JP2007104700A - Packet relay processing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To speed up service processing of a server by arranging a common process used in many network services to a network connecting device. <P>SOLUTION: A packet processing unit and a session managing unit, which are conventionally arranged in a server, are arranged in a network connecting device 2, and the network connecting device 2 performs a packet relay process based on session management. A process distributing unit 2c and service processing units 2d are arranged in the network connecting device 2, so that the process distributing unit 2c distributes a packet to the service processing units 2d, based on session management according to a policy set by the server 1. The server 1 performs session management according to a condition, the network connecting device 2 allows the server to conduct service processing, the server analyzes a packet and sets the contents of the service in the network connecting device 2, and thereafter, the network connecting device 2 performs a relay process for the same session, based on the contents of the service. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a packet relay processing apparatus for optimizing a server having server load distribution control, NAT (Network Address Translation), bandwidth control, VPN (Virtual Private Network), and a firewall service function.

  Currently, the scale of the Internet is rapidly increasing due to the spread of packet communication services in WWW (World Wide Web), E-mail, and mobile phones. Along with this, there is an increasing demand for higher speed networks and higher functions such as security. The current network service execution form is generally configured by a server and a network connection device such as a NIC (Network Interface Card). Today's network services are becoming more complex, and a server platform is suitable because it can respond flexibly to various and new requirements.

  FIG. 39 shows the configuration of a conventional packet relay processing apparatus. This figure shows a general configuration in which a server and a network connection device realize a service on a network, arrows indicate the flow of control information, and thick arrows indicate packet information.

In FIG. 1, reference numeral 100 denotes a server, which includes a packet processing unit 101, a service 1 processing unit to a service n processing unit 102, and a service 1 control unit to a service n control unit 103.
The service 1 processing unit to the service n processing unit 102 perform session management, routing, and service processing such as filtering and load distribution according to the policy defined by the service 1 control unit to the service n control unit 103.

Reference numeral 104 denotes a network connection device, and a packet input from the network via the network connection unit is sent to the packet processing unit 101 of the server 100 via the network connection device 104 and the packet communication unit 105 to process the packet. .
JP 2000-349851 A Japanese Patent Laid-Open No. 11-4261 JP 2001-16254 A

  Due to the recent rapid expansion of the Internet, the amount of packets flowing through the network has shown an exponential growth. For this reason, the conventional server cannot meet the required processing speed, and a technology for speeding up the server is required. Also, we want to avoid losing as much as possible the ability to integrate many services of the server in creating a new platform.

  The present invention has been made in order to solve the above-described problem. By locating common processing used in many network services in a network connection device, it is possible to speed up server service processing. Objective.

  FIG. 1 is a diagram for explaining the outline of the present invention. In the figure, 1 is a server and 2 is a network connection device. In the present invention, the network connection device is integrated, and the packet processing unit and the session management unit that are conventionally arranged on the server are arranged on the network connection device 2 to form the packet relay processing unit, and the packet relay processing unit Thus, packet relay processing based on session management is performed on the network connection device 2.

  In addition, a processing distribution unit 2c and a plurality of service processing units 2d are provided on the network connection device 2, and session management to the plurality of service processing units 2d is performed by the processing distribution unit 2c in accordance with a policy set by the server 1. Sort based on.

  Further, the server 1 can be provided with an external session management function so that the server 1 can perform session management when the number of sessions exceeds the number of registered session tables of the network connection device 2.

  The server 1 is provided with an external service processing unit, and the processing distribution unit 2c transfers the packet to the server 1 so that the external service processing unit of the server 1 executes the service processing, or the server 1 A detailed analysis unit is provided, and the server 1 analyzes the packet to determine the service, sets the determined service content in the network connection device 2, and the network connection device 2 subsequently determines the service content determined above for the same session. It is also possible to perform relay processing based on the above.

As described above, in the present invention, the above-described problems are solved as follows.
(1) The network connection device 2 is provided with a packet relay processing unit based on session management, which includes a packet processing unit 2a and a session management unit 2b, and the network connection device 2 performs relay processing based on session management.

As described above, since the network connection device 2 performs the function that has been conventionally arranged on the server, the CPU usage rate of the server 1 can be reduced. In addition, since session management is performed by the network connection device 2 and the output destination is registered in the session table at the start of the session, even if the routing table is changed during the session, consistency is maintained for the ongoing session. Can hold.
(2) In (1) above, the server 1 of the packet relay processing device is provided with an external session management function, and the network connection device 2 transfers the session information to the server 1 according to the given conditions. Perform session management.

Thereby, even when the number of sessions exceeds the number of registered session tables of the network connection device 2, the server 1 can manage the overflow of the network connection device 2.
(3) In (1) above, the network connection apparatus 2 is provided with a processing distribution unit 2c and a plurality of service processing units 2d, and the processing distribution unit 2c distributes packets to the plurality of service processing units 2d. To perform service processing.

As described above, by arranging the processing distribution unit 2c and the plurality of service processing units 2d in the network connection device 2 capable of processing at higher speed than the server 1, the usage rate of the CPU of the server 1 can be reduced. Service processing can be speeded up.
(4) In (3) above, the server 1 is provided with an external service processing unit, and the processing distribution unit 2c distributes packets according to the given conditions and executes the service processing in the external service processing unit of the server 1 Let

By enabling service processing to be executed by both the network connection device 2 and the server 1 as described above, service processing that is difficult to be realized on the network connection device 2 can be performed by the server 1. Even if the service requires complicated processing, it can be handled.
(5) In the above (1), the network connection device 2 is provided with a distribution processing unit 2c and a service processing unit 2d, and the server 1 is provided with a packet detail analysis unit (not shown). The packet is transferred to the server 1 according to the given condition, the server 1 analyzes the packet to determine the service, sets the determined service content in the network connection device 2, and the network connection device 2 thereafter performs the same session. Then, relay processing is performed based on the set service content.

  As described above, the server 1 analyzes the packet to determine the service, sets the determined service content in the network connection device 2, and the network connection device 2 thereafter performs the same session based on the determined service content. By performing the relay process, the service process can be realized at a higher speed than when all the processes are performed by the server 1.

  According to the present invention, since the network connection device 2 performs the function that has been conventionally arranged on the server, the CPU usage rate of the server 1 can be reduced.

FIG. 2 is a diagram showing the configuration of the packet relay processing apparatus according to the first embodiment of the present invention.
In the figure, reference numeral 11 denotes a server, which includes a network control unit 12, and the network control unit 12 writes the routing information input by the administrator to the routing table 23 a of the network connection device 20 through the control information communication unit 31. . The control information communication unit 31 is, for example, a PCI (Peripheral Components Interconnect) bus or a serial interface.

  Reference numeral 20 denotes a network connection device. The network connection device 20 according to the present embodiment is obtained by integrating a plurality of network connection devices 104 shown in FIG. 39, and includes a packet processing unit 21, a session management unit 22, a session table 22a, The network connection device 20 performs the packet processing, session management, routing processing, and the like that are performed by the server of FIG.

  2, the packet shown in FIG. 3 input from the network is sent to the packet processing unit 21 of the network connection device 20 through the network connection unit 30. The network connection unit 30 is, for example, an Ethernet (registered trademark) controller.

  The packet processing unit 21 performs processing shown in a flowchart of FIG. 4 to be described later, and sends the packet to the session management unit 22. The session management unit 22 performs session management as shown in a flowchart of FIG. 5 described later, and passes the packet to the packet processing unit 21.

The packet processing unit 21 processes the packet as shown in FIG. 4 described later, and outputs the packet to the network via the network connection unit 30.
FIG. 4 shows a processing flow of the packet processing unit.

  As shown in the figure, the packet processing unit 21 performs buffering of packets input from the network (step S1) and checks the checksum (step S2). Next, the packet processing unit 21 performs packet defragmentation (step S3), and sends the packet to the session management unit 22 (step S4).

  Then, the packet processing unit 21 performs fragmentation of the packet sent from the session management unit 22 (step S5), performs checksum recalculation (step S6), and outputs the packet to the network. The processing in the packet processing unit 21 is the same as the processing in the conventional packet processing unit.

FIG. 5 shows a processing flow of the session management unit 22.
As shown in the figure, when a packet is sent to the session management unit 22, the session management unit 22 searches the session table 22a for session data corresponding to the packet (step S11). The session table 22a is a table that stores session data for managing a session. FIG. 6 shows a configuration example of the session table 22a. As shown in FIG. 6, the session data includes a session ID (IDentifier) for identifying the session, a session search key (destination / source address, destination / source port, protocol) for uniquely determining the session, Has items such as status and output destination.

  In step S11, the session management unit 22 searches the session table 22a using information such as the source / destination IP address in the IP header of the packet and the protocol, source / destination port in the TCP header as keys.

  If the session data whose session search key matches the information in the header of the packet sent to the session management unit 22 is not registered in the session table 22a (step S12: No), the sent packet Is the first packet of a session, the session management unit 22 registers the session data related to the session in the session table 22a (step S13). That is, in step S13, the session management unit 22 adds a session search key (destination / source address, destination / source port, destination) to the session table 22a shown in FIG. 6 based on the information in the header of the transmitted packet. Protocol) and session status.

Next, the routing processing unit 23 searches the routing table 23a, and writes the output destination obtained as a result of the search to the session table 22a (step S14).
On the other hand, when session data whose session search key matches the information in the header of the packet is registered in the session table 22a (step S12: Yes), the session management unit 22 checks the state of the session. Then, it is determined whether or not the state transitions (step S15). If the state changes (step S15: Yes), the session management unit 22 rewrites the session state in the session table 22a (step S16).

  When the session state transition ends and the session is closed, that is, when the session state is TIME_WAIT and CLOSED (step S17: Yes), the session management unit 22 determines the session search key, session state, and The output destination and the like are deleted from the entry in the session table 22a (step S18). Then, the processed packet is sent to the output destination. When the session state is not session closed (step S17: No), the session management unit 22 does not perform step S18, and the processed packet is sent to the output destination.

The determination of the state transition differs between TCP and other protocols. Hereinafter, TCP and other protocols will be described separately.
FIG. 7 shows a session state in the case of TCP. In the case of TCP, as shown in FIG. 7, six states of CLOSED, SYN_RECV, ESTAB, FIN_RECV, FIN_SENT, and TIME_WAIT are set in the session state.

In the session state of the session table 22a, as shown in FIG. 6, which of the above five states excluding CLOSED is written.
When the session is not registered, the state is CLOSED. When a SYN packet arrives in this state, the session state changes to SYN_RECV. At that time, the session management unit 22 rewrites the “session state” in the session table 22a to SYN_RECV. Next, the session state transitions to the ESTAB <Established> state, and packets are transmitted and received. Then, the session is terminated by the FIN packet. Similarly, the session management unit 22 can detect the start and end of the session by detecting the arrival of the SYN packet and the FIN packet.

FIG. 8 shows an example of state transition from session start to session end in the case of TCP.
As shown in the figure, when communication is performed between a client and a server, a SYN packet is first transmitted from the client. Next, a SYN_ACK packet is returned from the server, and in response to this, an ACK packet is transmitted from the client to the server. As a result, the session state transitions from the SYN state to the ESTAB (Established) state, and thereafter, the client and the server transmit and receive packets to and from each other. When the session is terminated, for example, the client transmits a FIN packet to the server, the server transmits a FIN_ACK packet to the client, and in response thereto, the client transmits an ACK packet to the server to terminate the session ( CLOSED state).

  On the other hand, except for TCP, there is no SYN or FIN flag in the packet. FIG. 9 shows a state transition in the case of UDP as an example. As shown in FIG. 9, when a packet belonging to a session not registered in the session table 22a arrives, the session management unit 22 sets the session state to ESTAB. Since the end of the session cannot be detected, the session management unit 22 responds by deleting the session from the session table 22a when the timer does not pass the packet for a certain period of time.

  As described above, in this embodiment, the network connection device 20 is provided with a packet relay processing function based on session management, and the network connection device 20 performs the function that has been conventionally arranged on the server 11. The usage rate of the CPU of the server 11 can be lowered.

  In addition, since the session management unit 22 is provided in the network connection device 20 and the output destination is registered in the session table 22a at the start of the session, even if the entry of the routing table 23a is changed during the session, the currently ongoing session Can keep consistency.

  FIG. 10 is a diagram showing the configuration of the packet relay processing apparatus according to the second embodiment of the present invention. In this embodiment, in the packet relay processing apparatus of the first embodiment shown in FIG. 2, a server transfer unit 24 for transferring session information to the server 11, a session information communication unit 32 for communicating session information, an external session A management unit 13 and an external session table 13a are provided. When the session table 22a of the network connection device 20 becomes full, the external session management unit 13 provided in the server 11 performs session management. Other operations are the same as those in the first embodiment.

FIG. 11 shows a processing flow in the session management unit and the external session management unit in this embodiment.
As shown in the figure, when a packet is sent to the session management unit 22, the session management unit 22 and the external session management unit 13 use the information stored in the header of the packet as a search key to search the session table 22a and the external session. The table 13a is searched (step S21). The session tables 22a and 13a are tables storing information for managing the session described with reference to FIG.

  When the session data whose session search key matches the information in the header of the packet sent to the session management unit 22 is not registered in the session table 22a and the external session table 13a (step S22: No), the packet Is the first packet of a session, the session management unit 22 first checks whether the session table 22a is full (step S23).

  If the session table 22a is not full (step S23: No), the session management unit 22 registers the session data of the session in the session table 22a as described above (step S24). Next, the routing processing unit 23 searches the routing table 23a, and writes the output destination in the session table 22a (step S25).

  If session data whose session search key matches the information in the packet header is registered in the session table 22a (step S22: Yes), the session management unit 22 checks the session state and It is determined whether or not transitions (step S26). If the state transitions (step S26: Yes), the session management unit 22 rewrites the session state of the session data stored in the session table 22a (step S27).

  If the session is closed after the session state transition is completed (step S28: Yes), the session management unit 22 deletes the session data from the entry of the session table 22a (step S29). The processed packet is sent to the output destination.

  On the other hand, when registering the first packet of the session, if the session table 22a is full (step S23: Yes), the external session management unit 13 of the server 11 performs the same processing as described above.

  That is, as described in steps S24 and S25, the external session management unit 13 registers the session data of the session of the packet in the external session table 13a (step S30), and the routing processing unit 23 stores the routing table. And the output destination is written in the external session table 13a (step S31).

  If session data whose session search key matches the information in the header of the packet is registered in the external session table 13a (step S22: Yes), the external session management unit 13 stores the data in the external session table 13a. The session state is inspected to determine whether or not the session state transitions (step S26). When the state transitions, the external session management unit 13 rewrites the “session state” in the external session table 13a (step S27). When the session is closed after the session state transition ends (step S28: Yes), the external session management unit 13 deletes the session data from the entry in the session table 13a (step S29).

  As described above, in this embodiment, the network connection device 20 is provided with a packet relay processing function based on session management, and the network connection device 20 performs the function that has been conventionally arranged on the server 11. As in the first embodiment, the usage rate of the CPU of the server 11 can be lowered. As in the first embodiment, even if the routing table is changed during the session, consistency can be maintained for the currently ongoing session.

  Furthermore, if the number of sessions exceeds the number that can be registered in the session table of the network connection device 20, the session management is performed by the external session management unit 13 provided in the server 11, so 11 can be managed.

  In the above description, the external session management unit 13 is provided in the server 11 and the server 11 performs session management. However, only the external session table 13 a is provided in the server 11, and session management is performed by the session management unit 22 of the network connection device 20. The session overflowing in the session table 22a may be registered in the external session table 13a.

  FIG. 12 is a diagram showing the configuration of the packet relay processing apparatus according to the third embodiment of the present invention. According to this embodiment, the network connection device 20 is provided with a processing distribution unit 26, a service processing unit 27, and a policy table 25, and the network connection device 20 performs filtering, load balancing, NAT, etc. according to the policy set by the server 11. Execute the service process.

  In the figure, reference numeral 11 denotes a server. The server 11 includes a service control unit 14, and the service control unit 14 writes a policy in the policy table 25 of the network connection device 20 through the control information communication unit 31. Here, the policy is a rule for executing services such as filtering and load distribution. For example, in the case of filtering, it is set based on the policy whether to discard or pass the packet within the range of the policy search key. In the case of load distribution, a virtual (representative) IP address: port number and IP addresses: port numbers of all servers to which distribution is made are set based on the policy. In the case of NAT, the converted IP address: port number is set based on the policy.

  Reference numeral 20 denotes a network connection device. The network connection device 20 of this embodiment includes a packet processing unit 21, a session management unit 22, and a session table 22a ′, as in the first embodiment, and further includes the policy table 25, A processing distribution unit 26 and a plurality of service processing units 27 are provided. A plurality of service processing units 27 are provided according to the type of service applied to the packet.

  According to the present embodiment, when the session management unit 22 receives a packet, the session management unit 22 searches for session data from the session table 22a 'using information in the header of the received packet. When session data indicated by information in the header of the packet is registered in the session table 22a ', processing similar to the above is performed.

  On the other hand, when the session data indicated by the information in the header of the packet is not registered in the session table 22a ′, the session management unit 22 refers to the policy table 25 and based on the policy to be applied to the packet. The session data is created, and the created session data is stored in the session table 22a ′.

  The processing distribution unit 26 determines the application service for the packet based on the session data stored in the session table 22a ', and distributes the process to the service processing unit 27 corresponding to the determined application service. The plurality of service processing units 27 perform processing necessary for each service.

  Hereinafter, the session table 22a 'and the policy table 25 according to the present embodiment will be described with reference to FIGS. FIG. 13 shows a structural example of the session table 22a 'according to the present embodiment. The session table 22a 'is a table for storing session data for managing a session as described above. The session data includes, as items, a session ID, a session search key (destination / source address and port, protocol, etc.), a session state, and an output destination. In the present embodiment, as shown in FIG. 13, in addition to the above information, the session data further includes an applicable service type (such as filtering and load distribution), its service-specific information (such as a distribution destination address), and consistency. Includes retention time, event flag, etc. as items. The applied service type indicates a service to be applied to the packet. The service specific information indicates information specific to the service to be applied. For example, when the applied service type is load balancing, the distribution destination address can be considered as the service specific information. The consistency retention time indicates the time for which session data should be retained after the session ends. In other words, until the consistency retention time elapses, the session data is not deleted from the session table 22a 'even if the session ends. The event flag indicates whether or not to log the packet or the header of the packet. When the event flag is “ON”, the packet or the header of the packet is transferred to the server, and a log is collected by the server.

  FIG. 14 shows a configuration example of the policy table. The policy table stores a policy that is a rule for executing a service on a packet. As shown in FIG. 14, the policy includes a policy ID, a policy search key, an applied service type, service specific information, a priority, a group ID, an event flag, a consistency retention time, and a policy hit count.

  The policy ID is information for identifying a policy. The policy search key is information for determining a policy to be applied to the packet. The applied service type indicates a service applied to the packet based on the policy. The service-specific information indicates information specific to the applicable service, like the session data. The priority is a numerical value indicating the priority order of policies. The lower the priority value, the better the policy. The priority is used when determining which policy should be prioritized when the information in the header of the packet matches the policy search key of a plurality of policies. The group ID is information for identifying the group to which the policy belongs. The event flag and the consistency holding time are the same as the session data. The policy hit count stores the count value of the session corresponding to the policy.

The description of the process using the event flag, the consistency retention time, the group ID, and the policy hit number will be described later as a modification of each modification.
The operation of the packet relay processing apparatus according to the third embodiment shown in FIG. 12 will be described below with reference to FIGS.

First, in the packet relay processing apparatus shown in FIG. 12, a packet input from the network passes through the network connection unit 30 and is sent to the packet processing unit 21.
As shown in the processing flow of FIG. 4, the packet processing unit 21 performs buffering of the input packet, checksum check, and defragmentation, and then sends the packet to the session management unit 22. Then, the packet processing unit 21 performs a fragment and checksum recalculation on the packet sent from the session management unit 22 and outputs it to the network via the network connection device 30.

FIG. 15 shows a processing flow of the session management unit 22 of this embodiment.
As shown in the figure, when a packet is sent to the session management unit 22, the session management unit 22 uses the information in the header of the packet to retrieve session data from the session table 22a ′ shown in FIG. (Step S41).

  As in the first embodiment, the session table is searched using the source / destination IP address in the packet IP header, the protocol in the TCP header, and the source / destination port information as keys.

  When session data whose session search key matches the information in the packet header is not registered in the session table 22a ′ (step S42: No), the session management unit 22 determines that the session is the first packet of the session. In order to determine an applicable service for a policy, a policy is searched from the policy table 25 shown in FIG. 14 using information in the header of the packet (step S43).

  The policy table 25 has routing information, and also includes a policy search key (destination / source address and port, protocol, which can be specified arbitrarily or in a range) that specifies a range to which a service is applied, and an applicable service type (filtering discard or load distribution) Etc.), information specific to the service (such as all distribution destination addresses), and priority.

  As a result of the search, when the entry in the policy table 25 matches the information in the packet header, the policy is written in the applicable service type column of the session table 22a '. That is, the session management unit 22 acquires from the policy table 25 a policy having a policy search key that matches information stored in the packet header. Subsequently, the session management unit 22 creates session data using the information in the packet header as a session search key, and registers the session data in the session table 22a '. Furthermore, the session management unit 22 writes the applied service type and service specific information included in the policy in the applied service type column and service specific information column of the registered session data, respectively (step S44).

  However, when a plurality of policies are matched, the policy table 25 is processed in descending order of priority. If the same service matches multiple times, the one with the highest priority is adopted and the rest are invalidated.

  Hereinafter, the processing in the case where there are a plurality of policies having policy search keys that match the information stored in the packet header when the policy table 25 is searched will be described more specifically.

  First, when the applied service types included in the acquired plurality of policies do not conflict with each other, the session management unit 22 selects the plurality of applied service types in the order of decreasing policy priority values (that is, in descending order of priority). Write in the application data type field of the session data. As a result, the packet receives a plurality of applied services in descending order of priority.

  When the applied service types included in the acquired plurality of policies conflict with each other, the session management unit 22 selects only the applied service type of the policy having the lowest policy priority value from among the plurality of policies. Write in the applicable service type column. As a result, the packet receives only the application service with the highest priority.

Hereinafter, a specific example will be described. Assume that the following six policies are acquired as policies having a policy search key that matches information stored in the header of a packet.
Policy 1: Applicable service = filter pass, priority = 10
Policy 2: Applicable service = filter pass, priority = 100
Policy 3: Applicable service = filter pass, priority = 200
Policy 4: applied service = load distribution, priority = 1000
Policy 5: applied service = load distribution, priority = 2000
Policy 6: applied service = load distribution, priority = 3000
In this case, filter passing and load balancing are applicable service types that do not compete with each other. In addition, since all the applied service types from policy 1 to policy 3 are filter-passing, they compete with each other. Similarly, all of the applied service types from policy 4 to policy 6 are load balancing and thus compete with each other. The session management unit 22 has a policy 1 with the lowest priority value among the policies whose application service type is filter pass and a policy 4 with the lowest priority value among the policies whose application service type is filter pass. Is adopted. Subsequently, since the priority of the policy 1 filter passage is lower than the load distribution priority of the policy 4, the session management unit 22 sets the filter data in the application data type column of the session data first. Write pass and load distribution. As a result, the packet receives the load distribution service after passing through the filter.

  The processing related to the session state transition from step S45 to step S48 performed when Yes in step S42 is the same as that described in the first embodiment. That is, when session data is registered in the session table 22a ', the session management unit 22 checks the session state of the session table 22a' and determines whether or not the state transitions (step S45). If the session state transitions (step S45: Yes), the session management unit 22 rewrites the state of the session table 22a '(step S46). Then, after the session state transition is completed, the session management unit 22 deletes the session data of the session from the entry of the session table 22a '(step S48). The packet that has been processed is sent to the processing distribution unit 26 (step S49).

The processing flow of the processing distribution unit 26 / service processing unit 27 is shown in FIG.
The processing distribution unit 26 / service processing unit 27 determines an applicable service for the packet and performs processing necessary for each service.

  In FIG. 16, when a packet is input to the processing distribution unit 26, the processing distribution unit 26 searches the session table 22a ′ for session data corresponding to the input packet using information in the header of the packet. To do. If the applied service type indicated by the session data obtained as a result of the search is a routing process (step S51), the processing distribution unit 26 distributes the process to the service processing unit 27 that performs the routing process.

  When the routing destination is not written in the session table 22a 'corresponding to the input packet, the routing table (not shown) of the policy table 25 is drawn and the output destination interface and the destination MAC address are written in the session table 22a'.

  More specifically, the processing distribution unit 26 determines whether or not a routing destination is included in the session data (step S51). If the routing destination is not included in the session data (step S51: Yes), the service processing unit 27 to which the process has been assigned uses the destination IP address included in the session data, and the routing table (not shown in FIG. 12). The output destination interface and the destination MAC address obtained as a result of the search are determined as the routing destination (step S52), and the determined routing destination is written in the session data (step S53). Thereafter, the session packet corresponding to the session data is transferred to the determined routing destination. Subsequently, the service processing unit 27 proceeds to step S56.

  Further, the processing distribution unit 26 refers to the applied service type field of the session data obtained as a result of searching the session table 22a ′, and the input packet is a packet that is to receive the load balancing service, and is assigned to the session data. When it is determined that the destination server is not included, that is, it is determined that the destination server has not yet been determined (step S56: Yes), the processing distribution unit 26 performs the service distribution process. The processing is distributed to the unit 27. The service processing unit 27 to which the process has been assigned determines a distribution destination server (step S57), and writes the determined distribution destination address in the service specific information column of the corresponding session table 22a ′ (step S58). Proceed to step S61.

  If the processing distribution unit 26 determines that the input packet is a packet that should receive the filtering discard service by referring to the applied service type field of the session data obtained as a result of searching the session table 22a ′ (step S21). S61: Yes), the processing distribution unit 26 distributes the processing to the service processing unit 27 that performs the packet discarding process. The service processing unit 27 to which the process has been distributed discards the packet (step S62) and ends the process. If the determination in step S61 is No, the process proceeds to step S63.

  If the processing distribution unit 26 refers to the applied service type field of the session data obtained as a result of searching the session table 22a ′, and the input packet is a packet for executing load distribution or NAT service, the input packet is a header. It is determined that the packet is to be rewritten (step S63: Yes). The processing distribution unit 26 distributes the process to the service processing unit 27 that performs the header rewriting process. The service processing unit 27 to which the process is assigned rewrites the IP header and the source / destination IP address, the source / destination port, etc. on the TCP header according to the session data stored in the session table 22a ′ ( Step S64) The process is terminated. When a plurality of application services are stored in the session data, the plurality of application services are executed on the input packet in the order in which they are stored.

  As described above, in this embodiment, as in the first embodiment, the CPU usage rate of the server 11 can be reduced, and even if the routing table is changed during the session, it is currently ongoing. Consistency can be maintained for sessions.

  Furthermore, since the processing distribution unit 26 and a plurality of service processing units 27 corresponding to a plurality of services are arranged in the network connection device 20 capable of processing at a higher speed than the server 11, the usage rate of the server CPU can be reduced. At the same time, service processing can be speeded up.

  Furthermore, according to the present embodiment, the network connection device 20 is provided with a plurality of service processing units 27 according to services. As a result, when a new service is required, a flexible configuration that can be easily handled by adding a new service processing unit 27 corresponding to the required service to the network connection device 20 is realized. Realize. For example, when a new VPN (Virtual Private Network) encryption service or decryption service is required, a service processing unit 27 that performs a VPN encryption service and a service processing unit 27 that performs a decryption service are newly added. It is possible to cope with it.

  Hereinafter, the header rewriting process will be described in more detail with reference to FIG. FIG. 17 shows a packet flow when the network connection apparatus 20 performs the load distribution service in this embodiment. Note that the packet flow shown in FIG. 17 corresponds to session data whose session IDs are 2 and 3 in the session table 22a ′ shown in FIG. The direction of the arrow indicates the direction in which the packet is transmitted.

  When a packet is transmitted from the client whose address is 10.25.1.230 to the server whose address is 192.168.100.75, first, as indicated by arrow A1, “destination address: 192.168.100.75, transmission” is sent from the client to the network connection device 20. The packet P1 having the original address “10.25.1.230” stored in the header is transmitted. The session management unit 22 of the network connection device 20 refers to the session table 22a ′ shown in FIG. 13 using the transmission source address 10.25.1.230 and the destination address 192.168.100.75 included in the packet P1 as keys, and the session ID = 3. Get session data.

  Since the applied service type in the acquired session data is “header rewriting”, the processing distribution unit 26 in the network connection device 20 distributes the processing to the service processing unit 27 that performs the header rewriting process. Since the unique information in the session data is “destination address: 192.168.100.100”, the service processing unit 27 to which the process is assigned changes the destination address in the packet P1 from “192.168.100.75” to “192.168.100.100”. rewrite. As a result, as indicated by an arrow A2, a packet P2 in which “destination address: 192.168.100.100, transmission source address: 10.25.1.230” is stored in the header from the network connection device 20 to the distribution destination server whose address is 192.168.100.100. Is sent.

  On the other hand, when a packet is transmitted from the distribution destination server with the address 192.168.100.100 to the client with the address 10.25.1.230, first, as indicated by the arrow A3, the distribution destination server to the network connection device 20 A packet P3 storing “destination address: 10.25.1.230, transmission source address: 192.168.100.100” in the header is transmitted. The session management unit 22 of the network connection device 20 refers to the session table 22a ′ shown in FIG. 13 using the source address and destination address included in the packet P3 as keys, and acquires session data with session ID = 2.

  Since the entry in the applied service type column in the acquired session data is “header rewriting”, the processing distribution unit 26 in the network connection device 20 distributes the processing to the service processing unit 27 that performs the header rewriting process. The service processing unit 27 to which the process has been assigned rewrites the source address in the packet from “192.168.100.100” to “192.168.100.75” based on the unique information in the session data. As a result, as indicated by an arrow A4, the packet P4 storing “destination address: 10.25.1.230, source address: 192.168.100.75” in the header is transmitted from the network connection device 20 to the client whose address is 10.25.1.230. The In this way, the network connection device 20 can distribute the load on the destination server of the packet by rewriting the header of the packet.

  FIG. 18 is a diagram showing the configuration of the packet relay processing apparatus according to the fourth embodiment of the present invention. In this embodiment, in the packet relay processing apparatus of the third embodiment, the server distribution function is provided in the processing distribution unit 26, the external service processing unit 15 is provided in the server 11, and the service processing is performed by the network connection device 20. And the server 11 can be executed. In this embodiment, when the service process is executed by the server 11, not only the service contents but also the transfer to the server 11 is set in the policy table 25. Other operations are the same as those of the third embodiment.

  As shown in FIG. 18, the external service processing unit 15 includes a plurality of external service processing units 15 in the server 11 according to the applied service type, similarly to the service processing unit 27 according to the third embodiment. Therefore, as with the service processing unit 27 in the third embodiment, when a new service type is required, it is easy to add a new external service processing unit 15 corresponding to the new service type to the server 11. It is possible to correspond to.

  Since the configuration of the session table 22a 'and the policy table 25 according to the present embodiment is almost the same as that of the third embodiment, detailed description thereof is omitted. The difference is that according to the fourth embodiment, in addition to the content of the service performed by the service processing unit 27, the content of the service transferred to the server 11 and performed by the external service processing unit 15 is changed to the session table 22a ′ and the policy table 25. It can be set to.

  The processing procedure in the processing distribution unit 26, service processing unit 27, and external service processing unit 15 of the present embodiment is shown in FIG. In FIG. 19, the processing from step S51 to step S64 is the same as that in FIG. For example, in the session data in the session table 22a ′ corresponding to the input packet, when the applied service type is “routing” and the routing destination is not written, the service processing unit 27 performs routing in the policy table 25. The table is drawn and the output destination interface and the destination MAC address are written in the session data in the session table 22a ′.

  In this way, referring to the applicable service type of the session table 22a ′, when the server transfer is not set in the applicable service type, as described in FIG. 16, the process according to the applicable service type is performed. In the case of a header rewrite packet, a header rewrite process is performed.

  Furthermore, according to the present embodiment, a part of the service is performed by the external service processing unit 15 in the server 11. For this purpose, the processing distribution unit 26 performs the following procedure in addition to the processing from step S51 to step S64 in FIG.

  That is, the processing distribution unit 26 determines whether or not the input packet is a packet to be transferred to the server 11 by referring to the applied service type field of the session data obtained by searching the session table 22a ′. (Step S71). If “server transfer: ON” and the applicable service type are set in the applicable service type column of the session data (step S71: Yes), the processing distribution unit 26 performs a process of attaching a transfer header to the packet. The processing is distributed to the service processing unit 27. The service processing unit 27 to which the process has been assigned attaches a transfer header to the packet. The contents of the transfer header are, for example, the applicable service type, the session ID of the session data of the packet, and the input interface. Subsequently, the service processing unit 27 transfers the packet to the external service processing unit 15 of the server 11 via the packet communication unit 33 (step S72). The external service processing unit 15 corresponding to the applied service type processes the received packet (step S73).

  The processing flow of the external service processing unit 15 is the same as that shown in FIG. For example, when the routing destination is not determined in the session data, the external service processing unit 15 determines the routing destination and writes the output destination interface and the destination MAC address in the session table 22a '.

  If the input packet is a packet to be subjected to the load distribution service and the distribution destination has not been determined in the session data, the external service processing unit 15 determines the distribution destination server and the corresponding session table. Write in the service-specific information column of the session data in 22a ′. If the input packet is a packet that should receive the filtering discard service, the external service processing unit 15 discards the packet.

  If the input packet is a packet to be subjected to load balancing or NAT service, the external service processing unit 15 sets the source / destination IP address, source / destination port, etc. on the IP header and TCP header of the packet, Rewriting is performed according to the session data in the session table 22a ′.

  The case where the external service processing unit 15 performs the same service as the service content in the network connection device 20 has been described above. However, in the external service processing unit 15, for example, encryption, decryption, proxy, content conversion, Service processing that is not performed on the network connection device 20 such as protocol conversion may be performed.

  As described above, in this embodiment, the network connection apparatus 20 is provided with a packet relay processing function based on session management, and the network connection apparatus 20 performs the function that has been conventionally arranged on the server. As a result, as in the first embodiment, the usage rate of the server CPU can be lowered. As in the first embodiment, even if the routing table is changed during the session, consistency can be maintained for the currently ongoing session. Furthermore, the processing distribution unit 26 is provided with a function for transferring packets to the server, and the server 11 is provided with the external service processing unit 15 so that the service processing can be executed by both the network connection device 20 and the server 11. Service processing that is difficult to realize on the network connection device 20 can be performed by the server 11, and even when the network service requires complicated processing, it can be dealt with.

  Next, a fifth embodiment will be described. FIG. 20 is a diagram showing the configuration of the packet relay processing apparatus according to the fifth embodiment of the present invention. As shown in FIG. 21, the packet relay processing apparatus according to the present embodiment further includes a packet detail analysis unit 16 in the server 11 constituting the packet relay processing apparatus according to the third embodiment. With this configuration, the processing distribution unit 26 of the network connection device 20 transfers the packet to the server 11 according to the given conditions, and the packet detail analysis unit 16 in the server 11 analyzes the packet and provides a service. The determined service content is set in the network connection device 20. Then, for the same session after the setting, the network connection apparatus 20 performs a relay process based on the determined service content.

  In FIG. 20, reference numeral 11 denotes a server. The server 11 includes a service control unit 14 as in the third and fourth embodiments, and the service control unit 14 passes through the control information communication unit 31 as described above. The policy is written in the policy table 25 of the network connection device 20. Furthermore, the service control unit 14 also writes the policy in a detailed analysis policy table (not shown in FIG. 20) provided in the server 11.

  In addition, the server 11 includes a packet detail analysis unit 16, which analyzes a packet based on a session table and policy table for packet detail analysis (not shown) and handles a session including the packet. The service is determined, and the determined service contents are reset in the session data of the session table 22a ′ of the network connection device 20. After resetting, the network connection device 20 performs relay processing based on the service content. The data structure of the session table and policy table for detailed analysis will be described later.

  Similar to the service processing unit 27 and the external service processing unit 15 of the third and fourth embodiments, a plurality of packet detail analysis units 16 are provided in the server 11 according to the applied service type. Therefore, when a new service type is required, it can be easily handled by adding a new packet detail analysis unit 16 corresponding to the new service type to the server 11.

  Reference numeral 20 denotes a network connection device. The network connection device 20 of this embodiment is similar to the third embodiment in that the packet processing unit 21, the session management unit 22, the session table 22a ′, the policy table 25, and the processing distribution unit 26 are used. The service processing unit 27 is provided, and the processing distribution unit 26 has a function of transferring a packet to the server.

  The operations of the packet processing unit 21, session management unit 22, processing distribution unit 26, and service processing unit 27 are the same as those in the third embodiment. Since the data structure of the policy table 25 according to the present embodiment is the same as that of the third embodiment, description thereof is omitted. The data structure of the session table 22a 'according to the present embodiment will be described later.

  In the present embodiment, the server 11 stores the packet to be transferred to the packet detail analysis unit 16 in advance in the application service column of the policy table 25 and the application service application range (for example, http is a packet subject to URL filtering application). Etc.). In the same way as described in the fourth embodiment, the processing distribution unit 26 refers to the policy table 25 to determine a packet to be transferred to the server 11, and attaches the type of applicable service type to the header of the packet. After that, the packet is transferred to the packet detail analysis unit 16 of the server 11 through the packet communication path 33.

  Hereinafter, the data structure of each table according to the present embodiment will be described with reference to FIGS. First, the session table 22a 'according to the present embodiment will be described with reference to FIGS. As shown in FIGS. 21 to 24, items included in the session data stored in the session table 22a 'are the same as those in the session table 22a' shown in FIG. However, according to the present embodiment, after the session data is registered in the session table 22a ′, the packet detail analysis unit 16 analyzes the packet and resets the session data in the session table 22a ′ based on the analysis result. .

  FIG. 21 and FIG. 22 show an example of the session table 22 a ′ when the session management unit 22 registers session data based on the policy table 25. As shown in FIGS. 21 to 22, since analysis by the packet detail analysis unit 16 has not yet been performed, “server transfer: ON” is set in the application service type column of each session data. Accordingly, the session packet corresponding to the session data is transferred to the server 11.

  23 and 24 show an example of the session table 22a 'after the packet detail analysis unit 16 resets the session data based on the packet analysis result. As shown in FIGS. 23 and 24, since the analysis by the packet detail analysis unit 16 is performed, “server transfer: OFF” is displayed in the column of the applied service type of each session data. Accordingly, the session packet corresponding to each session data is not transferred to the server 11 thereafter.

  Further, as a result of the session data being reset by the packet detail analysis unit 16, the session table 22a ′ shown in FIGS. 21 and 22 and the session table 22a ′ shown in FIGS. Different.

  As shown in FIG. 21, “URL filtering” is stored in the application service type column of the session data with session ID = 0 and 1. On the other hand, as a result of packet analysis by the packet detail analysis unit 16, it is determined that the packet is allowed to pass. Therefore, “filtering pass” is stored in the same column of the session data of the same session ID shown in FIG.

  As shown in FIG. 21, “URL load distribution” is stored in the application service type column of the session data with session ID = 2 to 5, but information on the distribution destination server is stored in the unique information column. It has not been. On the other hand, as a result of packet analysis by the packet detail analysis unit 16, the distribution destination server is determined. Therefore, as shown in FIG. 23, session data with session ID = 3 and 4 is deleted, and session ID = 2 and 5 are used. “Header rewriting” is stored in the application service type column of certain session data, and information on the distribution destination server is stored in the unique information column.

  As shown in FIG. 22, “FTP (File Transfer Protocol) filtering” is stored in the application service type column of the session data with session ID = 6 and 7. After that, as a result of packet analysis by the packet detail analysis unit 16, since it was determined to pass the packet of the session, as shown in FIG. 24, in addition to the session data for the control connection with session ID = 6 and 7, Session data for a data connection having session ID = 8 and 9 is newly registered, and “passing filtering” is stored in the applicable service type column of the session data.

  Next, a table provided in the packet detail analysis unit 16 will be described with reference to FIGS. 25 and 26. The packet detailed analysis unit 16 includes a detailed analysis session table and a detailed analysis policy table in order to analyze the packet.

  FIG. 25 shows a configuration example of the session table for detailed analysis. The detailed analysis session table shown in FIG. 25 corresponds to the session table 22a 'shown in FIGS. As shown in FIG. 25, the session data stored in the session table for detailed analysis includes a session ID, a session search key, a session state, a related session, and an applicable service type as items. Items other than the related session are the same as the session data stored in the session table 22a '. The related session is a session ID of a session determined to be related as a result of the packet detail analysis unit 16 analyzing the packet. The session data in the session table for detailed analysis is registered by the packet detailed analysis unit 16 when performing the detailed analysis based on the session data stored in the session table 22a ′, and when the detailed analysis ends, the packet detailed analysis unit 16 Deleted by.

  FIG. 26 shows a configuration example of the detailed analysis policy table. The detailed analysis policy table shown in FIG. 26 stores a more detailed policy than the policy table 25 shown in FIG. For example, with respect to URL filtering, a URL table for URL filtering indicating whether or not to discard a packet for each URL is provided in the detailed analysis policy table. For FTP filtering, for example, an FTP filtering table indicating whether a packet should be passed or discarded is provided for each IP address and port number. Furthermore, for example, with respect to URL load distribution, a URL load distribution table indicating a distribution destination server candidate IP address and a distribution method is provided for each URL. The detailed analysis session table shown in FIG. 25 corresponds to the session table 22a 'shown in FIGS.

  The operation concept of the packet relay processing apparatus according to the fifth embodiment will be described below with reference to FIG. In FIG. 27, a solid line arrow indicates the direction in which the packet proceeds, and a broken line arrow indicates reading data in the table and writing data to the table.

  First, the service control unit 14 in the server 11 writes the policy in the policy table 25 of the network connection device 20 and the detailed analysis policy table in the packet detailed analysis unit 16 via the control information communication unit 31 (arrow A11). ).

  Subsequently, when a packet is input to the network connection device 20, the session management unit 22 refers to the policy table 25 using information stored in the header of the packet, and the information in the header matches the policy search key. A policy is acquired, session data is created based on the policy, and stored in the session table 22a ′ (arrow A12).

  When “server transfer: ON” is stored in the applicable service type column of the session data, the processing distribution unit 26 transfers the packet to the packet detail analysis unit 16 via the packet communication unit 33. The packet detailed analysis 16 analyzes the packet using the detailed analysis policy table and the detailed analysis session table (arrow A13). The packet detail analysis unit 16 resets the session data stored in the session table 22a 'in the network connection device 20 based on the packet analysis result (arrow A14). After the packet analysis, the packet input to the network connection device 20 is processed by the service processing unit 27 without being analyzed by the packet detail analysis unit 16 and output from the network connection device 20 (arrow A15).

  The operation of the packet relay processing apparatus according to the fifth embodiment will be described below. The procedure of the processing by the packet processing unit 21 and the session management unit 22 is the same as that in the first to fourth embodiments, and thus description thereof is omitted. Hereinafter, the processing procedure by the processing distribution unit 26, the service processing unit 27, and the packet detail analysis unit 16 will be described with emphasis.

  FIG. 28 is a diagram illustrating a processing flow of the processing distribution unit 26 and the service processing unit 27. Of the processes shown in FIG. 28, the processes up to the header rewriting process (step S64) are the same as those in FIG. Further, according to the fifth embodiment, the processing distribution unit 26 determines whether or not the input packet is a corresponding packet to be transferred to the server 11 based on the applicable service type included in the session data (Step S1). S81). If “server transfer: ON” and the applicable service type are set in the applied service type, the distribution processing unit 26 determines that the packet is to be transferred to the server 11 (step S81: Yes). ), The process is distributed to the service processing unit 27 that performs the process of attaching the transfer header to the packet. The service processing unit 27 to which the process has been assigned attaches a transfer header to the packet. The contents of the transfer header are the same as in the fourth embodiment. The packet with the transfer header is transferred to the packet detail analysis unit 16 of the server 11 via the packet communication unit 33 (step S82). The packet detail analysis unit 16 analyzes the received packet, and resets the session data stored in the session table 22a 'via the control information communication unit 31 based on the analysis result (step S83).

  FIG. 29 is a flowchart illustrating a processing procedure of the packet detail analysis unit 16. The process shown in FIG. 29 corresponds to step S83 in FIG. In the present embodiment, as an example, a case where URL filtering, URL load distribution, and FTP filtering service are provided using the packet detail analysis unit 16 will be described.

First, the URL filtering service will be described.
The service control unit 14 of the server 11 sets a policy “transfer packet to the packet detail analysis unit 16 and performs URL filtering” in the policy table 25 via the control communication information unit 31 in advance.

Based on the set conditions, the processing distribution unit 26 of the network connection device 20 transfers the packet to the packet detail analysis unit 16.
Based on the applied service type “URL filtering” included in the transfer header of the received packet, the packet detail analysis unit 16 determines that the packet is to be subjected to the URL filtering service. The packet detail analysis unit 16 creates session data based on the information included in the received packet and stores it in the detail analysis session table (step S91: Yes). Thereafter, the packet detail analysis unit 16 manages the state of the session, and outputs the received packet as it is to the network until an HTTP GET request is received.

  If an HTTP GET request is received after the session state becomes ESTAB (step S92: Yes), the packet detail analysis unit 16 determines the URL and determines whether to pass or discard the packet. That is, the packet detail analysis unit 16 determines the passage / discard of the packet by referring to the URL filtering URL table included in the preset detailed analysis policy table using the URL included in the packet. (Step S93).

  When it is determined that the packet is to be discarded (step S93: Yes), the packet detail analysis unit 16 discards the packet of the session (step S103). Further, the packet detail analysis unit 16 refers to the session table 22a ′ by using the session ID included in the packet, and sets the application service type column of the session data corresponding to the session ID to “server transfer: ON / URL filtering”. To “discard” (not shown).

  If it is determined that the packet is allowed to pass (step S93: No), the packet detail analysis unit 16 refers to the session table 22a ′, and applies the service type of the session data corresponding to the session ID included in the packet. Is rewritten from “server transfer: ON / URL filtering” to “filtering pass” (step S94). In the session table 22a 'shown in FIGS. 21 and 23, the session data with session ID = 0 and 1 are examples of session data before and after packet analysis in the case of URL filtering.

  After resetting the session data in the session table 22a ', the packet detail analysis unit 16 deletes the session data corresponding to the session ID from the detail analysis session table (not shown).

  As described above, the packet detail analysis unit 16 resets the application type of the session data in the session table 22a ′ of the network connection device 20 from “server transfer: ON” to “filtering pass” or “discard”. Then, the network connection device 20 processes subsequent packets according to the passage condition. That is, the network connection device 20 passes or discards the packet without transferring the packet to the packet detail analysis unit 16 of the server 11.

FIG. 30 is a diagram for explaining the URL filtering operation.
Exchange of SYN, SYN_ACK and ACK packets between the client and server. Until the session transitions to the ESTAB state, these packets are transferred from the network connection device 20 to the packet detail analysis unit 16, and the packet detail analysis unit 16 manages the state of the session. That is, processing is performed by the “network connection device 20” and the “server 11”.

  When the session transitions to the ESTAB state and receives an HTTP GET request (URL is attached as GET “http://www.xxx.co.jp”), the packet detail analysis unit 16 of the server 11 The URL filtering URL table included in the detailed analysis policy is referred to determine whether the URL packet is a packet to be discarded or passed, and based on the determination result, the session table 22a ′ Rewrite the entry in the applicable service type column to “discard” or “pass”.

  Thereafter, the network connection device 20 discards or passes the packet until the session is ended according to the applied service type set in the session table 22a '. That is, processing is performed by the “network connection device 20”.

Next, returning to FIG. 29, the URL load distribution service will be described.
In URL load distribution, for example, after a client accesses a representative server, another server connected to the representative server is determined as a distribution destination server based on the URL, and a session is distributed to the distribution destination server. The load can be distributed to a plurality of distribution destination servers.

  When performing URL load distribution, first, the service control unit 14 of the server 11 sets a policy “transfer packet to the packet detail analysis unit 16 and performs URL load distribution” in the policy table 25 via the control communication information unit 31. Set in the applicable service type column.

Based on the set conditions, the processing distribution unit 26 of the network connection device 20 transfers the packet to the packet detail analysis unit 16 of the server 11.
Based on the application service type “URL load distribution” included in the received packet, the packet detail analysis unit 16 determines that the packet is to be subjected to the URL load distribution service. The packet detailed analysis unit 16 creates session data based on the information included in the received packet, and stores it in the detailed analysis session table, as in the case of URL filtering. Further, the packet detail analysis unit 16 makes a proxy response based on the source address, the destination address, the port number, etc. included in the header of the packet, registers the mutually related session data, and stores the related session field of the session data. The session ID of the related session data is stored in (Step S95: Yes).

  In the session table for detailed analysis shown in FIG. 25, session data with session ID = 2 to 5 is an example of session data in the case of URL load distribution. In FIG. 25, session data with session ID = 2 correlates with session data with session ID = 4, and session data with session ID = 3 correlates with session data with session ID = 5. You can see that

  The packet detail analysis unit 16 establishes a connection between the client and the server 11, and thereafter manages the session state. The packet detail analysis unit 16 has a function of terminating TCP (Transmission Control Protocol), and until the distribution destination server determines, the packet detail analysis unit 16 sends a response to the client instead of the distribution destination server. Do. If the packet detail analysis unit 16 receives an HTTP GET request after the session state becomes ESTAB (step S96: Yes), the packet detail analysis unit 16 sets in advance using the URL included in the packet. The distribution destination server is determined with reference to the URL load distribution table included in the detailed analysis policy table (step S97). Thereafter, the server 11 establishes a connection with the distribution destination server by exchanging SYN, SYN_ACK, and ACK packets.

  Further, the packet detail analysis unit 16 refers to the session data 22a 'of the network connection device 20, and acquires session data corresponding to the session ID included in the packet. The packet detail analysis unit 16 rewrites the applicable service type included in the acquired session data from “server transfer: ON / URL load distribution” to “server transfer: OFF / header rewrite”. Further, the packet detail analysis unit 16 sets the IP address: port number and sequence number / ACK number difference in the field of unique information of the session data according to the determined IP address of the allocation destination server (step S98). ). As a result, two session data determined to be related to each other are combined into one session data, so that two connections can be handled as one connection. Further, the packet detail analysis unit 16 deletes the remaining two unnecessary data from the session table 22a 'out of the four session data.

  After resetting the session data in the session table 22a ', the packet detail analysis unit 16 deletes the session data corresponding to the session ID from the detail analysis session table (not shown). Then, the server 11 sends an HTTP GET request to the distribution destination server.

  The session data having session IDs 2 to 5 in the session table 22a 'shown in FIGS. 21 and 23 are examples of session data before and after packet analysis in the case of URL load distribution. The two connections indicated by the two session data having session ID = 2 and 4 in FIG. 21 are grouped into one connection indicated by the session data having session ID = 2 in FIG. Similarly, the two connections indicated by the two session data with session ID = 3 and 5 in FIG. 21 are grouped into one connection indicated by the session data with session ID = 5 in FIG.

  After analyzing the packet, the packet is not sent to the packet detail analysis unit 16. The service processing unit 27 that performs the header rewriting process of the network connection device 20 rewrites the IP address: port number, sequence number, and ACK number in the packet based on the unique information in the session data stored in the session table 22a ′. After that, the packet is output to the network.

FIG. 31 is a diagram for explaining the operation of the URL load balancing service.
As shown in FIG. 31, SYN, SYN_ACK, and ACK packets are exchanged between the client and the packet relay processing device. When the session transitions to the ESTAB state and an HTTP GET request is received, the packet detail analysis unit 16 determines the URL of the GET request and determines a distribution destination server.

  Next, as described above, the SYN, SYN_ACK, and ACK packets are exchanged between the packet relay processing apparatus and the distribution destination server, and an HTTP GET request is transmitted to the distribution destination server. Up to this point, processing is performed by “network connection device 20” + “server 11”.

  After sending an HTTP GET request from the packet relay processing device to the distribution destination server, the network connection device 20 uses the session data stored in the session table 22a ′ until the session ends, and the client and the distribution destination Performs relay processing with the server.

  Next, returning to FIG. 29, the FTP filtering service will be described. FTP consists of a plurality of TCP connections including a control connection for control and one or more data connections for data transfer.

  The service control unit 14 of the server 11 sets a policy “transfer packet to the packet detail analysis unit 16 and performs FTP filtering” in the policy table 25 via the control communication information unit in advance.

  Based on the set condition, the processing distribution unit 26 of the network connection device 20 transfers the packet to the detailed analysis unit 16. As in the case of URL filtering, the packet detail analysis unit 16 determines that the packet is to be subjected to the FTP filtering service based on the applied service type included in the received packet, and the packet detail analysis unit 16 Stores the session data in the session table for detailed analysis (step S99: Yes). Subsequently, the packet detail analysis unit 16 manages the session state and outputs the received packet to the network as it is.

  After the session state becomes ESTAB, as shown in FIG. 32, when the ACK packet of the FTP PORT command or the PASV command is received (step S100: Yes), the packet detail analysis unit 16 receives the IP included in the packet. The address and port number are determined, and based on the determination result, it is determined whether to pass or discard the packet of the session (step S101).

  That is, the packet detail analysis unit 16 refers to the FTP filtering table in the detailed analysis policy table set in advance using the IP address and the port number, and determines whether to pass or discard the packet of the session. To do. When it is determined that the packet is to be discarded (step S101: Yes), the packet detail analysis unit 16 acquires the session data corresponding to the session ID included in the packet transfer header from the session table 22a ′, and the session data "Discard" is set in the column of the applicable service type, and the packet is discarded (step S103).

  If it is determined that the packet is allowed to pass (step S101: No), the packet detail analysis unit 16 determines the IP address and port number described in the data part of the ACK packet of the previous PORT command or PASV command. Based on the above, the session data for the data connection is registered in the session table 22a ′, and “passing filtering” is set in the application service type column of the session data (step S102).

  When the packet detail analysis unit 16 resets the session data in the session table 22a 'as described above, the network connection device 20 processes a packet related to the subsequent data connection in accordance with the passage condition. That is, the packet is passed or discarded without being transferred to the packet detail analysis unit 16 of the server 11.

  FIG. 32 is a diagram for explaining the operation of the FTP filtering. Until the SYN, SYN_ACK, and ACK packets are exchanged between the client and the server 11 and the state transits to the ESTAB state, the packet is transferred to the packet detailed analysis unit 16, and “network connection device 20” + “server 11”. Processing is performed.

  When the session state transits to the ESTAB state and receives an FTP PORT command or an ACK (PASV command) ACK (IP address and port number are attached), the packet detail analysis unit 16 receives the IP address and port included in the packet. By referring to the detailed analysis policy table using the number, it is determined whether the packet should be discarded or passed. When it is determined that the packet is to be discarded, the packet detail analysis unit 16 sets that the packet is to be discarded in the session data of the session table 22a '. When it is determined that the packet is allowed to pass, the packet detail analysis unit 16 registers the session data for the data connection in the session table 22a ′ and resets “pass” in the applicable service type column. Thereafter, the network connection device 20 performs a packet discard process or a data connection packet passage process.

  Finally, when the packet relay processing device receives the FIN packet of the control connection from the client, the packet is transferred from the network connection device 20 to the session detail analysis unit 16 of the server 11 via the packet communication unit 33. The server 11 performs the session closing process via the session detail analysis unit 16. Further, the session detail analysis unit 16 deletes the session data regarding the session to be closed based on the session ID included in the packet transfer header.

  Hereinafter, the flow of packets in the fifth embodiment will be described with reference to FIGS. 33 and 34, taking the case of the URL load distribution service as an example. Each figure corresponds to session data of session ID = 2 to 5 stored in the session table shown in FIG. 21, FIG. 23, and FIG. FIG. 33 shows a packet flow before session data is reset by the packet detail analysis unit 16.

  Before the session data is reset, as shown by an arrow A21, “destination address: port number = 192.168.200.1: http” is transmitted from the client whose address: port number is 192.168.30.30:11950 to the network connection device 20. A packet P11 having a header of “original address: port number = 192.168.30.30: 11950” is transmitted. The session management unit 22 of the network connection device 20 refers to the policy table 25, acquires a policy whose information in the header matches the policy search key, and creates session data with session ID = 2 based on the policy. And stored in the session table 22a ′.

  Since the applicable service type in the session data is “server transfer: ON / URL load distribution”, the processing distribution unit 26 in the network connection device 20 distributes the processing to the service processing unit 27 that performs server transfer processing. After the service processing unit 27 to which the process has been assigned attaches a transfer header to the packet, the packet is transferred to the server 11 as indicated by an arrow A22. The packet detail analysis unit 16 of the server 11 registers the session data in the detail analysis session table based on the information included in the transferred packet.

  Similarly, when the packets P12, P13, and P14 are output from the server 11 to the client via the paths indicated by arrows A23 to A28, the session data with session IDs = 3, 4, and 5 are respectively stored in the session. The session management unit 22 stores the data in the table 22a ′, and the corresponding session data is stored in the detailed analysis session table by the packet detailed analysis unit 16.

  After registering the session data in each session table, the packet detail analysis unit 16 manages the state of each session until receiving an HTTP GET request, and based on the packet flow shown in FIG. Output to.

  After that, when an HTTP GET request is received after the session state becomes ESTAB, the packet detail analysis unit 16 analyzes the packet, and sets the session data stored in the session table 22a ′ based on the analysis result. fix. The session data after resetting is as shown in FIG.

  FIG. 34 shows a packet flow after the session data is reset by the packet detail analysis unit 16. After the session data is reset, the destination server: 192.168.200.1:3333 as the port number and the source address: 192.168.200.10 as the port number, as indicated by arrow A31, from the distribution destination server to the network connection device 20. When the packet P14 storing “: 8080” in the header is transmitted, the processing distribution unit 26 of the network connection device 20 refers to the session table 22a ′ using the information included in the header of the packet, and sets the session ID = 5 is acquired, and the process is distributed to the service processing unit 27 that performs the header rewriting process based on the session data. Based on the session data, the service processing unit 27 rewrites the destination address and port number in the packet header to “192.168.30.30:11950” and the client address and port number to “192.168.200.1:http”. Thus, the packet P12 is created. Thereafter, as indicated by an arrow A32, the network connection device 20 outputs the packet P12 to the distribution destination server.

  Similarly, as indicated by an arrow A33, from the client whose address: port number is 192.168.30.30:11950 to the network connection device 20, “destination address: port number = 192.168.200.1: http, transmission source address: port number = 192.168”. .30.30: 11950 "in the header is transmitted. The processing distribution unit 26 of the network connection device 20 refers to the session table 22a ′ using information included in the header of the packet, and acquires session data with session ID = 2. In this example, since “server transfer: OFF / header rewriting” is stored in the applicable service type column of the acquired session data, the processing distribution unit 26 performs processing on the service processing unit 27 that performs header rewriting processing. Sort out. Based on the session data, the service processing unit 27 rewrites the packet P13 by rewriting the destination address and port number in the header of the packet with the address and port number of the distribution destination server to “192.168.200.10:8080”. create. Thereafter, the network connection device 20 outputs the packet P13 to the distribution destination server as indicated by an arrow A34.

  As described above, after the session detail analysis unit 16 rewrites the session data based on the analysis result of the packet, the network connection device 20 performs the relay process of the packet without going through the server 11.

  As described above, in the present embodiment, the network connection device 20 is provided with a packet relay processing function based on session management, and the network connection device 20 performs the function that is conventionally arranged on the server. As in the embodiment, the usage rate of the CPU of the server 11 can be lowered. As in the first embodiment, even if the routing table is changed during the session, consistency can be maintained for the currently ongoing session.

  Further, according to the fifth embodiment, the packet detail analysis unit 16 of the server 11 analyzes the packet to determine the service, sets the determined service content in the network connection device 20, and thereafter connects to the same session through the network connection. The apparatus 20 performs a relay process based on the determined service content. Therefore, service processing can be realized at a higher speed than when all processing is performed by the server 11.

  Hereinafter, modifications of each embodiment will be described. First, a first modification will be described. In the first to fifth embodiments, by applying the first modification, the session data is not deleted immediately after the session is ended, but the session data is stored in the session table 22a ′ after a predetermined time has elapsed. It is good to do.

  Therefore, according to the first modification, as shown in FIGS. 13 and 14 and FIGS. 21 to 24, the policy table 25 and the session table 22a ′ further include a consistency retention time. Hereinafter, processing performed by the packet relay processing apparatus according to the first modification will be described. In the first modification, part of the processing performed by the session management unit 22 is different from the first to fifth embodiments. Processing performed by the session management unit 22 when the first modification is applied will be described with reference to FIG.

  In step S17 of FIG. 5, when the session management unit 22 determines that a certain session is closed (step S17: Yes), the session management unit 22 sets a timer. After waiting for the consistency holding time included in the session data, the session management unit 22 proceeds to step S18 in FIG. 5 and deletes the session data from the session table 22a '.

  As a result, if the session is reestablished after the session ends and before the consistency retention time elapses, if there is no change in the session search key, the session management unit 22 sets the session first. It can be handled as the same session as the session that ended. For example, in the load distribution service, it is possible to distribute packets to the same distribution destination server between a session once completed and a session reestablished. Furthermore, since the search of the policy table 25 by the session management unit 22 and the transfer of the packet to the server 11 by the processing distribution unit 26 can be omitted, the packet can be processed at high speed.

  Next, a second modification will be described. In the third to fifth embodiments, the second modification may be applied so that the policy applied to the session can be easily switched. Therefore, according to the second modification, a plurality of policies are divided into several groups. Furthermore, as shown in FIG. 14, the policy stored in the policy table 25 further includes, as an item, a group ID for identifying the group to which the policy belongs, and the network connection device 20 further includes a flag table shown in FIG. .

  Hereinafter, the data structure of the flag table will be described with reference to FIG. As shown in FIG. 35, the flag table stores a flag indicating the validity / invalidity of the policy corresponding to the group ID. In FIG. 35, as an example, the policy is invalid when the flag is “off (0)”, and the policy is valid when the flag is “on (1)”.

  Hereinafter, processing performed by the packet relay processing apparatus according to the second modification will be described. In the second modification, part of the processing performed by the session management unit 22 is different from the third to fifth embodiments. As an example, referring to FIG. 15 showing processing performed by the session management unit 22 according to the third embodiment, the processing performed by the session management unit 22 changes by applying the second modification to each embodiment. The point will be described in detail.

  In the second modified example, the session management unit 22 further performs the following processing between step S43 and step S44 in FIG. First, in step S43, the session management unit 22 searches the policy table 25 to obtain a policy having a policy search key that matches information stored in the header of the packet. The session management unit 22 refers to the flag table using the group ID included in the obtained policy, and determines whether the flag corresponding to the group ID is on or off.

  If the flag is off as a result of the determination, the session management unit 22 does not adopt the policy. On the other hand, when the flag is on, the session management unit 22 adopts the policy. In step S44, the session management unit 22 creates session data based on the policy and stores it in the session table 22a '. As a result, the policy to be adopted can be switched for each group.

  For example, when a plurality of normal policies and a plurality of emergency policies are created, according to the second modification, a normal group consisting of normal policies and an emergency policy consisting of emergency policies in advance A group is defined, and both a normal policy and an emergency policy are registered in the policy table 25. In the flag table, a flag corresponding to a group that the user of the packet relay processing apparatus wants to validate, that is, a normal group or an emergency group is turned on. As a result, the normal policy and the emergency policy can be easily switched for each group.

  Next, a third modification will be described. In the third to fifth embodiments, it is possible to collect a packet log by applying the third modification. Therefore, according to the third modification, the session data and the policy stored in the policy table 25 and the session table 22a ′ shown in FIGS. 13 and 14 and FIGS. 21 to 24 further include an event flag as an item. .

  The event flag includes an event flag related to a packet and an event flag related to a header. When the event flag regarding the packet is “ON (1)”, the packet is transferred to the server 11 in order to collect a log (history). When the event flag related to the header is on, the header of the packet is transferred to the server 11 in order to collect a log. The server 11 analyzes the transferred packet or the packet header and collects a log. Thus, for example, when a failure occurs in the system, it is possible to obtain useful information for recovering from the failure by analyzing the collected log using network management software.

  Next, a fourth modification will be described. According to the fourth modification, the network connection device 20 according to the first to fifth embodiments further includes a counter (not shown) in order to obtain statistical information about the packet. The network control unit 12 or the service control unit 14 of the server 11 refers to the counter value. As the statistical information, for example, the number of packet inputs and the number of outputs for each interface can be considered. This statistical information can be used when charging a client or the like.

  For the third to fifth embodiments, the number of sessions to which the policy is applied for each policy stored in the policy table 25 as statistical information, that is, the number of times the policy has been hit. It is also possible to obtain the number of policy hits.

  Therefore, according to the fourth modified example, as shown in FIG. 14, the policy stored in the policy table 25 further includes the number of policy hits as an item. When the session management unit 22 acquires a policy to be applied with reference to the policy table 25 in order to register the session data related to the new session in the session table 22a ′, the counter calculates the policy hit of the acquired policy. Increment the number. As a result, the network administrator can obtain information for determining whether or not the policy is effectively used.

  In addition, for the third to fifth embodiments, as the statistical information, for each distribution destination server in the load balancing service, a distribution destination hit number indicating the number of times the session has been distributed is obtained. Also good.

  For this purpose, the policy relating to the load distribution service stored in the policy table 25 shown in FIG. 14 or the detailed analysis policy table shown in FIG. 26 further includes, as an item, the number of destination hits for each destination server address. Including. Each time the service processing unit 27 or the packet detail analysis unit 16 performs a process of determining a session allocation server, the counter calculates the number of allocation destination hits corresponding to the server determined as the allocation destination server. Increment. As a result, the network administrator can obtain information for determining whether or not the load balancing distribution method is operating effectively.

  A program indicating processing performed by each unit configuring the network connection device 20 and each unit configuring the server 11 described in the present embodiment is recorded in a memory such as a RAM (Random Access Memory) and a ROM (Read Only Memory), respectively. The packet relay processing apparatus may be provided as hardware or software. Hereinafter, this case will be described.

  FIG. 36 shows the configuration of a computer (information processing apparatus). As shown in FIG. 36, the computer 40 includes at least a CPU 41 and a memory 42. Further, the computer 40 may include an input device 43, an output device 44, an external storage device 45, a medium driving device 46, and a network interface 47. The devices are connected to each other by a bus 48.

  The memory 42 includes, for example, a ROM, a RAM, and the like, and stores programs and data used for processing. The CPU 41 performs necessary processing by executing a program using the memory 42.

  When realizing functions corresponding to the server 11 and the network connection device 20 constituting the packet relay processing device in two or more computers 40, first, the packet relay processing device shown in FIGS. 2, 10, 12, 18, and 20 is configured. A program showing the processing performed by each unit is prepared. Then, a program (hereinafter, referred to as a program for the server 11) indicating processing performed by each unit provided in the server 11 is stored in a specific program code segment of the memory 42 in the computer in which the server 11 is to be realized.

  Further, a program (hereinafter referred to as a program for the network connection device 20) indicating processing performed by each unit included in the network connection device 20 is converted into a specific program code segment in the memory 42 in the computer in which the network connection device 20 is to be realized. To store. Here, the CPU of the computer that should realize the network connection device 20 is, for example, a network processor. In addition, the process performed by each part mentioned above is demonstrated using each flowchart in the above.

  The input device 43 is, for example, a keyboard, a pointing device, a touch panel, and the like, and is used for inputting instructions and information from the user. The output device 44 is, for example, a display or a printer, and is used for outputting an inquiry to a user of the computer 40, a processing result, and the like.

  The external storage device 45 is, for example, a magnetic disk device, an optical disk device, a magneto-optical disk device, or the like. The above-described program and data can be stored in the external storage device 45, and loaded into the memory 42 for use as required.

  The medium driving device 46 drives a portable recording medium 49 and accesses the recorded contents. As a portable recording medium 49, a memory card, a memory stick, a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an optical disk, a magneto-optical disk, a DVD (Digital Versatile Disk), and the like can be read by any computer. A medium is used. The above-described program and data can be stored in the portable recording medium 49, and loaded into the memory 42 for use as required.

  The network interface 47 communicates with an external device via an arbitrary network (line) such as a LAN or a WAN, and performs data conversion accompanying the communication. If necessary, the above-described program and data can be received from an external device and loaded into the memory 42 for use.

FIG. 37 is a diagram for explaining computer-readable recording media and transmission signals that can supply programs and data to the computer of FIG.
By using the recording medium, the above-mentioned program and data stored in each table are supplied to the computer that should realize the server 11 and the computer that should realize the network connection device 20, thereby performing packet relay processing on two or more computers. It is also possible to perform functions corresponding to the apparatus.

  For this purpose, the above-described program and data are stored in advance in a computer-readable recording medium 49. Then, as shown in FIG. 37, the medium drive device 46 is used to cause the computer for the server 11 to read a program for the server 11 from the recording medium 49 and the memory 42 of the computer (server 11). Or temporarily stored in the external storage device 45, and the stored program is read and executed by the CPU 41 of the computer (server 11).

  Similarly, a program or the like for the network connection device 20 is temporarily stored in the memory 42 or the like of the computer that should realize the network connection device 20 from the recording medium 49 and stored in the CPU 41 of the computer (network connection device 20). Is read and executed.

  Further, instead of causing the computer to realize the server 11 and the computer to realize the network connection device 20 to read the program or the like from the recording medium 49, a communication line (network) is obtained from the DB 50 possessed by the program (data) provider. It is good also as downloading a program to each computer via 51. In this case, for example, in a computer having the DB 50 and transmitting a program, the program data representing the program is converted into a program data signal, and the converted program data signal is modulated using a modem. To obtain a transmission signal and output the obtained transmission signal to the communication line 51 (transmission medium). The computer that receives the program obtains the program data signal by demodulating the received transmission signal using a modem, and obtains the program data by converting the obtained program data signal.

  Next, with reference to FIG. 38, the loading of programs and data to the computer that implements the server 11 and the computer that implements the network connection device 20 will be described in more detail with examples.

  As shown in FIG. 38, the computer which should implement | achieve the server 11 and the network connection apparatus 20 is each provided with CPU and memory, and is connected via the above-mentioned control information communication part 31. FIG. For example, when the control information communication unit 31 is a PCI bus, the network connection device 20 may be realized as a PCI NIC (Network Interface Card).

  For example, when there is a recording medium in which a program for the server 11 and the like and a program for the network connection device 20 (firmware) are recorded, first, a medium driving device (not shown) provided in a computer that implements the server 11 is used. Then, the program for the server 11 and the program for the network connection device 20 are loaded from the recording medium into the memory of the server 11 (arrow A41). Subsequently, the network connection device 20 program stored in the memory of the server 11 is loaded into the memory of the network connection device 20 via the control information communication unit 31 (arrow 42). In this way, necessary programs and the like can be supplied to the computer that implements the server 11 and the computer that implements the network connection device 20, respectively. The CPU of the server 11 executes the program for the server 11 loaded in the memory of the server 11, and the CPU of the network connection apparatus 20 executes the program for the network connection apparatus 20 loaded in the memory of the network connection apparatus 20. To do.

  Needless to say, instead of loading a program or the like from a recording medium as described above, it may be recorded in a ROM or the like in advance. Moreover, it is good also as supplying a program etc. to the computer which should implement | achieve the server 11 using a transmission signal instead of a recording medium.

  Further, in the network connection device 20, each unit constituting the network connection device 20 may be configured by hardware using an ASIC (Application Specific Integrated Circuit) instead of the CPU.

As mentioned above, although embodiment of this invention was described, this invention is not limited to embodiment mentioned above, Various other changes are possible.
As described above, the following effects can be obtained in the present invention.
(1) A packet relay processing unit based on session management is provided in the network connection device, and relay processing based on session management is performed by the network connection device. Thereby, the CPU usage rate of the server can be lowered. Also, by managing the session on the network connection device and registering the output destination in the session table at the start of the session, even if the routing table is changed during the session, consistency is maintained for the ongoing session it can.
(2) By providing an external session management function in the server of the packet relay processing device, transferring session information from the network connection device to the server, and performing session management by the server, the number of sessions is the number of sessions registered in the network connection device. Even if the number exceeds the limit, the overflow of the network connection device can be managed by the server.
<3> By arranging the processing distribution unit and the plurality of service processing units in a network connection device capable of processing at higher speed than the server, the CPU usage rate of the server can be reduced and the service processing speeded up. be able to.
(4) By providing an external service processing unit in the server and enabling the service processing to be executed by both the network connection device and the server, service processing that is difficult to realize on the network connection device 2 is performed by the server. In addition, by allowing the network connection device to perform relay processing based on the determined service content, it is possible to realize service processing at a higher speed than when all processing is performed by the server.
(Supplementary note 1) A packet relay processing device having a network connection device,
A session management unit for managing a session by the network connection device;
A packet relay processing apparatus comprising: a packet processing unit that relays a packet based on session management by the session management unit.
(Supplementary Note 2) The network connection device further includes a routing table that stores routing information related to a routing destination of the packet;
A routing processing unit for determining a routing destination of the packet based on the routing information at the start of the session;
The packet processing unit outputs the packet to the routing destination;
The packet relay processing device according to appendix 1, wherein:
(Additional remark 3) The said packet relay processing apparatus is further provided with the server,
The server includes a network control unit that writes the routing information in the routing table.
The packet relay processing device according to appendix 1, wherein:
(Additional remark 4) The said packet relay processing apparatus is further provided with the server,
The server includes an external session management unit that manages the session,
The session management unit transfers session information related to the session to the server according to a given condition,
The external session management unit manages the session based on the received session information.
The packet relay processing device according to appendix 1, wherein:
(Supplementary Note 5) The network connection device further includes a processing distribution unit and a plurality of service processing units,
The processing distribution unit distributes the packet to at least one of the plurality of service processing units based on a service content for the packet,
The service processing unit to which the packet is distributed executes service processing for the packet.
The packet relay processing device according to appendix 1, wherein:
(Appendix 6) The packet relay processing apparatus further includes a server,
The server includes an external service processing unit,
The processing distribution unit transfers the packet to the server according to a given condition,
The external service processing unit executes a service for the received packet.
The packet relay processing device according to appendix 5, wherein
(Supplementary Note 7) The packet relay processing device further includes a server,
The server includes a packet detail analysis unit,
The network connection device further includes a processing distribution unit and a service processing unit,
The processing distribution unit transfers the packet to the packet detail analysis unit according to a given condition,
The packet detail analysis unit determines the service content for the packet by analyzing the packet, sets the determined service content in the network connection device,
After the setting, the network connection device processes the packet based on the determined service content.
The packet relay processing device according to appendix 1, wherein:
(Supplementary note 8) The packet relay processing device according to supplementary note 5, wherein the service processing unit has a function of rewriting a header of the packet.
(Supplementary note 9) The packet relay processing device according to supplementary note 5, wherein the service processing unit has a function of discarding a packet.
(Supplementary note 10) The packet relay processing device according to supplementary note 5, wherein the service processing unit has a function of determining a load distribution destination for load distribution of the server.
(Additional remark 11) The said network connection apparatus is provided with the session table which stores the session information regarding the said session, and the policy table which stores the policy describing the rule for performing the service with respect to the said packet,
When the session management unit receives the packet, the session management unit searches the session table using information included in the packet as a search key,
As a result of the search, if the corresponding session information is not registered in the session table, the session management unit further acquires the policy from the policy table based on a search key for information included in the packet. Based on the acquired policy, the session information is written to the session table,
As a result of the search, if the corresponding session information is registered in the session table, the session management unit manages the session information stored in the session table based on the state of the session. The packet relay processing device according to appendix 5, which is a feature.
(Supplementary Note 12) The packet relay processing apparatus includes a server,
The server includes a service control unit that writes the policy in the policy table.
The packet relay processing device according to appendix 11, characterized in that.
(Additional remark 13) The said search key at the time of searching the said session table contains the destination and transmission source IP address of an IP packet, a protocol, a destination and transmission source port number, and an input interface, The additional description 11 characterized by the above-mentioned. Packet relay processing device.
(Supplementary note 14) The packet relay processing device according to supplementary note 11, wherein the session table includes, as entries, the search key, the state of the session, an application service, and information unique to the application service.
(Supplementary Note 15) The policy table has entries of IP packet destination and source IP address, protocol, destination and source port number, application service, information unique to the application service, and priority. The packet relay processing device according to attachment 11.
(Supplementary note 16) The packet according to supplementary note 1, wherein the session management unit further deletes session information related to the terminated session from the session table after a predetermined time has elapsed since the session was terminated. Relay processing device.
(Additional remark 17) The said network connection apparatus is further provided with the counter for acquiring the statistical information regarding a packet, The packet relay processing apparatus of Additional remark 1 characterized by the above-mentioned.
(Appendix 18) Multiple policies are divided into multiple groups,
The packet relay processing device according to appendix 11, wherein the network connection device further sets whether or not each policy is valid for each group.
(Supplementary note 19) The packet relay processing device according to supplementary note 12, wherein the network connection device further transfers at least a part of the packet to the server in order to collect a log of the packet.
(Supplementary note 20) The packet relay processing device according to supplementary note 18, wherein a part of the packet is a header of the packet.
(Supplementary Note 21) The session information includes server transfer instruction information indicating whether or not to transfer the packet to the server, and the processing distribution unit transmits the packet based on the server transfer instruction information. 13. The packet relay processing device according to appendix 12, wherein it is determined whether or not to transfer to a server.
(Supplementary Note 22) When the packet transferred to the server is an HTTP protocol GET packet, the packet detail analysis unit further provides a service for the packet based on a URL (Uniform Resource Locator) included in the packet. Decide
The packet relay processing device according to appendix 7, wherein
(Additional remark 23) The said packet detailed analysis part is further based on the IP address and port number of the data connection of the said session, when the said packet transferred to the said server is a PORT command of FTP protocol, or ACK of a PASV command. To determine the service for the packet,
The packet relay processing device according to appendix 7, wherein
(Additional remark 24) When performing the process which distributes the load of the said server, the said packet detailed analysis part responds on behalf of the said allocation destination server until the allocation destination server used as the allocation destination of the said load is determined. The packet relay processing device according to appendix 7, wherein:
(Additional remark 25) The said packet detailed analysis part writes the kind of service with respect to the said packet, the IP address for translation, a port number, a sequence number, and an ACK number to the said session table by analyzing the said packet,
Item 22. The packet relay processing device according to appendix 21, wherein
(Supplementary note 26) A network connection device in a packet relay processing device,
A session management unit for managing a session by the network connection device;
A network connection device comprising: a packet processing unit that relays packets based on session management by the session management unit.
(Supplementary Note 27) The network connection device includes a server transfer unit that transfers session information related to the session to a server provided in the packet relay processing device according to a given condition.
The network connection device according to attachment 26, wherein the server manages the session based on the transferred session information.
(Supplementary Note 28) The network connection device further includes a processing distribution unit and a plurality of service processing units,
The processing distribution unit distributes the packet to at least one of the plurality of service processing units based on a service content for the packet,
The service processing unit to which the packet is distributed executes service processing for the packet.
The network connection device according to supplementary note 26, wherein:
(Additional remark 29) The said process distribution part transfers the said packet to the server with which the said packet relay processing apparatus was provided according to the conditions provided, The said server is made to perform the service process with respect to the said packet, It is characterized by the above-mentioned. The network connection device according to attachment 26.
(Supplementary Note 30) The network connection device further includes a processing distribution unit and a service processing unit,
The processing distribution unit forwards the packet to a server provided in the packet relay processing device according to a given condition to determine a service for the packet,
The network connection apparatus according to appendix 26, wherein the service processing unit processes the packet of the session based on the service content determined by the server after the service is determined by the server.
(Supplementary Note 31) A program for causing a computer provided in a network connection device to execute control for relaying a packet,
Manage sessions,
A program that causes the computer to execute processing including relaying the packet based on the session management.
(Supplementary Note 32) Transfer session information related to the session to a server connected to the network connection device according to a given condition so that the server manages the session.
32. The program according to appendix 31, wherein the computer is further caused to execute processing including the above.
(Additional remark 33) Based on the content of the service with respect to the said packet, the said packet is distributed to the apparatus or program segment which performs the process corresponding to the said service,
32. The program according to appendix 31, wherein the computer is further caused to execute processing including the above.
(Supplementary Note 34) The packet is forwarded to a server connected to the network connection device according to a given condition so that the server can execute a service for the packet.
34. The program according to appendix 33, which causes the computer to execute a process further including the above.
(Supplementary Note 35) According to the given conditions, the packet is transferred to a server connected to the network connection device in order to determine a service for the packet,
The program according to appendix 31, wherein the computer is caused to execute processing including processing the packet based on the determined service content after the server determines the service for the packet.
(Supplementary note 36) A program to be executed by a server connected to a network connection device having a function of relaying a packet,
In order for the network connection apparatus to process the packet, a policy describing a rule for executing a service for the packet is set in the network connection apparatus.
A program that causes the server to execute processing including the above.
(Supplementary Note 37) The packet transferred from the network connection device is received, and the service for the received packet is executed.
37. The program according to appendix 36, which causes the server to execute processing including the above.
(Supplementary Note 38) A program to be executed by a server connected to a network connection device having a function of relaying a packet,
Receiving the packet transferred from the network connection device;
By analyzing the packet, the service content for the packet is determined,
In order to cause the network connection device to process the packet based on the determined service content, the content of the determined service is set in the network connection device.
A program that causes the server to execute processing including the above.
(Supplementary note 39) A recording medium recording a program for causing a computer provided in a network connection device to execute control of relaying a packet,
Manage sessions,
The recording medium which recorded the program which makes the said computer perform the process including relaying the said packet based on the said session management.
(Supplementary Note 40) Transfer session information related to the session to a server connected to the network connection device according to a given condition so that the server manages the session.
40. The recording medium according to appendix 39, wherein a program for causing the computer to execute a process further including the above is recorded.
(Additional remark 41) Based on the content of the service with respect to the said packet, the said packet is distributed to the apparatus or program segment which performs the process corresponding to the said service,
40. The recording medium according to appendix 39, wherein a program for causing the computer to execute a process further including the above is recorded.
(Supplementary Note 42) The packet is forwarded to a server connected to the network connection device according to a given condition so that the server can execute a service for the packet.
40. The recording medium according to appendix 39, wherein a program for causing the computer to execute a process further including the above is recorded.
(Supplementary Note 43) Transferring the packet to determine a service for the packet to a server connected to the network connection device according to a given condition,
40. The recording medium according to appendix 39, wherein a program for causing the computer to execute processing further including processing the packet based on the determined service content after the server determines the service for the packet.
(Supplementary Note 44) A recording medium recording a program to be executed by a server connected to a network connection device having a function of relaying a packet,
In order for the network connection apparatus to process the packet, a policy describing a rule for executing a service for the packet is set in the network connection apparatus.
The recording medium which recorded the program which makes the said server perform the process including this.
(Supplementary Note 45) The packet transferred from the network connection device is received, and the service for the received packet is executed.
45. A recording medium according to supplementary note 44, in which a program for causing the server to execute processing further including the above is recorded.
(Supplementary Note 46) A recording medium recording a program to be executed by a server connected to a network connection device having a function of relaying a packet,
Receiving the packet transferred from the network connection device;
By analyzing the packet, the service content for the packet is determined,
In order to cause the network connection device to process the packet based on the determined service content, the content of the determined service is set in the network connection device.
The recording medium which recorded the program which makes the said server perform the process including this.

It is a figure explaining the outline | summary of this invention. It is a figure which shows the structure of the packet relay processing apparatus of 1st Example of this invention. It is a figure which shows the flame | frame structure of a transfer packet. It is a figure which shows the processing flow of a packet process part. It is a figure which shows the processing flow of a session management part. It is a figure which shows the structural example of a session table. It is a figure which shows the state transition of TCP. It is a figure explaining the state transition from the session start of TCP to the session end. It is a figure which shows the state transition of UDP. It is a figure which shows the structure of the packet relay processing apparatus of 2nd Example of this invention. It is a figure which shows the processing flow in the session management part of the 2nd Example, and an external session management part. It is a figure which shows the structure of the packet relay processing apparatus of 3rd Example of this invention. It is a figure which shows the structural example of the session table concerning 3rd Example. It is a figure which shows the structural example of the policy table in connection with 3rd Example. It is a figure which shows the processing flow of the session management part of the 3rd Example of this invention. It is a figure which shows the processing flow in the process distribution part and service processing part of a 3rd Example. It is a figure which shows the packet flow in the load distribution service after the policy search completion | finish in 3rd Example. It is a figure which shows the structure of the packet relay processing apparatus of the 4th Example of this invention. It is a flowchart which shows the procedure of the process in the process distribution part, the service processing part, and an external service processing part concerning a 4th Example. It is a figure which shows the structure of the packet relay processing apparatus of the 5th Example of this invention. It is FIG. (1) which shows an example of the session table concerning 5th Example. It is FIG. (2) which shows an example of the session table concerning 5th Example. It is FIG. (1) which shows an example of the session table after completion | finish of packet detailed analysis in 5th Example. It is FIG. (2) which shows an example of the session table after completion | finish of the packet detailed analysis in 5th Example. It is a figure which shows the structural example of the session table for detailed analysis. It is a figure which shows the structural example of the policy table for detailed analysis. It is a figure which shows the operation | movement concept of the packet relay processing apparatus concerning 5th Example. It is a flowchart which shows the procedure of the process in the process distribution part, the service processing part, and the packet detailed analysis part concerning a 5th Example. It is a flowchart which shows the procedure of the process in a packet detailed analysis part. It is a figure explaining operation | movement of URL filtering. It is a figure explaining operation | movement of URL load distribution service. It is a figure explaining the operation | movement of FTP filtering. It is a figure which shows the packet flow in the URL load distribution service before the detailed analysis in 5th Example. It is a figure which shows the packet flow in the URL load distribution service after the detailed analysis in 5th Example. It is a figure which shows an example of the data structure of a flag table. It is a block diagram of a computer. It is a figure explaining the recording medium and transmission signal which supply a program and data to a computer. It is a figure explaining loading of the program and data to a server and a network connection apparatus. It is a figure which shows the structure of the conventional packet relay processing apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Server 2 Network connection apparatus 11 Server 12 Network control part 13 External session management part 13a External session table 14 Service control part 15 External service processing part 16 Packet detailed analysis part 20 Network connection apparatus 21 Packet processing part 22 Session management part 22a Session table 22a 'session table 23 routing processing unit 23a routing table 24 server transfer unit 25 policy table 26 processing distribution unit 27 service processing unit 30 network connection unit 31 control information communication unit 32 session information communication unit 33 packet communication path 40 computer 41 CPU
42 memory 43 input device 44 output device 45 external storage device 46 medium drive device 47 network interface 48 bus 49 portable recording medium 50 database 51 line A arrow P packet S step

Claims (8)

A packet relay processing device having a network connection device,
A session management unit for managing sessions by the network connection device, and a packet processing unit for relaying packets based on session management by the session management unit;
The packet relay processing device further includes a server,
The server includes an external session management unit that manages the session,
The session management unit transfers session information regarding the session to the server according to a given condition, and the external session management unit manages the session based on the received session information.
A packet relay processing apparatus. A packet relay processing device having a network connection device,
A session management unit for managing a session by the network connection device; a packet processing unit for relaying a packet based on session management by the session management unit; a routing table for storing routing information regarding a routing destination of the packet; and the session A routing processing unit that determines a routing destination of the packet based on the routing information at the start of
The packet processing unit outputs the packet to the determined routing destination;
The packet relay processing device further includes a server,
Wherein the server, the packet relay processing apparatus characterized by comprising a pre SL network controller for writing the routing information in the routing table. A packet relay processing device having a network connection device,
A session management unit for managing sessions by the network connection device; and a packet processing unit for relaying packets based on session management by the session management unit,
The packet relay processing device further includes a server,
The server includes a packet detail analysis unit,
The network connection device further includes a processing distribution unit and a service processing unit, and the processing distribution unit transfers the packet to the packet detail analysis unit according to a given condition. packet determines the service content for the packet by analyzing the sets the determined the service content before SL network connection device, after the setting, the pre SL network connection device, on the basis of the service contents to the determined Process the packet;
A packet relay processing apparatus. 4. The packet relay processing device according to claim 1, wherein the network connection device further includes a counter for acquiring statistical information about the packet. 5. The packet detail analysis unit further determines a service for the packet based on a URL (Uniform Resource Locator) included in the packet when the packet transferred to the server is an HTTP protocol GET packet. The packet relay processing device according to claim 3. The packet detail analysis unit further, based on the IP address and port number of the data connection of the session, when the packet transferred to the server is an PORT command of FTP protocol or an ACK of a PASV command The packet relay processing apparatus according to claim 3, wherein a service for the packet is determined. The packet details analyzing unit, when performing the processing to distribute the load of the server, to distribution destination server to which the distribution destination before Symbol load is determined, to respond on behalf of the distribution destination server The packet relay processing device according to claim 3, wherein: The packet detail analysis unit writes the service type, translation IP address and port number, sequence number, and ACK number difference for the packet into the session table by analyzing the packet. Item 4. The packet relay processing device according to Item 3.

Images