FR2961365A1 - METHOD OF MANAGING SECURE FLOWS BETWEEN SEVERAL SITES AND ASSOCIATED ROUTER-DISTRIBUTOR - Google Patents

Abstract

The present invention relates to a secure flow management method between several sites, for example campus type, and an encrypting router for implementing said method.

Description

Method for managing secure flows between multiple sites and associated router-encryptor

The present invention relates to a secure flow management method between several sites, for example campus type, and a routing device and encryption or "encryption router" to implement said method.

Network telecommunications architectures, particularly military networks, are distinguished by the fact that they interconnect through military networks with strong resilience capabilities for the transmission of sensitive flows for the benefit of vital users and that they have also civilian means to ensure the flow of non-sensitive flows for the benefit of non-vital users. Sensitive flows are understood to mean confidentiality flows as well as routing or operational constraints. The confidentiality protection of the flows is ensured by the applications or by other means implemented in the networks of services (campuses) and which do not influence directly on the architecture of the system. The transport in the services (that is to say LANs, Local Area Network for local networks and / or MAN, Metropolitan Area Network for metropolitan networks) sensitive and non-sensitive flows is characterized by the fact that all the flows are carried on a single, non-sensitive MAN (non-sensitive flows are by their nature more voluminous and affect a larger number of users). To provide Wide Area Network (WAN) routing protection for all streams (both sensitive and non-sensitive), these streams are transported encrypted over WANs via IPsec tunnels ("Internet Protocol Security"). "). Means with high resilience capabilities are high resource capacity terrestrial infrastructure means or satellite infrastructure facilities with lower resource capacity and quality of service constraints (also referred to as QoS for Quality of Service) for example in terms of latency, transit time, packet loss. The communication between the users located in the services is constrained by the use of IPsec encryptors and it obeys rules of communications established generally in static ways, these rules define the having right to communicate (generally sub-networks) and the distant sites (IPsec security equipment) that these rights holders can achieve. This information is contained in a database called SPD ("Security Policy Database"). SPD is not dynamically modifiable and requires manual configuration by an operator. The set of rules listed in the SPD is called the "flow security policy". The flows between the campuses are of different types, they are identified by a traffic class in the DiffServ sense, the DiffServ field being a field of the header of an IP packet. Network edge devices do not perform flow processing based on traffic class, but on a class of service, a class of service being a grouping of a set of traffic classes. This principle makes it possible to carry out equal treatment on flows having identical technical constraints, such as the transit time, for example. With current systems, as shown in Figure 16a, encryption is done before routing. It is necessary to have two routing plans, a routing plan in the red (before the encryptors) and a routing plan in the dark (after the encryptors). However, it is not possible to correlate these two routing plans, because the black routing plan is hidden and inaccessible due to the use of VPN IPsec ("Virtual Private Network Internet Protocol Security"). A known technique is to use both WAN networks in "backup" function, that is to say that the second WAN will only be used if the first is in lack of connectivity. In the other cases and in particular in case of saturation of the WAN, the flows continue to take the saturated WAN. Finally, to allow simultaneous use of the two WANs, it is necessary to re-establish a routing topology from the red routing plan, this solution uses tunneling of the streams by the use of GRE tunnels which make it possible to re-establish connectivity between red router equipment and develop the red routing plan by the use of an IGP (OSPF for example). The prior art requires the implementation of several distinct products (Switch, Firewall, Router and Encryptor). The management and security operations are distinct and require a correlation between the operators to define the establishment of the security policies and that of the routing (GRE tunnels). Exploitation is complicated on large networks as it is necessary to establish GRE tunnels between all sites.

The implementation of a flow management policy is very limited by the simple fact that there is limited visibility on the content of the packets (DSCP field) and not on the origin and destination of the flows. This involves making routing decisions upstream (red plane). The offset generated by the IPsec tunnels does not ensure 1 o a coherent SLA between the MAN (users) and WAN (transit) networks, which is why it is necessary to have a router (called in some cases QoS router) between the WANs and the encryptors whose main objective is to ensure coherence between the flows coming from the WAN and towards the MANs and vice versa. Several problems remain unresolved by prior art systems. In particular, the variable elongation of the packet size (overhead) provided by the encryptor does not allow consistency on the QoS. The flow management policy is not carried out according to the type of operational flow. There is no flow distribution policy between the 20 WANs. There is no reservation and preemption of WAN resources that implement protocols like RSVP. Network edge equipments incorporate service class management capabilities through the use of multiple queues and they associate with these queues a particular process which ensures the users of these services an appropriate treatment of their services. flow during congestions in networks. These QoS principles and the associated rules are referred to as the "flow processing policy". Figure 1 shows this generic architecture and locates the identified problems. Communications architectures employing several WANs protected by IPsec tunnels include the problems described hereinafter.

First problem The routing of flows to different WANs taking into account criteria requires either to analyze the applications that are above the IP layer, or to resort to a precise identification of the source and the destination of the flows. These features, which must be implemented on R1_S1, R1_S2 edge router equipment, require hardware configurations that support these features, which is often incompatible with small-site deployment. The sites host users with administrative or operational functions, these users are considered either as vital users (in limited numbers) or non-vital users and they generate sensitive and non-sensitive flows. There is no correlation between vital users and sensitive flows, a non-vital user can generate sensitive flows. The flows coming from the LANs and / or MAN can be encrypted for reasons of security level of these flows. In this case, the analysis can only be performed on the DSCP field ("Differentiated Services Code Point") of the IP packet, which benefits from an integral copy without alteration on the part of the encryption equipment. Also, the routing of the flows towards one or the other of the WAN can be realized only from this field DSCP. This first problem is referenced PB1 in FIG. 1. The current flow processing policy is limited to the queue management functionalities on the DSCP field and to the DiffServ method.

Second problem IPsec encryptors in tunnel mode introduce overhead, or overhead, over the original IP packets. This overhead can be important compared to the original flows if the latter is a voice stream for example. The RW1 router at the entrance of the WAN infrastructure implements a policy of quality of service based on policing and shaping which makes it possible to deal with congestion problems and to guarantee the respect of the quality of service required with respect to Service Level Agreement (SLA). The router R1_S1 has no knowledge of the measures taken by the router RW1 in terms of flow processing policy (QoS), knowing that these two routers are in different areas of administration, which requires coordination between the two 35 administrators and they are in different worlds (red / black). If the two routers have interfaces at the same rate, the overhead generated by the encryptor can cause the RW1 router a quality of service policy up to the rejection of IP packets in the direction R1_S1 to RW1, the flow in WAN router input is greater than that allowed by this router. The router RW1 delivers the IP packets to the encryptor by smoothing them up to the maximum speed of its traffic contract. The encryptor after deciphering the packets puts them back to the router R1_S1, the input bit rate of this router being lower than the output bit rate of the router RW1. There is no coherence (QoS / SLA) and taking into account the overhead introduced by IPsec in routers RW1 and R1_S1. This second problem is referenced PB2 in FIG.

The third problem The implementation of IPsec tunnels makes opaque all the flows coming from the services which makes the protocols operating above IP (for example, the ESP protocol "Encapsulating Security Payload") invisible of the WAN. The protocols coming from the encryptors and understandable by the WANs are the protocols of the IPsec standard. By construction, IPsec encryptors are not routers, in the sense that they do not implement Interior Gateway Protocol (IGP) or Exterior Gateway Protocol (EGP) and that they do not participate routing. The use of IPsec tunnel does not pose any particular problem if this use is carried out from a site A to a single site B, the routing operations being limited to communicating the black addresses of the tunnel ends to the WAN so that it can route this address to the recipient. In a use which implements several sites meshed with each other by IPsec tunnels having to borrow different WANs, there is the problem of choosing the output interface of the router R1_S1, R1_S2 to reach the recipient via the WANs through tunnels. IPsec. Open Top Path Pathology (OSPF) provides a low-cost route between a source router and a destination. A link is a direct link between two routers; we then designate a router directly connected to another by the term "adjacent".

In the example, the neighbor of the router R1_S1 is an encryptor that does not implement the OSPF protocol; it is therefore necessary to establish direct links to implement OSPF between routers R1_S1, R1_S2. These links are established using the GRE ("Generic Routing Encapsulation") protocol and installing GRE tunnels between the R1_S1, R1_S2 routers. The OSPF protocol can then establish a topology between all the routers concerned by considering each GRE tunnel as a pseudo physical interface allowing a router to generate hello to its adjacent, so as to maintain and verify connectivity with its neighbors OSPF.

This architecture based on GRE tunnels does not guarantee the scalability of the model that suffers from a scaling factor. Indeed, on large architectures, it is necessary to establish GRE tunnels in full mesh; the number of routes is therefore equal to n * (n-1) / 2, where n is the number of routers, which requires routers R1_S1, R1_S2 to be routers capable of handling this load. This third problem is referenced PB3 in FIG.

Fourth problem The use of the OSPF protocol as a routing protocol makes it possible to route the flows according to the cost of the links. In the example, the cost of the links comes down to the cost of the link of the pseudo physical interface "GRE tunnel", which takes as cost value that of the interface on which is mounted the GRE tunnel. The IGP routing protocols implemented in the WANs have no interaction with the OSPF routing protocol of routers R1_S1, R1_S2; they are hidden by IPsec tunnels. Also, the incidents that occur in the various WANs will be taken into account at the R1_S1, R1_S2 routers only on detection by the OSPF protocol of a malfunction (using a protocol messages "Hello"). The malfunction observed by the router to change the routing is a break in the link, ie a rupture of the GRE tunnel. In this case, the OSPF protocol can route the streams to another WAN. Load sharing between different WANs can be done provided that the link costs are the same.

This operation in active / backup does not intelligently route flows taking into account criteria on both WAN. It also does not allow to optimize the capacity in transit of the WANs. This amounts to using only the WANs below their transit capacity or to provision the resource by exceeding on one or the other of the WANs. This fourth problem is referenced PB4 in FIG. 1. Fifth problem The treatment of congestions must be observed at several levels of the architecture: congestion processing on the routers R1_S1, R1, S2; - congestion processing on RWx routers; - the treatment of congestion in the WANs. The treatment of congestions can be approached in two different aspects: on the one hand, the treatment of congestions relating to the momentary bottleneck of resources (that is to say of routers) on the way of communications; on the other hand, the treatment of congestion relating to the shortage of resources due to an incident or a lasting degradation in the WAN networks. The treatment of these momentary congestion, also called "micro congestions", is relatively well implemented in network equipment by the Policing and Shaping technologies 25 as well as the functions relating to the management of queues. In the architecture of the system according to the invention, the routers R1_S1, R1_S2 and RWx implement these functions. The treatment of this type of congestion in the WANs is specific to each WAN according to its characteristics and its flow processing policy (quality of service management). The lack of resources on routers R1_S1, R1_S2 and RWx can be overcome by solutions consisting in duplicating equipment, interfaces and implementing mechanisms for managing these principles (link aggregation, VRRP protocol or VSS solution). . These functions are currently well controlled and do not raise, a priori, any particular problem.

Some sensitive streams require routing guarantees, current DiffServ / DSCP-based techniques, and queue management only address part of the problem, ie momentary congestion of traffic flows. Another solution is to provision bandwidth on the WAN to overcome any congestion, but this principle is not economically viable and impossible to implement when the transit resource is a satellite-type resource. The congestion may be due to an unavailability (more or less long) WAN transit resources which causes upstream of this unavailability a constraint in the flow routing. Since the OSPF protocol has no information on the state of congestion of the underlying network, the flows continue to be routed on the congested links, the network devices on the path of communication to deal with these congestion problems, even if this route is of very poor quality and that as long as the road does not become unavailable (that is to say as long as the GRE tunnel is not broken). In the event of an incident leading to the disruption of connectivity between the OSPF router, a GRE / lPsec tunnel rerouting process is implemented to elect a route between the two devices. This operating principle is incompatible with a need for flow routing having a mandatory character in terms of quality of service, routing times and latency, in particular. This fifth problem is referenced PB5 in Figure 1. Sixth problem Resource shortage phenomena can persist if the WANs are under capacitive in a major incident, there is no resilience of communications. The routing of certain sensitive flows is no longer guaranteed. This sixth problem is identified PB6 in Figure 6.

Methods implemented to solve or approach the resolution of the aforementioned problems are given below. Some methods, presented below in Figure 2, solve some of the problems but generate other constraints that may be technical or administrative (eg organizational).

The system of FIG. 2 takes the topology of FIG. 1. It comprises users of the service of a first site S1, which are respectively subscribers A1_S1 and subscribers A2_S2. These users have different IP addresses in the defense addressing plan, identifiable by their prefix. The users of the site S2 also have different addresses between subscribers B1 S2 and B2 S2 and vis-à-vis the site S1. The system also comprises local LAN / MAN networks whose main activity is to convey the flows between the users of the sites S1 or S2 and to the output router R1_S1, R1_S2.

The system also includes an output router R1_S1, R1, S2 of MAN. This router R1_S1 directs the streams to the encryptors Z1_S1 or Z2_S1 according to the flow processing policy which consists in routing the sensitive flows to the WAN_M and non-sensitive flows to the WAN_C. This policy is carried out according to the addressing of the users of the site S1. The role of the router R1_S2 is identical to that of the site S1 for the flows coming from the LAN / MAN of the site S2. As for the streams coming from the encryptors Z1_S2 and Z2_S2, these are sent to the recipients via the LAN / MANs of the site S2. The system of Figure 2 also includes encryptors Z1_S1, Z2_S1. The encryptor Z1_S1 provides protection of the streams coming from the router R1_S1 to the WAN_M and the encryptor Z2_S1 provides protection of the flows from the router R1_S1 to the WAN_C. The protection is ensured by the implementation of the IPsec protocol in tunnel mode. The security policy assigned to each encryptor makes it possible to partition the flows coming from the site S1 service to the users of the site S2. The encapsulation IPsec makes it possible to mask with WAN_M and WAN_C the addresses of the sites S1 and S2. The IP addresses on the black interface of the encryptors are the only addresses visible by the WAN_M and WAN_C. These are the addresses that are used by these WANs to route the flows to and from the R1_Sx routers. The WAN_M transports the flows between the site S1 and S2 according to a routing specific to this WAN. WAN_C performs the same routing functions according to its own parameters (topology, routing protocols, QoS, etc.). In the example, the system includes only two WAN_M WANs, WAN_C, but it could also apply to a larger number of WAN_M WAN_C, WAN_C. With the architecture of the system of FIG. 2, the first problem PB1 can be considered as partially solved with methods such as, for example, PfR (Performance Routing) and PBR ("Policy Based Routing") of the company CISCO which implement performs a routing control on an application traffic. This traffic is defined by prefixes and / or by "traffic classes" which are a combination containing the prefix, the protocol, the port numbers and the DSCP field. Features such as Netflow 1 o are also associated with PfR / PBR and used to provide a topological and qualitative view of flow routing. However, in the architecture according to the invention, only non-sensitive streams would be able to be subjected to these functionalities. The sensitive streams being protected by encryption, the information useful for the analysis 15 is not accessible, the only useful field is the DSCP field. This architecture therefore only partially solves the first problem PB1. The second problem PB2 is partially solved by introducing an additional router QoS1_S1, QoS1_S2, QoS2_S1, QoS2_S2 in the architecture, as illustrated in FIG. 3. These routers _S1, QoS1_S2, QoS2_S1, QoS2_S2 are inserted between the encryptors and the routers RWx. These routers are included in the architecture and, apart from their WAN_M WAN connection function, WAN_C, which can be achieved by link aggregation to provide better WAN access availability, these routers provide service quality function with respect to the services, that is to say sites S1 and S2, and the WAN. One of the problems to be solved is that the use of encryptors in tunnel mode necessarily causes encapsulation of the original IP flows in ESP stream, which results in an overhead on the origin flows. 30 But the R1_S1 router, R1_S2 does not have a function to take into account this overhead in quality of service functions (whether Policing or Shaping). The encryptor does not have sophisticated QoS features to deal with this problem, which implicitly means adding a router solely for QoS processing.

This problem is partially solved because it helps to ensure consistency in QoS, but it generates additional costs (the deployment of a router) and a constraint on the administration domains. This solution therefore only partially satisfies the second problem PB2. On the other hand, the third, fourth, fifth and sixth problems PB3, PB4, PB5, PB6 are not solved.

The different elements mentioned above belong to different areas of administration. It is necessary to distinguish between the administration domain of the first WAN_M, the administration domain of the second WAN_C, and the administration domain of the site or sites S1, S2. (Depending on the extent of the perimeter of each of these sites S1, S2, there may be several different administration domains).

It is assumed that the administration domain comprises the administration of the security part, ie the encryptors which are an integral part of the sites administration domains. These domains form, in the sense of the Internet, Autonomous Systems (AS), as illustrated in Figure 4. This implies the use of standardized IGP and EGP protocols for inter-domain exchanges. An additional problem is identified in this architecture, it concerns the QoS router (QoS_S1 for example). This router is from the SA domain serving the first site S1 and as such, it is configured, supervised and maintained by the staff of the first site S1. But the encryptor which encapsulates all the flows coming from the router R1_S1 does not make it possible to reach the router QoS1_S1. To enable the QoS1_S1 router to be administered, it is necessary to implement a specific secure configuration to guarantee the integrity of the first site S1 through encryptors dedicated to this function. This seventh problem is referenced PB7.

Each autonomous system implements IGP and EGP protocols to route flows, in our architecture the protocols used are BGP ("Border Gateway Protocol") as EGP and OSPF protocol as IGP protocol. The routing topology, shown in Figure 5 is described below.

The autonomous systems representing the sites S1, S2, implement the OSPF protocol, this routing domain comprises the router R1_S1, R1_S2 but excludes the encryptors Z1_S1, Z1_S2. Encryptors do not implement the OSPF protocol, they do not route the OSPF protocol, and they are not able to establish a routing topology from the source (themselves) to the recipients. The routing of the flows in the encryptors is carried out by the Security Policy (SP) and Security Association (SA) routing policy, information contained in the SPD ("Security Policy Database").

The QoS_Sx routers implement the OSPF protocol to allow to take into account in complex architectures an administratively independent entity of the main site (represented by the user A3_S1), but using the resources common to the different WANs. The QoS routers being managed (Administration / Supervision) by the entity of the main site. The set of QoS routers of the sites of the same organizational unit form a transit federator with respect to the service sites they connect and this for a given flow category (sensitive or non-sensitive). The BGP protocol is implemented between the QoS_Sx routers and the WAN_M and WAN_C. It makes it possible to communicate to the various WANs the prefixes of the subnetworks present in the services. WANs implement a routing protocol (OSPF for example). It ensures the routing of flows between the different interconnected services. This protocol makes it possible to establish a routing topology by assigning costs to the borrowed paths. The choice of the road is that of lower cost. The prefixes indicated in the routing tables of the WAN routers are the prefixes of the black addresses of the encryptors, the addresses of the user plane being masked by the encryptors. The OSPF protocol is a link state protocol, to work, it requires that the routers that use this protocol are adjacent, which can be translated as "being connected by a direct link", but the encryptors do not allow not having a direct link between an unprotected entity and a protected entity. To restore connectivity between routers R1_S1, R1_S2, it is necessary to use GRE tunnels, then run an OSPF on these "GRE interfaces". GRE tunnels are implemented overlay of the IPsec layer (ESP protocol) and they generate an overhead of 4 additional bytes. From then on it is possible to reconstruct an OSPF routing topology between the services through the GRE tunnels.

QoS management is implemented in the QoS routers (respectively QoS1_S1 and QoS2_S1 for the Si site). In each router it must comply with the quality of service policy vis-à-vis the WAN, WAN_M and WAN_C networks and that of the Rx_S1 routers installed on the site for the benefit of administrative entities. The overall coherence of the quality of service for the benefit of a collective user who must convey sensitive and non-sensitive flows is only feasible by configuration operations independent of the QoS routers, each router has to process sensitive or non-sensitive flows. . In summary, the existing architectures suffer in particular the following unsolved problems: the first problem PB1 referral flows according to a flow management policy; the second problem PB2 of taking into account the overhead caused by IPsec encapsulation; The third problem PB3 of extensibility of GRE tunnels; the fourth problem PB4 of simultaneous use of the different WANs; - the fifth PB5 problem of congestion treatment in the event of resource shortages; The sixth PB6 problem of dealing with the lack of resources on the WANs; the seventh PB7 problem of QoS router administration behind IP encryptors. An object of the invention is to solve at least one of the aforementioned problems. The proposed solution allows routing decisions to be made before encrypting the information and integrating into one product all the functions needed to interconnect MAN to WANs. IPsec tunnels are established between encryptors (Z) of adjacent sites. The red router function (before Z) makes it possible to have a visibility 35 on the routing topology and to direct the flows (in the tunnels) according to the characteristics of the users of the services (MAN) and their associated services. This solution also implements Traffic Engineering (TE) by the use of MPLS-TE and associated routing protocols RSVP-TE, OSPF-TE, in particular.

The use of the device according to the invention, illustrated in FIG. 16b, also makes it possible to reserve resources in the Military WAN by cooperation between the red router and the military WAN. This feature uses the process object of the French patent published under number FR 2924552 filed for Thales.

The routing function implemented in the red router performs intelligent routing of the flows and realizes traffic load distribution according to multiple criteria. Control mechanisms are implemented in the product to avoid bagoting situations during rapid variations in the states of the connections. The firewall function ensures integrity to flows from services and protection of flows from the WAN Civil. The services are protected vis-à-vis these flows by the fact that they are opposed to encryption equipment in contrast to the previous solution or the same 20 flows were opposed to a router equipment, so potentially fallible. The switch function makes it possible to connect different organizations on the same physical machine while providing the latter with a partitioning in terms of SLA and exploitation. Since the routing is carried out before the encryption, the contents of the packets are visible, the addresses of the users origins and destinations are exploitable, the signaling protocols (SIP for the telephony for example), are also exploitable and because of this it is possible to to make routing decisions taking these elements into account and, on the other hand, by analyzing the characteristics of the WAN networks, obtained either by the routing or resource reservation protocols or by the implementation of QoS (active probes). As a result, a flow management policy can be implemented based on the following criteria: 35 - QoS (packet) - Session flow type (voice, data, image) - Type of operational flow (Vital, no vital) - SLA traffic contract (Max rate, jitter, delays, etc.) - WAN network cost depending on the topology. - Resilience: Network congestion, loss of links, connectivity, simultaneous use of WANs, distribution of traffic between WANs. The network and service model applied to defense applications is characterized by: - a need for protecting the exchange of information between applications, which is implemented by third-party applications (SIC, SIAG, SIOC). a need to protect the traffic flows exchanged between the functional entities of the transport layer, which is achieved by the implementation of IPSec VPN at the level of the transit and / or access networks (protection at the exit of an enclave ). - a need for interworking between metropolitan and theater networks that have different employment characteristics, which translates into functional requirements with different technical, functional and organizational characteristics. - a need for voice, data and video services with particular constraints in terms of quality of service, availability, resilience, etc. which results in a functional addition to the COTS databases. - a need to separate the security functions of the management functions from an organizational point of view, which is reflected in the implementation of the SOC and NOC centers. Unlike conventional systems, the routing and encryption device according to the invention: - reverses decision-making between encryption and routing; - works at the "protocol level 2" (MPLS) without implementing GRE tunnels between the red routers installed in the services, which simplifies the administration; - cooperates the encryption instances (the red zone of the encryptor) and the router that makes the routing decision via a decision module; - does not involve the equipment of the service in the decision-making. An advantage of the proposed solution is to be able to interconnect a MAN with WANs by providing operational resilience functions. The use of the router according to the invention to manage secure data flows includes the following advantages: - allow cooperation between the red routing plans and the establishment of IPsec tunnels; allow simultaneous use of the two WAN networks taking into account the "instantaneous" characteristics of these WANs, resource occupancy rate, packet transit delay, jitter (QoS indicators); - to direct the flows coming from the services according to the states of the WAN and according to the character of these flows (priority, type of flow, etc.); 15 - guarantee the routing of a certain category of flows (vital flows); - guarantee end-to-end quality of service, from user to user; - provide operational resiliency functions; - ensure consistent end-to-end routing over secure VPNs; 20 - optimize transit resources.

Other characteristics will become apparent on reading the detailed description given by way of nonlimiting example which follows, with reference to appended drawings which represent: FIG. 1, an example of an architecture of a system according to FIG. prior art; FIG. 2, a second example of a system according to the prior art; FIG. 3, a third example of a system according to the prior art; FIG. 4, an illustration of the administration domains forming autonomous systems within an architecture according to the prior art; FIG. 5, an illustration of the routing of the data flows; FIG. 6, an illustration of the general architecture of the system according to the invention; FIG. 7, an exemplary implementation of a first function F1 of the method according to the invention; FIG. 8, an example of implementation of a second function F2 of the method according to the invention; FIG. 9, an exemplary implementation of a third function F3 of the method according to the invention, - FIG. 10, an example of implementation of a fourth function F4 of the method according to the invention, - FIG. 11, an example of implementation of a fifth function F5 of the method according to the invention, - Figure 12, an example of implementation of a sixth function F6 io of the method according to the invention, - Figure 13 , an example of implementation of a seventh function F7 of the method according to the invention, - Figure 14, an example of implementation of an eighth function F8 and a ninth function F9 of the method according to the invention FIG. 15, a diagram illustrating the problem of managing secure data flows, FIG. 16a, an archi According to the prior art, FIG. 16b illustrates an illustration of the use of a routing and encryption device according to the invention in a network, FIG. 17, an illustration of a network using the device of FIG. 18, the position of the routing and encryption device according to the invention in a network, FIG. 19, the position of the routing and encryption device according to the invention in FIG. a telecommunications network.

Data transfer over IP networks is not subject to any guarantee of routing and delivery of this data to an end user, this mode of operation in Best Effort is the nominal operating mode of IP networks. Apart from some specific features built on the processing of the DSCP field of the IP packet, associated with a queue management allowing priority routing of some IP packets compared to others. To guarantee the routing of the data, it is implicitly necessary on the one hand to establish a permanent relationship between the two ends (users) during the duration of the communication. Only a connected mode of operation makes it possible to guarantee this relationship and secondly to reserve resources on the WAN networks corresponding to the needs of the communication on the path thereof. These resources being reserved in each equipment involved in the communication. Routing protocols, and in particular OSPF, although a protocol distributed over all the equipment involved in the routing, do not make it possible to influence the choice of a dynamically established route by taking account of events ( congestion, flow characteristics, events, etc.) that do not affect road availability (failure).

The architecture of a system according to the invention implements functions making it possible, on the one hand to ensure a coherent operation of the system, and on the other hand to solve the problems PB1, PB2, PB3, PB4, PB5. , PB6, PB7 identified previously. An F1 function provides IPsec protection for the streams coming from the interfaces 11 and to the interfaces 12 and 13. The function F1 is decomposed into sub-functions F11 to F1 n, where n represents the number of WANs interfaced with the method. An interface lx is assigned to a subfunction F1 n. A function F2 ensures the establishment of point-to-point links between the local process and the remote processes. An F3 function ensures the routing of the flows to and from the interface 11. The flow switching separates the flows in session mode from the other streams (un-session flows). An F4 function handles the processing of flows in session mode. A function F5 handles the relations between function F1 and function F4. It allows in particular to indicate the function F1, the beginnings and endings of sessions as well as the N ° of the sessions. An F6 function handles the processing of congestion aspects and the processing of Trafic Engineering (TE) aspects.

An F7 function provides interworking with the black WANs, it is in charge of retrieving TE information from the black WANs, synthesizing them and communicating them to the F1 function. An F8 function provides the administration of the network functions. The functions F2, F3, F4 and F5 are network functions. An F9 function handles the processing of the security functions. The F1 function is a security function. Databases are associated with these functions, they make it possible to store information specific to the network functions, security or information common to these two functions. These MIB ("Management Information Base") are the following: - a BD1 MIB which is dedicated to the administration and supervision of network functions, accessible for reading and writing by the F8 function. A BD2 MIB which is dedicated to the administration and supervision operations of the security functions, accessible for reading and writing by the function F9. - A BD3 MIB, common to network and security functions, read-only. FIG. 7 shows an exemplary implementation of the first function F1 of the method according to the invention. The incoming and outgoing flows of the MANs on the interfaces 11 require protection. This protection is provided by the implementation of the function F1. The F1 function is an IPsec 25 function in tunnel mode. The tunnels are dynamically established between the functions F1 n and all the functions F1 n remote implemented in the remote processes. The F1 function implements a method of automatic discovery of remote processes. It provides remote process authentication, maintains IPsec tunnel connectivity between local and remote F1 n entities. FIG. 8 shows an exemplary implementation of the second function F2 of the method according to the invention. The function F2 allows the resolution of the third problem PB3. The use of IPsec tunnels established through WAN requires the positioning of other GRE tunnels in overlay 35 of these IPsec tunnels, this principle is not extensible on major network topologies. To overcome this defect, the proposed solution is to use an "underlay" function, ie to work at a level lower than IPsec to establish the relationships between remote entities. This function designated F2 makes it possible to establish a point-to-point connection between two remote units, MPLS protocol ("Multi-Protocol Label Switching") is one of the protocols which makes it possible to satisfy this function. Other techniques such as VLANs can also satisfy the F2 function. The links between the functions F2 are established on the interfaces 12 and 13. The information transmitted or received by this function F2 takes the interfaces 12 and 13.

FIG. 9 shows an exemplary implementation of the third function F3 of the method according to the invention. The function F3 is in full duplex relation with the interface 11, that is to say in bidirectional communication. The flows coming from the interface 11 are switched according to their characteristics to the function F4 or to the function F2. Session-mode flows, such as the Session InitiationProtocol (SIP) protocol, are routed to the F4 function, the other flows are routed to the F2 function. Function F3 also extends the partitioning characteristics between users, such as Virtual Local Area Networks (VLANs) or Virtual Routing and Forwarding Table (VRF), to the process. These characteristics can be routed by the local process to the remote processes. FIG. 10 shows an example of implementation of the fourth function F4 of the method according to the invention. Function F4 allows the resolution of the sixth problem PB6. Function F4 receives only session mode streams from function F3 (eg SIP). The function F4 interprets the "session" protocol and identifies in the protocol the field carrying the MLPP information indicating the priority of the session, this information has been forged in the field concerned (the RP field in the case of the SIP protocol). by functional entities of the MAN. An RSVP (Resource ReSerVation Protocol) or RSVP-TE (Resource ReSerVation Protocol - Traffic Extension) request according to the underlying WAN is generated to the function F4 of the remote destination method of the session via the function. F3.

The function F4 implements an IGP ("Interior Gateway Protocol") having the capacity to establish a topology of links including metrics of bandwidth availability, occupied band, in particular. The OSPF-TE protocol is one of those protocols that may be suitable for this part of function. Associated with this IGP protocol, a better path calculation sub-function taking into account the metrics mentioned above makes it possible to define the best routes to join the remote processes. The subfunction C-SPF is one of the functions to satisfy this calculation. The information from C-SPF is indicated as a parameter in the RSVP-TE request. Function F4 generates RSVP or RSVP-TE requests only to WANs that accept these requests. FIG. 11 shows an example of implementation of the fifth function F5 of the method according to the invention. The function F5 allows the dialogue between the functions F4 and each entity F1.x. This function is a control function that transmits and / or receives messages from or to functions F4 and F1. The messages are conveyed by the UDP protocol ("User Datagram Protocol"). The main messages make it possible to send and receive information on the communication sessions to be opened, to close or on the behavior to be maintained with respect to the communications based on parameters derived from the function F1 and in particular its part black interface ". The function F5 makes it possible to make the connection between the session number (for example, an LSP number) and an IPsec context (for example an SPI number, "Security Parameter Index"), information contained in the SDP.

FIG. 12 shows an exemplary implementation of the sixth function F6 of the method according to the invention. The function F6 allows the resolution of the first problem PB1, the fourth problem PB4 and the fifth problem PB5. Function F6 is related to functions F3, F4. It implements several means and mechanisms for managing congestion or influencing the processing of flows, the operations implemented by F4 and F6 functions being referred to as "flow processing policy". The F4 function has all the contexts of the sessions established and being established, as well as the priority levels of these sessions. In nominal operation, the flows are routed to the WANs present in active-active mode, ie the routing chooses one of the WANs according to the types of flows to be routed and the constraints associated with these flows. This principle makes it possible to use all the WAN capabilities at the same time without operating the "active-backup" type. In the case of congestion indicated in function F6, the main methods used to influence flow processing are as follows, this list not being exhaustive: - DiffServ mode: flow routing is performed according to the DSCP field and according to a number of classes of service; ECN bit mode: A congestion signaled on positioning of the ECN bit on a session or class of service of the "data" type causes a change in the routing path of the flows concerned by this congestion; - SAA mode: The function implements tools to measure certain characteristics of flows across WANs.

These tools measure jitter, transit delay, latency and this on each WAN. The analysis of the results can cause a change of the routing path of the flows concerned by the analysis of the metrics, if they are in values outside the limits prescribed in the SLA; - Denial of service mode. A denial of service attack is detected by the function F1 and reported to the function F4 through the function F5 is retransmitted to the function F6 which causes a change in the routing path of the flows concerned by this attack.

FIG. 13 shows an example of implementation of the seventh function F7 of the method according to the invention. Function F7 allows the resolution of the second problem PB2. The incoming and outgoing flows to and from the WANs on the interfaces 12, 13 and In1 are conveyed to these interfaces by the function F7. The function F7 is duplicated in as many functions (F7.1 to F7.n) as there is WAN, this duplication makes it possible to make the actions and treatments independent on the WANs. The F7 function provides several subfunctions and in particular: a sub-function for managing the IPsec overhead. The function F7 takes into account the overhead imposed by the IPsec encryption implicitly by a management command communicated by the function F6. The overhead is expressed in an additional number of bytes to be taken into account in the calculation of the quality of service. The function F7 expresses a bandwidth user need corresponding to the SLA (Service Level Agreement) requested by the user, this requirement expression is carried out according to the classes of services. A calculation is carried out by the function F7 to check the coherence between the physical flows of the interfaces MAN and WAN, and the requests expressed by the user in the classes of services expressed. - a sub-function for calculating the best paths to be used on the WAN from the function F7.x concerned and taking into account TE metrics (OSPF-TE and MPLS-TE). - a sub-function in relation to the ECN bit for the calculation of congestion, number of packets in congestion, incriminated session number, etc. The information obtained is specified in a message to the F5 function. The F1 function retranscribes this information to function F5. The messages are of the TLV type, the function being represented by the "T" (Type) field.

FIG. 14 shows an exemplary implementation of the eighth function F8 and the ninth function F9 of the method according to the invention. The functions F8 and F9 allow the resolution of the seventh problem PB7. All F1, F2, F3, F4, F5, F6 and F7 functions are implemented on a common hardware and software basis. The NOC and SOC administration functions can cohabit more easily, which makes it possible to have MIBs dedicated to an operating domain, a network MIB and a security MIB, as well as a common MIB containing the "network" information and the data. "non-sensitive security" information. Sensitive information such as cryptographic elements (keys) are contained in the MIB dedicated to security. As a result, the security information is always accessible and they do not require any additional equipment for their accessibilities. The method groups all the functions. It belongs to one and only one autonomous system (SA). Its administration is ensured by a WAN autonomous system or by a MAN autonomous system. To facilitate the tracking of SLAs, information from the Network and Security Administration MIB (Common MIB) is read-only by the autonomous system that is not responsible for administering the process, in order to provide vision of the quality of service to the autonomous system that does not provide this administration. Function F8 is related to functions F2, F3, F4, F5 and F6 to perform the administration (configuration) and supervision of these functions. Function F9 is related to function F1 and F7 to perform the administration (configuration) and supervision of this function. The function F8 is related to the database BD1. Database BD1 is in read and write mode. The function F9 is in relation with the database BD2 and the database BD2 is in read and write mode. Finally, the database BD3 receives information from the database DB1 and BD2, the database BD3 being in read only mode.

In summary, according to an implementation of the secure flow management method according to the invention the following steps are performed: - Use the IPsec protocol in tunnel mode to implement the function F1 and the subfunctions F1 .x; - Use a point-to-point level 2 protocol between the F2 function of the local process and the remote processes. MPLS is a candidate protocol for this function; - Use a level 2 protocol between function F2 and function F1. The 802.1Q protocol (VLAN) is this protocol. The VLAN number maps to the SPI number, the identifier of the session's encryption context; - Feed the flows from the LAN / MAN to the F4 function and / or to the F2 function. The switch to the F4 function concerns the flows in session mode; - Generate via the F4 function RSVP requests to the F1 function. The F1 function interprets this request, directs it to the remote through the IPsec tunnel considered and the F1 function generates the RSVP request to the black WAN which carries the attributes of the context of the session; - Use a communication protocol between the F1 functions and the function F5 to allow the exchange of signaling messages between these functions and in particular the information on the numbers of the sessions between local and remote process; - To communicate to the function F4 and F6 via the function F5 the information coming from the function F1; - Using function F6, use the information from function F7 and subfunctions F7.x retransmitted via function F1. This information is conveyed as messages and contains Quality of Service information from black WANs; - Analyze the information from the black WANs via the F7 function and the F7.x subfeatures. Communicate this information to the F1 function; - Direct flows to F1.x functions based on the analysis of received information or preempt current sessions to free up resources; - Filter the information coming from function F7 by function F1 and communicate this information to function F5; - Administer the network information of the F2, F3, F4, F5 and F6 functions via the F8 function and store this information in a database (BD1). Make this information accessible in read and write mode by the designated functions; - Administer the safety information of F1, F7 functions via function F9 and store this information in a database (BD2). Make this information accessible in read and write mode by the designated functions; - Communicate the network (BD1) and security (BD2) databases to extract the common information and store it in a database (BD3). Make this information accessible in read only mode by the designated functions; functions F1 to F9 being integrated on a single hardware and software platform.

The distribution of functions F1 to F9 can also be performed with different hardware and software platforms. The communication protocol between these platforms is a level 2 protocol. According to one implementation of the method according to the invention, the referral of the flows to the function F4 concerns all the flows in session mode and all the flows in unsigned mode. According to an implementation of the method according to the invention, the information from the function F7 concerning Traffic Engineering information (TE) is transmitted to the function F6 via the 1 o function F1. According to one implementation of the method according to the invention, the administration of the network and security information is consolidated in a single database. The method according to the invention has multiple advantages - an improvement in the resilience of communications and services; - optimization of leased transmission resources (VPN Operators); the possibility of implementing mechanisms for pre-empting vital flows and thus ensuring the guarantee of delivery of the vital flows; - an improvement in the quality of service to all flows by discriminating the types of flows according to uses. It carries out the routing operations and in particular the choice of the route to reach the target before carrying out the encryption operations 25 taking into account qualitative criteria on the state of the paths taken (quality of service, transit delays, rate of resource occupation, packet loss, for example). It requires close collaboration between the encryption entities and the routing entity.

Encrypting router device To implement the aforementioned security method, it is also proposed a routing device and encryption or "encryption router" for interconnecting MANs to WANs while providing an improvement in resilience, a better security level, and a reduction in costs.

The originality of this device is to direct flows to the WAN before encrypting, the currently deployed solutions routing already encrypted flows. Flow referrals are therefore based on their content. Therefore, it is possible to implement flow management policies at the WAN level which allows for example to ensure the delivery of vital flows and optimize the bandwidth requirements on the WAN. The encryption router can be redundant. Figure 17 shows an NGN architecture applied to the Defense and the positioning of the routing and encryption device according to the invention. As illustrated in FIG. 18, the routing and encryption device according to the invention is positioned at the boundary between different networks that are administered by entities with distinct responsibilities. Figure 19 shows the functions of the three functional entities of the routing device according to the invention. It is broken down into: a function whose role is to identify the IDP-RIP6 neighbors, to maintain the connectivity between these neighbors, to set up the tunnels between neighbors, to learn the visible S / Rs behind these neighbors. This function is performed by the IDP-RIP6 Inter Red Routing function. This function is implemented in the "red encryptor" functional entity. a macro function whose role is to establish LSPs between PI WANs and maintain them according to the local environment, PI WAN remote events and ND transit events. This macro function is implemented in the "red router" functional entity. a macro function whose function is to maintain a label routing table (LIB), to perform the SPI mapping to labels, to update the FIB. This macro function is implemented in the functional entity "red router". a macro function whose function is to transmit in clear to the ND transit RSVP requests and to locally maintain and manage the table of available resources on the ND transit. This macro function is implemented in the functional entity "black router".

One objective is to obtain an MPLS plane between the red routers of the WAN PIs, to obtain a VPN plan between the black encryptors of the PI WANs, to obtain a dynamic routing plan between the red routers of the PI WANs and to obtain a resource control plan between the black PI WAN encryptors and the ND transit. The objective is to control resources from the information obtained and to implement preemption mechanisms on preemptable flows.

Claims (1)

REVENDICATIONS1. System for managing secure flows transmitted CLAIMS1. System for managing secure flows transmitted between a first local area network (S1) and at least one second local area network (S2) interconnected via a plurality of WAN wide area networks (WI, WAN M, WAN C), said local area networks (SI, S2) comprising at least one input / output interface II, said WAN extended networks comprising at least one input / output interface 12, said system being characterized in that it comprises for each network local (SI, S2) a plurality of functions F1 to F9 integrated on a single hardware and / or software platform connected to said interfaces 11,12,13 of said local and wide area networks, said functions FI to F9 executing the following functionalities: o the function FI provides IPsec protection for the streams coming from the interfaces 11 and to the interfaces 12 and 13, the function F1 being decomposed into subfunctions F1.1 to F1.n, where n represents the number of WAN wide area networks, the f F2 anointing ensures the establishment of a plurality of point-to-point links between said hardware platforms connected to the input / output interfaces of each local network (SI, S2), where the function F3 provides the switching, according to their characteristics of flows from and to the interface I1 of said local network (SI) by separating the flows in session mode from the other flows, where the function F4 handles the processing of flows in session mode, where the function F5 handles the processing of exchanges between the FI function and the F4 function, in particular by indicating to the function FI, the beginnings, endings and session numbers included in said flows, where the function F6 ensures the processing of the congestion, where the function F7 ensures the interworking with the functions WAN wide area networks, by retrieving the traffic engineering information (TE), synthesizing it and communicating it to the FI function, where the functions F2, F3, F4 and F5 are network functions whose In administration is provided by the function F8, the function F9 provides the administration of the security functions such as the function FI. System for the management of secure flows according to claim 1, characterized in that the function F4 executes the following steps: the reception of the session-mode streams coming from the function F3, the interpretation of the "session" protocol and the identification in said protocol of information indicating the priority of the session, the receipt of a resource reservation request, for example an RSVP ("Resource ReSerVation Protocol") or RSVP-TE request ("Resource ReSerVation Protocol -Trafic Extension"). as a routing protocol, for example an Interior Gateway Protocol (IGP) such as the OSPF-TE protocol, adapted to establish a link topology including at least bandwidth availability metrics and / or band, the implementation of a better path calculation sub-function, for example the sub-function C-SPF, taking into account said metrics to define the mei their routes to communicate between said local networks (SI, S2). 3. System for the management of secure flows according to one of claims 1 or 2 characterized in that the function F6 executes, to combat congestion problems, at least one of the following steps: a flow routing, in DiffServ mode , performed according to the DSCP field and according to a number of service classes, o signaling a congestion by positioning an ECN bit on a session or class of service of the "data" type so as to cause a change the routing path of the flows concerned by this congestion, the generation of metrics from at least one measure of the jitter, the transit delay or the latency on each of the extended networks (WAN) and a change of the routing path flows when said metrics have a value out of a prescribed limit, o a change of the routing path of the streams for which a denial of service attack is detected by the FI function and reported to the function it is F4 through function F5 and then retransmitted to function F6. 4. System for secure flow management according to one of claims 1 to 3 characterized in that: o the FI function and the subfunctions F1.1 to F1.n are implemented by the IPsec protocol in tunnel mode, the function F2 is implemented by a level 2 protocol such as the MPLS protocol, where the exchanges between the function F2 and the function FI are carried out using a level 2 protocol such as the protocol 802.1Q , generating, via the function F4, RSVP requests to the function FI interpreting this request, sends it to a remote local area network (S2) through the IPsec tunnel considered, the function FI generates to at least one wide area network ( WAN) the RSVP request which carries the attributes of the context of the session, where the functions FI and F5 exchange signaling messages comprising in particular the information relating to the numbers of the sessions established between said hardware platforms connected to the interferences. input / output faces of each local network (S1, S2) by means of a communication protocol, the information coming from the function F1 is communicated to the functions F4 and F6 via the function F5, o Service quality information from Wide Area Networks (WAN) is analyzed by the F7 function and the F7.x sub-functions and passed to the F6 function via the F1 function, o Filter information from the function F7 by the function FI and communicate the filtered information to the function F5, o administer the network information of the functions F2, F3, F4, F5 and F6 via the function F8 and store this information in a database (BD1), o administer security information of FI, F7 functions via function F9 and store this information in a database (BD2), o communicate network databases (BD1) and security (BD2) ) to retrieve the common information and store it in a database (BD3). A secure flow management method transmitted between a first local area network (S1) and at least one second local area network (S2) interconnected through a plurality of WAN wide area networks (RWI, WAN M, WAN C), said local area networks (S1, S2) having at least one input / output interface I1, said WAN extended networks comprising at least one input / output interface 12, said method being characterized in that it comprises at least the following steps for each local network (S1, S2): defining a plurality of functions FI to F9 that can be integrated on a single hardware and / or software platform connected to said interfaces I1, 12, 13 of said local and wide area networks, the function FI provides the IPsec protection of the flows coming from the interfaces II and to the interfaces 12 and 13., the function FI being decomposed into subfunctions FI.I to FI.n, n representing the number of WAN extended networks, o the funct ion F2 ensures the establishment of a plurality of point-to-point links between said hardware platforms connected to the input / output interfaces of each local network (SI, S2), where the function F3 provides the switching, according to their characteristics of flows from and to the interface II of said local network (SI) by separating the flows in session mode from the other flows, where the function F4 handles the processing of flows in session mode, where the function F5 handles the processing of exchanges between the FI function and the F4 function, in particular by indicating to the FI function the beginnings, endings and session numbers included in said flows, the function F6 ensures the processing of congestions, the function F7 ensures interworking with the wide area networks WAN, by retrieving the traffic engineering information (TE), synthesizing it and communicating it to the FI function, the functions F2, F3, F4 and F5 are network functions whose administration n is provided by the function F8, the function F9 provides the administration of security functions such as the function FI. 6. Secure flow management method according to claim 1, characterized in that the function F4 executes the following steps: the reception of the session mode flows coming from the function F3, the interpretation of the "session" protocol and the identification in said protocol, information indicating the priority of the session, the receipt of a resource reservation request, for example an RSVP ("Resource ReSerVation Protocol") or RSVP-TE ("Resource ReSerVation Protocol -Trafic Extension") request, the implementation of a routing protocol, for example an Interior Gateway Protocol (IGP) such as the OSPF-TE protocol, adapted to establish a link topology including at least bandwidth availability metrics and / or or occupied band, the implementation of a better path calculation sub-function, for example the sub-function C-SPF, taking into account said metrics for defining the best routes for communicating between said local networks "SI, S2). 7. secure flow management method according to one of claims 5 or 6 characterized in that the function F6 performs, to combat congestion problems, at least one of the following steps: o routing flows, in DiffServ mode , performed according to the DSCP field and according to a number of service classes, o signaling a congestion by positioning an ECN bit on a session or class of service of the "data" type so as to cause a change the routing path of the flows concerned by this congestion, o the generation of metrics from at least one measure of the jitter, the transit delay or the latency on each of the wide area networks (WAN) and a change of the path of routing of the streams when said metrics have a value out of a prescribed limit, o a change of the routing path of the streams for which a denial of service attack is detected by the function F1 and reported to the function it is F4 through function F5 and then retransmitted to function F6. 8. secure flow management method according to one of claims 5 to 7 characterized in that: o the FI function and the subfunctions F1.1 to F1.n are implemented by the IPsec protocol in tunnel mode, the function F2 is implemented by a level 2 protocol such as the MPLS protocol, where the exchanges between the function F2 and the function FI are carried out using a level 2 protocol such as the protocol 802.1Q, where generate, via the function F4, RSVP requests to the function FI which interprets this request, sends it to a remote local area network (S2) through the IPsec tunnel in question, where the function F1 generates to at least one wide area network ( WAN) the RSVP request which carries the attributes of the context of the session, where the functions FI and F5 exchange signaling messages comprising in particular the information relating to the numbers of the sessions established between said hardware platforms connected to the interfaces. these input / output of each local network (S1, S2) using a communication protocol, o the information from the function F1 is communicated to the functions F4 and F6 via the function F5 , where Service quality information from WANs is analyzed by the F7 function and the F7.x sub-functions and passed to the F6 function via the FI function, o filter information from of the function F7 by the function FI and to communicate the filtered information to the function F5, o to administer the network information of the functions F2, F3, F4, F5 and F6 via the function F8 and to store this information in a database of data (BD1), o administer the security information of the FI, F7 functions via the function F9 and store this information in a database (BD2), o communicate the network databases (BD1) and security ( BD2 ) to retrieve the common information and store it in a database (BD3).