JP2006345366A - Packet repeater, program for realizing the packet repeater, and recording medium stored with the program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress or evade an overload state without considerably changing a configuration with respect to a packet repeater having a forwarding engine mounted thereon, and also to provide software for realizing the packet repeater, and a recording medium having the software stored therein. <P>SOLUTION: The packet repeater is composed of: a filtering means for filtering packets of a preliminarily registered classification; and a control means for defining a classification designated by a packet processing application, as the preliminarily registered classification input of packets to the filtering means. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a packet relay device that is configured as hardware and performs packet filtering and other communication control by a forwarding engine, software that implements the packet relay device, and a recording medium that stores the software.

2. Description of the Related Art In recent years, a forwarding engine, which is dedicated hardware that performs packet filtering at high speed, is being installed in packet relay apparatuses such as routers for the purpose of realizing high throughput and low cost.
FIG. 3 is a diagram illustrating a configuration example of a router equipped with a forwarding engine.
In the figure, a router 10 is connected to an information terminal device 22 via a LAN (Local Area Network) 21 and also connected to a WAN (Wide Area Network) 23.

  The router 10 includes a network interface unit 11-1 connected to the LAN 21 and a network interface unit 11-2 connected to the WAN 23. Between the network interface units 11-1 and 11-2, the router 10 is provided. A forwarding engine 12 is arranged. The forwarding engine 12 includes a table 12T. Furthermore, the network interface units 11-1 and 11-2 and the forwarding engine 12 are connected to corresponding input / output ports of the processor 13.

  In the router 10 having such a configuration, the network interface unit 11-1 corresponds to a packet (here, “multicast request” compliant with the protocol MLD (Multicast Listener Discovery)) from the information terminal device 22 via the LAN 21. Assuming that the packet is called a “request packet” below (FIG. 4 (1)), the packet is delivered to the forwarding engine 12.

  According to the above-described protocol MLD, a terminal that desires multicast declares a desired multicast group to the network in advance, and a packet of the multicast group to which the network device corresponds to the port of the terminal that has made the declaration. (Unlike packets that are unicasted, the destination is not specified as a single address, so network devices such as routers and switches cannot distribute to ports that are determined according to this single address. )), The load on the network can be reduced. Hereinafter, such multicast group packets are referred to as “multicast packets”.

  The forwarding engine 12 registers the request packet described above in a built-in buffer memory (not shown). Further, the forwarding engine 12 includes control information (for example, “type of multicast packet and transfer destination”) necessary for predetermined packet filtering and other communication control among the information included in the header of the request packet. If it is not registered in the table 12T, the corresponding request packet is delivered to the processor 13.

The processor 13 extracts the control information described above from the request packet and registers the control information in the table 12T (FIG. 4 (2), step S1 in FIG. 5)).
In addition, when the control information is registered in the table 12T before the request packet registered in the buffer memory is read from the buffer memory, the forwarding engine 12 determines the corresponding request packet based on the control information. Perform filtering (forwarding).

In such a filtering process, for example, the request packet is delivered to the network interface unit 11-2, and is further delivered to the WAN 23 via the network interface unit 11-2 (FIG. 4 (3)).
However, as described above, when the control information included in the control packet delivered from the network interface unit 11-1 is already registered in the table 12T, the forwarding engine 12 delivers the control packet to the processor 13. Instead, packet filtering (forwarding) is performed based on the control information.

Note that such packet filtering is not limited to the above-described control packet, but, for example, is delivered as a sequence of multicast packets distributed from the WAN 23 side as shown in FIG. 4 in response to the aforementioned “multicast request”. Both the original and the delivery destination are also applied to all packets corresponding to either the WAN 23 or the LAN 21.
Further, in the above-described packet filtering process, not only the above-described packet delivery and transfer, but also, for example, by discarding a packet that satisfies a specific condition such as “IP address, protocol, etc., the security of the information terminal device 22 is improved. The process of securing is also performed.

Further, for example, when IPv6 (Internet Protocol Version 6) is applied, the control information described above is arranged in the header of the packet as shown in FIGS. 6A and 6B, and FIG. ) To (h), it is given in various formats according to the type of the corresponding packet.
As prior art related to the present invention, for example, as described in Patent Documents 1 and 2 to be described later, “the validity of time-to-live information (TTL) in a network is checked when a packet passes through”. To prevent unauthorized access prevention, which is characterized by filtering packets between inside and outside of logical groups configured in the network, and "to packet in order to perform high-speed and advanced IP packet filtering" A communication control device characterized in that it determines whether or not the packet can be passed using an applicable byte code.
JP-A-10-271154 JP 2004-180159 A

Incidentally, in the above-described conventional example, all packets including control information not registered in the table 12T are delivered to the processor 13 by the forwarding engine 12. In addition, the processor 13 is likely to fall into an overload state because such a packet is frequently delivered depending on the adopted protocol.
It is an object of the present invention to provide a packet relay device, a program, and a recording medium in which the above-described overload state is suppressed or avoided without greatly changing the configuration.

In the packet relay apparatus according to the present invention, the filtering means filters the types of packets registered in advance. The control means sets the kind designated by the application processing the packet as the kind registered in advance before the packet is inputted to the filtering means.
That is, the type of the packet to be filtered is automatically specified before the packet is input to the filtering unit.

Therefore, as compared with the conventional example in which the above-mentioned type is not specified until the packet to be filtered is actually input to the filtering means, the configuration is surely performed without changing the configuration significantly. Therefore, it is possible to reduce the processing speed necessary for this.
In the packet relay apparatus according to the present invention, the filtering means filters the types of packets registered in advance. The control means specifies a type determined based on a protocol used for reception or transfer of the packet before the packet is input to the filtering means, and sets the type as the previously registered type.

That is, the type of the packet to be filtered is automatically specified before the packet is input to the filtering unit.
Therefore, as compared with the conventional example in which the above-mentioned type is not specified until the packet to be filtered is actually input to the filtering means, the configuration is surely performed without changing the configuration significantly. Therefore, it is possible to reduce the processing speed necessary for this.

In the packet relay apparatus according to the present invention, the control means sets a type including an address used at a specific base to which the packet destination belongs to the type registered in advance at the time of startup.
The packet to be delivered to the destination indicated by such an address is filtered by the filter link means without special setting by the operator of the packet relay apparatus according to the present invention and without changing the network configuration. Is automatically set to the target.

Therefore, adaptation to various protocols is possible.
In the packet relay device according to the present invention, the control means sets the type including the address of the terminal accommodated in the packet relay device as the type registered in advance at the time of startup.
The packet to be delivered to the destination indicated by such an address is filtered by the filter link means without special setting by the operator of the packet relay apparatus according to the present invention and without changing the network configuration. Is automatically set to the target.

Therefore, adaptation to various protocols is possible.
In the packet relay apparatus according to the present invention, the control means sets the type including a specific address meaning all terminals as the type registered in advance at the time of startup.
The packet to be delivered to the destination indicated by such an address is filtered by the filter link means without special setting by the operator of the packet relay apparatus according to the present invention and without changing the network configuration. Is automatically set to the target.

  Therefore, adaptation to various protocols is possible.

In the present invention, it is possible to reduce the processing speed necessary for specifying the type of packet to be filtered without significantly changing the configuration as compared with the conventional example.
In the present invention, adaptation to various protocols is possible.
Therefore, in the communication system to which the present invention is applied, the overload state can be reduced or avoided without significantly increasing the cost, and the reliability and service quality can be improved.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Since the hardware configuration of the embodiment described below is as shown in FIG. 3, the description thereof is omitted here.
[First embodiment]
FIG. 1 is an operation flowchart of the information terminal device according to the first embodiment of the present invention.

FIG. 2 is a diagram for explaining the operation of the first embodiment of the present invention.
The operation of the first embodiment of the present invention will be described below with reference to FIGS. 1 to 3 and FIG.
The feature of this embodiment is the following processing procedure performed by the information terminal device 22 and the processor 13 shown in FIG.
For example, in the course of execution of a predetermined application system, the information terminal device 22 needs to receive a sequence of multicast packets to be distributed from the WAN 23 side (that is, a new control information is not registered in the table 12T). When it is identified that the type of packet is subject to filtering, the control information (multicast group ID indicating the corresponding multicast group) necessary for receiving the sequence of these multicast packets is included in the router 10 via the LAN 21. ) Is transmitted (step S1 in FIG. 1, FIG. 2 (a)). Such a control packet may be merged with a packet corresponding to the aforementioned “multicast request”.

In the router 10, the network interface unit 11-1 delivers this control packet to the forwarding engine 12 (FIG. 2 (b)).
The forwarding engine 12 registers this control packet in the aforementioned buffer memory. Further, the forwarding engine 12 is applicable when the control information necessary for packet filtering of the above-described multicast packet sequence is not registered in the above-described table 12T among the information included in the header of the control packet. The control packet is also delivered to the processor 13.

The processor 13 extracts the control information described above from the control packet and registers the control information in the table 12T (step S1 in FIG. 5, FIG. 2 (c)).
Further, when the control information is registered in the table 12T by the time the control packet registered in the buffer memory is read from the buffer memory, the forwarding engine 12 determines the corresponding control packet based on the control information. Filtering is performed (here, it is assumed that the process is excluded from the passage target).

Further, the information terminal device 22 sends a request packet corresponding to the aforementioned “multicast request” to the router 10 via the LAN 21 as in the conventional example.
In the router 10, the network interface unit 11-1 delivers this request packet to the forwarding engine 12 (FIG. 2 (d)). The forwarding engine 12 registers the request packet in a built-in buffer memory (not shown), but the control information included in the header of the request packet (indicating “the type and forwarding destination of the multicast packet”). As described above, since it is already registered in the table 12T, the corresponding request packet is not delivered to the processor 13.

  Furthermore, since the control information is registered in the table 12T when the request packet registered in the buffer memory is read from the buffer memory, the forwarding engine 12 registers the corresponding request packet based on this control information. Perform filtering. Therefore, the request packet delivered to the network interface unit 11-2 based on such filtering is delivered to the WAN 23 via the network interface unit 11-2 (FIG. 2 (3)).

As shown in FIG. 2, a multicast packet sequence is distributed from the WAN 23 in response to the above-described “multicast request”. The packet filtering performed by the forwarding engine 12 on the multicast packet sequence is a conventional example. Therefore, the description thereof is omitted here.
That is, before both the request packet and the “multicast packet sequence” are actually given to the router 10, the control information necessary for filtering these packets is automatically stored in the table 12T. Registered without any unnecessary work.

Therefore, according to the present embodiment, the processor necessary for reliably registering the control information in the table 12T in spite of no change in the hardware configuration and a significant change in the software configuration. 13 can be reduced, and the possibility that the processor 13 falls into an overload state is reduced.
[Second Embodiment]
The operation of the second embodiment of the present invention will be described below with reference to FIG.

A feature of the present embodiment is the following processing procedure performed by the processor 13 provided in the router 10.
At the time of start-up, the processor 13 generates a 64-bit interface ID by converting the MAC address of the router 10 into a prescribed format as shown in FIG. 6E, and places the interface ID on the LSB side. In addition, by placing a prescribed prefix (filler) in the remaining upper bits, a “site local address” that is an address used in a specific site under the above-described IPv6 is a single link. A “link local address” used within a range not exceeding the router 10 is generated.

Furthermore, the processor 13 registers control information including these “site local address” and “link local address” in the table 12T.
Such control information includes, for example, the above-mentioned “link local address” as a destination address, the above-described interface ID is arranged on the LSB side, and the prefix “11111110100” is added to the remaining higher order. It is configured by including the arranged source address.

In IPv6, the above-mentioned delivery of “site local address” and “link local address” between local areas is not permitted (defined) as a protocol.
That is, a packet in which a terminal arranged in the above-mentioned specific base or within a range not exceeding the router 10 corresponds to the destination is not subject to special setting by the operator of the router 10 and the configuration of the entire network. Without being changed unnecessarily, it is set as an object of passage by the forwarding engine 12.

Therefore, according to this embodiment, ICMP (Dynamic Host Configuration Protocol), NDP (Neighbour Discovery Protocol), MLD (Multicast Listener Discovery), etc. adapted to the “site local address” and “link local address” described above are used. Internet Control Message Protocol) can be realized.
[Third embodiment]
The operation of the third embodiment of the present invention will be described below with reference to FIG.

A feature of the present embodiment is the following processing procedure performed by the processor 13 provided in the router 10.
At the time of start-up, the processor 13 registers control information including a well-known multicast address (meaning a packet type required to be receivable by all nodes) in the table 12T.

  Note that such control information includes a destination address in which the above-described interface ID is arranged on the LSB side, and any of the remaining upper orders is arranged with any of “111111110000001”, “111111110000010”, and “111111110000101”. And it is configured without including valid information as a source address. Further, the above-mentioned “well-known multicast address” is an address essential for realizing ICMP that enables acquisition of various addresses, neighborhood search, and the like in IPv6.

That is, a packet that is delivered from the WAN 23 or the LAN 21 based on the various protocols that are the ICMP and whose destination is indicated by a “well-known multicast address” is used without changing the network configuration and the operation of the router 10. Even if the person does not make any special setting, it is automatically set as a passing target by the forwarding engine 12.
Therefore, according to the present embodiment, various ICMPs such as DHCP, NDP, MLD, etc. adapted to the above-mentioned “well-known multicast address” can be realized.

In each embodiment described above, the present invention is applied to a computer network using IPv6.
However, the present invention is not limited to such a computer network, and the present invention can also be applied when IPv4 is used.
Further, in each of the above-described embodiments, the present invention is applied to multicast based on MLD.

  However, if a control packet is given to the router 10 based on the procedure of the application described before a packet or a sequence of packets that are not registered in the table 12T is input to the forwarding engine 12, The present invention is also applicable to filtering (forwarding) of packets input to the router 10 based on such a protocol.

Further, in each of the above-described embodiments, the process in which the processor 13 registers the control information in the table 12T is that the control packet sent by the information terminal device 22 based on the procedure of execution of the application system is delivered via the forwarding engine 12. When it is activated.
However, such processing may be started by the processor 13 when the processor 13 identifies autonomously based on a predetermined protocol, for example.

Further, in each of the above-described embodiments, the detailed configuration of the forwarding engine 12 and the method of the interface between the forwarding engine 12 and the processor 13 are not shown in detail.
However, the forwarding engine 12 may be configured in any way as long as the linkage between the processor 13 and the network interfaces 11-1 and 11-2 is realized as described above.

Further, in each of the above-described embodiments, the LAN 21 including one segment is connected to the network interface unit 11-1.
However, the LAN 21 may be composed of a plurality of segments, and the network interface unit 11-1 may have a path corresponding to each of these segments.
In each embodiment described above, the router 10 is configured as a single device.

However, the router 10 may be configured as, for example, a package mounted on a general information terminal device. In such a case, a part of the function of the processor 13 or the processor 13 and the information terminal device The processing for realizing the linkage may be configured as a driver of a corresponding package or a BIOS (Basic Input Output System).
Further, the form of packet filtering realized by the forwarding engine 12 may be, for example, NAT (Network Address Translation), or “L3 switch supporting many protocols” and “layer 3 and layer 4 information”. And L4 switch that performs packet switching and routing based on the above and can set QoS for each application flow.

  Further, the present invention is not limited to the above-described embodiments, and various configurations of embodiments are possible within the scope of the present invention, and any improvements may be made to some or all of the constituent devices. Good.

It is an operation | movement flowchart of the information terminal device in 1st embodiment of this invention. It is a figure explaining operation | movement of 1st embodiment of this invention. It is a figure which shows the structural example of the router by which the forwarding engine is mounted. It is a figure explaining operation | movement of a prior art example. It is an operation | movement flowchart of a processor. It is a figure which shows the various control information arrange | positioned at the header of a packet.

Explanation of symbols

10 router 11 network interface unit 12 forwarding engine 12T table 13 processor 21 LAN
22 Information terminal equipment 23 WAN

Claims (7)

Filtering means for filtering a packet of a pre-registered type;
A packet relay apparatus comprising: a control unit configured to set a type designated by an application for processing the packet to the type registered in advance before the packet is input to the filtering unit. Filtering means for filtering a packet of a pre-registered type;
A control unit that identifies a type determined based on a protocol used for receiving or transferring the packet before the packet is input to the filtering unit, and sets the type to the pre-registered type. A packet relay device. In the packet relay device according to claim 1 or 2,
The control means includes
A packet relay apparatus characterized in that a type including an address used at a specific base to which the packet destination belongs is the type registered in advance at the time of startup. In the packet relay device according to any one of claims 1 to 3,
The control means includes
A packet relay device characterized in that a type including an address of a terminal accommodated in the packet relay device is the type registered in advance at the time of startup. In the packet relay device according to any one of claims 1 to 4,
The control means includes
A packet relay apparatus characterized in that a type including a specific address that means all terminals is the type registered in advance at the time of startup.   The program which makes a computer function as a control means which comprises the packet relay apparatus of any one of Claim 1 thru | or 4. 5. A computer-readable recording medium in which a program for causing a computer to function as control means constituting the packet relay apparatus according to claim 1 is stored.

Images