 8c transmits a packet with the terminal 8d as the destination.
  • the packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits a processing inquiry for the flow of the packet (flow 3) to the control device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
  • the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a.
  • the processing rule granularity determination unit 11 determines an identification rule for identifying the flow 3.
  • the processing rule granularity determination unit 11 determines the MAC address “X” as an identification rule for the flow 3.
  • the identification rules in the processing rules notified to the first-stage packet processing device 2a and the last-stage packet processing device 2c are determined in the same manner as in the first embodiment. That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” as the identification rule.
  • the newly generated flow 3 is a flow belonging to the same group as the flow 1 in which the processing rule has already been created. Therefore, the processing rule granularity determination unit 11 aggregates the processing rules of the different flows 1 and 3 by using the processing rule of the flow 1 as the processing rule of the flow 3.
  • the processing rule granularity determination unit 11 does not change the processing rules of the packet processing device 2b other than the first stage and the last stage.
  • the processing rule granularity determination unit 11 changes the identification rule in the processing rule corresponding to the flow 1 of the first-stage packet processing device 2a and the last-stage packet processing device 2c to an identification rule including flows 1 and 3.
  • the identification rule in the processing rule corresponding to the flow 1 is represented by a combination of the source IP address “172.20.1.0/30” and the destination IP address “172.20.2.1”. Change to the identification rule.
  • the processing rule granularity determination unit 11 reflects the change of the processing rule (change of the identification rule) of the packet processing devices 2a and 2c at the first stage and the final stage in the processing rule stored in the management DB storage unit 12.
  • the processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
  • the processing rule granularity determination unit 11 Since the processing rule granularity determination unit 11 has not changed the processing rules of the packet processing device 2b other than the first and last stages, the processing rule need not be notified to the packet processing device 2b.
  • processing rule granularity determination unit 11 notifies the first-stage packet processing device 2a and the final-stage packet processing device 2c of the processing rule whose identification rule has been changed and deletes the processing rule before the change. Send instructions.
  • the processing rule setting unit 20 of the packet processing devices 2 a and 2 c stores the notified processing rule in the storage unit 21 and deletes the processing rule designated to be deleted from the storage unit 21.
  • the processing rules of the packet processing device 2a shown in FIG. 16 are stored in the packet processing device 2a.
  • the processing rules of the packet processing device 2b shown in FIG. 16 are stored in the packet processing device 2b.
  • the processing rules of the packet processing device 2c shown in FIG. 16 are stored in the packet processing device 2c.
  • the packet processing device 2a rewrites the transmission source MAC address of the packet of the flow 3 received from the terminal 8c to X, and outputs the packet from the port # 4.
  • the packet processing device 2b that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule.
  • the packet processing device 2c that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule.
  • the packet transfer mode of the flow 3 is the same as the packet transfer mode of the flow 1.
  • the processing rules of different flows are aggregated, so that the number of processing rules stored in the packet processing device 2 can be reduced.
  • the first-stage packet processing device 2a that receives a packet whose source MAC address has not been rewritten has a processing rule including an identification rule similar to that of the first embodiment without using a group identifier as an identification rule. Be notified. Even with the same identification rule as in the first embodiment, an identification rule including a plurality of flows can be described, so that processing rules can be aggregated. Therefore, the number of processing rules to be stored can be reduced also in the first-stage packet processing device 2.
  • the processing rule granularity determination unit 11 may determine a processing method including the content of writing the group identifier in the vendor extension area in the packet.
  • the identification rule in the processing rule notified to the packet processing apparatus 2c at the final stage is the same as that in the first embodiment has been described as an example.
  • the identification rule in the processing rule notified to the final stage packet processing device 2c may be represented by a group identifier.
  • FIG. 17 is a block diagram showing an outline of the control device of the present invention.
  • the control device of the present invention includes a flow identification information creating unit 91, a processing rule creating unit 92, an aggregation unit 93, and a notification unit 94.
  • the flow identification information creating unit 91 (for example, the processing rule granularity determining unit 11 that executes step S52) creates flow identification information (for example, an identification rule) for identifying a flow.
  • the processing rule creation means 92 determines a processing method for a flow packet, and creates a processing rule including flow identification information and a processing method.
  • the aggregation unit 93 (for example, the processing rule granularity determination unit 11 that executes step S53) can aggregate the processing rule of the flow and the processing rule of the other flow, the processing rule of the flow and the other flow The processing rules are consolidated.
  • the notification means 94 (for example, the processing rule granularity determination unit 11 that executes Step S55) notifies the processing rule to the packet processing device.
  • Such a configuration can reduce the number of processing rules stored in the packet processing apparatus.
  • the configuration may be such that the aggregation means 93 determines that the processing rules of different flows can be aggregated when the processing methods included in the processing rules of different flows are the same.
  • the aggregation means 93 determines that the processing rules of the different flows can be aggregated when the processing methods included in the processing rules of the different flows are the same, determines flow identification information that matches each of the different flows,
  • the configuration may be such that the processing rules are aggregated by creating a processing rule including the flow information and its processing method.
  • the flow identification information creating unit 91 determines flow identification information for identifying a group of flows, When the newly created flow is a flow that belongs to the same group as the flow for which the processing rule has already been created, the aggregation means 93 uses the processing rule as the processing rule for the newly generated flow.
  • the configuration may be such that the processing rules of different flows are aggregated.
  • the present invention is suitably applied to a control device that controls a packet processing device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided is a control apparatus for enabling reduction of the number of processing rules that are to be stored by a packet processing apparatus. A flow identification information creation means (91) creates flow identification information to be used for identifying a flow. A processing rule creation means (92) determines a processing method for packets of the flow and creates a processing rule including the flow identification information and the processing method. When the processing rule of the flow and the processing rule of another flow can be aggregated, the aggregation means (93) aggregates the processing rule of the flow and the processing rule of the other flow.

Description

制御装置、制御方法および制御プログラムControl device, control method, and control program
 本発明は、パケットを処理するパケット処理装置を制御する制御装置、制御方法および制御プログラムに関する。 The present invention relates to a control device, a control method, and a control program for controlling a packet processing device that processes packets.
 オープンフロー(OpenFlow)という技術が提案されている(非特許文献1参照)。オープンフローは、通信をエンドツーエンドのフローとして捉え、フロー単位で経路制御、障害回復、負荷分散、最適化を行うものである。パケット処理装置として機能するオープンフロースイッチは、経路制御装置として位置付けられるオープンフローコントローラとのセキュアチャネルを備える。そして、オープンフロースイッチは、オープンフローコントローラから適宜、追加されたり、書き換え指示されたりするフローエントリに従って動作する。フローエントリは、フロー毎にパケットに対する処理を定めた情報である。フローエントリを格納するオープンフロースイッチ内のテーブルをフローテーブルと呼ぶ。 A technique called OpenFlow has been proposed (see Non-Patent Document 1). OpenFlow captures communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis. An OpenFlow switch that functions as a packet processing device includes a secure channel with an OpenFlow controller that is positioned as a path control device. The OpenFlow switch operates in accordance with a flow entry that is appropriately added or rewritten by the OpenFlow controller. The flow entry is information defining processing for a packet for each flow. A table in the OpenFlow switch that stores flow entries is called a flow table.
 ネットワーク規模が大きくなると、フローテーブル内のフローエントリの数が増加する。しかし、パケット処理装置が保持できるフローエントリ数には限りがある。 When the network scale increases, the number of flow entries in the flow table increases. However, the number of flow entries that the packet processing apparatus can hold is limited.
 フローを識別するための識別情報と、その識別情報に合致するフローのパケットに対する処理方法とのセットを処理規則と記す。オープンフローにおけるフローエントリも、処理規則に該当する。 A set of identification information for identifying a flow and a processing method for a packet of a flow that matches the identification information is referred to as a processing rule. The flow entry in the open flow also corresponds to the processing rule.
 本発明は、パケット処理装置が記憶する処理規則の数を削減することができる制御装置、制御方法および制御プログラムを提供することを目的とする。 An object of the present invention is to provide a control device, a control method, and a control program that can reduce the number of processing rules stored in a packet processing device.
 本発明による制御装置は、パケットを処理するパケット処理装置を制御する制御装置であって、フローを識別するためのフロー識別情報を作成するフロー識別情報作成手段と、フローのパケットに対する処理方法を定め、フロー識別情報および処理方法を含む処理規則を作成する処理規則作成手段と、そのフローの処理規則と、他のフローの処理規則とを集約できる場合に、そのフローの処理規則と、他のフローの処理規則とを集約する集約手段と、処理規則をパケット処理装置に通知する通知手段とを備えることを特徴とする。 A control device according to the present invention is a control device that controls a packet processing device that processes a packet, and defines flow identification information creating means for creating flow identification information for identifying a flow, and a processing method for a packet of the flow. When the processing rule creation means for creating the processing rule including the flow identification information and the processing method, the processing rule of the flow, and the processing rule of the other flow can be aggregated, the processing rule of the flow and the other flow And a notifying means for notifying the packet processing apparatus of the processing rule.
 また、本発明による制御方法は、パケットを処理するパケット処理装置を制御する制御方法であって、フローを識別するためのフロー識別情報を作成し、フローのパケットに対する処理方法を定め、フロー識別情報および処理方法を含む処理規則を作成し、そのフローの処理規則と、他のフローの処理規則とを集約できる場合に、そのフローの処理規則と、他のフローの処理規則とを集約し、処理規則をパケット処理装置に通知することを特徴とする。 The control method according to the present invention is a control method for controlling a packet processing apparatus that processes a packet. The control method creates flow identification information for identifying a flow, defines a processing method for the packet of the flow, and sets the flow identification information. If the processing rule of the flow and the processing rule of the other flow can be aggregated, the processing rule of the flow and the processing rule of the other flow are aggregated and processed. The rule is notified to the packet processing device.
 また、本発明による制御プログラムは、パケットを処理するパケット処理装置を制御するコンピュータに搭載される制御プログラムであって、コンピュータに、フローを識別するためのフロー識別情報を作成するフロー識別情報作成処理、フローのパケットに対する処理方法を定め、フロー識別情報および処理方法を含む処理規則を作成する処理規則作成処理、そのフローの処理規則と、他のフローの処理規則とを集約できる場合に、そのフローの処理規則と、他のフローの処理規則とを集約する集約処理、および、処理規則をパケット処理装置に通知する通知処理を実行させることを特徴とする。 A control program according to the present invention is a control program installed in a computer that controls a packet processing apparatus that processes packets, and a flow identification information creation process for creating flow identification information for identifying a flow in the computer. If a processing rule creation process that defines a processing method for a flow packet and creates a processing rule including flow identification information and a processing method, and the processing rule of the flow and the processing rule of another flow can be aggregated, the flow And a notification processing for notifying the packet processing device of the processing rule.
 本発明によれば、パケット処理装置が記憶する処理規則の数を削減することができる。 According to the present invention, the number of processing rules stored in the packet processing device can be reduced.
本発明の制御装置の例を示すブロック図である。It is a block diagram which shows the example of the control apparatus of this invention. 処理規則を示す模式図である。It is a schematic diagram which shows a process rule. フローの例を示す模式図である。It is a schematic diagram which shows the example of a flow. 制御装置の処理経過の例を示すフローチャートである。It is a flowchart which shows the example of process progress of a control apparatus. 管理DB記憶部に登録される処理規則を示す模式図である。It is a schematic diagram which shows the process rule registered into a management DB memory | storage part. 管理DB記憶部に登録される処理規則を示す模式図である。It is a schematic diagram which shows the process rule registered into a management DB memory | storage part. パケット処理装置の例を示すブロック図である。It is a block diagram which shows the example of a packet processing apparatus. 制御装置によって制御されるパケット処理装置の例を示す模式図である。It is a schematic diagram which shows the example of the packet processing apparatus controlled by the control apparatus. 複数のフローの処理規則を集約した処理規則を作成可能か否かの判定処理の処理経過の例を示すフローチャートである。It is a flowchart which shows the example of a process progress of the determination process whether the processing rule which aggregated the processing rule of several flows can be produced. 管理DB記憶部に登録される処理規則を示す説明図である。It is explanatory drawing which shows the process rule registered into a management DB memory | storage part. 管理DB記憶部に登録される処理規則を示す説明図である。It is explanatory drawing which shows the process rule registered into a management DB memory | storage part. 管理DB記憶部に登録される処理規則を示す説明図である。It is explanatory drawing which shows the process rule registered into a management DB memory | storage part. 制御装置によって制御されるパケット処理装置の例を示す模式図である。It is a schematic diagram which shows the example of the packet processing apparatus controlled by the control apparatus. 管理DB記憶部に登録される処理規則を示す説明図である。It is explanatory drawing which shows the process rule registered into a management DB memory | storage part. 管理DB記憶部に登録される処理規則を示す説明図である。It is explanatory drawing which shows the process rule registered into a management DB memory | storage part. 管理DB記憶部に登録される処理規則を示す説明図である。It is explanatory drawing which shows the process rule registered into a management DB memory | storage part. 本発明の制御装置の概要を示すブロック図である。It is a block diagram which shows the outline | summary of the control apparatus of this invention.
 以下、本発明の実施形態を図面を参照して説明する。以下に示す各実施形態は例示であり、本発明は、各実施形態に限定されるものではない。 Hereinafter, embodiments of the present invention will be described with reference to the drawings. Each embodiment shown below is an illustration, and the present invention is not limited to each embodiment.
実施形態1.
 図1は、本発明の制御装置の例を示すブロック図である。本発明の制御装置1は、制御部10と、処理規則粒度決定部11と、管理データベース(以下、単にDBと記す。)記憶部12とを備える。 Embodiment 1. FIG.
FIG. 1 is a block diagram showing an example of a control device of the present invention. The control device 1 of the present invention includes a control unit 10, a processing rule granularity determination unit 11, and a management database (hereinafter simply referred to as DB) storage unit 12.
 制御装置1は、パケットを処理するパケット処理装置(図1において図示略)を制御する。パケット処理装置は、複数存在し、その複数のパケット処理装置でネットワークが形成される。制御装置1は、パケット処理装置に処理規則を通知することによって、パケット処理装置を制御する。 The control device 1 controls a packet processing device (not shown in FIG. 1) that processes packets. There are a plurality of packet processing devices, and a network is formed by the plurality of packet processing devices. The control device 1 controls the packet processing device by notifying the packet processing device of the processing rule.
 図2は、処理規則を示す模式図である。既に説明したように、処理規則は、フローを識別するための識別情報(以下、識別規則と記す。)と、その識別規則に合致するフローのパケットに対する処理方法とのセットである(図2参照)。パケット処理装置は、パケットを受信したときに、そのパケットのフローに対応する処理規則を検索し、その処理規則を検索できなかった場合に、制御装置1に対して処理規則の問い合わせを行う。制御装置1は、この問い合わせを受けると、そのパケットを転送すべき各パケット処理装置に対して処理規則を通知する。この結果、パケットはパケット処理装置によって、順次、転送される。 FIG. 2 is a schematic diagram showing processing rules. As already described, the processing rule is a set of identification information for identifying a flow (hereinafter referred to as an identification rule) and a processing method for a packet of a flow that matches the identification rule (see FIG. 2). ). When receiving a packet, the packet processing device searches for a processing rule corresponding to the flow of the packet. If the processing rule cannot be searched, the packet processing device inquires of the control device 1 about the processing rule. Upon receiving this inquiry, the control device 1 notifies the processing rule to each packet processing device to which the packet is to be transferred. As a result, the packets are sequentially transferred by the packet processing device.
 制御装置1がパケット処理装置を制御するプロトコルはオープンフロープロトコルであってもよい。その場合、処理規則は、オープンフローにおけるフローエントリに該当する。また、制御装置1がパケット処理装置を制御するプロトコルはオープンフロープロトコル以外であってもよい。 The protocol by which the control device 1 controls the packet processing device may be an open flow protocol. In that case, the processing rule corresponds to the flow entry in the open flow. Further, the protocol for controlling the packet processing device by the control device 1 may be other than the open flow protocol.
 制御部10は、パケット処理装置からの処理規則の問い合わせを受信する。 The control unit 10 receives a processing rule inquiry from the packet processing device.
 処理規則粒度決定部11は、パケット処理装置からの処理規則の問い合わせに対して、処理規則の粒度を決定し、その粒度の処理規則をパケット処理装置に通知する。処理規則粒度決定部11には、制御ポリシが入力される。制御ポリシは、フローが通過する各パケット処理装置でのパケットの処理方法をフロー毎に定めた情報である。処理規則粒度決定部11は、制御ポリシに従って、フローが通過する各パケット処理装置でのパケットの処理方法を決定する。そして、1つのパケット処理装置に関して、処理方法が同一であって、異なるフローに対応する処理規則が存在する場合には、それらのフローに対応する処理規則を、それらの複数のフローに対応する1つの処理規則に集約する(換言すれば、纏める)。なお、本実施形態では、外部から制御ポリシが入力される場合を例にして説明するが、制御装置1が内部に制御ポリシを保持していてもよい。 The processing rule granularity determination unit 11 determines the granularity of the processing rule in response to the processing rule inquiry from the packet processing device, and notifies the packet processing device of the processing rule of the granularity. A control policy is input to the processing rule granularity determination unit 11. The control policy is information that defines a packet processing method for each flow in each packet processing device through which the flow passes. The processing rule granularity determination unit 11 determines a packet processing method in each packet processing device through which the flow passes according to the control policy. If one packet processing apparatus has the same processing method and processing rules corresponding to different flows, the processing rules corresponding to these flows are set to 1 corresponding to the plurality of flows. It aggregates into one processing rule (in other words, it summarizes). In this embodiment, the case where a control policy is input from the outside is described as an example. However, the control device 1 may hold the control policy inside.
 管理DB記憶部12は、パケット処理装置に通知する処理規則を記憶する記憶装置である。管理DB記憶部12が記憶する処理規則は、パケット処理装置からの処理規則の問い合わせが新たに発生することによって更新され得る。 The management DB storage unit 12 is a storage device that stores processing rules to be notified to the packet processing device. The processing rules stored in the management DB storage unit 12 can be updated when a new processing rule query is generated from the packet processing device.
 制御部10および処理規則粒度決定部11は、例えば、制御プログラムに従って動作するコンピュータのCPUによって実現される、この場合、CPUは、例えば、コンピュータのプログラム記憶装置(図示略)等のプログラム記録媒体から制御プログラムを読み込み、その制御プログラムに従って、制御部10および処理規則粒度決定部11として動作すればよい。また、制御部10および処理規則粒度決定部11が別々のハードウェアで実現されていてもよい。 The control unit 10 and the processing rule granularity determination unit 11 are realized by, for example, a CPU of a computer that operates according to a control program. In this case, the CPU is, for example, from a program recording medium such as a program storage device (not shown) of the computer. What is necessary is just to read a control program and operate | move as the control part 10 and the process rule granularity determination part 11 according to the control program. In addition, the control unit 10 and the processing rule granularity determination unit 11 may be realized by separate hardware.
 図3は、フローの例を示す模式図である。以下、3台のパケット処理装置2a,2b,2cが存在する場合を例にして説明する。各パケット処理装置2a,2b,2cを特に区別しない場合には、単に、「パケット処理装置2」と記す。なお、パケット処理装置2の台数は3台に限定されない。また、図3は、3つのフローA~Cがそれぞれ、各パケット処理装置2a,2b,2cを通過する場合を例示している。フローAのパケットに対する処理方法、および、フローCのパケットに対する処理方法として、同一の処理方法が制御ポリシで定められているものとする。以下、この処理方法を処理方法(1)と記す。また、フローBのパケットに対する処理方法として、処理方法(2)が制御ポリシで定められているものとする。また、図3に示す例において、フローA、フローB、フローCの順にフローが発生するものとする。 FIG. 3 is a schematic diagram showing an example of a flow. Hereinafter, a case where there are three packet processing apparatuses 2a, 2b, and 2c will be described as an example. When the packet processing devices 2a, 2b, and 2c are not particularly distinguished, they are simply referred to as “packet processing device 2”. The number of packet processing devices 2 is not limited to three. FIG. 3 illustrates the case where the three flows A to C pass through the packet processing devices 2a, 2b, and 2c, respectively. It is assumed that the same processing method is defined in the control policy as the processing method for the flow A packet and the processing method for the flow C packet. Hereinafter, this processing method is referred to as processing method (1). Further, it is assumed that the processing method (2) is defined in the control policy as a processing method for the packet of the flow B. In the example shown in FIG. 3, it is assumed that flows occur in the order of flow A, flow B, and flow C.
 図4は、制御装置1の処理経過の例を示すフローチャートである。パケット処理装置2aは、フローAのパケットを受信すると、パケット処理装置2aが記憶している処理規則の中から、フローAに対応する処理規則を検索する。パケット処理装置2aは、フローAに対応する処理規則を記憶してない場合、制御装置1に対して処理規則の問い合わせ(本例では、フローAのパケットに対する処理方法の問い合わせ)を送信する。このとき、パケット処理装置2aは、そのパケット(本例では、フローAのパケット)も制御装置1に送信する。制御装置1の制御部10は、処理規則の問い合わせ、およびパケットを受信する(ステップS51)。すると、処理規則粒度決定部11は、そのパケットに基づいて、フローAを識別する識別規則を作成する(ステップS52)。例えば、処理規則粒度決定部11は、受信したパケットのヘッダフィールドの情報等を組み合わせて識別規則を作成する。 FIG. 4 is a flowchart showing an example of processing progress of the control device 1. When the packet processing device 2a receives the packet of the flow A, the packet processing device 2a searches for the processing rule corresponding to the flow A from the processing rules stored in the packet processing device 2a. When the processing rule corresponding to the flow A is not stored, the packet processing device 2a transmits a processing rule inquiry (in this example, a processing method inquiry for the packet of the flow A) to the control device 1. At this time, the packet processing device 2a also transmits the packet (in this example, the packet of the flow A) to the control device 1. The control unit 10 of the control device 1 receives the processing rule inquiry and the packet (step S51). Then, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow A based on the packet (step S52). For example, the processing rule granularity determination unit 11 creates an identification rule by combining the header field information of the received packet.
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フローAに対応する処理方法を、フローAが通過するパケット処理装置毎に定める。この処理方法と、ステップSS52で作成された識別規則により、フローAが通過するパケット処理装置毎の処理規則が定まる。そして、処理規則粒度決定部11は、このフローAに対応する処理規則と他のフローに対応する処理規則とを集約した処理規則を作成可能か否かを判定する(ステップS53)。処理規則粒度決定部11は、複数のフローの制御ポリシが同一である場合、その複数のフローの処理規則を集約した処理規則を作成可能であると判定する。より具体的には、処理規則粒度決定部11は、処理方法が同一であって、異なるフローに対応する処理規則が存在する場合には、それらの複数のフローに対応する処理規則を集約することができると判定し、異なるフローに対応する処理規則を1つの処理規則に集約する。処理規則粒度決定部11は、この判定をパケット処理装置2毎に行う。本例では、フローAに対する処理規則しか作成されていないので、処理規則粒度決定部11は、複数のフローに対応する処理規則を1つの処理規則に集約することができないと判定する。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow A for each packet processing device through which the flow A passes based on the control policy. The processing rule for each packet processing device through which the flow A passes is determined by this processing method and the identification rule created in step SS52. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which processing rules corresponding to this flow A and processing rules corresponding to other flows can be created (step S53). If the control policy of a plurality of flows is the same, the processing rule granularity determination unit 11 determines that a processing rule in which the processing rules of the plurality of flows are aggregated can be created. More specifically, the processing rule granularity determination unit 11 aggregates processing rules corresponding to a plurality of flows when the processing method is the same and there are processing rules corresponding to different flows. The processing rules corresponding to different flows are aggregated into one processing rule. The processing rule granularity determination unit 11 performs this determination for each packet processing device 2. In this example, since only the processing rule for the flow A is created, the processing rule granularity determination unit 11 determines that the processing rules corresponding to a plurality of flows cannot be aggregated into one processing rule.
 ステップS53の後、処理規則粒度決定部11は、ステップS53で得られた処理規則を管理DB記憶部12に登録する(ステップS54)。本例では、フローAが通過するパケット処理装置毎に得られたフローAに対する処理規則をそれぞれ管理DB記憶部12に登録する。 After step S53, the processing rule granularity determination unit 11 registers the processing rule obtained in step S53 in the management DB storage unit 12 (step S54). In this example, the processing rule for the flow A obtained for each packet processing device through which the flow A passes is registered in the management DB storage unit 12.
 次に、処理規則粒度決定部11は、ステップS54で登録したパケット処理装置2毎の各処理規則(本例では、フローAが通過するパケット処理装置毎に得られたフローAに対する処理規則)を、対応するパケット処理装置2に通知する(ステップS55)。 Next, the processing rule granularity determination unit 11 determines each processing rule for each packet processing device 2 registered in step S54 (in this example, the processing rule for the flow A obtained for each packet processing device through which the flow A passes). And notifies the corresponding packet processing device 2 (step S55).
 次に、フローBが発生し、パケット処理装置2aがフローBのパケットを受信したとする。そして、パケット処理装置2aは、フローBに対応する処理規則を記憶しておらず、制御装置1に対して処理規則の問い合わせ(本例では、フローBのパケットに対する処理方法の問い合わせ)を送信するものとする。このとき、パケット処理装置2aは、そのパケット(本例では、フローBのパケット)も制御装置1に送信する。制御装置1は、この問い合わせを受信し、前述の図4に示す動作を行う。 Next, it is assumed that the flow B occurs and the packet processing device 2a receives the flow B packet. Then, the packet processing device 2a does not store the processing rule corresponding to the flow B, and transmits a processing rule inquiry (in this example, a processing method inquiry for the packet of the flow B) to the control device 1. Shall. At this time, the packet processing device 2a also transmits the packet (in this example, the packet of the flow B) to the control device 1. The control device 1 receives this inquiry and performs the operation shown in FIG.
 すなわち、制御装置1の制御部10は、処理規則の問い合わせ、およびパケットを受信する(ステップS51)。すると、処理規則粒度決定部11は、そのパケットに基づいて、フローBを識別する識別規則を作成する(ステップS52)。 That is, the control unit 10 of the control device 1 receives the processing rule inquiry and the packet (step S51). Then, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow B based on the packet (step S52).
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フローBに対応する処理方法を、フローBが通過するパケット処理装置毎に定める。この処理方法と、ステップSS52で作成された識別規則により、フローBが通過するパケット処理装置毎の処理規則が定まる。そして、処理規則粒度決定部11は、このフローBの処理規則と他のフローの処理規則とを集約した処理規則を作成可能か否かを判定する(ステップS53)。この時点で、フローAに対応する処理規則が管理DB記憶部12に記憶されているが、フローAのパケットに対する処理方法(1)と、フローBのパケットに対する処理方法(2)とは異なる。従って、処理規則粒度決定部11は、個々のパケット処理装置2において、複数のフローA,Bに対応する各処理規則を1つの処理規則に集約することができないと判定する。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow B for each packet processing device through which the flow B passes based on the control policy. With this processing method and the identification rule created in step SS52, the processing rule for each packet processing device through which the flow B passes is determined. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of this flow B and the processing rules of other flows are aggregated (step S53). At this time, the processing rule corresponding to the flow A is stored in the management DB storage unit 12, but the processing method (1) for the flow A packet is different from the processing method (2) for the flow B packet. Therefore, the processing rule granularity determination unit 11 determines that each processing rule corresponding to the plurality of flows A and B cannot be integrated into one processing rule in each packet processing device 2.
 ステップS53の後、処理規則粒度決定部11は、ステップS53で得られた処理規則を管理DB記憶部12に登録する(ステップS54)。本例では、フローBが通過するパケット処理装置毎に得られたフローBに対する処理規則をそれぞれ管理DB記憶部12に登録する。図5は、この時点において、管理DB記憶部12に登録されている処理規則を示す模式図である。この時点では、各パケット処理装置2a,2b,2cにおける処理規則として、それぞれ、フローAに対応する処理規則と、フローBに対応する処理規則とが管理DB記憶部12に登録されている。なお、図5に示す例では、「処理方法(1)」、「処理方法(2)」と示しているが、処理方法(1)の具体的な内容は、パケット処理装置2毎に異なっていてもよい。処理方法(2)に関しても同様である。 After step S53, the processing rule granularity determination unit 11 registers the processing rule obtained in step S53 in the management DB storage unit 12 (step S54). In this example, the processing rule for the flow B obtained for each packet processing device through which the flow B passes is registered in the management DB storage unit 12. FIG. 5 is a schematic diagram showing processing rules registered in the management DB storage unit 12 at this point. At this point, the processing rules corresponding to the flow A and the processing rules corresponding to the flow B are registered in the management DB storage unit 12 as the processing rules in each of the packet processing devices 2a, 2b, and 2c. In the example shown in FIG. 5, “processing method (1)” and “processing method (2)” are shown, but the specific contents of processing method (1) are different for each packet processing device 2. May be. The same applies to the processing method (2).
 次に、処理規則粒度決定部11は、ステップS54で登録したパケット処理装置2毎の各処理規則(本例では、フローBが通過するパケット処理装置毎に得られたフローBに対する処理規則)を、対応するパケット処理装置2に通知する(ステップS55)。 Next, the processing rule granularity determination unit 11 determines each processing rule registered in step S54 for each packet processing device 2 (in this example, the processing rule for the flow B obtained for each packet processing device through which the flow B passes). And notifies the corresponding packet processing device 2 (step S55).
 次に、フローCが発生し、パケット処理装置2aがフローCのパケットを受信したとする。そして、パケット処理装置2aは、フローCに対応する処理規則を記憶しておらず、制御装置1に対して処理規則の問い合わせ(本例では、フローCのパケットに対する処理方法の問い合わせ)を送信するものとする。このとき、パケット処理装置2aは、そのパケット(本例では、フローCのパケット)も制御装置1に送信する。制御装置1は、この問い合わせを受信し、前述の図4に示す動作を行う。なお、既に説明したように、フローAのパケットに対する処理方法と、フローCのパケットに対する処理方法は、同一である。 Next, it is assumed that the flow C occurs and the packet processing device 2a receives the packet of the flow C. The packet processing device 2a does not store the processing rule corresponding to the flow C, and transmits a processing rule inquiry (in this example, a processing method inquiry for the packet of the flow C) to the control device 1. Shall. At this time, the packet processing device 2 a also transmits the packet (in this example, the packet of the flow C) to the control device 1. The control device 1 receives this inquiry and performs the operation shown in FIG. As described above, the processing method for the flow A packet and the processing method for the flow C packet are the same.
 制御装置1の制御部10は、処理規則の問い合わせ、およびパケットを受信する(ステップS51)。すると、処理規則粒度決定部11は、そのパケットに基づいて、フローCを識別する識別規則を作成する(ステップS52)。 The control unit 10 of the control device 1 receives the processing rule inquiry and the packet (step S51). Then, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow C based on the packet (step S52).
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フローCに対応する処理方法を、フローCが通過するパケット処理装置毎に定める。この処理方法と、ステップSS52で作成された識別規則により、フローCが通過するパケット処理装置毎の処理規則が定まる。そして、処理規則粒度決定部11は、このフローCの処理規則と他のフローの処理規則とを集約した処理規則を作成可能か否かを判定する(ステップS53)。処理規則粒度決定部11は、処理方法が同一であって、異なるフローに対応する処理規則が存在する場合には、それらの複数のフローの処理規則を集約することができると判定し、異なるフローに対応する処理規則を1つの処理規則に集約する。例えば、パケット処理装置2aにおけるフローCに対応する処理規則、および、パケット処理装置2aにおけるフローAに対応する処理規則では、処理方法が「処理方法(1)」で同一である。従って、処理規則粒度決定部11は、パケット処理装置2aにおけるフローCに対応する処理規則と、パケット処理装置2aにおけるフローAに対応する処理規則とを1つに集約できると判定し、その2つの処理規則を一つに集約する。具体的には、処理規則粒度決定部11は、複数のフロー(本例ではフローA,C)を包含する識別規則(換言すれば、複数のフローそれぞれに合致する識別規則)を定め、その識別規則と、その複数のフローで同一の処理方法とのセットを定めればよい。ここでは、パケット処理装置2aを例にして説明したが、他のパケット処理装置2b,2cに関しても同様である。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow C for each packet processing device through which the flow C passes based on the control policy. With this processing method and the identification rule created in step SS52, the processing rule for each packet processing device through which the flow C passes is determined. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of the flow C and the processing rules of other flows are aggregated (step S53). If the processing method is the same and there are processing rules corresponding to different flows, the processing rule granularity determination unit 11 determines that the processing rules of the plurality of flows can be aggregated, and the different flows Are integrated into one processing rule. For example, in the processing rule corresponding to the flow C in the packet processing device 2a and the processing rule corresponding to the flow A in the packet processing device 2a, the processing method is the same as “processing method (1)”. Therefore, the processing rule granularity determination unit 11 determines that the processing rule corresponding to the flow C in the packet processing device 2a and the processing rule corresponding to the flow A in the packet processing device 2a can be integrated into one, and the two Combine processing rules into one. Specifically, the processing rule granularity determination unit 11 determines an identification rule (in other words, an identification rule that matches each of the plurality of flows) that includes a plurality of flows (in this example, flows A and C), and identifies them. A set of rules and the same processing method may be defined for the plurality of flows. Here, the packet processing device 2a has been described as an example, but the same applies to the other packet processing devices 2b and 2c.
 ステップS53の後、処理規則粒度決定部11は、ステップS53で得られた処理規則を管理DB記憶部12に登録する(ステップS54)。複数の処理規則を1つに集約した処理規則を定めた場合には、処理規則粒度決定部11は、その処理規則を管理DB記憶部12に登録する。また、処理規則粒度決定部11は、1つの処理規則に集約された既存の処理規則(本例では、フローAの処理規則)を管理DB記憶部12から削除する。 After step S53, the processing rule granularity determination unit 11 registers the processing rule obtained in step S53 in the management DB storage unit 12 (step S54). When a processing rule in which a plurality of processing rules are integrated into one is determined, the processing rule granularity determination unit 11 registers the processing rule in the management DB storage unit 12. In addition, the processing rule granularity determination unit 11 deletes the existing processing rule (in this example, the processing rule of the flow A) that is aggregated into one processing rule from the management DB storage unit 12.
 図6は、この時点において、管理DB記憶部12に登録されている処理規則を示す模式図である。各パケット処理装置2a~2cにおける処理規則において、フローAに対応する処理規則およびフローCに対応する処理規則が1つの処理規則に集約され、図5に示した既存のフローAに対応する処理規則は削除されている。 FIG. 6 is a schematic diagram showing processing rules registered in the management DB storage unit 12 at this point. In the processing rules in each of the packet processing devices 2a to 2c, the processing rules corresponding to the flow A and the processing rules corresponding to the flow C are aggregated into one processing rule, and the processing rules corresponding to the existing flow A shown in FIG. Has been deleted.
 次に、処理規則粒度決定部11は、ステップS54で登録したパケット処理装置2毎の処理規則(本例では、フローA,Cに対応する処理規則)を、対応するパケット処理装置2に通知する(ステップS55)。また、通知する処理規則が、複数のフローに対応する処理規則を1つに集約したものである場合、処理規則粒度決定部11は、集約されたフローに対応する既存の処理規則を削除する旨の指示も合わせて、パケット処理装置2に送信する。本例では、処理規則粒度決定部11は、フローAに対応する既存の処理規則を削除する旨の通知もステップS55で送信する。 Next, the processing rule granularity determination unit 11 notifies the corresponding packet processing device 2 of the processing rules for each packet processing device 2 registered in step S54 (in this example, processing rules corresponding to flows A and C). (Step S55). In addition, when the processing rule to be notified is an aggregation of processing rules corresponding to a plurality of flows, the processing rule granularity determination unit 11 deletes an existing processing rule corresponding to the aggregated flow. Is also transmitted to the packet processing apparatus 2. In this example, the processing rule granularity determination unit 11 also transmits a notification to delete the existing processing rule corresponding to the flow A in step S55.
 この結果、パケット処理装置2a,2b,2cは、フローAに対応する処理規則と、フローCに対応する処理規則とを別個に記憶する必要はなく、フローA,Cに対応する処理規則を記憶する。従って、パケット処理装置2が記憶する処理規則の数を削減できる。 As a result, the packet processing devices 2a, 2b, and 2c do not need to store the processing rules corresponding to the flow A and the processing rules corresponding to the flow C separately, and store the processing rules corresponding to the flows A and C. To do. Therefore, the number of processing rules stored in the packet processing device 2 can be reduced.
 図7は、パケット処理装置2の例を示すブロック図である。パケット処理装置2は、処理規則設定部20と、記憶部21と、パケット処理部22とを含む。 FIG. 7 is a block diagram illustrating an example of the packet processing device 2. The packet processing device 2 includes a processing rule setting unit 20, a storage unit 21, and a packet processing unit 22.
 記憶部21は、処理規則を記憶する記憶装置である。 The storage unit 21 is a storage device that stores processing rules.
 処理規則設定部20は、制御装置1から通知された処理規則を記憶部21に記憶させる。また、処理規則設定部20は、処理規則を削除する旨の指示を制御装置1から受信した場合には、制御装置1によって削除することを指定された処理規則を、記憶部21から削除する。 The processing rule setting unit 20 stores the processing rule notified from the control device 1 in the storage unit 21. When the processing rule setting unit 20 receives an instruction to delete the processing rule from the control device 1, the processing rule setting unit 20 deletes the processing rule designated to be deleted by the control device 1 from the storage unit 21.
 パケット処理部22は、パケットを受信すると、記憶部21に記憶されている処理規則の中から、受信パケットに対応する識別規則を有する処理規則を検索する。受信パケットに対応する識別規則を有する処理規則を検索できた場合、パケット処理部22は、その処理規則で定められている処理方法に従って、受信パケットを処理する。受信パケットに対応する識別規則を有する処理規則を検索できなかった場合(すなわち、記憶部21に記憶されていなかった場合)、パケット処理部22は、制御装置1に対して、受信パケットとともに、処理規則の問い合わせを送信する。この結果、制御装置1は、前述のステップS51以降の動作を行う。 When the packet processing unit 22 receives the packet, the packet processing unit 22 searches the processing rule stored in the storage unit 21 for a processing rule having an identification rule corresponding to the received packet. When a processing rule having an identification rule corresponding to the received packet can be retrieved, the packet processing unit 22 processes the received packet according to the processing method defined by the processing rule. When the processing rule having the identification rule corresponding to the received packet cannot be retrieved (that is, when the processing rule is not stored in the storage unit 21), the packet processing unit 22 processes the received packet together with the received packet. Send a rule query. As a result, the control device 1 performs the operations after step S51 described above.
 処理規則設定部20およびパケット処理部22は、例えば、パケット処理装置用プログラムに従って動作するコンピュータのCPUによって実現される。この場合、CPUは、例えば、コンピュータのプログラム記憶装置(図示略)等のプログラム記録媒体からパケット処理装置用プログラムを読み込み、そのプログラムに従って、処理規則設定部20およびパケット処理部22として動作すればよい。また、処理規則設定部20およびパケット処理部22が別々のハードウェアで実現されていてもよい。 The processing rule setting unit 20 and the packet processing unit 22 are realized by, for example, a CPU of a computer that operates according to a packet processing device program. In this case, for example, the CPU may read the packet processing device program from a program recording medium such as a computer program storage device (not shown) and operate as the processing rule setting unit 20 and the packet processing unit 22 according to the program. . Further, the processing rule setting unit 20 and the packet processing unit 22 may be realized by separate hardware.
 次に、具体例を用いて、制御装置1の動作を説明する。図8は、制御装置1によって制御されるパケット処理装置2の例を示す模式図である。ここでは、図3に示す場合と同様、3台のパケット処理装置2a,2b,2cが存在する場合を例にして説明する。図8において、#記号とともに示している番号は、ポート番号である。 Next, the operation of the control device 1 will be described using a specific example. FIG. 8 is a schematic diagram illustrating an example of the packet processing device 2 controlled by the control device 1. Here, as in the case shown in FIG. 3, a case where there are three packet processing devices 2a, 2b, 2c will be described as an example. In FIG. 8, the numbers indicated with the # symbol are port numbers.
 図8に示す例では、パケット処理装置2aに、端末8a,8b,8cが接続されている。また、パケット処理装置2cに、端末8dが接続されている。 In the example shown in FIG. 8, terminals 8a, 8b, and 8c are connected to the packet processing device 2a. A terminal 8d is connected to the packet processing device 2c.
 端末8aのIP(Internet Protocol )アドレスは、172.20.1.1であるものとする。 The IP (Internet Protocol) address of the terminal 8a is 172.20.1.1.1.
 端末8bのIPアドレスは、172.20.1.2であるものとする。 Assume that the IP address of the terminal 8b is 172.20.1.2.
 端末8cのIPアドレスは、172.20.1.3であるものとする。 It is assumed that the IP address of the terminal 8c is 172.20.1.3.
 端末8dのIPアドレスは、172,20.2.1であるものとする。 The IP address of the terminal 8d is assumed to be 172, 20.2.1.
 また、端末8aから端末8dまでのフローをフロー1とする。端末8bから端末8dまでのフローをフロー2とする。端末8cから端末8dまでのフローをフロー3とする。フロー1のパケットに対する処理方法と、フロー3のパケットに対する処理方法は同一であるものとする。また、フロー2のパケットに対する処理方法は、フロー1,3のパケットに対する処理方法とは異なるものとする。 Also, let the flow from the terminal 8a to the terminal 8d be flow 1. Let the flow from the terminal 8b to the terminal 8d be flow 2. Let the flow from the terminal 8c to the terminal 8d be flow 3. It is assumed that the processing method for the flow 1 packet and the processing method for the flow 3 packet are the same. Also, the processing method for the flow 2 packet is different from the processing method for the flow 1 and 3 packets.
 以下の説明において、初期状態では、各パケット処理装置2の記憶部21に処理規則が記憶されていないものとする。 In the following description, it is assumed that no processing rule is stored in the storage unit 21 of each packet processing device 2 in the initial state.
 最初に端末8aが、端末8dを宛先としてパケットを送信するものとする。パケット処理装置2aは、そのパケットを受信する。パケット処理装置2aのパケット処理部22は、受信したパケットに対応する処理規則が記憶部21に記憶されていないので、そのパケットのフロー(フロー1)に対する処理規則の問い合わせを制御装置1に送信する。このとき、パケット処理装置2aのパケット処理部22は、そのパケットも制御装置1に送信する。 First, it is assumed that the terminal 8a transmits a packet with the terminal 8d as a destination. The packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits an inquiry about the processing rule for the flow (flow 1) of the packet to the control device 1. . At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
 すると、制御装置1の制御部10は、パケット処理装置2aから、処理規則の問い合わせ、およびパケットを受信する(ステップS51)。次に、処理規則粒度決定部11は、そのパケットに基づいて、フロー1を識別する識別規則を作成する(ステップS52)。本実施形態では、パケットのIPヘッダの送信元IPアドレスおよび宛先IPアドレスの組み合わせを識別規則とする場合を例にして説明する。従って、上記のステップS52で作成される識別規則は、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される。 Then, the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a (step S51). Next, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow 1 based on the packet (step S52). In the present embodiment, a case where a combination of a source IP address and a destination IP address in an IP header of a packet is used as an identification rule will be described as an example. Therefore, the identification rule created in step S52 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1”.
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フロー1に対応する処理方法を、フロー1が通過するパケット処理装置2毎に定め、パケット処理装置2毎に処理規則を定める。そして、処理規則粒度決定部11は、フロー1と他のフローとを集約した処理規則を作成可能か否かを判定する(ステップS53)。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 1 for each packet processing device 2 through which the flow 1 passes, and sets a processing rule for each packet processing device 2 based on the control policy. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the flow 1 and other flows are aggregated (step S53).
 パケット処理装置2aに対して定める処理方法は、「ポート#4から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2aに対して、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#4から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2a is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” for the packet processing device 2a. A processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
 パケット処理装置2bに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2bに対して、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” with respect to the packet processing device 2b. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
 パケット処理装置2cに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2cに対して、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” for the packet processing device 2c. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
 ステップS53では、上記のようにパケット処理装置2毎に処理規則を定めた後、処理規則粒度決定部11は、フロー1の処理規則と他のフローの処理規則とを集約した処理規則を作成可能か否かを判定する。 In step S53, after setting the processing rule for each packet processing device 2 as described above, the processing rule granularity determination unit 11 can create a processing rule in which the processing rules of flow 1 and the processing rules of other flows are aggregated. It is determined whether or not.
 複数のフローの処理規則を集約した処理規則を作成可能か否かの判定処理の処理経過の例を図9に示す。処理規則粒度決定部11は、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則が他に存在するか否かを判定する(ステップS531)。本例では、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則は、管理DB記憶部12に記憶されていない(ステップS531のNO)。この場合、処理規則粒度決定部11は、ステップS52で求めた識別規則を含む処理規則(上記のようにステップS53で作成した処理規則)を登録することを決定する(ステップS533)。 FIG. 9 shows an example of the processing progress of the determination process of whether or not it is possible to create a processing rule in which processing rules for a plurality of flows are aggregated. The processing rule granularity determination unit 11 determines whether there is another identification rule having the same processing method as the processing rule created in step S53 as described above (step S531). In this example, an identification rule having the same processing method as the processing rule created in step S53 as described above is not stored in the management DB storage unit 12 (NO in step S531). In this case, the processing rule granularity determination unit 11 determines to register the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) (step S533).
 なお、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則は、管理DB記憶部12に記憶されている場合(ステップS531のYES)、処理規則粒度決定部11は、その識別規則を含む処理規則と、上記のようにステップS53で作成した処理規則とを集約した処理規則を作成し、その処理規則を登録することを決定する(ステップS532)。ステップS532を実行する場合については、後述する。 When the identification rule having the same processing method as the processing rule created in step S53 as described above is stored in the management DB storage unit 12 (YES in step S531), the processing rule granularity determination unit 11 It is determined that a processing rule including the processing rule including the identification rule and the processing rule generated in step S53 as described above is created and the processing rule is registered (step S532). The case of executing step S532 will be described later.
 本例では、処理規則粒度決定部11は、ステップS54において、上記のステップS533の決定に従い、ステップS52で求めた識別規則を含む処理規則(上記のようにステップS53で作成した処理規則)を管理DB記憶部12に登録する(ステップS54)。この時点で管理DB記憶部12に登録されている処理規則を図10に示す。 In this example, the processing rule granularity determination unit 11 manages the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) according to the determination in step S533 in step S54. Register in the DB storage unit 12 (step S54). Processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
 そして、処理規則粒度決定部11は、ステップS54で登録したパケット処理装置2毎の各処理規則を、対応するパケット処理装置2に通知する(ステップS55)。ここでは、処理規則粒度決定部11は、図10に示すパケット処理装置2aの処理規則を、パケット処理装置2aに通知する。同様に、処理規則粒度決定部11は、図10に示すパケット処理装置2bの処理規則を、パケット処理装置2bに通知する。さらに、処理規則粒度決定部11は、図10に示すパケット処理装置2cの処理規則を、パケット処理装置2cに通知する。 Then, the processing rule granularity determining unit 11 notifies the corresponding packet processing device 2 of each processing rule registered in step S54 for each packet processing device 2 (step S55). Here, the processing rule granularity determination unit 11 notifies the packet processing device 2a of the processing rules of the packet processing device 2a shown in FIG. Similarly, the processing rule granularity determination unit 11 notifies the packet processing device 2b of the processing rules of the packet processing device 2b shown in FIG. Further, the processing rule granularity determining unit 11 notifies the packet processing device 2c of the processing rules of the packet processing device 2c shown in FIG.
 各パケット処理装置2の処理規則設定部20(図7参照)は、通知された処理規則を記憶部21に記憶させる。そして、パケット処理部22は、受信したパケットをその処理規則に従って処理する。この結果、フロー1のパケットは、フロー1に対応する処理規則に従って順次、転送される。 The processing rule setting unit 20 (see FIG. 7) of each packet processing device 2 stores the notified processing rule in the storage unit 21. Then, the packet processing unit 22 processes the received packet according to the processing rule. As a result, the packets of flow 1 are sequentially transferred according to the processing rule corresponding to flow 1.
 次に、端末8bが、端末8dを宛先としてパケットを送信するものとする。パケット処理装置2aは、そのパケットを受信する。パケット処理装置2aのパケット処理部22(図7参照)は、受信したパケットに対応する処理規則が記憶部21に記憶されていないので、そのパケットのフロー(フロー2)に対する処理規則の問い合わせを制御装置1に送信する。このとき、パケット処理装置2aのパケット処理部22は、そのパケットも制御装置1に送信する。 Next, it is assumed that the terminal 8b transmits a packet with the terminal 8d as a destination. The packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 (see FIG. 7) of the packet processing device 2a controls the processing rule inquiry for the flow (flow 2) of the packet. Transmit to device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
 すると、制御装置1の制御部10は、パケット処理装置2aから、処理規則の問い合わせ、およびパケットを受信する(ステップS51)。次に、処理規則粒度決定部11は、そのパケットに基づいて、フロー2を識別する識別規則を作成する(ステップS52)。ここでは、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則が作成される。 Then, the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a (step S51). Next, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow 2 based on the packet (step S52). Here, an identification rule represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” is created.
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フロー2に対応する処理方法を、フロー2が通過するパケット処理装置2毎に定め、パケット処理装置2毎に処理規則を定める。そして、処理規則粒度決定部11は、フロー2の処理規則と他のフローの処理規則とを集約した処理規則を作成可能か否かを判定する(ステップS53)。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 2 for each packet processing device 2 through which the flow 2 passes, and sets a processing rule for each packet processing device 2 based on the control policy. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of the flow 2 and the processing rules of other flows are aggregated (step S53).
 パケット処理装置2aに対して定める処理方法は、「ポート#5から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2aに対して、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#5から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2a is “transfer from port # 5”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” for the packet processing device 2a. A processing rule including an identification rule and a processing method with the content “transfer from port # 5” is defined.
 パケット処理装置2bに対して定める処理方法は、「ポート#4から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2bに対して、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#4から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2b is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” with respect to the packet processing device 2b. A processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
 パケット処理装置2cに対して定める処理方法は、「ポート#4から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2cに対して、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#4から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2c is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” for the packet processing device 2c. A processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
 ステップS53では、上記のようにパケット処理装置2毎に処理規則を定めた後、処理規則粒度決定部11は、フロー2の処理規則と他のフローの処理規則を集約した処理規則を作成可能か否かを判定する。 In step S53, after setting the processing rule for each packet processing device 2 as described above, can the processing rule granularity determination unit 11 create a processing rule that aggregates the processing rule of the flow 2 and the processing rule of another flow? Determine whether or not.
 すなわち、処理規則粒度決定部11は、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則が他に存在するか否かを判定する(ステップS531、図9参照)。本例では、図10に示す処理規則(フロー1に対応する処理規則)が管理DB記憶部12に記憶されている。しかし、図10に示す処理規則の処理方法は、上記のようにステップS53で作成した処理規則の処理方法とは異なる。従って、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則は、管理DB記憶部12に記憶されていない(ステップS531のNO)。従って、処理規則粒度決定部11は、ステップS52で求めた識別規則を含む処理規則(上記のようにステップS53で作成した処理規則)を登録することを決定する(ステップS533、図9参照)。 That is, the processing rule granularity determination unit 11 determines whether there is another identification rule having the same processing method as the processing rule created in step S53 as described above (see step S531, FIG. 9). In this example, the processing rules shown in FIG. 10 (processing rules corresponding to the flow 1) are stored in the management DB storage unit 12. However, the processing rule processing method shown in FIG. 10 is different from the processing rule processing method created in step S53 as described above. Therefore, an identification rule having the same processing method as the processing rule created in step S53 as described above is not stored in the management DB storage unit 12 (NO in step S531). Therefore, the processing rule granularity determination unit 11 determines to register the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) (see step S533, FIG. 9).
 そして、処理規則粒度決定部11は、ステップS54において、上記のステップS533の決定に従い、ステップS52で求めた識別規則を含む処理規則(上記のようにステップS53で作成した処理規則)を管理DB記憶部12に登録する(ステップS54)。この時点で管理DB記憶部12に登録されている処理規則を図11に示す。送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則(図11参照)を含む処理規則が、新たに追加登録された処理規則である。 In step S54, the processing rule granularity determination unit 11 stores the processing rule including the identification rule obtained in step S52 (the processing rule created in step S53 as described above) in the management DB in accordance with the determination in step S533. Register in the unit 12 (step S54). The processing rules registered in the management DB storage unit 12 at this time are shown in FIG. A processing rule including an identification rule (see FIG. 11) represented by a combination of a source IP address “172.20.1.2” and a destination IP address “172.20.2.1” is newly registered. Processing rules.
 そして、処理規則粒度決定部11は、ステップS54で登録したパケット処理装置2毎の各処理規則を、対応するパケット処理装置2に通知する(ステップS55)。 Then, the processing rule granularity determining unit 11 notifies the corresponding packet processing device 2 of each processing rule registered in step S54 for each packet processing device 2 (step S55).
 処理規則の通知を受けた各パケット処理装置2の動作は、既に説明した動作と同様である。この結果、図11に示すパケット処理装置2aの処理規則が、パケット処理装置2aに記憶される。また、図11に示すパケット処理装置2bの処理規則が、パケット処理装置2bに記憶される。また、図11に示すパケット処理装置2cの処理規則が、パケット処理装置2cに記憶される。そして、パケット処理部22は、受信したパケットをその処理規則に従って処理する。その結果、フロー1のパケットは、フロー1に対応する処理規則に従って順次、転送され、フロー2のパケットは、フロー2に対応する処理規則に従って順次、転送される。 The operation of each packet processing device 2 that has received the processing rule notification is the same as the operation already described. As a result, the processing rules of the packet processing device 2a shown in FIG. 11 are stored in the packet processing device 2a. Further, the processing rules of the packet processing device 2b shown in FIG. 11 are stored in the packet processing device 2b. Further, the processing rules of the packet processing device 2c shown in FIG. 11 are stored in the packet processing device 2c. Then, the packet processing unit 22 processes the received packet according to the processing rule. As a result, the packet of flow 1 is sequentially transferred according to the processing rule corresponding to flow 1, and the packet of flow 2 is sequentially transferred according to the processing rule corresponding to flow 2.
 次に、端末8cが、端末8dを宛先としてパケットを送信するものとする。パケット処理装置2aは、そのパケットを受信する。パケット処理装置2aのパケット処理部22(図7参照)は、受信したパケットに対応する処理規則が記憶部21に記憶されていないので、そのパケットのフロー(フロー3)に対する処理規則の問い合わせを制御装置1に送信する。このとき、パケット処理装置2aのパケット処理部22は、そのパケットも制御装置1に送信する。 Next, it is assumed that the terminal 8c transmits a packet with the terminal 8d as a destination. The packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 (see FIG. 7) of the packet processing device 2a controls the processing rule inquiry for the flow (flow 3) of the packet. Transmit to device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
 すると、制御装置1の制御部10は、パケット処理装置2aから、処理規則の問い合わせ、およびパケットを受信する(ステップS51)。次に、処理規則粒度決定部11は、そのパケットに基づいて、フロー3を識別する識別規則を作成する(ステップS52)。ここでは、送信元IPアドレス“172.20.1.3”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則が作成される。 Then, the control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a (step S51). Next, the processing rule granularity determination unit 11 creates an identification rule for identifying the flow 3 based on the packet (step S52). Here, an identification rule represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” is created.
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フロー3に対応する処理方法を、フロー3が通過するパケット処理装置2毎に定め、パケット処理装置2毎に処理規則を定める。そして、処理規則粒度決定部11は、フロー3の処理規則と他のフローの処理規則とを集約した処理規則を作成可能か否かを判定する(ステップS53)。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 3 for each packet processing device 2 through which the flow 3 passes, and sets a processing rule for each packet processing device 2 based on the control policy. Then, the processing rule granularity determination unit 11 determines whether it is possible to create a processing rule in which the processing rules of the flow 3 and the processing rules of other flows are aggregated (step S53).
 パケット処理装置2aに対して定める処理方法は、「ポート#4から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2aに対して、送信元IPアドレス“172.20.1.3”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#4から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2a is “transfer from port # 4”. That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” for the packet processing device 2a. A processing rule including an identification rule and a processing method with the content “transfer from port # 4” is defined.
 パケット処理装置2bに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2bに対して、送信元IPアドレス“172.20.1.3”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” for the packet processing device 2b. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
 パケット処理装置2cに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2cに対して、送信元IPアドレス“172.20.1.3”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 is represented by a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” for the packet processing device 2c. A processing rule including an identification rule and a processing method with the content “transfer from port # 2” is determined.
 ステップS53では、上記のようにパケット処理装置2毎に処理規則を定めた後、処理規則粒度決定部11は、フロー3の処理規則と他のフローの処理規則を集約した処理規則を作成可能か否かを判定する。 In step S53, after the processing rule is determined for each packet processing device 2 as described above, can the processing rule granularity determination unit 11 create a processing rule in which the processing rules of the flow 3 and the processing rules of other flows are aggregated? Determine whether or not.
 すなわち、処理規則粒度決定部11は、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則が他に存在するか否かを判定する(ステップS531、図9参照)。本例では、図11に示す処理規則(フロー1に対応する処理規則、およびフロー2に対応する処理規則)が管理DB記憶部12に記憶されている。ここで、フロー1に対応する処理規則の処理方法は、上記のようにステップS53で作成した処理規則の処理方法と同一である。従って、上記のようにステップS53で作成した処理規則と処理方法が同一である識別規則は、管理DB記憶部12に記憶されている(ステップS531のYES)。従って、処理規則粒度決定部11は、その識別規則を含む処理規則と、上記のようにステップS53で作成した処理規則とを集約した処理規則を作成し、その処理規則を登録することを決定する(ステップS532)。 That is, the processing rule granularity determination unit 11 determines whether there is another identification rule having the same processing method as the processing rule created in step S53 as described above (see step S531, FIG. 9). In this example, the processing rules shown in FIG. 11 (the processing rules corresponding to the flow 1 and the processing rules corresponding to the flow 2) are stored in the management DB storage unit 12. Here, the processing rule processing method corresponding to the flow 1 is the same as the processing rule processing method created in step S53 as described above. Therefore, an identification rule having the same processing method as the processing rule created in step S53 as described above is stored in the management DB storage unit 12 (YES in step S531). Therefore, the processing rule granularity determination unit 11 determines that the processing rule including the identification rule and the processing rule generated in step S53 as described above are aggregated and the processing rule is registered. (Step S532).
 処理規則粒度決定部11は、フロー3およびフロー1を包含する識別規則(換言すれば、フロー3とフロー1のそれぞれに合致する識別規則)を定める。処理規則粒度決定部11は、例えば、フロー3およびフロー1を包含する識別規則として、送信元IPアドレス“172.20.1.0/30”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則を作成する。この識別規則は、フロー3およびフロー1それぞれに合致する。そして、処理規則粒度決定部11は、フロー3の処理規則およびフロー1の処理規則で同一であった処理方法と、その識別規則とのセットを作成することで、複数の処理規則を集約した処理規則を作成する。例えば、処理規則粒度決定部11は、パケット処理装置2aに関しては、上記の識別規則と、「ポート#4から転送」という内容の処理方法とのセットを定める。ここでは、パケット処理装置2aを例にして説明したが、処理規則粒度決定部11は、他のパケット処理装置2b,2cに関しても同様の処理を行う。 The processing rule granularity determination unit 11 determines an identification rule including the flow 3 and the flow 1 (in other words, an identification rule that matches each of the flow 3 and the flow 1). The processing rule granularity determination unit 11 uses, for example, a source IP address “172.20.1.0/30” and a destination IP address “172.20.2.1” as an identification rule that includes the flow 3 and the flow 1. Create an identification rule represented by a combination of. This identification rule matches each of flow 3 and flow 1. Then, the processing rule granularity determination unit 11 creates a set of processing methods that are the same in the processing rules of the flow 3 and the processing rules of the flow 1 and a set of the identification rules, thereby collecting a plurality of processing rules. Create a rule. For example, for the packet processing device 2a, the processing rule granularity determination unit 11 determines a set of the above-described identification rule and a processing method having a content “transfer from port # 4”. Here, the packet processing device 2a has been described as an example, but the processing rule granularity determination unit 11 performs the same processing on the other packet processing devices 2b and 2c.
 そして、処理規則粒度決定部11は、ステップS54において、上記のステップS532の決定に従い、ステップS532で新たに作成した処理規則を管理DB記憶部12に登録する(ステップS54)。また、処理規則粒度決定部11は、ステップS532で新たに作成した処理規則を管理DB記憶部12に登録する場合、新たな処理規則に集約された既存の処理規則(本例では、フロー1の処理規則。図10および図11参照。)を管理DB記憶部12から削除する。この時点で管理DB記憶部12に登録されている処理規則を図12に示す。送信元IPアドレス“172.20.1.0/30”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則(図12参照)を含む処理規則が、新たに追加登録された処理規則である。また、“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則を含む処理規則(図11参照)は、削除されている。 In step S54, the processing rule granularity determination unit 11 registers the processing rule newly created in step S532 in the management DB storage unit 12 in accordance with the determination in step S532 (step S54). Further, when the processing rule granularity determination unit 11 registers the processing rule newly created in step S532 in the management DB storage unit 12, the existing processing rule (in this example, the flow 1 of the flow 1) collected in the new processing rule. Processing rules (see FIGS. 10 and 11) are deleted from the management DB storage unit 12. Processing rules registered in the management DB storage unit 12 at this time are shown in FIG. A processing rule including an identification rule (see FIG. 12) represented by a combination of a source IP address “172.20.1.0/30” and a destination IP address “172.20.2.1” has been newly added. It is a registered processing rule. Further, the processing rule (see FIG. 11) including the identification rule represented by the combination of “172.20.1.1” and the destination IP address “172.20.2.1” has been deleted.
 そして、処理規則粒度決定部11は、ステップS54で登録したパケット処理装置2毎の各処理規則を、対応するパケット処理装置2に通知する(ステップS55)。また、ステップS54で、既存の処理規則を削除している場合には、処理規則粒度決定部11は、ステップS55で、その処理規則を削除する旨の指示も併せて、パケット処理装置2に送信する。本例では、処理規則粒度決定部11は、フロー1に対応する既存の処理規則を削除する旨の通知もステップS55で送信する。 Then, the processing rule granularity determining unit 11 notifies the corresponding packet processing device 2 of each processing rule registered in step S54 for each packet processing device 2 (step S55). If the existing processing rule is deleted in step S54, the processing rule granularity determination unit 11 transmits to the packet processing device 2 in step S55, together with an instruction to delete the processing rule. To do. In this example, the processing rule granularity determination unit 11 also transmits a notification to delete the existing processing rule corresponding to the flow 1 in step S55.
 各パケット処理装置2の処理規則設定部20(図7参照)は、通知された処理規則を記憶部21に記憶させる。また、処理規則設定部20は、制御装置1からの指示に従い、制御装置1によって指定された処理規則を記憶部21から削除する。この結果、図12に示すパケット処理装置2aの処理規則が、パケット処理装置2aに記憶される。また、図12に示すパケット処理装置2bの処理規則が、パケット処理装置2bに記憶される。また、図12に示すパケット処理装置2cの処理規則が、パケット処理装置2cに記憶される。この結果、フロー1のパケットおよびフロー3のパケットは、フロー1,3に対応する処理規則に従って順次、転送され、フロー2のパケットは、フロー2に対応する処理規則に従って順次、転送される。 The processing rule setting unit 20 (see FIG. 7) of each packet processing device 2 stores the notified processing rule in the storage unit 21. Further, the processing rule setting unit 20 deletes the processing rule specified by the control device 1 from the storage unit 21 in accordance with an instruction from the control device 1. As a result, the processing rules of the packet processing device 2a shown in FIG. 12 are stored in the packet processing device 2a. Further, the processing rules of the packet processing device 2b shown in FIG. 12 are stored in the packet processing device 2b. Further, the processing rules of the packet processing device 2c shown in FIG. 12 are stored in the packet processing device 2c. As a result, the packet of flow 1 and the packet of flow 3 are sequentially transferred according to the processing rule corresponding to flows 1 and 3, and the packet of flow 2 is sequentially transferred according to the processing rule corresponding to flow 2.
 本実施形態によれば、異なるフローに対応する処理規則において処理方法が同一である場合に、処理規則粒度決定部11が、その異なるフローに対応する処理規則を集約する。従って、パケット処理装置2が記憶する処理規則の数を削減することができる。 According to this embodiment, when the processing method is the same in the processing rules corresponding to different flows, the processing rule granularity determination unit 11 aggregates the processing rules corresponding to the different flows. Therefore, the number of processing rules stored in the packet processing device 2 can be reduced.
 本実施形態では、識別規則にIPアドレスを用いる場合を例にして説明したが、識別規則の態様は、IPアドレスを用いる態様に限定されない。例えば、モバイルシステムのトンネル識別子を適用してもよい。識別規則に用いる情報は、複数のフローを包含する識別規則として記述できる情報であればよい。 In the present embodiment, the case where an IP address is used as an identification rule has been described as an example, but the aspect of the identification rule is not limited to the aspect using an IP address. For example, a tunnel identifier of a mobile system may be applied. The information used for the identification rule may be information that can be described as an identification rule including a plurality of flows.
実施形態2.
 第2の実施形態の制御装置1は、第1の実施形態と同様の構成(図1参照)であり、図1を参照して第2の実施形態を説明する。 Embodiment 2. FIG.
The control apparatus 1 of 2nd Embodiment is the structure (refer FIG. 1) similar to 1st Embodiment, and 2nd Embodiment is described with reference to FIG.
 第2の実施形態では、処理規則粒度決定部11が、フローのグループを識別するグループ識別子を識別規則として定める。ただし、初段のパケット処理装置2に通知する処理規則内の識別規則は、第1の実施形態での識別規則と同様である。以下の説明では、初段のパケット処理装置2だけでなく、最終段のパケット処理装置2に通知する処理規則内の識別規則も、第1の実施形態での識別規則と同様である場合を例にして説明する。なお、初段のパケット処理装置2とは、端末から直接パケットを受信するパケット処理装置2である。最終段のパケット処理装置2とは、端末に対して直接パケットを転送するパケット処理装置2である。 In the second embodiment, the processing rule granularity determination unit 11 determines a group identifier for identifying a flow group as an identification rule. However, the identification rule in the processing rule notified to the first-stage packet processing device 2 is the same as the identification rule in the first embodiment. In the following description, an example in which not only the first-stage packet processing device 2 but also the identification rule in the processing rule notified to the last-stage packet processing device 2 is the same as the identification rule in the first embodiment is taken as an example. I will explain. The first-stage packet processing device 2 is a packet processing device 2 that directly receives a packet from a terminal. The last stage packet processing apparatus 2 is a packet processing apparatus 2 that directly transfers a packet to a terminal.
 また、以下の説明では、パケット処理装置2がL3(Layer 3 )スイッチである場合を例にして説明する。L3スイッチは、パケット転送時にMAC(Media Access Control)アドレスを用いないので、L3スイッチで転送されるパケットのMACアドレスを書き換えても、転送に影響しない。また、書き換えたMACアドレスを元のMACアドレスに戻す必要もない。そこで、以下に示す例では、フローのグループを識別する識別規則として、MACアドレスを用い、そのMACアドレスをパケット内の送信元MACアドレスとして書き込む場合を例にして説明する。この送信元MACアドレスは、フローのグループを識別するために用いられる。 Further, in the following description, a case where the packet processing device 2 is an L3 (Layer 3) switch will be described as an example. Since the L3 switch does not use a MAC (Media Access Control) address during packet transfer, rewriting the MAC address of the packet transferred by the L3 switch does not affect the transfer. Moreover, it is not necessary to return the rewritten MAC address to the original MAC address. Therefore, in the example shown below, a case where a MAC address is used as an identification rule for identifying a flow group and the MAC address is written as a source MAC address in a packet will be described as an example. This source MAC address is used to identify a group of flows.
 以下、具体例を用いて、制御装置1の動作を説明する。図13は、制御装置1によって制御されるパケット処理装置2の例を示す模式図である。図13では、3台のパケット処理装置2a,2b,2cが存在する場合を例示している。#記号とともに示している番号は、ポート番号である。 Hereinafter, the operation of the control device 1 will be described using a specific example. FIG. 13 is a schematic diagram illustrating an example of the packet processing device 2 controlled by the control device 1. FIG. 13 illustrates a case where there are three packet processing apparatuses 2a, 2b, and 2c. The numbers indicated with the # symbol are port numbers.
 また、図13に示す例では、パケット処理装置2aに、端末8a,8b,8cが接続されている。また、パケット処理装置2cに、端末8dが接続されている。図13に示す端末8a,8b,8c,8dのIPアドレスは、それぞれ、図8に示す端末8a,8b,8c,8dのIPアドレスと同じである。 In the example shown in FIG. 13, terminals 8a, 8b, and 8c are connected to the packet processing device 2a. A terminal 8d is connected to the packet processing device 2c. The IP addresses of the terminals 8a, 8b, 8c, and 8d shown in FIG. 13 are the same as the IP addresses of the terminals 8a, 8b, 8c, and 8d shown in FIG.
 端末8aから端末8dまでのフローをフロー1とする。端末8bから端末8dまでのフローをフロー2とする。端末8cから端末8dまでのフローをフロー3とする。フロー1のパケットに対する処理方法と、フロー3のパケットに対する処理方法は同一であるものとする。また、フロー2のパケットに対する処理方法は、フロー1,3のパケットに対する処理方法とは異なるものとする。 Suppose the flow from the terminal 8a to the terminal 8d is flow 1. Let the flow from the terminal 8b to the terminal 8d be flow 2. Let the flow from the terminal 8c to the terminal 8d be flow 3. It is assumed that the processing method for the flow 1 packet and the processing method for the flow 3 packet are the same. Also, the processing method for the flow 2 packet is different from the processing method for the flow 1 and 3 packets.
 また、どのフローがどのグループに属するかは、予め定められている。各フローがどのグループに属するかを示す情報は、予め処理規則粒度決定部11が保持している。そして、フロー1およびフロー3のグループに対するグループ識別子として、Xが予め定められているものとする。また、フロー2のグループに対するグループ識別子として、Yが予め定められているものとする。X,Yは、それぞれMACアドレスとして記述される。 Also, which flow belongs to which group is determined in advance. Information indicating to which group each flow belongs is held in advance by the processing rule granularity determination unit 11. Assume that X is predetermined as a group identifier for the groups of flow 1 and flow 3. Further, it is assumed that Y is predetermined as a group identifier for the group of flow 2. X and Y are each described as a MAC address.
 以下、フロー1、フロー2、フロー3の順にフローが発生するものとする。また、初期状態では、各パケット処理装置2の記憶部21に処理規則が記憶されていないものとする。 Hereinafter, it is assumed that flows occur in the order of flow 1, flow 2, and flow 3. In the initial state, it is assumed that no processing rule is stored in the storage unit 21 of each packet processing device 2.
 最初に、端末8aが、端末8dを宛先としてパケットを送信する。パケット処理装置2aは、そのパケットを受信する。パケット処理装置2aのパケット処理部22は、受信したパケットに対応する処理規則が記憶部21に記憶されていないので、そのパケットのフロー(フロー1)に対する処理規則の問い合わせを制御装置1に送信する。このとき、パケット処理装置2aのパケット処理部22は、そのパケットも制御装置1に送信する。 First, the terminal 8a transmits a packet with the terminal 8d as the destination. The packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits an inquiry about the processing rule for the flow (flow 1) of the packet to the control device 1. . At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
 制御装置1の制御部10は、パケット処理装置2aから、処理規則の問い合わせ、およびパケットを受信する。 The control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a.
 次に、処理規則粒度決定部11は、フロー1を識別する識別規則を定める。処理規則粒度決定部11は、フロー1に対する識別規則として、MACアドレス“X”を定める。ただし、初段のパケット処理装置2aおよび最終段のパケット処理装置2cに通知する処理規則内の識別規則は、第1の実施形態と同様に定められる。すなわち、処理規則粒度決定部11は、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせを識別規則とする。 Next, the processing rule granularity determination unit 11 determines an identification rule for identifying the flow 1. The processing rule granularity determination unit 11 determines the MAC address “X” as an identification rule for the flow 1. However, the identification rules in the processing rules notified to the first-stage packet processing device 2a and the last-stage packet processing device 2c are determined in the same manner as in the first embodiment. That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” as the identification rule.
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フロー1に対応する処理方法を、フロー1が通過するパケット処理装置2毎に定め、パケット処理装置2毎に処理規則を定める。ただし、フロー1が、既に処理規則が作成されたフローと同一のグループに属するフローである場合、その処理規則をフロー1の処理規則としても用いることによって、異なるフローの処理規則を集約する。本例では、既に処理規則が作成されたフローが存在していない。従って、処理規則粒度決定部11は、フロー1に対する処理規則を作成する。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 1 for each packet processing device 2 through which the flow 1 passes, and sets a processing rule for each packet processing device 2 based on the control policy. However, when the flow 1 belongs to the same group as the flow for which the processing rule has already been created, the processing rule of the different flow is aggregated by using the processing rule as the processing rule of the flow 1. In this example, there is no flow for which a processing rule has already been created. Therefore, the processing rule granularity determination unit 11 creates a processing rule for the flow 1.
 パケット処理装置2aに対して定める処理方法は、「送信元MACアドレスをXに書き換え、ポート#4から転送」である。すなわち、処理規則粒度決定部11は、初段のパケット処理装置2aに対して、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「送信元MACアドレスをXに書き換え、ポート#4から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2a is “rewrite the source MAC address to X and transfer from port # 4”. In other words, the processing rule granularity determination unit 11 represents the first-stage packet processing device 2a as a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1”. And a processing rule including “a rewrite source MAC address to X and transfer from port # 4” is defined.
 パケット処理装置2bに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2bに対して、識別規則“X”と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 determines a processing rule including an identification rule “X” and a processing method with the content “transfer from port # 2” for the packet processing device 2b.
 パケット処理装置2cに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、最終段のパケット処理装置2cに対して、送信元IPアドレス“172.20.1.1”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.1” and the destination IP address “172.20.2.1” for the packet processing device 2c at the final stage. A processing rule including an identification rule to be expressed and a processing method with a content of “transfer from port # 2” is defined.
 次に、処理規則粒度決定部11は、上記のように定めた処理規則を管理DB記憶部12に登録する。この時点で管理DB記憶部12に登録されている処理規則を図14に示す。 Next, the processing rule granularity determination unit 11 registers the processing rule determined as described above in the management DB storage unit 12. Processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
 そして、処理規則粒度決定部11は、上記のように定めた各処理規則を、対応するパケット処理装置2に通知する。ここでは、処理規則粒度決定部11は、図14に示すパケット処理装置2aの処理規則を、パケット処理装置2aに通知する。同様に、処理規則粒度決定部11は、図14に示すパケット処理装置2bの処理規則を、パケット処理装置2bに通知する。さらに、処理規則粒度決定部11は、図14に示すパケット処理装置2cの処理規則を、パケット処理装置2cに通知する。 Then, the processing rule granularity determination unit 11 notifies the corresponding packet processing device 2 of each processing rule determined as described above. Here, the processing rule granularity determination unit 11 notifies the packet processing device 2a of the processing rules of the packet processing device 2a shown in FIG. Similarly, the processing rule granularity determination unit 11 notifies the packet processing device 2b of the processing rules of the packet processing device 2b shown in FIG. Furthermore, the processing rule granularity determining unit 11 notifies the packet processing device 2c of the processing rules of the packet processing device 2c shown in FIG.
 各パケット処理装置2の処理規則設定部20(図7参照)は、通知された処理規則を記憶部21に記憶させる。そして、パケット処理部22は、受信したパケットをその処理規則に従って処理する。パケット処理装置2aは、端末8aから受信したフロー1のパケットの送信元MACアドレスをXに書き換え、そのパケットをポート#4から出力する。そのパケットを受信したパケット処理装置2bは、通知された処理規則に従って、そのパケットをポート#2から出力する。そのパケットを受信したパケット処理装置2cは、通知された処理規則に従って、そのパケットをポート#2から出力する。この結果、フロー1のパケットは、宛先となる端末8dに到達する。 The processing rule setting unit 20 (see FIG. 7) of each packet processing device 2 stores the notified processing rule in the storage unit 21. Then, the packet processing unit 22 processes the received packet according to the processing rule. The packet processing device 2a rewrites the transmission source MAC address of the packet of flow 1 received from the terminal 8a to X, and outputs the packet from port # 4. The packet processing device 2b that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. The packet processing device 2c that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. As a result, the packet of flow 1 reaches the destination terminal 8d.
 次に、端末8bが、端末8dを宛先としてパケットを送信する。パケット処理装置2aは、そのパケットを受信する。パケット処理装置2aのパケット処理部22は、受信したパケットに対応する処理規則が記憶部21に記憶されていないので、そのパケットのフロー(フロー2)に対する処理の問い合わせを制御装置1に送信する。このとき、パケット処理装置2aのパケット処理部22は、そのパケットも制御装置1に送信する。 Next, the terminal 8b transmits a packet with the terminal 8d as a destination. The packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits a processing inquiry for the flow of the packet (flow 2) to the control device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
 制御装置1の制御部10は、パケット処理装置2aから、処理規則の問い合わせ、およびパケットを受信する。 The control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a.
 次に、処理規則粒度決定部11は、フロー2を識別する識別規則を定める。処理規則粒度決定部11は、フロー2に対する識別規則として、MACアドレス“Y”を定める。ただし、初段のパケット処理装置2aおよび最終段のパケット処理装置2cに通知する処理規則内の識別規則は、第1の実施形態と同様に定められる。すなわち、処理規則粒度決定部11は、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせを識別規則とする。 Next, the processing rule granularity determination unit 11 determines an identification rule for identifying the flow 2. The processing rule granularity determination unit 11 determines the MAC address “Y” as an identification rule for the flow 2. However, the identification rules in the processing rules notified to the first-stage packet processing device 2a and the last-stage packet processing device 2c are determined in the same manner as in the first embodiment. That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” as the identification rule.
 次に、処理規則粒度決定部11は、制御ポリシに基づいて、フロー2に対応する処理方法を、フロー2が通過するパケット処理装置2毎に定め、パケット処理装置2毎に処理規則を定める。ただし、フロー2が、既に処理規則が作成されたフローと同一のグループに属するフローである場合、その処理規則をフロー2の処理規則としても用いることによって、異なるフローの処理規則を集約する。本例では、フロー1の処理規則が既に作成されているが、フロー1のグループと、フロー2のグループは異なる。従って、処理規則粒度決定部11は、フロー2に対する処理規則を作成する。 Next, the processing rule granularity determination unit 11 determines a processing method corresponding to the flow 2 for each packet processing device 2 through which the flow 2 passes, and sets a processing rule for each packet processing device 2 based on the control policy. However, when the flow 2 is a flow belonging to the same group as the flow for which the processing rule has already been created, the processing rule of the different flow is aggregated by using the processing rule as the processing rule of the flow 2. In this example, the processing rule for flow 1 has already been created, but the group for flow 1 and the group for flow 2 are different. Accordingly, the processing rule granularity determination unit 11 creates a processing rule for the flow 2.
 パケット処理装置2aに対して定める処理方法は、「送信元MACアドレスをYに書き換え、ポート#4から転送」である。すなわち、処理規則粒度決定部11は、初段のパケット処理装置2aに対して、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「送信元MACアドレスをYに書き換え、ポート#4から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2a is “rewrite the source MAC address to Y and transfer from port # 4”. That is, the processing rule granularity determination unit 11 represents the first-stage packet processing device 2a as a combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1”. And a processing rule including “a rewrite source MAC address to Y and transfer from port # 4” is defined.
 パケット処理装置2bに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、パケット処理装置2bに対して、識別規則“Y”と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2b is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 determines a processing rule including an identification rule “Y” and a processing method with the content “transfer from port # 2” for the packet processing device 2b.
 パケット処理装置2cに対して定める処理方法は、「ポート#2から転送」である。すなわち、処理規則粒度決定部11は、最終段のパケット処理装置2cに対して、送信元IPアドレス“172.20.1.2”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則と、「ポート#2から転送」という内容の処理方法とを含む処理規則を定める。 The processing method defined for the packet processing device 2c is “transfer from port # 2.” That is, the processing rule granularity determination unit 11 uses the combination of the source IP address “172.20.1.2” and the destination IP address “172.20.2.1” for the packet processing device 2c at the final stage. A processing rule including an identification rule to be expressed and a processing method with a content of “transfer from port # 2” is defined.
 次に、処理規則粒度決定部11は、上記のように定めた処理規則を管理DB記憶部12に登録する。この時点で管理DB記憶部12に登録されている処理規則を図15に示す。 Next, the processing rule granularity determination unit 11 registers the processing rule determined as described above in the management DB storage unit 12. Processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
 そして、処理規則粒度決定部11は、上記のように定めた各処理規則を、対応するパケット処理装置2に通知する。 Then, the processing rule granularity determination unit 11 notifies the corresponding packet processing device 2 of each processing rule determined as described above.
 処理規則の通知を受けた各パケット処理装置2の動作は、既に説明した動作と同様である。この結果、図15に示すパケット処理装置2aの処理規則が、パケット処理装置2aに記憶される。また、図15に示すパケット処理装置2bの処理規則が、パケット処理装置2bに記憶される。また、図15に示すパケット処理装置2cの処理規則が、パケット処理装置2cに記憶される。 The operation of each packet processing device 2 that has received the processing rule notification is the same as the operation already described. As a result, the processing rules of the packet processing device 2a shown in FIG. 15 are stored in the packet processing device 2a. Further, the processing rules of the packet processing device 2b shown in FIG. 15 are stored in the packet processing device 2b. Further, the processing rules of the packet processing device 2c shown in FIG. 15 are stored in the packet processing device 2c.
 そして、パケット処理装置2aは、端末8bから受信したフロー2のパケットの送信元MACアドレスをYに書き換え、そのパケットをポート#4から出力する。そのパケットを受信したパケット処理装置2bは、通知された処理規則に従って、そのパケットをポート#2から出力する。そのパケットを受信したパケット処理装置2cは、通知された処理規則に従って、そのパケットをポート#2から出力する。この結果、フロー2のパケットは、宛先となる端末8dに到達する。 Then, the packet processing device 2a rewrites the transmission source MAC address of the packet of the flow 2 received from the terminal 8b to Y, and outputs the packet from the port # 4. The packet processing device 2b that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. The packet processing device 2c that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. As a result, the packet of the flow 2 reaches the destination terminal 8d.
 次に、端末8cが、端末8dを宛先としてパケットを送信する。パケット処理装置2aは、そのパケットを受信する。パケット処理装置2aのパケット処理部22は、受信したパケットに対応する処理規則が記憶部21に記憶されていないので、そのパケットのフロー(フロー3)に対する処理の問い合わせを制御装置1に送信する。このとき、パケット処理装置2aのパケット処理部22は、そのパケットも制御装置1に送信する。 Next, the terminal 8c transmits a packet with the terminal 8d as the destination. The packet processing device 2a receives the packet. Since the processing rule corresponding to the received packet is not stored in the storage unit 21, the packet processing unit 22 of the packet processing device 2a transmits a processing inquiry for the flow of the packet (flow 3) to the control device 1. At this time, the packet processing unit 22 of the packet processing device 2 a also transmits the packet to the control device 1.
 制御装置1の制御部10は、パケット処理装置2aから、処理規則の問い合わせ、およびパケットを受信する。 The control unit 10 of the control device 1 receives the processing rule inquiry and the packet from the packet processing device 2a.
 次に、処理規則粒度決定部11は、フロー3を識別する識別規則を定める。処理規則粒度決定部11は、フロー3に対する識別規則として、MACアドレス“X”を定める。ただし、初段のパケット処理装置2aおよび最終段のパケット処理装置2cに通知する処理規則内の識別規則は、第1の実施形態と同様に定められる。すなわち、処理規則粒度決定部11は、送信元IPアドレス“172.20.1.3”および宛先IPアドレス“172.20.2.1”の組み合わせを識別規則とする。 Next, the processing rule granularity determination unit 11 determines an identification rule for identifying the flow 3. The processing rule granularity determination unit 11 determines the MAC address “X” as an identification rule for the flow 3. However, the identification rules in the processing rules notified to the first-stage packet processing device 2a and the last-stage packet processing device 2c are determined in the same manner as in the first embodiment. That is, the processing rule granularity determination unit 11 uses a combination of the source IP address “172.20.1.3” and the destination IP address “172.20.2.1” as the identification rule.
 ここで、新たに発生したフロー3は、既に処理規則が作成されたフロー1と同一のグループに属するフローである。従って、処理規則粒度決定部11は、フロー1の処理規則をフロー3の処理規則としても用いることによって、異なるフロー1,3の処理規則を集約する。 Here, the newly generated flow 3 is a flow belonging to the same group as the flow 1 in which the processing rule has already been created. Therefore, the processing rule granularity determination unit 11 aggregates the processing rules of the different flows 1 and 3 by using the processing rule of the flow 1 as the processing rule of the flow 3.
 処理規則粒度決定部11は、初段および最終段以外のパケット処理装置2bの処理規則については変更しない。また、処理規則粒度決定部11は、初段のパケット処理装置2aおよび最終段のパケット処理装置2cのフロー1に対応する処理規則内の識別規則については、フロー1,3を包含する識別規則に変更する。具体的には、フロー1に対応する処理規則内の識別規則を、送信元IPアドレス“172.20.1.0/30”および宛先IPアドレス“172.20.2.1”の組み合わせで表される識別規則に変更する。 The processing rule granularity determination unit 11 does not change the processing rules of the packet processing device 2b other than the first stage and the last stage. In addition, the processing rule granularity determination unit 11 changes the identification rule in the processing rule corresponding to the flow 1 of the first-stage packet processing device 2a and the last-stage packet processing device 2c to an identification rule including flows 1 and 3. To do. Specifically, the identification rule in the processing rule corresponding to the flow 1 is represented by a combination of the source IP address “172.20.1.0/30” and the destination IP address “172.20.2.1”. Change to the identification rule.
 処理規則粒度決定部11は、初段および最終段のパケット処理装置2a,2cの処理規則の変更(識別規則の変更)を、管理DB記憶部12が記憶する処理規則に反映する。この時点で管理DB記憶部12に登録されている処理規則を図16に示す。 The processing rule granularity determination unit 11 reflects the change of the processing rule (change of the identification rule) of the packet processing devices 2a and 2c at the first stage and the final stage in the processing rule stored in the management DB storage unit 12. The processing rules registered in the management DB storage unit 12 at this time are shown in FIG.
 処理規則粒度決定部11は、初段および最終段以外のパケット処理装置2bの処理規則については変更していないので、パケット処理装置2bに対しては、処理規則を通知しなくてよい。 Since the processing rule granularity determination unit 11 has not changed the processing rules of the packet processing device 2b other than the first and last stages, the processing rule need not be notified to the packet processing device 2b.
 また、処理規則粒度決定部11は、初段のパケット処理装置2aおよび最終段のパケット処理装置2cに対しては、識別規則を変更した処理規則を通知するとともに、変更前の処理規則を削除する旨の指示を送信する。 In addition, the processing rule granularity determination unit 11 notifies the first-stage packet processing device 2a and the final-stage packet processing device 2c of the processing rule whose identification rule has been changed and deletes the processing rule before the change. Send instructions.
 パケット処理装置2a,2cの処理規則設定部20は、通知された処理規則を記憶部21に記憶させるとともに、削除することを指定された処理規則を記憶部21から削除する。この結果、図16に示すパケット処理装置2aの処理規則が、パケット処理装置2aに記憶される。また、図16に示すパケット処理装置2bの処理規則が、パケット処理装置2bに記憶される。また、図16に示すパケット処理装置2cの処理規則が、パケット処理装置2cに記憶される。 The processing rule setting unit 20 of the packet processing devices 2 a and 2 c stores the notified processing rule in the storage unit 21 and deletes the processing rule designated to be deleted from the storage unit 21. As a result, the processing rules of the packet processing device 2a shown in FIG. 16 are stored in the packet processing device 2a. Also, the processing rules of the packet processing device 2b shown in FIG. 16 are stored in the packet processing device 2b. Further, the processing rules of the packet processing device 2c shown in FIG. 16 are stored in the packet processing device 2c.
 そして、パケット処理装置2aは、端末8cから受信したフロー3のパケットの送信元MACアドレスをXに書き換え、そのパケットをポート#4から出力する。そのパケットを受信したパケット処理装置2bは、通知された処理規則に従って、そのパケットをポート#2から出力する。そのパケットを受信したパケット処理装置2cは、通知された処理規則に従って、そのパケットをポート#2から出力する。この結果、フロー3のパケットは、宛先となる端末8dに到達する。このフロー3のパケットの転送態様は、フロー1のパケットの転送態様と同様である。 Then, the packet processing device 2a rewrites the transmission source MAC address of the packet of the flow 3 received from the terminal 8c to X, and outputs the packet from the port # 4. The packet processing device 2b that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. The packet processing device 2c that has received the packet outputs the packet from the port # 2 in accordance with the notified processing rule. As a result, the packet of the flow 3 reaches the destination terminal 8d. The packet transfer mode of the flow 3 is the same as the packet transfer mode of the flow 1.
 本実施形態においても、異なるフローの処理規則を集約するので、パケット処理装置2が記憶する処理規則の数を削減することができる。 Also in the present embodiment, the processing rules of different flows are aggregated, so that the number of processing rules stored in the packet processing device 2 can be reduced.
 また、送信元MACアドレスの書き換えが行われていないパケットを受信する初段のパケット処理装置2aには、グループ識別子を識別規則とせずに、第1の実施形態と同様の識別規則を含む処理規則が通知される。第1の実施形態と同様の識別規則であっても、複数のフローを包含する識別規則を記述することができるので、処理規則を集約できる。従って、初段のパケット処理装置2においても、記憶する処理規則の数を削減することができる。 Further, the first-stage packet processing device 2a that receives a packet whose source MAC address has not been rewritten has a processing rule including an identification rule similar to that of the first embodiment without using a group identifier as an identification rule. Be notified. Even with the same identification rule as in the first embodiment, an identification rule including a plurality of flows can be described, so that processing rules can be aggregated. Therefore, the number of processing rules to be stored can be reduced also in the first-stage packet processing device 2.
 上記の例では、グループ識別子(上記の例では“X”,“Y”)で、パケットの送信元アドレスを書き換える場合を例示した。パケットにグループ識別子を付加する態様は、この例に限定されない。例えば、グループ識別子をパケット内のベンダ拡張領域に書き込むという内容を含む処理方法を、処理規則粒度決定部11が定めてもよい。 In the above example, the case where the source address of the packet is rewritten with the group identifier (“X”, “Y” in the above example) is illustrated. The mode of adding the group identifier to the packet is not limited to this example. For example, the processing rule granularity determination unit 11 may determine a processing method including the content of writing the group identifier in the vendor extension area in the packet.
 また、上記の例では、最終段のパケット処理装置2cに通知される処理規則内の識別規則が第1の実施形態と同様である場合を例にして説明した。最終段のパケット処理装置2cに通知される処理規則内の識別規則は、グループ識別子で表されていてもよい。 In the above example, the case where the identification rule in the processing rule notified to the packet processing apparatus 2c at the final stage is the same as that in the first embodiment has been described as an example. The identification rule in the processing rule notified to the final stage packet processing device 2c may be represented by a group identifier.
 次に、本発明の概要を説明する。図17は、本発明の制御装置の概要を示すブロック図である。本発明の制御装置は、フロー識別情報作成手段91と、処理規則作成手段92と、集約手段93と、通知手段94とを備える。 Next, the outline of the present invention will be described. FIG. 17 is a block diagram showing an outline of the control device of the present invention. The control device of the present invention includes a flow identification information creating unit 91, a processing rule creating unit 92, an aggregation unit 93, and a notification unit 94.
 フロー識別情報作成手段91(例えば、ステップS52を実行する処理規則粒度決定部11)は、フローを識別するためのフロー識別情報(例えば、識別規則)を作成する。 The flow identification information creating unit 91 (for example, the processing rule granularity determining unit 11 that executes step S52) creates flow identification information (for example, an identification rule) for identifying a flow.
 処理規則作成手段92(例えば、ステップS53を実行する処理規則粒度決定部11)は、フローのパケットに対する処理方法を定め、フロー識別情報および処理方法を含む処理規則を作成する。 The processing rule creation means 92 (for example, the processing rule granularity determination unit 11 that executes step S53) determines a processing method for a flow packet, and creates a processing rule including flow identification information and a processing method.
 集約手段93(例えば、ステップS53を実行する処理規則粒度決定部11)は、そのフローの処理規則と、他のフローの処理規則とを集約できる場合に、そのフローの処理規則と、他のフローの処理規則とを集約する。 When the aggregation unit 93 (for example, the processing rule granularity determination unit 11 that executes step S53) can aggregate the processing rule of the flow and the processing rule of the other flow, the processing rule of the flow and the other flow The processing rules are consolidated.
 通知手段94(例えば、ステップS55を実行する処理規則粒度決定部11)は、処理規則をパケット処理装置に通知する。 The notification means 94 (for example, the processing rule granularity determination unit 11 that executes Step S55) notifies the processing rule to the packet processing device.
 そのような構成によって、パケット処理装置が記憶する処理規則の数を削減することができる。 Such a configuration can reduce the number of processing rules stored in the packet processing apparatus.
 集約手段93が、別々のフローの処理規則に含まれる処理方法が同一である場合に、別々のフローの処理規則を集約できると判定する構成であってもよい。 The configuration may be such that the aggregation means 93 determines that the processing rules of different flows can be aggregated when the processing methods included in the processing rules of different flows are the same.
 集約手段93が、別々のフローの処理規則に含まれる処理方法が同一である場合に、別々のフローの処理規則を集約できると判定し、別々のフローのそれぞれに合致するフロー識別情報を定め、当該フロー情報とその処理方法とを含む処理規則を作成することによって、処理規則を集約する構成であってもよい。 The aggregation means 93 determines that the processing rules of the different flows can be aggregated when the processing methods included in the processing rules of the different flows are the same, determines flow identification information that matches each of the different flows, The configuration may be such that the processing rules are aggregated by creating a processing rule including the flow information and its processing method.
 フロー識別情報作成手段91が、フローのグループを識別するフロー識別情報を定め、
 集約手段93が、新たに生じたフローが、既に処理規則が作成されたフローと同一のグループに属するフローである場合、その処理規則を、新たに生じたフローの処理規則としても用いることによって、別々のフローの処理規則を集約する構成であってもよい。 The flow identification information creating unit 91 determines flow identification information for identifying a group of flows,
When the newly created flow is a flow that belongs to the same group as the flow for which the processing rule has already been created, the aggregation means 93 uses the processing rule as the processing rule for the newly generated flow. The configuration may be such that the processing rules of different flows are aggregated.
 以上、実施形態を参照して本願発明を説明したが、本願発明は上記の実施形態に限定されるものではない。本願発明の構成や詳細には、本願発明のスコープ内で当業者が理解し得る様々な変更をすることができる。 The present invention has been described above with reference to the embodiments, but the present invention is not limited to the above-described embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.
 この出願は、2014年3月14日に出願された日本特許出願2014-051330を基礎とする優先権を主張し、その開示の全てをここに取り込む。 This application claims priority based on Japanese Patent Application No. 2014-051330 filed on Mar. 14, 2014, the entire disclosure of which is incorporated herein.
産業上の利用の可能性Industrial applicability
 本発明は、パケット処理装置を制御する制御装置に好適に適用される。 The present invention is suitably applied to a control device that controls a packet processing device.
 1 制御装置
 2 パケット処理装置
 10 制御部
 11 処理規則粒度決定部
 12 管理DB記憶部 DESCRIPTION OF SYMBOLS 1 Control apparatus 2 Packet processing apparatus 10 Control part 11 Processing rule granularity determination part 12 Management DB memory | storage part

Claims (6)

  1.  パケットを処理するパケット処理装置を制御する制御装置であって、
     フローを識別するためのフロー識別情報を作成するフロー識別情報作成手段と、
     前記フローのパケットに対する処理方法を定め、前記フロー識別情報および前記処理方法を含む処理規則を作成する処理規則作成手段と、
     前記フローの処理規則と、他のフローの処理規則とを集約できる場合に、前記フローの処理規則と、前記他のフローの処理規則とを集約する集約手段と、
     処理規則をパケット処理装置に通知する通知手段とを備える
     ことを特徴とする制御装置。     A control device that controls a packet processing device that processes packets,
    Flow identification information creating means for creating flow identification information for identifying a flow;
    A processing rule creating means for defining a processing method for the packet of the flow, and creating a processing rule including the flow identification information and the processing method;
    An aggregating means for aggregating the processing rule of the flow and the processing rule of the other flow when the processing rule of the flow and the processing rule of the other flow can be aggregated;
    A control device comprising: notification means for notifying a packet processing device of a processing rule.
  2.  集約手段は、
     別々のフローの処理規則に含まれる処理方法が同一である場合に、前記別々のフローの処理規則を集約できると判定する
     請求項1に記載の制御装置。     Aggregation means
    The control device according to claim 1, wherein when the processing methods included in the processing rules of different flows are the same, it is determined that the processing rules of the different flows can be aggregated.
  3.  集約手段は、
     別々のフローの処理規則に含まれる処理方法が同一である場合に、前記別々のフローの処理規則を集約できると判定し、前記別々のフローのそれぞれに合致するフロー識別情報を定め、当該フロー情報と前記処理方法とを含む処理規則を作成することによって、処理規則を集約する
     請求項1または請求項2に記載の制御装置。     Aggregation means
    When the processing methods included in the processing rules of different flows are the same, it is determined that the processing rules of the different flows can be aggregated, flow identification information that matches each of the separate flows is determined, and the flow information The control device according to claim 1, wherein the processing rules are aggregated by creating a processing rule including the processing method.
  4.  フロー識別情報作成手段は、
     フローのグループを識別するフロー識別情報を定め、
     集約手段は、
     新たに生じたフローが、既に処理規則が作成されたフローと同一のグループに属するフローである場合、前記処理規則を、前記新たに生じたフローの処理規則としても用いることによって、別々のフローの処理規則を集約する
     請求項1に記載の制御装置。     The flow identification information creation means
    Define flow identification information that identifies groups of flows,
    Aggregation means
    When a newly generated flow belongs to the same group as a flow for which a processing rule has already been created, the processing rule is also used as a processing rule for the newly generated flow, so that The control device according to claim 1, wherein processing rules are collected.
  5.  パケットを処理するパケット処理装置を制御する制御方法であって、
     フローを識別するためのフロー識別情報を作成し、
     前記フローのパケットに対する処理方法を定め、前記フロー識別情報および前記処理方法を含む処理規則を作成し、
     前記フローの処理規則と、他のフローの処理規則とを集約できる場合に、前記フローの処理規則と、前記他のフローの処理規則とを集約し、
     処理規則をパケット処理装置に通知する
     ことを特徴とする制御方法。     A control method for controlling a packet processing device for processing a packet,
    Create flow identification information to identify the flow,
    Define a processing method for the packet of the flow, create a processing rule including the flow identification information and the processing method,
    When the processing rule of the flow and the processing rule of another flow can be aggregated, the processing rule of the flow and the processing rule of the other flow are aggregated,
    A control method characterized by notifying a packet processing device of a processing rule.
  6.  パケットを処理するパケット処理装置を制御するコンピュータに搭載される制御プログラムであって、
     前記コンピュータに、
     フローを識別するためのフロー識別情報を作成するフロー識別情報作成処理、
     前記フローのパケットに対する処理方法を定め、前記フロー識別情報および前記処理方法を含む処理規則を作成する処理規則作成処理、
     前記フローの処理規則と、他のフローの処理規則とを集約できる場合に、前記フローの処理規則と、前記他のフローの処理規則とを集約する集約処理、および、
     処理規則をパケット処理装置に通知する通知処理
     を実行させるための制御プログラム。     A control program installed in a computer that controls a packet processing device that processes packets,
    In the computer,
    Flow identification information creation processing for creating flow identification information for identifying a flow,
    A processing rule creation process for defining a processing method for the packet of the flow and creating a processing rule including the flow identification information and the processing method;
    An aggregation process for aggregating the processing rule for the flow and the processing rule for the other flow when the processing rule for the flow and the processing rule for the other flow can be aggregated; and
    A control program for executing notification processing for notifying packet processing devices of processing rules.
PCT/JP2014/006207 2014-03-14 2014-12-12 Control apparatus, control method and control program WO2015136585A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016507133A JPWO2015136585A1 (en) 2014-03-14 2014-12-12 Control device, control method, and control program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014-051330 2014-03-14
JP2014051330 2014-03-14

Publications (1)

Publication Number Publication Date
WO2015136585A1 true WO2015136585A1 (en) 2015-09-17

Family

ID=54071066

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/006207 WO2015136585A1 (en) 2014-03-14 2014-12-12 Control apparatus, control method and control program

Country Status (2)

Country Link
JP (1) JPWO2015136585A1 (en)
WO (1) WO2015136585A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015186213A (en) * 2014-03-26 2015-10-22 富士通株式会社 Control device and its table formation method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013008134A2 (en) * 2011-07-08 2013-01-17 Telefonaktiebolaget L M Ericsson (Publ) Controller driven oam for openflow
JP2013545320A (en) * 2010-12-01 2013-12-19 日本電気株式会社 COMMUNICATION SYSTEM, CONTROL DEVICE, COMMUNICATION METHOD, AND PROGRAM
JP2014505379A (en) * 2011-01-05 2014-02-27 日本電気株式会社 Communication control system, control server, transfer node, communication control method, and communication control program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013545320A (en) * 2010-12-01 2013-12-19 日本電気株式会社 COMMUNICATION SYSTEM, CONTROL DEVICE, COMMUNICATION METHOD, AND PROGRAM
JP2014505379A (en) * 2011-01-05 2014-02-27 日本電気株式会社 Communication control system, control server, transfer node, communication control method, and communication control program
WO2013008134A2 (en) * 2011-07-08 2013-01-17 Telefonaktiebolaget L M Ericsson (Publ) Controller driven oam for openflow

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015186213A (en) * 2014-03-26 2015-10-22 富士通株式会社 Control device and its table formation method

Also Published As

Publication number Publication date
JPWO2015136585A1 (en) 2017-04-06

Similar Documents

Publication Publication Date Title
JP5440691B2 (en) Packet transfer system, control device, transfer device, processing rule creation method and program
RU2523917C2 (en) Communication control system and communication control method
US20150131666A1 (en) Apparatus and method for transmitting packet
WO2012053540A1 (en) Communication system, control apparatus, configuration method for processing rules, and program
WO2015101119A1 (en) Flow table matching method and apparatus, and openflow exchanging system
US9363158B2 (en) Reduce size of IPV6 routing tables by using a bypass tunnel
JP6007972B2 (en) Communication node, packet processing method and program
JP2016019052A (en) Packet processing device, control program, and control method of packet processing device
US10084613B2 (en) Self adapting driver for controlling datapath hardware elements
JP5534033B2 (en) Communication system, node, packet transfer method and program
US10462064B2 (en) Maximum transmission unit installation for network traffic along a datapath in a software defined network
JP5720162B2 (en) Communication system, switching hub, and router
WO2015075862A1 (en) Network control device, network control method, and program
WO2014126094A1 (en) Communication system, communication method, control device, and control device control method and program
WO2015136585A1 (en) Control apparatus, control method and control program
US20150263990A1 (en) Network device, control method, and program
JP6127900B2 (en) Packet processing apparatus, packet processing method, and packet processing program
WO2016173196A1 (en) Method and apparatus for learning address mapping relationship
US20180198704A1 (en) Pre-processing of data packets with network switch application -specific integrated circuit
US20160337232A1 (en) Flow-indexing for datapath packet processing
KR101707073B1 (en) Error detection network system based on sdn
JP5854488B2 (en) Communication system, control device, processing rule setting method and program
US20120233431A1 (en) Relay device
JP7359299B2 (en) Packet identification device, packet identification method, and packet identification program
JP6898846B2 (en) Abnormal cause identification support system and abnormal cause identification support method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14885772

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2016507133

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14885772

Country of ref document: EP

Kind code of ref document: A1