WO2020165466A1 - Method and system for controlling traffic access to services on a software defined network (sdn) - Google Patents


Info

Publication number
WO2020165466A1
Authority
WO
WIPO (PCT)
Prior art keywords
bits
sdn
access
services
data packet
Prior art date
Application number
PCT/ES2019/070074
Other languages
Spanish (es)
French (fr)
Inventor
Daniel VELASCO BENITO
María Luisa García Osma
Original Assignee
Telefónica Digital España, S.L.U

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46: Interconnection of networks

Definitions

  • the present invention relates generally to the field of software defined networks (SDN).
  • the invention concerns a method and a system to control the access of traffic from physical devices, virtual machines or containers to certain services of an SDN network.
  • Patent application US 20130329734 A1 describes the use of different fields in the header of IP packets (both for IPv4 and IPv6) to redirect traffic to the most suitable service. It is also proposed to use the MAC source address for this same purpose.
  • the two main differences between that US patent application and the present invention are: (1) the source MAC address is not used to redirect traffic, but to determine whether a data packet has access to a given service (access control), and (2) specific MAC addresses are not used; instead, MAC prefixes or masks (segments of the MAC address) are used to aggregate multiple MAC addresses rather than matching individual MAC addresses.
  • the objective of using MAC prefixes is to avoid having to introduce a rule in the switches for each node and service to be managed, so that the number of rules in the TCAM table is reduced and their use is optimized, avoiding the scalability problems that other solutions present.
  • the international patent application WO 2017180098 A1 suggests the use of portions of the source MAC address to encode the services to which the data packets must be sent, in a similar way to that discussed on service chaining.
  • the present invention uses the MAC address to control access to services, not to forward data packets; forwarding is done based on the destination IP address, which is translated into the corresponding destination MAC.
  • US patent 9742589 B2 provides a method to implement service chaining by rewriting the source and destination MACs of data packets.
  • the present invention does not rewrite MACs, but rather uses portions of them to give access to certain services.
  • Exemplary embodiments of the present invention provide, according to a first aspect, a method for controlling traffic access to services in an SDN network.
  • the method comprises receiving, by a virtual machine in a data center, a data packet from a node for a given service on the SDN network; checking, by an SDN controller or by a switch operatively connected to the SDN controller, whether one or more bits of a series of bits of the data packet address have a specific value; and allowing, by the SDN controller or by the switch, access to said given service only if the value of said one or more bits of the series of bits matches a MAC mask preset for said given service.
  • said virtual machine replaces a source or destination MAC mask of said data packet with said new MAC mask. Thus, for a packet coming from outside the data center, a switch controlled by the SDN controller, for example, will take care of rewriting the original MAC address of the packet when the data packet enters the data center. This rewriting composes the new MAC address with the bits or bit mask that appropriately encodes the permissions of that data packet. It is important to note that this MAC rewriting already occurs every time a packet crosses a switch; in this case it is simply used to reflect the access permissions of the data packet, since the data center is an environment under the control of the SDN controller. Once the data packet has entered the data center, the internal switches will use this new MAC address to determine access to the destination resource.
  • alternatively, the virtual machine does not replace the MAC mask and is itself the one that originates the traffic. This would be the case of a data center with database machines and machines that have to access the databases, where it is desired that they be able to communicate with each other and with no other machine. In this case the MAC would not have to be replaced; it would only be necessary to check that all of them have the appropriate masks to talk to each other.
  • the replacement of the source or destination MAC mask by the new MAC mask is performed after receiving an indication from a cloud controller.
  • the cloud controller in this case receives an indication of the new MAC mask to be replaced from a provisioner computing device operatively connected to it.
  • said node can be a physical device, a virtual machine or a container.
  • each one of said one or more bits of said series of bits allows access to a different service.
  • said one or more bits allow access to different combinations of services.
  • Exemplary embodiments of the present invention also provide, according to a second aspect, a system for controlling traffic access to services in an SDN network.
  • the elements / devices / modules that are part of the proposed system are configured to implement the steps of the method of the first aspect of the invention.
  • the proposed mechanism allows controlling the access of traffic from physical devices or virtual machines to certain services or destinations within a network, using the MAC address of the source or destination device or virtual machine to determine if the communication is allowed.
  • the difference between the proposed method and current implementations lies in the use of segments of the MAC address as a prefix or mask, so that instead of requiring one SDN rule per device/MAC address, masks or prefixes are used that aggregate multiple nodes, which will have been assigned a MAC address according to the services or networks they can access.
  • the present invention can be applied to fixed, mobile and company networks, in which the SDN technology is to be deployed.
  • Fig. 1 is a flow chart illustrating an exemplary embodiment of a method for controlling traffic access to services in an SDN network.
  • Fig. 2 is a flow chart illustrating another embodiment of the proposed method.
  • Fig. 3 is a flow diagram that illustrates how a switch gives access or not to a certain service, according to an embodiment of the present invention.
  • Figs. 4 and 5 show different examples of MAC addresses that can be replaced to give access to certain services on the SDN network.
  • Fig. 1 shows an exemplary embodiment of a method for controlling traffic access to services of a network defined by SDN.
  • a virtual machine 121 in a data center receives a data packet from a node (e.g. a physical device or a virtual machine) for a given service 200 on the SDN network.
  • an SDN controller 130, or a switch 131 operatively connected to the SDN controller 130, checks whether one or more bits of a series of bits of a new MAC mask of the received data packet have a specific value.
  • said SDN controller 130 or switch 131 allows access to said given service only if the value of said one or more bits of the series of bits matches a MAC mask preset for said given service.
  • the proposed method proposes a new way of implementing access control in SDN networks, which increases scalability and improves performance.
  • using SDN, that is, the switching layer itself, to perform access control is a technique used in various environments, but it presents scalability problems, since the number of rules required means that it can only be applied to a limited number of services and devices.
  • the proposed method grants a data packet access to a specific service, network or destination without checking the complete source or destination address: only whether one or more bits of the series of bits of that address have a specific value, which allows a single rule to cover multiple machines or devices.
  • virtual machines or containers can be created and assigned MAC addresses that contain the bits that correspond to the access rules that will be installed on the switching nodes. Thus, access can be given, in a simple and scalable way, to the services or networks deemed appropriate.
  • if a series of instances should stop having access to certain sites, the MAC address of the virtualized device can be changed without changing the rules installed in the switching nodes, which enables additional functionality.
  • an orchestrator 100 of the solution requests that a provisioner computing device 110 deploy a virtual machine 121 (or alternatively a device) that can connect to a specific service 200.
  • the provisioner computing device 110 identifies the MAC mask that gives access to that service 200 and requests that the cloud 120 deploy a virtual machine 121 whose MAC address includes the new mask (that is, the combination of bits) that gives access to service 200.
  • the SDN controller 130 is configured so that only data packets that have the correct MAC mask can access service 200, so it will only allow communication to those machines that have been configured to access service 200.
  • in Fig. 2 it is assumed that the SDN controller 130 is configured in reactive mode, so all new flows will arrive at the SDN controller 130.
  • alternatively, the flows are predefined in the switches 131, that is, the SDN controller 130 programs/configures the switches 131 to accept or reject data packets based on certain rules.
  • the SDN controller 130 will indicate to the switches 131 the new MAC mask that data packets going to certain services must have, and will only allow access to those data packets that come from machines authorized to access the services, which it identifies by their MAC mask.
  • in Fig. 3 it can be seen how only the data packets whose MAC segment corresponds to service 200 will be able to access it, while those lacking that segment will not be able to access service 200.
  • the orchestrator 100 could request the provisioning computing device 110 to modify the MAC address of said node so that it does not contain the mask that gives access to service 200.
  • Fig. 4 shows an example of the new replaced MAC mask in which 3 specific bits of the MAC address of a device are used to give access to three different services, in this case video, games and storage.
  • the proposed method allows the creation of complex rules in virtualized environments, which allow access to various services in a simple way, since it is enough to properly set the MAC addresses of the virtual machines 121, 122 in which the services 200 are deployed.
  • this mechanism can also be used to route, or to grant network access to, devices considered trusted once identified by their MAC, since the proposed method could filter by manufacturer or device type where the corresponding MAC identifies it.
  • the present invention has great flexibility and it is possible to choose whether specific bits give access to certain services / networks or combinations of bits of the MAC address allow access to combinations of services, as can be seen in Fig. 5.
  • the present invention solves the scalability problem of layer 2 (source/destination MAC) solutions for access control and provides a very flexible and efficient way to do it. Additionally, access control policies are enforced more efficiently and flexibly, since instead of needing a firewall or an access/security management mechanism, the control is implemented in the switching layer itself, using the same SDN mechanisms used to define routing policies.
  • a possible application of the proposed solution could be in multitenant cloud environments, where as an additional security layer different masks would be assigned to the virtualized instances of the different clients, which would be used to prevent access by the traffic of some clients' machines to those of others.
  • Computer-readable medium includes computer storage medium.
  • the storage medium can be any available medium that can be accessed by a computer.
  • such computer-readable medium may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks normally reproduce data magnetically, whereas discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable medium.
  • Any processor and storage medium can reside in an ASIC.
  • the ASIC can reside in a user terminal.
  • the processor and storage medium can reside as discrete components in a user terminal.
  • computer program products comprising computer-readable media include all forms of computer-readable medium except to the extent that such medium is considered to be a non-statutory transitory propagating signal.

Abstract

The invention relates to a method and system for controlling traffic access to services on a software defined network (SDN). The method comprises (a) receiving, by a virtual machine in a data centre, a data packet from a node for a particular service on the SDN network; (b) checking, by an SDN controller or by a switch operationally connected to the SDN controller, whether one or more bits of a bit string of a new MAC mask of said received data packet have a specific value, wherein the bit string establishes rules for accessing one or more services of the SDN network; and c) allowing, by the SDN controller or by the switch, access to said particular service only if the value of said one or more bits of the bit string matches a predetermined MAC mask for said particular service.

Description

Method and system for controlling traffic access to services on a software-defined network (SDN)
Technical field
The present invention relates generally to the field of software-defined networks (SDN). In particular, the invention concerns a method and a system for controlling the access of traffic coming from physical devices, virtual machines or containers to certain services of an SDN network.
Background of the invention
Patent application US 20130272305 A1 discloses a method for rewriting the destination MAC address of data packets in order to send them to the chosen destination node or to implement services such as a transparent proxy. In contrast, the solution proposed in the present invention does not rewrite the destination (or source) address of data packets, but uses it to perform access control functions. Unlike that US patent application, the present invention provides a screening/policing service that can be implemented efficiently in the switches to manage access to different services of an SDN network.
Patent application US 20130329734 A1 describes the use of different fields of the IP packet header (for both IPv4 and IPv6) to redirect traffic to the most suitable service. It also proposes using the source MAC address for the same purpose. The two main differences between that US patent application and the present invention are: (1) the source MAC address is not used to redirect traffic, but to determine whether a data packet has access to a given service (access control), and (2) specific MAC addresses are not used; instead, MAC prefixes or masks (segments of the MAC address) are used to aggregate multiple MAC addresses rather than matching individual MAC addresses. The purpose of using MAC prefixes is to avoid having to introduce a rule in the switches for each node and service to be managed, so that the number of rules in the TCAM table is reduced and their use is optimized, avoiding the scalability problems that other solutions present.
International patent application WO 2017180098 A1 suggests using portions of the source MAC address to encode the services to which data packets must be sent, in a way similar to that discussed for service chaining. In contrast, the present invention uses the MAC address to control access to services, not to forward data packets; forwarding is done based on the destination IP address, which is translated into the corresponding destination MAC.
US patent 9742589 B2 provides a method for implementing service chaining by rewriting the source and destination MACs of data packets. In contrast, the present invention does not rewrite MACs, but uses portions of them to grant access to certain services.
The above state-of-the-art solutions implement routing functionalities that allow data packets to pass transparently through intermediate services (this functionality is usually known as "service chaining" or orchestration). Likewise, the state-of-the-art solutions do not allow the access control function to be optimized, that is, to ensure that data packets can only reach their destination if they are authorized, without this costing computing capacity or adding delay.
Therefore, new methods and/or systems are required that are scalable and that simplify the rules controlling the access of traffic, coming from physical devices or virtual machines, to certain services of an SDN network.
Disclosure of the invention
Exemplary embodiments of the present invention provide, according to a first aspect, a method for controlling traffic access to services of an SDN network. The method comprises receiving, by a virtual machine of a data center, a data packet coming from a node for a given service of the SDN network; checking, by an SDN controller or by a switch operatively connected to the SDN controller, whether one or more bits of a series of bits of the address of the data packet have a specific value; and allowing, by the SDN controller or by the switch, access to said given service only if the value of said one or more bits of the series of bits matches a MAC mask preset for said given service.
In an exemplary embodiment, and in response to receiving the data packet, said virtual machine replaces a source or destination MAC mask of said data packet with said new MAC mask. Thus, for a packet coming from outside the data center, a switch controlled by the SDN controller, for example, will take care of rewriting the original MAC address of the packet when the data packet enters the data center. This rewriting composes the new MAC address with the bits or bit mask that appropriately encodes the permissions of that data packet. It is important to note that this MAC rewriting already occurs every time a packet crosses a switch; in this case it is simply used to reflect the access permissions of the data packet, since the data center is an environment under the control of the SDN controller. Once the data packet has entered the data center, the internal switches will use this new MAC address to determine access to the destination resource.
Alternatively, in the proposed method, there is also the possibility that the virtual machine does not replace the MAC mask and is itself the one that originates the traffic. This would be the case of a data center with database machines and machines that have to access the databases, where it is desired that they be able to communicate with each other and with no other machine. In this case the MAC would not have to be replaced; it would only be necessary to check that all of them have the appropriate masks to talk to each other.
In a particular embodiment, the replacement of the source or destination MAC mask by the new MAC mask is performed after receiving an indication from a cloud controller. The cloud controller in this case receives an indication of the new MAC mask to be substituted from a provisioner computing device operatively connected to it.
According to the proposed method, said node can be a physical device, a virtual machine or a container.
In an exemplary embodiment, each of said one or more bits of said series of bits grants access to a different service. Alternatively, said one or more bits grant access to different combinations of services.
Exemplary embodiments of the present invention also provide, according to a second aspect, a system for controlling traffic access to services of an SDN network. The elements/devices/modules that form part of the proposed system are configured to implement the steps of the method of the first aspect of the invention.
The proposed mechanism allows controlling the access of traffic coming from physical devices or virtual machines to certain services or destinations within a network, using the MAC address of the source or destination device or virtual machine to determine whether the communication is allowed. The difference between the proposed method and current implementations lies in the use of segments of the MAC address as a prefix or mask, so that instead of requiring one SDN rule per device/MAC address, masks or prefixes are used that aggregate multiple nodes, which will have been assigned a MAC address according to the services or networks they can access. In this way, the use of SDN for access control becomes a scalable solution, since it eliminates the problems related to the size of the TCAM (Ternary Content Addressable Memory) table, which limits such solutions to a few hundred devices/rules.
With this solution, the access control rules are considerably simplified, since it is not necessary to install in the switching nodes one rule per client and service (N×M), but only one rule per service (M). This is possible because the source MAC of the data packets is used to encode the permissions of the source node; the switching layer therefore no longer has to check the full source address of each data packet to verify whether a specific rule indicates that it has permission to reach the destination, but only whether the source MAC contains the value of the bit (or bits) corresponding to that service, so that a single rule grants access to all the nodes that may access a service.
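The per-service mask check, the single-bit and combined-bit embodiments described for Figs. 4 and 5, and the N×M versus M rule count, worked through as an added example that is not part of the patent or of any Telefónica implementation. The bit positions (bit 0 video, bit 1 games, bit 2 storage in the last octet), the bundled-service combination, the base MAC values and the Open vSwitch-style `dl_src=addr/mask` match strings are all assumptions chosen for illustration:

```python
"""Added example (not code from the patent): access control by MAC mask,
one switch rule per service instead of one rule per (node, service) pair."""
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """'02:00:00:00:00:05' -> 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value: int) -> str:
    """48-bit integer -> colon-separated lower-case MAC string."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


# Assumed bit layout (after Fig. 4): three bits of the last octet, one per service.
VIDEO, GAMES, STORAGE = 1 << 0, 1 << 1, 1 << 2
PERMISSION_BITS = VIDEO | GAMES | STORAGE
LOCALLY_ADMINISTERED = 1 << 41  # 0x02 in the first octet
MULTICAST = 1 << 40             # 0x01 in the first octet


@dataclass(frozen=True)
class ServiceRule:
    """One switch rule: a packet may reach `service` iff (src_mac & mask) == value."""
    service: str
    mask: int
    value: int

    def allows(self, src_mac: int) -> bool:
        return (src_mac & self.mask) == self.value

    def ovs_match(self) -> str:
        """OVS-style masked match (dl_src=addr/mask): the single rule for this service."""
        return f"dl_src={int_to_mac(self.value)}/{int_to_mac(self.mask)}"


# Single-bit embodiment: each bit grants one service.
SINGLE_BIT_RULES = [
    ServiceRule("video", VIDEO, VIDEO),
    ServiceRule("games", GAMES, GAMES),
    ServiceRule("storage", STORAGE, STORAGE),
]
# Combination embodiment (Fig. 5 style, assumed): video and games bits set
# together unlock an extra bundled service.
COMBO_RULES = [ServiceRule("bundle", VIDEO | GAMES, VIDEO | GAMES)]


def assign_mac(base_mac: str, *grants: int) -> str:
    """Provisioner step: compose a VM MAC that carries the permission bits.

    The locally-administered bit is forced on and the multicast bit off so the
    constructed address cannot collide with a vendor-assigned unicast MAC."""
    perm = 0
    for g in grants:
        perm |= g
    value = (mac_to_int(base_mac) & ~PERMISSION_BITS) | perm
    value = (value | LOCALLY_ADMINISTERED) & ~MULTICAST
    return int_to_mac(value)


def revoke(mac: str, grant: int) -> str:
    """Orchestrator step: re-issue the MAC without a grant; switch rules stay unchanged."""
    return int_to_mac(mac_to_int(mac) & ~grant)


def check_access(rules, src_mac: str, service: str) -> bool:
    """Switch step: allow only if a rule for `service` matches the masked source MAC."""
    mac = mac_to_int(src_mac)
    return any(r.service == service and r.allows(mac) for r in rules)


def rules_needed(num_nodes: int, num_services: int) -> tuple:
    """(rules with one entry per node and service, rules with one mask per service)."""
    return num_nodes * num_services, num_services


if __name__ == "__main__":
    vm = assign_mac("02:00:00:00:00:00", VIDEO, STORAGE)
    print("VM MAC:", vm)
    for rule in SINGLE_BIT_RULES:
        print(rule.ovs_match(), rule.service, check_access(SINGLE_BIT_RULES, vm, rule.service))
    print("after revoking video:", revoke(vm, VIDEO))
    print("rules for 1000 nodes x 3 services (per-node, per-service):", rules_needed(1000, 3))
```

The provisioner composes the VM's MAC from the permission bits, the switch installs one masked match per service, and withdrawing access means re-issuing the MAC rather than touching the installed rules. The check is only as strong as the control over who can set source MACs inside the segment, which is why the description has the edge switch rewrite the MAC of every packet entering the data center before the internal switches consult it.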
La presente invención se puede aplicar a redes fijas, móviles y de empresa, en las que se quiera desplegar la tecnología SDN. The present invention can be applied to fixed, mobile and company networks, in which the SDN technology is to be deployed.
Brief description of the drawings
The above and other features and advantages will be more fully understood from the following detailed description of some exemplary embodiments, which is merely illustrative and not limiting, with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart illustrating an exemplary embodiment of a method for controlling traffic access to services of an SDN network.
Fig. 2 is a flow chart illustrating another exemplary embodiment of the proposed method.
Fig. 3 is a flow chart illustrating how a switch grants or denies access to a given service, according to an exemplary embodiment of the present invention.
Figs. 4 and 5 show different examples of the MAC addresses that can be replaced to give access to certain services of the SDN network.
Detailed description of the invention and of some exemplary embodiments
Fig. 1 shows an exemplary embodiment of a method for controlling traffic access to services of a software-defined network (SDN). According to this embodiment, in step 1001 a virtual machine 121 of a data center receives a data packet from a node (e.g. a physical device or a virtual machine) for a given service 200 of the SDN network. In step 1002, an SDN controller 130, or a switch 131 operatively connected to the SDN controller 130, checks whether one or more bits of a series of bits of a new MAC mask of the received data packet have a specific value. Finally, in step 1003, said SDN controller 130 or switch 131 allows access to said given service only if the value of said one or more bits of the series of bits matches a MAC mask preset for said given service.
The proposed method therefore introduces a new way of implementing access control in SDN networks that increases scalability and improves performance. Using SDN, that is, the switching layer itself, to perform access control is a technique used in various environments, but it presents scalability problems, since the number of rules required means that it can only be applied to a limited number of services and devices.
Hence, by establishing rules with masks or prefixes, that is, using part of the source or destination MAC address, the proposed method allows a data packet access to a given service, network or destination. The complete source or destination address is therefore not checked; instead, the check is whether one or more bits of its series of bits have a specific value, which allows a single rule to be set for multiple machines or devices. In this way, in a virtualized infrastructure, virtual machines or containers can be created and assigned MAC addresses that contain the bits corresponding to the access rules that will be installed in the switching nodes. Access can thus be given, in a simple and scalable way, to whichever services or networks are deemed appropriate. Additionally, if a set of instances is to lose access to certain sites, the MAC address of the virtualized device can be changed without having to change the rules installed in the switching nodes, which will enable additional functionalities.
Referring now to Fig. 2, another exemplary embodiment of the proposed method is shown. In this case, an orchestrator 100 of the solution requests a provisioner computing device 110 to deploy a virtual machine 121 (or alternatively a device) that can connect to a given service 200. To do so, the provisioner computing device 110 identifies the MAC mask that gives access to that service 200 and requests the cloud controller 120 to deploy a virtual machine 121 whose MAC address includes the new mask (that is, the combination of bits) that gives access to service 200. The SDN controller 130 is configured so that only data packets carrying the correct MAC mask can access service 200, so it will only allow communication from those machines that have been configured to access service 200.
In Fig. 2 it has been assumed that the SDN controller 130 is configured in reactive mode, so all new flows will reach the SDN controller 130. However, the flows may instead be predefined in the switches 131, that is, the SDN controller 130 programs/configures the switches 131 so that they accept or reject data packets according to certain rules. In this way, the SDN controller 130 indicates to the switches 131 the new MAC mask that data packets addressed to certain services must carry, and only allows access to those data packets that come from machines authorized to access the services, which it identifies by their MAC mask. Fig. 3 shows how only the data packets whose MAC segment corresponds to service A 200 can gain access, while those that do not carry it cannot access service 200.
If a node were to lose access to service 200, the orchestrator 100 could request the provisioner computing device 110 to modify the MAC address of that node so that it no longer contains the mask that gives access to service 200.
Fig. 4 shows an example of the new replaced MAC mask in which 3 specific bits of a device's MAC address are used to give access to three different services, in this case video, games and storage. Alternatively, a combination of bits (e.g. b7b6b5b4=1111) could have been chosen to give access to a given service. For example, a client with b7b6=11 could access the video and games services. Another option would be to encode the access in a set of bits, for example b7b6b5b4=1001 to access the video service. A further option is for a series of bits to give access to a series of services, for example b3b2b1=110 gives access to business services, such as storage and remote desktop. The proposed method allows complex rules to be created in virtualized environments that grant access to several services in a simple way, since it suffices to set appropriately the MAC addresses of the virtual machines 121, 122 in which the services 200 are deployed.
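The mask check of steps 1002 and 1003, the one-rule-per-service property, and the bit layouts of Fig. 4 (one bit per service, a run of bits such as b7b6b5b4=1001 for a single service), worked through as an added Python example. This code is not part of the patent or of any product of the applicant; the service-to-bit assignment, the base MAC address, the rule representation and all names are constructed assumptions. The `dl_src=ADDR/MASK` string is the Open vSwitch syntax for a masked Ethernet source match and is shown only to illustrate how a switch would be programmed with one rule per service in the proactive mode described above.

```python
"""Encode service permissions in MAC address bits and match them with one
masked rule per service.  Added example; the bit layout, base address and
names are constructed assumptions, not the patent's own values."""
from dataclasses import dataclass

# Constructed layout following Fig. 4: one bit of the last octet per service.
# Bit 7 is the most significant bit of that octet.
SERVICE_BITS = {"video": 7, "games": 6, "storage": 5}

# Constructed base address: locally administered unicast prefix with the
# permission octet initially zero.
BASE_MAC = "02:00:5e:00:00:00"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def assign_mac(base: str, services) -> str:
    """Provisioner side: set the permission bit of every granted service."""
    value = mac_to_int(base)
    for service in services:
        value |= 1 << SERVICE_BITS[service]
    return int_to_mac(value)


def revoke(mac: str, service: str) -> str:
    """Withdraw one service by clearing its bit; the switch rules do not change."""
    return int_to_mac(mac_to_int(mac) & ~(1 << SERVICE_BITS[service]))


@dataclass(frozen=True)
class MaskRule:
    service: str
    value: int  # required bit values, as a 48-bit integer
    mask: int   # bits that are compared; all other bits are ignored

    def allows(self, src_mac: str) -> bool:
        """Switch/controller side: compare only the masked bits (step 1002/1003)."""
        return (mac_to_int(src_mac) & self.mask) == self.value

    def ovs_match(self) -> str:
        """Masked Ethernet source match in Open vSwitch syntax (dl_src=ADDR/MASK)."""
        return f"dl_src={int_to_mac(self.value)}/{int_to_mac(self.mask)}"


def single_bit_rule(service: str) -> MaskRule:
    """Fig. 4 style: one bit grants one service."""
    bit = 1 << SERVICE_BITS[service]
    return MaskRule(service, value=bit, mask=bit)


def pattern_rule(service: str, pattern: str, high_bit: int = 7) -> MaskRule:
    """Rule over a run of bits, e.g. pattern "1001" meaning b7b6b5b4=1001."""
    mask = value = 0
    for offset, ch in enumerate(pattern):
        bit = 1 << (high_bit - offset)
        mask |= bit
        if ch == "1":
            value |= bit
    return MaskRule(service, value=value, mask=mask)


def install_rules(services):
    """One rule per service (M rules) instead of one per client and service (N×M)."""
    return {s: single_bit_rule(s) for s in services}


def check_access(rules, src_mac: str, service: str) -> bool:
    """True only if an installed rule for the service matches the masked bits."""
    rule = rules.get(service)
    return rule is not None and rule.allows(src_mac)


if __name__ == "__main__":
    rules = install_rules(SERVICE_BITS)
    vm = assign_mac(BASE_MAC, ["video", "games"])
    print(vm, {s: check_access(rules, vm, s) for s in SERVICE_BITS})
    print(rules["video"].ovs_match())
```

The rule table size depends only on the number of services, which is the scalability point of the text: adding a client means assigning a MAC, not installing a rule, and `revoke` changes the client's address rather than the switch state.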
Additionally, this mechanism can be used to route, or to allow network access to, devices considered trustworthy once identified by their MAC, since the proposed method could filter by manufacturer or device type if the corresponding MAC identifies it.
The present invention is highly flexible: one may choose to have specific bits give access to given services/networks, or to have combinations of bits of the MAC address give access to combinations of services, as shown in Fig. 5.
The methodology could be extended to use layer 3 (IP) addresses for access control. However, this option would provide less security, since it is much easier to change the IP address than the MAC address. A limitation of this procedure is the possibility of MAC spoofing (changing or impersonating the MAC address), so its use is limited to those environments in which this is not feasible or in which mechanisms to detect it are available.
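The paragraph above conditions the scheme on having a way to detect MAC spoofing. One such mechanism, as an added Python example that is not part of the patent: since the provisioner assigns both the MAC address and the attachment point of each virtual machine, the switch or controller can compare the source MAC of an incoming packet with the switch port recorded at provisioning time, and refuse to honour the permission bits when they disagree. The provisioning record format, the switch and port names and the sample packets are constructed assumptions.

```python
"""Flag packets whose source MAC does not arrive at the attachment point the
provisioner recorded for it.  Added example; the binding record, switch/port
names and sample packets are constructed."""
from typing import Dict, List, Tuple

# Constructed provisioning records: MAC -> (switch, ingress port) where the
# cloud controller attached the virtual machine carrying that MAC.
PROVISIONED: Dict[str, Tuple[str, int]] = {
    "02:00:5e:00:00:c0": ("sw1", 3),  # VM granted video and games bits
    "02:00:5e:00:00:40": ("sw1", 4),  # VM granted the games bit only
}

# Constructed sample packets as the switch or controller would see them.
SAMPLE_PACKETS = [
    {"src_mac": "02:00:5e:00:00:c0", "switch": "sw1", "in_port": 3},  # legitimate
    {"src_mac": "02:00:5e:00:00:c0", "switch": "sw1", "in_port": 4},  # c0 from port of VM 40
    {"src_mac": "02:00:5e:00:00:ff", "switch": "sw2", "in_port": 1},  # never provisioned
]


def classify(packet: dict, provisioned=PROVISIONED) -> str:
    """'ok' when the MAC arrives where it was provisioned, 'spoof' when a
    provisioned MAC shows up at another attachment point, 'unknown' when the
    MAC was never provisioned (so its permission bits mean nothing)."""
    binding = provisioned.get(packet["src_mac"])
    if binding is None:
        return "unknown"
    if (packet["switch"], packet["in_port"]) != binding:
        return "spoof"
    return "ok"


def audit(packets, provisioned=PROVISIONED) -> List[Tuple[int, str]]:
    """(index, verdict) for every packet whose MAC-encoded permissions should
    not be trusted; an empty list means all packets came from where expected."""
    findings = []
    for index, packet in enumerate(packets):
        verdict = classify(packet, provisioned)
        if verdict != "ok":
            findings.append((index, verdict))
    return findings


if __name__ == "__main__":
    for index, verdict in audit(SAMPLE_PACKETS):
        print(index, verdict, SAMPLE_PACKETS[index]["src_mac"])
```

In an SDN deployment this check belongs next to the mask rule: the binding can be pushed to the switch as a per-port match on the source MAC, so the permission bits are only evaluated for frames that enter on the port the provisioner assigned.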
The present invention solves the scalability problem of layer 2 (source/destination MAC) based access control solutions and provides a very flexible and efficient way of implementing it. Additionally, access control policies are enforced more efficiently and flexibly, since instead of requiring a firewall or an access/security management mechanism, they are implemented in the switching layer itself, using the same SDN mechanisms that are used to define routing policies.
A possible application of the proposed solution would be in multi-tenant cloud environments, where, as an additional security layer, different masks would be assigned to the virtualized instances of the different clients and used to prevent traffic from one client's machines from reaching those of another.
The proposed invention can be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions can be stored in or encoded as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media. The storage medium can be any available medium that can be accessed by a computer. By way of example, and not limitation, such a computer-readable medium may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media. Any processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. Alternatively, the processor and the storage medium may reside as discrete components in a user terminal.
As used herein, computer program products comprising computer-readable media include all forms of computer-readable media except, to the extent that such media are considered to be non-statutory, transitory propagating signals.
The scope of the present invention is defined in the appended claims.

Claims

1. A method for controlling traffic access to services of a software-defined network (SDN), comprising:
a) receiving, by a virtual machine of a data center, a data packet from a node for a given service of the SDN network;
b) checking, by an SDN controller or by a switch operatively connected to the SDN controller, whether one or more bits of a series of bits of a new MAC mask of said received data packet have a specific value, wherein the series of bits establishes access rules to one or more services of the SDN network; and
c) allowing, by the SDN controller or by the switch, access to said given service only if the value of said one or more bits of the series of bits matches a MAC mask preset for said given service.
2. The method according to claim 1, wherein, prior to said step b) and in response to receiving the data packet, the virtual machine replaces a source or destination MAC mask of said data packet with said new MAC mask.
3. The method according to claim 2, wherein said replacement of the source or destination MAC mask with the new MAC mask is performed after receiving an indication from a cloud controller, and wherein a provisioner computing device operatively connected to the cloud controller indicates to the cloud controller the new MAC mask to be used in the replacement.
4. The method according to claim 1, wherein said node comprises a physical device.
5. The method according to claim 1, wherein the node comprises a virtual machine.
6. The method according to the preceding claims, wherein each of said one or more bits of the series of bits allows access to a different service.
7. The method according to preceding claims 1 to 5, wherein said one or more bits of the series of bits allow access to different combinations of services.
8. A system for controlling traffic access to services of a software-defined network (SDN), comprising:
at least one node; at least one virtual machine (121, 122) of a data center, configured to receive a data packet from said node for a given service (200) of the SDN network; and
an SDN controller (130) or a switch (131) operatively connected to the SDN controller (130), configured to check whether one or more bits of a series of bits of a new MAC mask of said received data packet have a specific value, wherein the series of bits establishes access rules to one or more services of the SDN network, and to allow access to said given service (200) only if the value of said one or more bits of the series of bits matches a MAC mask preset for said given service (200).
9. The system according to claim 8, wherein said virtual machine (121, 122) is configured to, in response to receiving the data packet, replace a source or destination MAC mask of said data packet with said new MAC mask.
10. The system according to claim 9, comprising:
a provisioner computing device (110); and
a cloud controller (120),
wherein the provisioner computing device (110) is configured to indicate to the cloud controller (120) the new MAC mask to be used in the replacement, and
wherein the cloud controller (120) is configured to deploy said at least one virtual machine (121, 122) so that it performs the replacement of the source or destination MAC mask with the new MAC mask.
11. The system according to preceding claims 7 or 8, wherein said node comprises a physical device.
12. The system according to preceding claims 7 or 8, wherein said node comprises a virtual machine.
PCT/ES2019/070074 2019-02-12 2019-02-12 Method and system for controlling traffic access to services on a software defined network (sdn) WO2020165466A1 (en)

Publications (1)

Publication Number Publication Date
WO2020165466A1 (en) 2020-08-20


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19915376

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19915376

Country of ref document: EP

Kind code of ref document: A1