JP2008060763A - Network node

Info

Publication number: JP2008060763A
Authority: JP (Japan)
Legal status: Granted
Application number: JP2006233196A
Other languages: Japanese (ja)
Other versions: JP4758302B2 (en)
Inventors: Haruhiro Kaganoi (晴大 加賀野井), Mitsuru Nagasaka (充 長坂), Satoyuki Oku (智行 奥)
Original assignee: Alaxala Networks Corp (アラクサラネットワークス株式会社)
Application filed by Alaxala Networks Corp (アラクサラネットワークス株式会社)
Priority to JP2006233196A
Publication of JP2008060763A
Application granted
Publication of JP4758302B2
Application status: Active

Abstract

In a network node, the amount of resources used by a routing module is kept down and rapid fluctuation of the load factor of a main processor module is suppressed.
The function expansion board includes a processor 52 whose executed function can be changed according to the extended function, a bridge 51 whose packet handling method can be changed according to the extended function, and a memory 53 that stores the information needed for the extended function (processing, response, statistics collection and the like). The bridge 51 has a packet output destination set in advance for each packet input source, and outputs packets input from the packet transfer unit, the line IF 60-2, and the processor 52 according to that setting. For example, a packet received from the line IF 60-2 is transferred to the processor 52 by the bridge 51, and the processor 52 executes the extended function before the packet received from the line IF 60-2 is input to the packet transfer unit.
[Selected drawing] Figure 2

Description

  The present invention relates to a network node (hereinafter referred to as a node), and in particular to a circuit board that can be attached to a node that forwards packets, that performs additional function processing on those packets, and that can further prompt the update of the intra-node database in response to the traffic the node transmits and receives. The present invention relates to a network node that includes such a circuit board.

  As a means for realizing additional function processing, such as encryption, for a packet received by a node, a system using a line accommodation board equipped with a processor specialized for additional function processing is disclosed (for example, see Patent Document 1). In Patent Document 1, when the node receives a packet to which additional function processing is to be applied, the first routing module connected to the line control module does not output the packet toward the transmission line but outputs it to the function execution module. The function accelerator in the function execution module processes the input packet and outputs the processed packet to the second routing module connected to the function execution module. When the processed packet is input, the function execution module and the second routing module connected to it search for output destination information based on the header information of the processed packet, and output the processed packet to the transmission destination line control module obtained as the search result. That is, in the network node of Patent Document 1, the first and second routing modules perform two searches: an output destination information search based on the header information before the input packet is processed, and an output destination information search based on the header information of the processed packet.

  A terminal may use a private IP address that is valid within a local IP (Internet Protocol) network. In a node, NAT (Network Address Translation) processing may be applied as additional function processing when a packet transmitted from such a terminal is transferred to an external network. NAT processing converts the private IP address into a global IP address that is needed for communicating with other networks.

In contrast to Patent Document 1, which uses a destination address and a source address as the search key for the packet output destination information search, a system in which the route search unit of the node uses only the destination address of the packet as the search key for searching packet route information is also disclosed (for example, see Patent Document 2).
JP 2002-281072 A
JP 2005-333220 A

  Patent Document 1 describes additional function processing of packets by the function execution module. However, it does not disclose the generation of information (for example, filter information) according to the traffic transmitted and received by the node, nor the utilization of the generated information (for example, packet filtering based on the generated information).

  In addition, the function execution module of Patent Document 1 is designed with the suppression of load increase in the main processor module in charge of device control in mind. However, even when the function execution module executes packet additional function processing in order to suppress a load increase in the main processor module, the packet always passes through the second routing module connected to the function execution module. In other words, the node of Patent Document 1 places a certain load on the routing module. Therefore, it may not be possible to suppress an increase in the load of all modules constituting the node merely by having the function execution module execute the additional function processing.

  Furthermore, if the node of Patent Document 1 is assumed to apply NAT to packets transmitted to an external network, it is difficult to suppress the amount of database resources used for packet transfer, for the following reasons.

  For example, when a packet is transmitted from the internal network to the external network, the source address of the packet must be converted. When NAT processing is executed in the node, it is conceivable that the routing module uses, as the information (search key) needed for the output destination information search for the processed packet, at least the destination address, which is not converted, and the source address after address conversion.

  Further, when the node performs NAT processing on a packet received from the external network, the destination address of the received packet is converted; for example, a global IP address is converted into a private IP address. In this case, the routing module is considered to use, as the search key needed for the output destination information search for the processed packet, at least the destination address after address conversion and the source address, which is not converted. Therefore, the number of combinations of addresses before and after conversion increases, and the amount of database resources used for packet transfer increases.

As a means for suppressing the resource amount, the output destination information search method described in Patent Document 2 can be cited, for example. However, suppose that the output destination information search method of Patent Document 2 is implemented in the node of Patent Document 1 and that a packet transmitted from a terminal using a private IP address is transferred to an external network. Since the destination address of the packet is the same before and after NAT is applied, the second routing module described above transfers the packet to the function execution module again based on the destination of the packet. The packet therefore falls into a loop between the routing module and the function execution module.
In addition, responses to control packets, or sudden load fluctuation in the device control unit of a node caused by attack packets, impair the stability of the entire node and may reduce network reliability.

  In view of the above, an object of the present invention is to identify input packets in a board that accommodates lines of a network node and to execute handling (processing such as processing, response, and statistics collection) according to the type of packet, thereby suppressing the load placed on each module constituting the node for routing or handling the packet. Another object of the present invention is to improve the stability of the device control unit.

  An object of the present invention is to reduce the amount of resources in the node needed for packet transfer. Another object of the present invention is to prevent packets from falling into a loop state within the node. Another object of the present invention is to reduce the amount of database resources for packet transfer by converting between private addresses and global addresses on the circuit board.

Another object of the present invention is to prompt the packet transfer unit to update the packet filter based on the traffic tendency. For example, in view of the importance of security in the network, the present invention analyzes the tendency of the traffic passing through the circuit board and prompts the update of the packet filter that is needed for determining whether or not a packet flow may be passed to the main processor module.
Another object of the present invention is to allow the line accommodation board to perform a proxy response to control packets.

  In order to solve the above problems, the present invention provides, on the circuit board, a bridge between the line control module and the routing module, an extended function execution processor specialized for packet handling, and an extended function memory (policy database) that stores the information needed to execute the extended function. The extended function execution processor is connected to the bridge, and the extended function memory is connected to the extended function execution processor.

  When a packet is input from the line control module or the routing module, the bridge identifies the packet. Depending on the identification result, the bridge's packet output method differs according to the extended function realized by the line accommodation board. For example, when the line accommodation board needs to handle the packet, the bridge outputs the packet to the extended function execution processor.

  Further, when statistics must be collected for packets input to the line accommodation board, the packet or a copy of it is output to the extended function execution processor. The copy can be generated at the bridge. When the bridge determines that the input packet requires neither handling nor statistics collection, it outputs the packet to the routing module or the line accommodation module.

  To determine the processing or response (handling) content for an input packet, the extended function execution processor searches a database that stores the content needed for handling. After executing the handling indicated by the search result, the extended function execution processor outputs the handled packet to the bridge (if the content is a packet discard instruction, the extended function execution processor discards the packet instead). When the extended function execution processor collects statistics on the packet or its copy, it extracts flow information from the header of the packet or copy and collects statistics for each flow. Thereafter, the extended function execution processor outputs the packet from which the flow information was extracted toward the bridge; a copy from which flow information was extracted is discarded by the extended function execution processor.

  The bridge that receives the packet from the extended function execution processor outputs the packet to the line control module or the routing module based on the information in the packet, in order to prevent the loop described above.

  When the line accommodation board collects statistics on packets or copies, the extended function execution processor analyzes the traffic trend from those statistics. As a result of the trend analysis, the extended function execution processor generates the filter information needed to update the intra-node packet filter so that the packet flow to be excluded is discarded within the node. Thereafter, the extended function execution processor outputs the filter information to the main processor module described above. Based on the filter information, the main processor module issues the filter flow needed to update the packet filter and a signal requesting the packet filter update.

According to the first solution of the present invention, there is provided,
in a network node having a packet transfer function for transferring a received packet to another device, a network node that executes an extended function other than the packet transfer, comprising:
a first line accommodating unit for connecting to a first network;
a second line accommodating unit for connecting to a second network;
a forwarding database in which a destination address of a packet and output destination information for outputting the packet are stored in correspondence with each other; and
a packet transfer unit that obtains the corresponding output destination information by referring to the forwarding database based on the destination address of an input packet and transfers the packet to the first and second line accommodating units according to the output destination information,
wherein the first and/or second line accommodating unit comprises:
a line interface for accommodating a line connected to the first or second network;
a storage unit in which information for executing the predetermined extended function is stored in advance;
a processor that executes the extended function based on information included in the input packet and the information stored in the storage unit; and
a bridge in which an output destination is set in advance for each packet input source, and which outputs a packet input from the packet transfer unit, the line interface, or the processor to any of the packet transfer unit, the line interface, and the processor according to that setting,
and wherein a packet received from the line interface is transferred to the processor by the bridge and the processor executes the extended function based on the packet, so that the extended function is executed before the packet received from the line interface is input to the packet transfer unit, and/or
a packet received from the packet transfer unit is transferred to the processor by the bridge and the processor executes the extended function based on the packet, so that the extended function is executed before the packet transferred by the packet transfer unit is output from the line interface.

According to the second solution of the present invention, there is provided,
in a network node having a packet transfer function for transferring a received packet to another device, a network node that executes an extended function other than the packet transfer, comprising:
a first line accommodating unit for connecting to an external network;
a second line accommodating unit for connecting to an internal network;
a forwarding database in which a destination address of a packet and output destination information for outputting the packet are stored in correspondence with each other; and
a packet transfer unit that obtains the corresponding output destination information by referring to the forwarding database based on the destination address of an input packet and transfers the packet to the first and second line accommodating units according to the output destination information,
wherein the first line accommodating unit comprises:
a line interface for accommodating a line connected to the external network;
an address conversion table storing a private address in the internal network and the global address in the external network that corresponds to that private address; and
a processor that, as the extended function, converts between the private address and the global address with reference to the address conversion table,
wherein the forwarding database stores a global address of the external network as a destination address with the identifier of the first line accommodating unit as the corresponding output destination information, and stores a private address of the internal network as a destination address with the identifier of the second line accommodating unit as the corresponding output destination information,
wherein, when a packet addressed to the internal network with a global address as its destination address is input via the line interface, the processor
refers to the address conversion table based on the destination address of the input packet, acquires the corresponding private address, rewrites the destination address of the input packet with the acquired private address, and outputs the packet to the packet transfer unit,
the packet transfer unit refers to the forwarding database based on the destination address of the input packet, which has been rewritten to the private address, and outputs the input packet to the second line accommodating unit according to the corresponding output destination information, and
the second line accommodating unit outputs the packet to the internal network.

According to the third solution of the present invention, there is provided,
in a network node having a packet transfer function for transferring a received packet to another device, a network node that executes an extended function other than the packet transfer, comprising:
a first line accommodating unit for connecting to a first network;
a second line accommodating unit for connecting to a second network;
a forwarding database in which a destination address of a packet and output destination information for outputting the packet are stored in correspondence with each other;
a packet filter database storing policy information, including a packet discard instruction or a priority change instruction, in correspondence with packet flow information; and
a packet transfer unit that obtains the corresponding output destination information by referring to the forwarding database based on the destination address of an input packet, obtains the corresponding policy information by referring to the packet filter database based on the flow information of the packet, and transfers the packet to the first and second line accommodating units or discards the packet according to the obtained output destination information and policy information,
wherein the first line accommodating unit comprises:
a line interface for accommodating a line connected to the first network;
a flow statistics table storing, for each packet flow information, statistical information indicating the number of packets received within a predetermined time; and
a processor that, as the extended function, collects the statistical information for each flow information of the packet and changes the filtering policy of the packet according to the statistical information,
wherein, when a packet is input via the line interface, the processor increases the statistical information in the flow statistics table that corresponds to the flow information of the input packet, and
identifies flow information whose statistical information exceeds a predetermined threshold and generates and outputs filter information, including that flow information and predetermined policy information, for updating the packet filter database.
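The third solution above, traced in code as an added example that is not part of the patent: a flow statistics table counts packets per flow within a predetermined time, emits filter information (the flow information plus a discard policy) once a flow exceeds the threshold, and the packet filter that the main processor module updates from that information then discards the flow in the packet transfer unit. The sliding time window, the record field names and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

FORWARD, DISCARD = "forward", "discard"   # policy information values (constructed labels)

def flow_key(packet):
    """Flow information as used by the packet filter 33: the 4-tuple of the header."""
    return (packet["src_ip"], packet["dst_ip"], packet["src_port"], packet["dst_port"])

class FlowStatisticsTable:
    """Flow statistics table on board 50: packets received per flow within a predetermined time.
    The predetermined time is modelled as a sliding window over arrival timestamps (assumption)."""

    def __init__(self, window_seconds, threshold, policy=DISCARD):
        self.window = window_seconds
        self.threshold = threshold
        self.policy = policy                  # predetermined policy information to emit
        self.arrivals = defaultdict(deque)    # flow -> timestamps still inside the window
        self.reported = set()                 # flows for which filter information was already output

    def record(self, packet, now):
        """Processor 52 step for one input packet: increase the flow's statistic, expire old
        arrivals, and return filter information if the count exceeds the threshold, else None."""
        flow = flow_key(packet)
        stamps = self.arrivals[flow]
        stamps.append(now)
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) > self.threshold and flow not in self.reported:
            self.reported.add(flow)
            return {"flow": flow, "policy": self.policy}
        return None

class PacketFilter:
    """Packet filter 33 in the packet transfer unit: flow information -> policy information."""

    def __init__(self):
        self.policies = {}

    def apply_filter_information(self, info):
        """Main processor module step: update the filter from the board's filter information."""
        self.policies[info["flow"]] = info["policy"]

    def policy_for(self, packet):
        return self.policies.get(flow_key(packet), FORWARD)

def replay(packets, table, packet_filter):
    """Run timestamped packets through board 50 statistics, then the packet transfer unit's filter.
    Returns (filter information emitted, number of packets discarded by the filter)."""
    infos, discarded = [], 0
    for now, packet in packets:
        info = table.record(packet, now)
        if info is not None:
            infos.append(info)
            packet_filter.apply_filter_information(info)
        if packet_filter.policy_for(packet) == DISCARD:
            discarded += 1
    return infos, discarded

def sample_traffic():
    """Constructed traffic: one flooding flow (15 packets in 1.5 s, then 8 more from t=30 s)
    and one benign flow (5 packets over 5 s)."""
    flood = {"src_ip": "198.51.100.23", "dst_ip": "203.0.113.1", "src_port": 4444, "dst_port": 80}
    benign = {"src_ip": "198.51.100.50", "dst_ip": "203.0.113.1", "src_port": 51000, "dst_port": 443}
    packets = [(0.1 * i, flood) for i in range(15)]
    packets += [(1.0 * i, benign) for i in range(5)]
    packets += [(30.0 + 0.5 * i, flood) for i in range(8)]
    return sorted(packets, key=lambda item: item[0])

if __name__ == "__main__":
    emitted, dropped = replay(sample_traffic(), FlowStatisticsTable(5.0, 10), PacketFilter())
    print(emitted, dropped)
```

With a 5 s window and a threshold of 10, the flooding flow is reported on its 11th packet; that packet and every later packet of the flow are discarded, while the benign flow is untouched.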

According to the fourth solution of the present invention, there is provided,
in a network node having a packet transfer function for transferring a received packet to another device, a network node that executes an extended function other than the packet transfer, comprising:
a first line accommodating unit for connecting to a first network;
a second line accommodating unit for connecting to a second network;
a forwarding database in which a destination address of a packet and output destination information for outputting the packet are stored in correspondence with each other; and
a packet transfer unit that obtains the corresponding output destination information by referring to the forwarding database based on the destination address of an input packet and transfers the packet to the first and second line accommodating units according to the output destination information,
wherein the first line accommodating unit comprises:
a line interface for accommodating a line connected to the first network;
a table in which the IP address of the node serving as the gateway and the MAC address of that node are stored in correspondence; and
a processor for executing the extended function,
wherein the processor
receives, from a terminal in the first network via the line interface, a MAC address acquisition request including the IP address of the node serving as the gateway,
refers to the table based on the IP address of the node serving as the gateway included in the received MAC address acquisition request and acquires the corresponding MAC address, and
transmits a MAC address acquisition response including the acquired MAC address to the terminal via the line interface.

  According to the present invention, in a board accommodating lines of a network node, an input packet is identified and handling (processing such as processing, response, and statistics collection) according to the type of packet is executed, so that the load placed on each module constituting the node for routing or handling the packet can be suppressed. Further, according to the present invention, the stability of the device control unit can be improved.

  According to the present invention, the amount of resources in the node required for packet transfer can be suppressed. Further, according to the present invention, a packet can be prevented from falling into a loop state within the node. Furthermore, according to the present invention, the private address and the global address are converted by the circuit board, so the amount of database resources for packet transfer can be suppressed. In addition, by having the bridge identify each input packet, the packet can be prevented from falling into a loop state between the routing module and the extended function execution processor, and the amount of database resources used when the routing module transfers the packet can be suppressed compared with, for example, the device disclosed in Patent Document 1.

  According to the present invention, the packet transfer unit can be prompted to update the packet filter based on the traffic tendency. For example, according to the present invention, in view of the importance of security in the network, the trend of the traffic passing through the circuit board is analyzed, and the main processor module can be prompted to update the packet filter needed for determining whether or not a packet flow may be passed.

  According to the present invention, the extended function execution processor can analyze the traffic input to the line accommodation board and generate the above-described filter information based on the analysis result. Because the extended function execution processor outputs the filter information to the main processor module, the main processor module can dynamically update the packet filter in the node using that filter information.

  According to the present invention, the line accommodation board can make a proxy response to a control packet. When the bridge recognizes a packet that cannot be transmitted by normal packet transfer, it outputs the packet to the extended function execution processor. The extended function execution processor then responds to the packet in place of the main processor module, thereby reducing the load on the main processor module.

  As described above, according to the present invention, an increase in the per-packet transfer load can be suppressed for each module constituting the network node, and the stability of device operation can be maintained. In addition, the stability of the network can be maintained through dynamic updating of the packet filter.

1. First embodiment
1-1. System Configuration
Hereinafter, a first embodiment will be described with reference to the drawings. Here, NAT is described as the extended function processing of the node; however, the device to which the invention is applied and the type of packet are not limited to these.

FIG. 1 is a block diagram of a node device (network node).
The node device 10 includes a device control unit (control unit) 20, a packet transfer unit 30, a line accommodation board (second line accommodation unit) 40, and a function expansion board (first line accommodation unit) 50. The node device 10 is connected to the management terminal 15 via the signal line L7. In the example of FIG. 1, one line accommodation board 40 and one function expansion board 50 are illustrated, but a plurality of line accommodation boards 40 and function expansion boards 50 may be provided. Further, the plurality of function expansion boards 50 may execute different functions.

FIG. 3 is a configuration diagram of the device control unit 20.
The device control unit 20 includes a device control processor 21 and a device control memory 22. Via the signal line L1, the device control processor 21 accesses a packet transfer database (described later) needed for transferring packets to other network devices and a packet filter (described later) for determining whether or not to transfer a packet. In addition, the device control processor 21 issues control packets to be transmitted to other network devices and performs operations according to control packets received from other network devices. The device control memory 22 is used, for example, to hold the information set in the packet transfer database 32 and the packet filter 33 of the packet transfer unit 30.

  The device control unit 20 is connected to the bridge and the processor of the function expansion board 50. The device control unit 20 sets a predetermined extended function in the processor of the function expansion board 50 at a desired timing. Further, the device control unit 20 stores the information for executing the extended function in the storage unit of the function expansion board 50. Further, the device control unit 20 sets in the bridge an output destination for each input source of the packet according to the extended function.

  The extended function may be, for example, an address conversion function that converts between a private address and a global address; a filter update function that collects statistical information indicating the number of packets received within a predetermined time for each flow information of the packet and changes the filtering policy accordingly; or a proxy response function in which the processor responds to a packet received from a terminal via the line interface. However, the present invention is not limited to these functions, and any appropriate function may be used. The filter update function and the proxy response function will be described later as other embodiments.

FIG. 4 is a configuration diagram of the packet transfer unit 30.
The packet transfer unit 30 includes a packet transfer processor 31, a packet transfer database (transfer database) 32, and a packet filter (packet filter database) 33. In packet transfer, when a packet is input, the packet transfer processor 31 outputs the packet toward a destination. More specifically, the packet transfer processor 31 searches the packet transfer database 32 in order to determine a packet transmission line.

FIG. 12 shows a configuration example of the packet transfer database 32.
The packet transfer database 32 stores, for example, a destination address and output interface information (output destination information) corresponding to the destination address. Here, the output interface information refers to, for example, the line accommodation board 40 and the function expansion board 50, and may further include port information of ports included in each board.

  In searching the packet transfer database 32, the packet transfer processor 31 generates a search key from the destination address written in the input packet and compares it with the comparison elements in the packet transfer database 32 (the destination addresses stored in the table). If a comparison element matches the search key, the search result (output interface information) corresponding to that element is acquired from the packet transfer database 32. Thereafter, the packet transfer processor 31 outputs the packet toward the transmission interface obtained as the search result.

FIG. 13 shows a configuration example of the packet filter 33.
The packet filter 33 stores, for example, combinations of a source address, a destination address, a source port number, and a destination port number, and policy information corresponding to each combination. The packet transfer processor 31 searches the packet filter 33 in the same manner as the packet transfer database 32 and acquires the policy information. The packet transfer processor 31 then executes processing according to the acquired policy information. The policy information indicates, for example, whether or not packet transfer is permitted; information such as a packet discard instruction or a priority change may also be used.

  Further, when a control packet addressed to the node device 10 is input from the signal line L2 or the signal line L3, the packet transfer processor 31 outputs the control packet to the device control unit 20 via the signal line L5.

FIG. 5 is a configuration diagram of the line accommodation board 40.
The line interface 60-1 in the line accommodation board 40 outputs packets received from each accommodated line to the packet transfer unit 30, and transmits packets input from the packet transfer unit 30 from the interface indicated in the output destination information search result.

FIG. 2 is a configuration diagram of the function expansion board 50.
The function expansion board 50 includes a line interface 60-2, a bridge 51, an expansion function execution processor (processor) 52, and an expansion function memory (storage unit) 53. In the extended function memory 53 of the present embodiment, for example, an address conversion table 5301 necessary for NAT processing is configured.

FIG. 14 shows a configuration diagram of the address conversion table 5301.
The address conversion table 5301 stores, in correspondence with the packet header information (a combination of source IP address, destination IP address, source port number, and destination port number) of packets transmitted and received by the function expansion board 50, the post-conversion IP address used to convert the IP address of the packet and the port number used to convert the port number of the packet. For example, if the source IP address is a private IP address, the IP address of the search result is a global IP address; if the destination IP address is a global IP address, the IP address of the search result is a private IP address.

Whether or not to apply NAT processing to a packet input to the function expansion board 50 can be set from the management terminal 15 by the administrator of the node device 10. Information on whether or not to apply NAT processing is input from the management terminal 15 to the device control processor 21 via the signal line L7. The device control processor 21 outputs application necessity information to the signal line L4 and the signal line L6. The extended function execution processor 52 that has received the application necessity information from the signal line L4 records the application necessity information. Further, the bridge 51 that has received the application necessity information from the signal line L6 also records the application necessity information. It should be noted that the application necessity information setting can be changed at any timing by the administrator.
When a packet is input, the bridge 51 determines an output destination according to the handling contents executed in other blocks before the packet is input and the input source of the packet.

1-2. Bridge Operation
FIG. 6 is a processing flow for determining the packet output destination in the bridge 51. In the present embodiment, a case where NAT processing is applied in the function expansion board 50 will be described.
When the packet is input (step 700), the bridge 51 determines whether or not the packet is input from the packet transfer unit 30 (step 701). For example, if it is input from the signal line L3, it is determined that it is input from the packet transfer unit 30. When a packet is input from the packet transfer unit 30 (step 701, Yes), the bridge 51 outputs the packet to the extended function execution processor 52 via the signal line L501 (step 703).

  On the other hand, when no packet is input from the packet transfer unit 30 (step 701, No), the bridge 51 determines whether or not the packet is input from the line interface 60-2 (step 704). For example, if a packet is input via the signal line L503, it is determined that the packet is input from the line interface 60-2. When the packet is input from the line interface 60-2 (step 704, Yes), the bridge 51 outputs the packet to the extended function execution processor 52 (step 703).

  When the packet input source is neither the packet transfer unit 30 nor the line interface 60-2 (No in Step 704), the bridge 51 determines that the packet was input from the extended function execution processor 52, and determines whether or not the packet was transmitted from an external network to the node device 10 (step 705). At this time, the bridge 51 executes Step 705 based on information (for example, output destination information) described in the packet. When the packet was transmitted from the internal network, or when output destination information is added, the bridge 51 outputs the input packet handled by the extended function execution processor 52 to the line interface 60-2 (Step 706). When the packet was received from an external network, or when output destination information is not added, the bridge 51 outputs the input packet handled by the extended function execution processor 52 to the packet transfer unit 30 (Step 707).

  Through the above processing, the packet (first packet) input from the line interface 60-2 is transferred to the extended function execution processor 52, and the packet returned after the extended function execution processor 52 executes the extended function is transferred to the packet transfer unit 30. Also, the packet (second packet) input from the packet transfer unit 30 is transferred to the extended function execution processor 52, and the packet returned after the extended function execution processor 52 executes the extended function is transferred to the line interface 60-2. The output destination for each input source of such a packet can be set by the device control unit 20 according to the extended function executed by the extended function execution processor 52, for example.

FIG. 7 is an explanatory diagram showing an example of a format of a variable-length packet transmitted over a network.
A packet 800 transmitted through the network includes a header 810 and a payload 850. The header 810 includes an L2 header 820, an L3 header 830, and an L4 header 840. The L2 header 820 includes a type 821 indicating the L3 protocol of the packet 800 and the transmission line medium, a destination MAC address 822 which is the physical address of the network device to which the packet 800 is transferred, and a source MAC address 823 which is the physical address of the network device that transmitted the packet 800 to the network. The L3 header 830 includes L3 control information 831 including the transmission priority of the packet 800, a destination IP address 832 indicating the destination of the packet 800, and a source IP address 833 indicating the source of the packet 800. Further, the L4 header 840 includes L4 control information 841 necessary for ensuring communication reliability, a destination port number 842 indicating the service that the packet requests from the destination network device, and a source port number 843 necessary for identifying the flow of the packet 800.

FIG. 8 is an example of a connection state in the present embodiment.
Hereinafter, based on the above, the NAT processing in the node device 10 for a packet (transmission packet) transmitted from the node device 10 to the external network and for a packet (reception packet) received by the node device 10 from the external network will be described. In the present embodiment, as shown in FIG. 8, it is assumed that the function expansion board 50 accommodates a line connected to an external network, and the line accommodation board 40 accommodates a line connected to the internal network. In FIG. 8, the device control unit 20 and the packet transfer unit 30 are omitted.

1-3. NAT Processing for Transmission Packet
First, processing when transmitting to an external network will be described.
When receiving the packet 800 transmitted from the network device belonging to the internal network, the line interface 60-1 of the line accommodating board 40 outputs the packet 800 to the signal line L2. The destination of this packet is, for example, an external network device, and uses a global IP address. For example, the private IP address of the terminal is used as the source IP address.

  When the packet transfer processor 31 receives the packet 800 from the signal line L2, it generates a search key (output destination search key) for obtaining the output destination information of the packet 800 stored in the packet transfer database 32, and a search key (policy search key) for obtaining the policy information to be applied to the packet 800 stored in the packet filter 33. For example, the output destination search key includes the destination address of the input packet. For example, the policy search key includes a source address, a destination address, a destination port number, and a source port number of the input packet. In addition, a command for comparing the output destination search key with the packet transfer database 32 (output destination search command) and a command for comparing the policy search key with the packet filter 33 (policy search command) are generated. Thereafter, the packet transfer processor 31 outputs the output destination search key and the output destination search command to the signal line L301, and searches the packet transfer database 32. The packet transfer processor 31 outputs the policy search key and the policy search command to the signal line L302, and searches the packet filter 33. Note that, for example, a CAM (Content Addressable Memory) described in Patent Document 2 may be used as a device for setting a condition to be matched and compared with an output destination search key or a policy search key.

  As a result of the search, output destination information (IP address, port number) for the packet 800 is obtained from the packet transfer database 32, and policy information for the packet 800 is obtained from the packet filter 33. The policy information includes, for example, a transmission priority change instruction and a discard instruction for the packet 800. When the change of the transmission priority is instructed as the policy information, the information for instructing the change and the transmission priority after the change are obtained. When discarding is instructed as policy information, the packet transfer processor 31 discards the packet. When the transmission priority is instructed as the policy information, the packet transfer processor 31 changes the priority of the L3 control information 831 of the packet to the obtained transmission priority. When discarding is not instructed as the policy information, the packet transfer processor 31 adds the obtained output destination information 910 to the packet 800 and outputs the packet 900 with output destination information to the signal line L3. The node device 10 outputs to the signal line L2 when transmitting to the internal network, and outputs to the signal line L3 when transmitting to the external network. Here, since the input packet is addressed to the external network, it is output to the signal line L3.

  In the function expansion board 50, the bridge 51 outputs the packet 900 with output destination information input from the signal line L3 to the signal line L501 in accordance with the flowchart of FIG. 6. The extended function execution processor 52 that has received the packet 900 with output destination information from the signal line L501 generates a search key (conversion search key) from the L3 header 830 of the packet 900 with output destination information in order to convert the source IP address 833-1 (in this case, the private IP address) of that packet. For example, the conversion search key includes a source IP address, a destination IP address, a source port number, and a destination port number. The extended function execution processor 52 searches the address conversion table 5301 described above based on the generated search key. When searching the address conversion table 5301, the extended function execution processor 52 outputs a conversion search key and a search command (conversion information search command) necessary for conversion to the signal line L502. The address conversion table 5301 is searched by the same method as the packet transfer database 32.

  When the converted source IP address 833-2 (here, the global IP address) is obtained as a search result, the extended function execution processor 52 rewrites the source IP address 833 of the packet 900 with output destination information using the obtained source IP address 833-2.

  When packet flows transmitted from a plurality of terminals using private IP addresses share the same global IP address as a source address, the source port number 843 can be converted to identify the packet flow. For example, it is necessary to assign a different source port number 843 for each flow. This is called NAPT (Network Address Port Translation). When the extended function execution processor 52 executes NAPT, the L3 header 830 and the L4 header 840 are used when generating the conversion search key. At this time, in the address conversion table 5301, in addition to the destination IP address 832 and the source IP address 833, at least the destination port number 842 and the source port number 843 must be set. When the flow information of the transmission packet and the conversion information corresponding to the flow (for example, the source IP address and the source port number) are not set in the address conversion table 5301, no conversion information is obtained when the address conversion table 5301 is searched. At this time, the extended function execution processor 52 assigns conversion information corresponding to the flow, and then sets the flow and the conversion information in the address conversion table 5301. Since the number of port numbers is limited, the flow and conversion information set in the address conversion table 5301 may be deleted after a certain time.

  The extended function execution processor 52 uses the source port number 843-2 (port number for the global IP address) obtained as a search result of the address conversion table 5301 to convert the source port number 843 of the packet 900 with output destination information from the source port number 843-1 (port number for the private IP address) before conversion. The port number conversion can be performed simultaneously with the above-described conversion of the source IP address 833. Thereafter, the extended function execution processor 52 outputs the packet 900 with output destination information, whose source IP address 833 and source port number 843 have been converted, to the signal line L501.

The bridge 51 that has received the packet 900 with output destination information from the signal line L501 outputs the packet 900 with output destination information to the signal line L503, for example, according to the flowchart of FIG. After that, the line interface 60-2 to which the output destination information-added packet 900 is input from the signal line L503 removes the output destination information 901 from the output destination information-added packet 900. At this time, the packet is in the state of packet 800. In addition, the line interface 60-2 transmits the packet 800 from the line described in the output destination information 901.
The extended function execution processor 52 may use an appropriate process for converting a private address and a global address in addition to the above-described process.

1-4. NAT Processing for Received Packet
Next, processing when receiving a packet from an external network will be described.
When the line interface 60-2 of the function expansion board 50 receives the packet 800 transmitted from the network device belonging to the external network, the line interface 60-2 outputs the packet 800 to the signal line L503. The destination of this packet is, for example, an internal network device, and a global IP address is used here.

  The bridge 51 to which the packet 800 is input from the signal line L503 outputs the packet 800 to the signal line L501 in accordance with the flowchart of FIG. 6. The extended function execution processor 52 to which the packet 800 is input from the signal line L501 generates a conversion search key from the L3 header 830 of the packet 800 in order to convert the destination IP address 832-2 (global IP address) of the packet 800. For example, the conversion search key includes a source IP address, a destination IP address, a source port number, and a destination port number. The extended function execution processor 52 searches the address conversion table 5301 described above based on the generated search key. When the above-mentioned NAPT is executed in the function expansion board 50, the extended function execution processor 52 uses the L3 header 830 and the L4 header 840 as elements for generating the conversion search key, as described above. When the extended function execution processor 52 searches the address conversion table 5301, it outputs the conversion search key and a conversion information search command to the signal line L502.

  When the destination IP address 832-1 (private IP address) to be converted is obtained as a search result, the extended function execution processor 52 rewrites the destination IP address 832 of the packet 800 using the destination IP address 832-1.

  When executing NAPT, the extended function execution processor 52 uses the destination port number 842-1 (port number for the private IP address) obtained as a search result of the address conversion table 5301 to convert the destination port number 842 of the packet 800 from the destination port number 842-2 (port number for the global IP address) before port conversion. The port number conversion can be performed simultaneously with the above-described conversion of the destination IP address 832. After executing the above conversion operation, the extended function execution processor 52 outputs the packet 800 to the signal line L501.

  When the flow information of the received packet and the conversion information (destination IP address and destination port number) corresponding to the flow are not set in the address conversion table 5301, no conversion information is obtained when the address conversion table 5301 is searched. At this time, the extended function execution processor 52 can determine that the received packet is an attack from the external network and discard the received packet. However, when the received packet is an ICMP (Internet Control Message Protocol) packet used for failure notification on the IP network, the extended function execution processor 52 outputs the ICMP packet to the signal line L501 without discarding it. The ICMP packet is handled by, for example, the device control unit 20.

The bridge 51 to which the packet 800 is input from the signal line L501 outputs the packet 800 to the signal line L3 according to the flowchart of FIG.
The packet transfer processor 31 to which the packet 800 is input from the signal line L3 searches the packet transfer database 32 and the packet filter 33. The search operation by the packet transfer processor 31 is the same as that already described, and is omitted here. Here, the line interface 60-1 corresponding to the internal network is obtained as the output destination information. The packet transfer processor 31 outputs the packet 900 with output destination information to the signal line L2 after the search operation.

  The line interface 60-1 that has received the packet 900 with output destination information from the signal line L2 removes the output destination information 901 from the packet 900 with output destination information. At this time, the packet is in the state of packet 800. The line interface 60-1 transmits the packet 800 from the line described in the output destination information 901.
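The following is an added example, not code from the patent: a Python model of the NAT/NAPT steps of sections 1-3 and 1-4 performed by the extended function execution processor 52 against the address conversion table 5301, including assignment of conversion information for a new flow, expiry of entries because the port pool is finite, and the discard-or-pass-ICMP rule for an unknown received flow. The class and function names, the sample addresses, the port range and the time-based expiry policy are assumptions made for this example.

```python
"""Added example, not from the patent: a model of the function expansion
board's NAT/NAPT processing over the address conversion table 5301.
Names, sample addresses, port range and expiry policy are assumptions."""
from dataclasses import dataclass, replace

ICMP_PROTO = 1   # IP protocol number of ICMP
TCP_PROTO = 6    # IP protocol number of TCP


@dataclass(frozen=True)
class Packet:
    """The header fields the conversion search key is built from
    (FIG. 7: addresses 832/833, port numbers 842/843)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = TCP_PROTO


class AddressConversionTable:
    """Model of table 5301. The outbound side is keyed by the private-side
    flow (source IP, destination IP, source port, destination port) and
    yields the assigned global source port; the inbound side is keyed by
    the global-side flow and yields the private destination IP/port."""

    def __init__(self, global_ip, port_lo, port_hi, ttl):
        self.global_ip = global_ip
        self.free_ports = list(range(port_lo, port_hi + 1))  # finite pool
        self.ttl = ttl
        self.outbound = {}  # (src, dst, sport, dport) -> (gport, created)
        self.inbound = {}   # (ext_ip, global_ip, ext_port, gport) -> (priv_ip, priv_port)

    def expire(self, now):
        """Delete entries older than ttl and return their ports to the pool
        (the text allows deleting entries after a certain time because the
        number of port numbers is limited). Returns the number removed."""
        stale = [k for k, (_, created) in self.outbound.items()
                 if now - created >= self.ttl]
        for key in stale:
            gport, _ = self.outbound.pop(key)
            _, dst_ip, _, dst_port = key
            self.inbound.pop((dst_ip, self.global_ip, dst_port, gport), None)
            self.free_ports.append(gport)
        return len(stale)


def translate_transmit(table, pkt, now):
    """Section 1-3: rewrite source IP/port of a packet leaving to the
    external network. A new flow gets conversion information assigned;
    returns None when no port is left to assign."""
    key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
    hit = table.outbound.get(key)
    if hit is None:
        if not table.free_ports:
            return None
        gport = table.free_ports.pop(0)
        table.outbound[key] = (gport, now)
        table.inbound[(pkt.dst_ip, table.global_ip, pkt.dst_port, gport)] = (
            pkt.src_ip, pkt.src_port)
    else:
        gport = hit[0]
    return replace(pkt, src_ip=table.global_ip, src_port=gport)


def translate_receive(table, pkt):
    """Section 1-4: rewrite destination IP/port of a packet from the
    external network. Returns (packet, disposition): "forward" when the
    flow is known, "control" for an ICMP packet of an unknown flow (passed
    up unchanged), "discard" for any other unknown flow."""
    key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
    hit = table.inbound.get(key)
    if hit is None:
        if pkt.proto == ICMP_PROTO:
            return pkt, "control"
        return None, "discard"
    priv_ip, priv_port = hit
    return replace(pkt, dst_ip=priv_ip, dst_port=priv_port), "forward"
```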

According to the present embodiment, it is possible to provide a NAT / NAPT function capable of suppressing the resource amount of the packet transfer database 32. Although not particularly mentioned in this embodiment, the extended function applied to the packet header is not limited to the NAT / NAPT function that converts IP addresses and the like; it may be IP tunneling or IPsec, which add an IP header to an input packet.

FIGS. 19 and 20 are explanatory diagrams of resource suppression of the transfer database.
In the figure, “Apri” is a private address of terminal A in the internal network, and “A′glo” is a global address corresponding to “Apri”. “Bglo” is the global address of terminal B in the external network. A solid line with an arrow indicates a packet to the external network, while a broken line with an arrow indicates a packet to the internal network.

  FIG. 19A is a configuration example in the case where a processor that executes NAT processing and a line interface are connected via a packet transfer unit, as in a conventional apparatus, for example. In this case, it is necessary to set an entry for transferring to the CPU and an entry for transferring to the interface in the transfer table of the packet transfer unit (FIG. 19B). Furthermore, since the destination address is a global address when transmitting to an external network, it is difficult to configure a transfer table with only the destination address. If only the destination address is configured, for example, when the destination address corresponds to the global address of a device on the external network and the output destination is the processor, the packet returned from the processor is transferred to the processor again, and a loop results. Therefore, output destination information is stored in correspondence with the source address and the destination address.

  FIG. 20 is an example of a packet flow and a transfer database according to the present embodiment. In this embodiment, since NAT processing is executed by the function expansion board 50 (IF-2 in FIG. 20), the packet transfer unit need only output a packet addressed to a device on the external network to the function expansion board 50, and a packet addressed to a device on the internal network to the line accommodation board 40 (IF-1 in FIG. 20). Therefore, the transfer table need only store output destination information corresponding to the destination address. Furthermore, no entry is required for transfer to the processor.

  As shown in FIG. 20B, for example, in the transfer database of this embodiment, the global address of the external network is used as the destination address to be stored, and the identifier of the function expansion board 50 is used as the corresponding output destination information. In addition, the private address of the internal network is used as the stored destination address, and the identifier of the line interface board is used as the corresponding output destination information.
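The comparison between FIG. 19 and FIG. 20, as an added example that is not part of the patent: a Python simulation of both transfer database designs that shows the loop a destination-only table produces in the conventional arrangement, the four (source, destination) entries it needs instead, and the two destination-only entries that suffice when NAT is performed on the function expansion board. The addresses follow the figures (written with a plain apostrophe for A'glo); the interface names, the loop limit and the helper functions are assumptions of this example.

```python
"""Added example, not from the patent: simulation of the transfer database
designs of FIGS. 19 and 20. Interface names and helpers are assumptions."""

IF1, IF2, CPU = "IF-1", "IF-2", "CPU"   # internal line IF, external line IF, NAT processor


def nat(src, dst):
    """Address conversion as in the figures: Apri <-> A'glo."""
    if src == "Apri":          # outbound: private source -> global source
        return "A'glo", dst
    if dst == "A'glo":         # inbound: global destination -> private destination
        return src, "Apri"
    return src, dst


def run_conventional(table, key_fn, src, dst, max_hops=4):
    """FIG. 19: the NAT processor hangs off the packet transfer unit, so a
    translated packet re-enters the transfer unit and is looked up again.
    Returns the list of output destinations ending at a line interface,
    or None when the packet keeps bouncing to the CPU (loop)."""
    hops = []
    for _ in range(max_hops):
        out = table[key_fn(src, dst)]
        hops.append(out)
        if out != CPU:
            return hops
        src, dst = nat(src, dst)   # CPU converts and sends the packet back
    return None


def run_embodiment(table, src, dst, ingress):
    """FIG. 20: NAT is done on the function expansion board (IF-2), before
    an inbound packet enters the transfer unit and after an outbound packet
    leaves it, so a single destination-only lookup suffices."""
    if ingress == IF2:
        src, dst = nat(src, dst)
    return [table[dst]]


# Constructed tables for the three arrangements discussed in the text.
DEST_ONLY_CONVENTIONAL = {"Bglo": CPU, "A'glo": CPU, "Apri": IF1}
FIG19B = {("Apri", "Bglo"): CPU, ("A'glo", "Bglo"): IF2,
          ("Bglo", "A'glo"): CPU, ("Bglo", "Apri"): IF1}
FIG20B = {"Bglo": IF2, "Apri": IF1}


def by_dst(src, dst):
    return dst


def by_src_dst(src, dst):
    return (src, dst)
```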

2. Second Embodiment
2-1. System Configuration
In this embodiment, as an extended function process of a node, a packet filter update based on an analysis of a traffic trend triggered by packet statistics collection will be described. In the present embodiment, as in the first embodiment, it is assumed that the function expansion board 50 accommodates a line connected to an external network, and the line accommodation board 40 accommodates a line connected to the internal network (see, for example, FIG. 8). However, in the present embodiment, it is assumed that the IP address used in the internal network is a global IP address, and the function expansion board 50 does not execute NAT and NAPT processing for the packet. When a private IP address is used in the internal network, NAT processing or the like may be executed by combining with the above-described first embodiment.

FIG. 15 shows a configuration diagram of the flow statistics table 5302.
The extended function memory 53 of this embodiment stores a flow statistics table 5302 necessary for collecting statistics for each packet flow. The flow statistics table 5302 illustrated in FIG. 15 stores, in correspondence, packet flows (for example, combinations of a source IP address, a destination IP address, a source port number, and a destination port number) transmitted and received by the function expansion board 50 and statistical information for each packet flow. The statistical information indicates, for example, the number of received packets within a predetermined time. Other configurations of the node device 10 are the same as those in the first embodiment described above.

2-2. FIG. 9 is a flowchart showing the operation of the bridge 51 with respect to the packet input source and the necessity of generating a packet copy.
In the present embodiment, the bridge 51 in the function expansion board 50 determines a handling method for a packet input to the bridge 51 according to the flowchart of FIG. 9.

  When a packet is input (step 700), the bridge 51 identifies whether the input source of the packet is the packet transfer unit 30 or the line interface 60-2 (steps 701 and 704). If the packet input source is neither the packet transfer unit 30 nor the line interface 60-2, the process proceeds to step 705. Steps 705 to 707 are the same as those in the first embodiment described above, and are omitted here.

  On the other hand, when the packet input source is either the packet transfer unit 30 or the line interface 60-2, the bridge 51 determines whether it is necessary to generate a copy of the packet (step 702).

  The necessity of generating a copy of the packet is set in advance by the administrator of the node device 10 from the management terminal 15, for example. The copy generation necessity information is input to the apparatus control processor 21 via the signal line L7. The device control processor 21 outputs the generation necessity information to the signal line L4 and the signal line L6. The extended function execution processor 52 that has received the generation necessity information from the signal line L4 records the generation necessity information. In addition, the bridge 51 that receives the generation necessity information from the signal line L6 also records the generation necessity information. Note that the setting of the generation necessity information can be changed by an administrator at an arbitrary timing.

If the setting for generating a copy of the packet has been made (step 702, Yes), the bridge 51 generates a copy of the packet (step 708), and outputs the copy to the extended function execution processor 52 via the signal line L501 (step 709). Thereafter, the bridge 51 determines whether or not the packet input source is the packet transfer unit 30 (step 710). As a result of Step 710, when the packet input source is the packet transfer unit 30 (Yes in Step 710), the bridge 51 outputs the packet to the line interface 60-2 (Step 711). On the other hand, when the packet input source is not the packet transfer unit 30 (that is, it is the line interface 60-2) (No in Step 710), the bridge 51 outputs the packet to the packet transfer unit 30 (Step 712).
When the bridge 51 is not set to generate a copy of the packet (step 702, No), the bridge 51 outputs the packet to the extended function execution processor 52 via the signal line L501 (step 703).

  Through the above processing, the first packet input from the line interface 60-2 is transferred to the processor 52, and the first packet returned after the processor 52 executes the extended function is transferred to the packet transfer unit 30. The second packet input from the packet transfer unit 30 is transferred to the line interface 60-2.
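The bridge decision flows of FIG. 6 (section 1-2) and FIG. 9 (this section), as an added example that is not part of the patent: a Python model of the output destination decision, plus a trace that follows one packet through the board to show the two paths of the first embodiment and how copy generation diverts the original away from the processor. The source/destination names and the `has_output_dest_info` flag (standing in for "output destination information is attached") are assumptions of this model.

```python
"""Added example, not from the patent: model of the bridge 51 decision flow
of FIG. 6 (steps 700-707) and FIG. 9 (steps 702 and 708-712)."""
from dataclasses import dataclass

# Blocks the bridge 51 exchanges packets with, and the signal line used.
TRANSFER_UNIT = "packet transfer unit 30 (L3)"
LINE_IF = "line interface 60-2 (L503)"
PROCESSOR = "extended function execution processor 52 (L501)"


@dataclass(frozen=True)
class BridgeInput:
    source: str                 # block the packet was input from
    has_output_dest_info: bool  # True for a packet 900 carrying output destination information


def decide_fig6(pkt):
    """FIG. 6: the single output destination for the input packet."""
    if pkt.source == TRANSFER_UNIT:          # step 701 Yes
        return PROCESSOR                     # step 703
    if pkt.source == LINE_IF:                # step 704 Yes
        return PROCESSOR                     # step 703
    # step 705: the packet came back from the processor. Output destination
    # information means it was transmitted from the internal network.
    if pkt.has_output_dest_info:
        return LINE_IF                       # step 706
    return TRANSFER_UNIT                     # step 707


def decide_fig9(pkt, copy_enabled):
    """FIG. 9: list of (destination, is_copy). With copying enabled only the
    copy goes to the processor and the original bypasses it."""
    if pkt.source not in (TRANSFER_UNIT, LINE_IF):
        return [(decide_fig6(pkt), False)]   # steps 705-707 unchanged
    if not copy_enabled:                     # step 702 No
        return [(PROCESSOR, False)]          # step 703
    outputs = [(PROCESSOR, True)]            # steps 708-709
    if pkt.source == TRANSFER_UNIT:          # step 710 Yes
        outputs.append((LINE_IF, False))     # step 711
    else:                                    # step 710 No
        outputs.append((TRANSFER_UNIT, False))  # step 712
    return outputs


def trace_through_board(source, copy_enabled=False):
    """Follow one packet entering the bridge from `source` until every
    output has left the board. A packet 900 from the transfer unit carries
    output destination information; a packet 800 from the line interface
    does not. The processor hands the original back to the bridge with the
    same information state and discards copies after collecting statistics.
    Returns [(from, to, is_copy), ...]."""
    hops = []
    pending = [BridgeInput(source, has_output_dest_info=(source == TRANSFER_UNIT))]
    while pending:
        pkt = pending.pop(0)
        for dest, is_copy in decide_fig9(pkt, copy_enabled):
            hops.append((pkt.source, dest, is_copy))
            if dest == PROCESSOR and not is_copy:
                pending.append(BridgeInput(PROCESSOR, pkt.has_output_dest_info))
    return hops
```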

2-3. Statistics Collection and Filter Update Processing
In order to analyze traffic trends triggered by packet statistics collection, a "threshold per time" used for detecting an attack flow from packet / copy statistical information is set in advance. The threshold is set by the administrator from the management terminal 15, for example. The device control processor 21 to which the threshold value is input from the signal line L7 outputs the threshold value to the signal line L4. The extended function execution processor 52 to which the threshold value is input from the signal line L4 records the threshold value in an appropriate memory.

Based on the above, the update of the packet filter based on the traffic analysis in the node device 10 for the received packet will be described below.
When the line interface 60-2 in the function expansion board 50 receives the packet 800 transmitted from the external network, the line interface 60-2 outputs the packet 800 to the signal line L503.

  The bridge 51 to which the packet 800 is input from the signal line L503 determines whether or not to create a copy of the packet 800 according to the flowchart of FIG. When the copy is generated, the bridge 51 outputs the generated copy to the signal line L501 and outputs the packet 800 to the signal line L3. If no copy is generated, the bridge 51 outputs the packet 800 to the signal line L501.

FIG. 17 is a flowchart of statistical information collection.
When the extended function execution processor 52 receives the packet 800 / copy from the signal line L501 (step 101), it generates a search key (flow search key) necessary for identifying the flow to which the packet 800 / copy belongs, in order to collect statistics for each flow (step 103). The flow search key includes, for example, a source IP address, a destination IP address, a source port number, and a destination port number. When searching the flow statistics table 5302, the extended function execution processor 52 outputs the flow search key and a search command (flow search command) necessary for collecting statistics for each packet flow to the signal line L502.

  The flow statistics table 5302 is searched in the same manner as the packet transfer database 32. When the statistical value of the packet flow can be read out as a search result from the flow statistics table 5302 (when there is an entry that matches the flow search key), the extended function execution processor 52 increments the statistical value by, for example, 1, and writes the incremented value back to the address that was read (step 105). That is, the number of received packets is measured. At this time, when a copy is input to the extended function execution processor 52, the extended function execution processor 52 discards the copy from which the statistical information was collected. When the packet 800 is input to the extended function execution processor 52, the extended function execution processor 52 outputs the packet 800, from which statistical information was collected, to the signal line L501. The bridge that receives the packet 800 from the signal line L501 outputs the packet 800 to the signal line L3 according to the flowchart of FIG. 9. Handling in the packet transfer processor 31 to which the packet 800 is input from the signal line L3 is the same as in the first embodiment described above, and is therefore omitted here.

  When the flow information of the packet 800 / copy and the statistical information corresponding to the flow are not set in the flow statistics table 5302, no statistical information is obtained when the flow statistics table 5302 is searched. At this time, the extended function execution processor 52 assigns initialized statistical information (for example, 0) corresponding to the flow, and then sets the flow and the initialized statistical information in the flow statistics table 5302.

FIG. 18 is a flowchart of packet filter update processing.
The extended function execution processor 52 checks (polls) the flow statistics table 5302, for example, at regular intervals (step 111). As a result of the polling, when the statistical information of a certain flow exceeds the set threshold value (step 113, Yes), the extended function execution processor 52 determines that the packets of that flow are an attack from the external network. Thereafter, the extended function execution processor 52 generates information (filter information) indicating that the flow is an attack flow (step 115), and outputs the filter information (attack information) to the device control processor 21 via the signal line L4 (step 117). The filter information includes, for example, a source IP address, a destination IP address, a source port number, and a destination port number corresponding to the statistical information that exceeded the threshold. Note that the extended function execution processor 52 may reset the statistical information of the flow statistics table 5302 at regular intervals.

  The device control processor 21 updates the packet filter (step 119). Specifically, the device control processor 21 to which the filter information is input from the signal line L4 accesses the device control memory 22 and checks for a free address in the packet filter 33. Thereafter, based on the filter information, the device control processor 21 generates a filter flow required for updating the packet filter 33 and a signal (filter update request) requesting the packet filter update, and outputs them to the signal line L1. The filter flow includes, for example, a source IP address, a destination IP address, a source port number, and a destination port number. The filter update request includes the free address.

The packet transfer processor 31, which receives the filter flow and the filter update request from the signal line L1, generates the filter flow and the command necessary for writing to the packet filter 33, and outputs them to the signal line L302. For example, in the packet filter 33, the policy information corresponding to the input filter flow is rewritten to “packet discard”. Besides the device control processor 21 updating the packet filter 33, the extended function execution processor 52 may also update the packet filter 33 directly.
According to the present embodiment, the packet filter 33 can be updated based on analysis of the received traffic.
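The statistics collection, threshold polling and packet filter update described above (FIG. 17 and FIG. 18), modelled in software as an added example; this is not code from the patent or from Alaxala, and the class and function names (FlowStatsTable, PacketFilter, poll_flow_stats, update_packet_filter, simulate) as well as the sample traffic are this example's own constructions. The flow key uses the four fields the description names for the filter information, the table entry for an unseen flow is initialised to 0 before counting, and the filter update looks for a free address before writing a "discard" policy row, so a full filter is handled rather than overwritten.

```python
"""Added example: flow statistics table 5302, threshold polling (steps 111-117)
and packet filter 33 update (step 119), modelled in plain Python.
Not the patent's or the vendor's code; all names are this example's own."""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Flow information used as the key of the flow statistics table:
# (source IP, destination IP, source port, destination port).
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port")


class FlowStatsTable:
    """Model of flow statistics table 5302: flow information -> packet count."""

    def __init__(self) -> None:
        self.counts: Dict[FlowKey, int] = {}

    def record(self, flow: FlowKey) -> int:
        # An unknown flow is registered with initialised statistics (0)
        # before the count for the current packet is applied.
        if flow not in self.counts:
            self.counts[flow] = 0
        self.counts[flow] += 1
        return self.counts[flow]

    def reset(self) -> None:
        """Periodic reset of the statistics, which the description allows."""
        for flow in self.counts:
            self.counts[flow] = 0


class PacketFilter:
    """Model of packet filter 33: a fixed number of (filter flow, policy) rows."""

    def __init__(self, size: int) -> None:
        self.rows: List[Optional[Tuple[FlowKey, str]]] = [None] * size

    def free_address(self) -> Optional[int]:
        """The free-address check the device control processor performs."""
        for address, row in enumerate(self.rows):
            if row is None:
                return address
        return None

    def write(self, address: int, flow: FlowKey, policy: str) -> None:
        """The write command the packet transfer processor issues (signal line L302)."""
        self.rows[address] = (flow, policy)

    def policy_for(self, flow: FlowKey) -> str:
        for row in self.rows:
            if row is not None and row[0] == flow:
                return row[1]
        return "forward"  # no matching filter row: default forwarding


def poll_flow_stats(table: FlowStatsTable, threshold: int) -> List[dict]:
    """Steps 111-115: flows whose count exceeds the threshold become filter information."""
    return [{"flow": flow, "count": count}
            for flow, count in table.counts.items() if count > threshold]


def update_packet_filter(pf: PacketFilter, filter_info: List[dict]) -> List[int]:
    """Step 119: for each filter information item, find a free address and
    write the filter flow with policy 'discard'. Returns the addresses used."""
    used = []
    for info in filter_info:
        address = pf.free_address()
        if address is None:
            break  # filter table full: remaining entries cannot be installed
        pf.write(address, info["flow"], "discard")
        used.append(address)
    return used


# Constructed sample traffic (documentation addresses): one flow sends six
# packets in the polling interval, another sends two.
ATTACK_FLOW = FlowKey("198.51.100.7", "192.0.2.10", 40000, 80)
NORMAL_FLOW = FlowKey("203.0.113.5", "192.0.2.10", 51000, 443)
SAMPLE_PACKETS = [ATTACK_FLOW] * 6 + [NORMAL_FLOW] * 2


def simulate(packets: List[FlowKey], threshold: int, filter_size: int = 4):
    """Count the packets, poll once, and install the resulting filter rows."""
    table = FlowStatsTable()
    pf = PacketFilter(filter_size)
    for flow in packets:
        table.record(flow)
    filter_info = poll_flow_stats(table, threshold)
    addresses = update_packet_filter(pf, filter_info)
    return table, pf, filter_info, addresses


if __name__ == "__main__":
    table, pf, info, addrs = simulate(SAMPLE_PACKETS, threshold=5)
    for entry in info:
        print("attack flow:", entry["flow"], "count:", entry["count"])
    print("filter addresses used:", addrs)
    print("policy for attack flow:", pf.policy_for(ATTACK_FLOW))
```

With a threshold of 5 only the six-packet flow is reported; it is written to the first free address of the filter, so its policy becomes "discard" while the two-packet flow is still forwarded. Raising or lowering the threshold, or shrinking `filter_size`, shows the two limits the description leaves to the operator: the sensitivity of the attack decision and the capacity of the packet filter.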

3. Third embodiment

3-1. System Configuration
In the present embodiment, the extended function execution processor 52 responds in place of the device control processor 21 (proxy response) as an extended function of the node. As the proxy response, this embodiment describes the ARP (Address Resolution Protocol) exchange that a terminal belonging to the internal network needs in order to obtain the MAC address of the “gateway” (a network device that connects a plurality of different networks) through which packets transmitted from the terminal pass when the terminal communicates with the external network.

FIG. 11 is an example of a connection state in the present embodiment.
In the present embodiment, as shown in FIG. 11, the function expansion board 50 is connected to the internal network, and the line accommodation board 40 is connected to the external network. The IP addresses used in the present embodiment are described as global IP addresses for both the internal network and the external network. For example, NAT processing may be executed by using a function expansion board 50 of the first embodiment in place of the line accommodation board 40, in which case a private address may be used in the internal network. In FIG. 11, the configuration other than the line accommodation board 40 and the function expansion board 50 is omitted.

FIG. 16 is a configuration diagram of the post-processing information table 5303.
The extended function memory 53 according to the present embodiment stores a post-processing information table 5303 needed to determine the post-processing to be applied to a packet 800 input to the extended function execution processor 52. The post-processing information table 5303 illustrated in FIG. 16 holds, for a packet 800 received by the function expansion board 50, a component of its L2 header (for example, the destination MAC address), a component of its payload 850 (for example, the device IP address), and the post-processing information to be applied to the packet 800 (for example, the device MAC address). The other configuration of the node device 10 is the same as in the first embodiment described above.

  The transmission source terminal of the packet 800 needs to know the device MAC address of the node device 10 when transmitting the packet 800 to a device on the external network. To acquire the device MAC address of the node device 10, the transmission source terminal transmits a MAC address acquisition request (ARP request) packet. In the destination MAC address 822 of the ARP request packet, the transmission source terminal stores a broadcast address so that the ARP request packet is delivered to all network devices in the internal network. The payload 850 of the ARP request packet carries the device IP address of the node device 10 serving as the gateway described above, and the type 821 carries a code indicating an ARP request.

  The node device 10 that has received the ARP request packet notifies the transmission source terminal of the device MAC address associated with the device IP address described in the ARP request packet. This notification is called an ARP response. The type 821 of the packet carrying the ARP response holds a code indicating an ARP response.

  The transmission source terminal that has received the ARP response packet registers the device MAC address of the node device 10 as the MAC address of the gateway. Thereafter, the transmission source terminal uses the device MAC address of the node device 10 as the destination MAC address when transmitting a packet 800 to a device on the external network.

  Whether the proxy response described above is required is set in advance, for example, by the administrator of the node device 10 using the management terminal 15. The proxy response necessity information is input to the device control processor 21 via the signal line L7. The device control processor 21 outputs the proxy response necessity information to the signal line L6. The device control processor 21 also outputs the device MAC address corresponding to the gateway IP address described above, together with the proxy response necessity information, to the signal line L4. The extended function execution processor 52, to which the proxy response necessity information and the device MAC address are input from the signal line L4, updates the post-processing information table 5303 based on the input information. The bridge 51, which receives the proxy response necessity information from the signal line L6, records that information. The administrator can change the proxy response necessity setting at any time.

3-2.
FIG. 10 is a flowchart showing the operation of the bridge 51 for packets that require a response and for the response packets. When the function expansion board 50 is set to execute a proxy response, the bridge 51 of the function expansion board 50 determines how to handle a packet input to the bridge 51 according to the flowchart of FIG. 10.

  When a packet is input (step 700), the bridge 51 identifies whether the input source of the packet is the packet transfer unit 30 or the line interface 60-2 (steps 701 and 704). When the input source is the packet transfer unit 30 (step 701, Yes), the bridge 51 outputs the packet to the line interface 60-2 via the signal line L503 (step 706). When the input source is the line interface 60-2 (step 704, Yes), the bridge 51 outputs the packet to the extended function execution processor 52 via the signal line L501 (step 703).

  On the other hand, when the input source of the packet is neither the packet transfer unit 30 nor the line interface 60-2, that is, when it is the extended function execution processor 52 (steps 701 and 704 both No), the bridge 51 identifies the transmission instruction information described in the output destination information 910 added to the packet (step 713). The output destination information 910 is added by the extended function execution processor 52; details are described later. Based on the transmission instruction information, the bridge 51 executes step 706 described above when the instruction is a transmission instruction to the internal network, and executes step 707 when the output destination information is not a transmission instruction to the internal network. In step 707, the bridge 51 outputs the packet to the packet transfer unit. The bridge 51 discards the output destination information 910 added to the packet when executing step 706 or step 707.

  When the function expansion board 50 is not set to execute the proxy response, the bridge 51 outputs packets input from the signal line L503 to the signal line L3, and packets input from the signal line L3 to the signal line L503.

  Through the above processing, a packet input from the line interface 60-2 is transferred to the processor 52, and the packet returned after the processor 52 executes the extended function is transferred to the line interface 60-2.

3-3. Proxy Response Processing
Based on the above, the proxy response by the extended function execution processor 52 is described below as the extended function processing of the node.
In the function expansion board 50 of the node device 10-1, when the line interface 60-2 receives an ARP request packet transmitted from a terminal belonging to the internal network, the line interface 60-2 outputs the ARP request packet to the signal line L503. As described above, the ARP request packet contains the broadcast address as the destination address, the IP address of the node device 10, and a code indicating an ARP request.

  The bridge 51, which receives the ARP request packet from the signal line L503, outputs it to the signal line L501 in accordance with the flowchart of FIG. 10. The extended function execution processor 52, to which the ARP request packet is input from the signal line L501, executes proxy response processing for the ARP request.

  For example, to determine the post-processing to be applied to the ARP request packet, the extended function execution processor 52 generates a search key (post-processing search key) from the L2 header 820 of the ARP request packet (for example, the destination address) and the IP address of the node device 10 contained in the payload 850, and searches the post-processing information table 5303 described above with it. To search the post-processing information table 5303, the extended function execution processor 52 outputs, for example, the post-processing search key and a search command (post-processing search command) for retrieving the post-processing to be applied to the ARP request packet to the signal line L502.

  If an entry matching the post-processing search key exists and the device MAC address of the node device 10 is obtained as the search result from the post-processing information table 5303, the extended function execution processor 52 generates an ARP response packet as the response to the ARP request packet. The device MAC address obtained as the search result is stored in the payload 850, and a code indicating an ARP response is described in the type 821. At this time, the extended function execution processor 52 discards the ARP request packet. The extended function execution processor 52 also generates output destination information 910 to be added to the ARP response packet. The output destination information 910 states, for example, that the ARP response packet should be transmitted to the internal network; it may also carry the source address (terminal address) contained in the ARP request. The extended function execution processor 52 then outputs the ARP response packet with the output destination information 910 added to the signal line L501. The bridge 51, to which the ARP response packet with the output destination information is input from the signal line L501, outputs the ARP response packet to the signal line L503 based on the description in the output destination information 910 (corresponding to step 706 described above), and discards the output destination information 910 as described above. The proxy response process may use any appropriate means other than the above example.

  On the other hand, if no entry matches the post-processing search key and the device MAC address of the node device 10 cannot be obtained as the search result from the post-processing information table 5303, the extended function execution processor 52 generates output destination information 910 to be added to the ARP request packet. In this case, the output destination information 910 states that the ARP request packet should be transmitted to the packet transfer unit 30. The extended function execution processor 52 then outputs the ARP request packet with the output destination information 910 added to the signal line L501. The bridge 51, which receives the ARP request packet with the output destination information added from the signal line L501, outputs the ARP request packet to the signal line L3 based on the description in the output destination information 910 (corresponding to step 707 described above), and discards the output destination information 910 as described above. The packet transfer processor 31, to which the ARP request packet is input from the signal line L3, may output the ARP request packet to the device control processor 21 via the signal line L5.

  According to the present embodiment, control packets such as ARP request packets can be handled on the function expansion board, and rapid load factor fluctuation of the device control unit 20 can be suppressed. Stable operation of the node device 10 and high reliability of the network can therefore be expected.
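The bridge dispatch of FIG. 10 and the ARP proxy response of sections 3-2 and 3-3, modelled together as an added example; this is not code from the patent or from Alaxala. The frame layout is standard Ethernet II plus ARP, the post-processing information table is keyed by (destination MAC, device IP) as FIG. 16 describes, and the class and function names (Bridge, proxy_respond, parse_arp, build_arp, run_demo), the signal-line bookkeeping and the sample addresses are this example's own assumptions. The example also covers the miss case: a request whose key has no table entry is passed to the packet transfer unit unchanged.

```python
"""Added example: bridge 51 dispatch (steps 701/704/713) and the proxy ARP
response of extended function execution processor 52, modelled in Python.
Not the patent's or the vendor's code; names and sample values are constructed."""
import struct
from typing import Dict, Tuple

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen oper sha spa tha tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp(oper, src_mac, src_ip, dst_mac, tgt_mac, tgt_ip) -> bytes:
    """Ethernet II frame carrying an ARP request (oper=1) or reply (oper=2)."""
    eth = ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP)
    arp = ARP_BODY.pack(1, 0x0800, 6, 4, oper, src_mac, src_ip, tgt_mac, tgt_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Fields of an ARP-over-Ethernet frame, or None if the frame is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {"dst_mac": dst, "src_mac": src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


# Post-processing information table 5303: (destination MAC, device IP) -> device MAC.
PostProcessingTable = Dict[Tuple[bytes, bytes], bytes]


def proxy_respond(frame: bytes, table: PostProcessingTable):
    """Extended function: returns (packet, output destination information 910).
    A table hit yields an ARP reply for the internal network; otherwise the
    original request is handed on to the packet transfer unit."""
    fields = parse_arp(frame)
    if fields is None or fields["oper"] != ARP_REQUEST:
        return frame, "to_packet_transfer_unit"
    device_mac = table.get((fields["dst_mac"], fields["tpa"]))
    if device_mac is None:
        return frame, "to_packet_transfer_unit"          # miss: no proxy response
    reply = build_arp(ARP_REPLY, device_mac, fields["tpa"],
                      fields["src_mac"], fields["sha"], fields["spa"])
    return reply, "to_internal_network"


class Bridge:
    """Bridge 51 with proxy response enabled: dispatch by input source
    (steps 701/704) and, for processor output, by output destination info (713)."""

    def __init__(self, table: PostProcessingTable) -> None:
        self.table = table
        self.sent = {"L503": [], "L3": [], "L501": []}   # per signal line

    def input(self, source: str, packet) -> None:
        if source == "packet_transfer_unit":             # step 701 Yes -> 706
            self.sent["L503"].append(packet)
        elif source == "line_interface":                 # step 704 Yes -> 703
            self.sent["L501"].append(packet)
            self.input("processor", proxy_respond(packet, self.table))
        else:                                            # processor: step 713
            pkt, dest = packet                           # info 910 is consumed here
            if dest == "to_internal_network":            # step 706
                self.sent["L503"].append(pkt)
            else:                                        # step 707
                self.sent["L3"].append(pkt)


# Constructed values: the gateway (node device 10) and one internal terminal.
GATEWAY_IP, GATEWAY_MAC = ip("192.0.2.1"), mac("02:00:00:00:00:01")
TERMINAL_IP, TERMINAL_MAC = ip("192.0.2.50"), mac("02:00:00:00:00:50")
TABLE: PostProcessingTable = {(BROADCAST, GATEWAY_IP): GATEWAY_MAC}


def run_demo() -> Bridge:
    """Feed one request for the gateway and one for an unknown IP through the bridge."""
    bridge = Bridge(TABLE)
    request = build_arp(ARP_REQUEST, TERMINAL_MAC, TERMINAL_IP, BROADCAST, b"\x00" * 6, GATEWAY_IP)
    bridge.input("line_interface", request)
    unknown = build_arp(ARP_REQUEST, TERMINAL_MAC, TERMINAL_IP, BROADCAST, b"\x00" * 6, ip("192.0.2.2"))
    bridge.input("line_interface", unknown)
    return bridge


if __name__ == "__main__":
    demo = run_demo()
    print("replies to internal network (L503):", len(demo.sent["L503"]))
    print("requests passed to packet transfer unit (L3):", len(demo.sent["L3"]))
```

The first request matches the table entry, so the processor answers with an ARP reply whose sender hardware address is the gateway MAC, and the bridge sends it back out through L503 without the device control unit being involved; the second request has no entry and reaches L3, where the packet transfer processor may hand it to the device control processor as the description allows. Keying the table on the destination MAC as well as the IP means only broadcast requests for the configured gateway IP are answered by proxy.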

  Although not specifically mentioned in the present embodiment, the response to an input packet is not limited to the ARP response; it may also be applied to a response (session response) to a user's packet (session request) requesting authentication or the like. One example of a session response is issuing a global IP address to the user terminal.

4. Supplementary Notes
As is clear from the above description, according to the present invention it is possible to provide a function expansion board whose bridge, processor and memory can be reconfigured according to the function realized as the extended function of the network node.

  With the node configuration described above, desired extended functions such as NAT, packet filter update based on statistics, and proxy response can be realized with the same configuration. The device control unit can set the necessary information, processing programs, and bridge operation in the function expansion board according to the extended function. Alternatively, the necessary information, processing programs, and bridge operation can be set in the function expansion board in advance according to the extended function, so that a network node with a desired extended function can be configured by attaching or detaching such boards.

  The present invention is applicable to a network node that uses a circuit board that can execute an extended function.

Brief description of the drawings

FIG. 1 is a configuration diagram of the node device 10.
FIG. 2 is a block diagram of the function expansion board 50.
FIG. 3 is a block diagram of the device control unit 20.
FIG. 4 is a configuration diagram of the packet transfer unit 30.
FIG. 5 is a configuration diagram of the line accommodation board 40.
FIG. 6 is a flowchart showing the operation of the bridge 51 for a packet that needs processing and for the processed packet.
FIG. 7 is an explanatory diagram showing an example of the format of a variable-length packet transmitted over a network.
FIG. 8 is an explanatory diagram showing the state in which the function expansion board 50 accommodates the line connected to the external network and the line accommodation board 40 accommodates the line connected to the internal network.
FIG. 9 is a flowchart showing the operation of the bridge 51 with respect to the packet input source and the necessity of packet replication.
FIG. 10 is a flowchart showing the operation of the bridge 51 for a packet that needs a response and for the response packet.
FIG. 11 is an explanatory diagram showing the state in which the function expansion board 50 accommodates the line connected to the internal network and the line accommodation board 40 accommodates the line connected to the external network.
FIG. 12 is a block diagram of the packet transfer database 32.
FIG. 13 is a block diagram of the packet filter 33.
FIG. 14 is a configuration diagram of the address conversion table 5301.
FIG. 15 is a block diagram of the flow statistics table 5302.
FIG. 16 is a block diagram of the post-processing information table 5303.
FIG. 17 is a flowchart of statistical information collection.
FIG. 18 is a flowchart of packet filter update processing.
FIG. 19 is an explanatory diagram (1) of resource suppression of the forwarding database.
FIG. 20 is an explanatory diagram (2) of resource suppression of the forwarding database.

Explanation of symbols

10 node device
15 management terminal
20 device control unit
21 device control processor
22 device control memory
30 packet transfer unit
31 packet transfer processor
32 packet transfer database
33 packet filter
40 line accommodation board
50 function expansion board
51 bridge
52 extended function execution processor
53 extended function memory
5301 address conversion table
5302 flow statistics table
5303 post-processing information table
60 line interface
800 packet
900 packet with output destination information

Claims (22)

  1. In a network node having a packet transfer function for transferring a received packet to another device, a network node for executing an extended function other than the packet transfer,
    A first line accommodating unit for connecting to the first network;
    A second line accommodating unit for connecting to a second network;
    A forwarding database in which the destination address of a packet and the output destination information for outputting the packet are stored in correspondence with each other, and a packet transfer unit that refers to the forwarding database based on the destination address of an input packet and transfers the packet to the first and second line accommodating units according to the corresponding output destination information,
    The first and / or second line accommodating portion is:
    A line interface for accommodating a line connected to the first or second network;
    A storage unit in which information for executing the predetermined extended function is stored in advance;
    A processor that executes the extended function based on information included in the input packet and information stored in the storage unit;
    A bridge in which an output destination of the packet is set in advance for each packet input source, and which outputs a packet input from the packet transfer unit, the line interface, or the processor to any of the packet transfer unit, the line interface, and the processor according to that setting,
    wherein the packet received from the line interface is transferred to the processor by the bridge and the processor executes the extended function based on the packet, so that the extended function is executed before the packet received from the line interface is input to the packet transfer unit, and/or
    the packet received from the packet transfer unit is transferred to the processor by the bridge and the processor executes the extended function based on the packet, so that the extended function is executed before the packet transferred by the packet transfer unit is output from the line interface.
  2. A controller connected to the bridge and the processor;
    The control unit sets the predetermined extended function in the processor at a desired timing,
    Storing information for executing the extended function in the storage unit;
    The network node according to claim 1, wherein an output destination for each input source of a packet is set in the bridge according to the extended function.
  3. The extension function is
    Address translation function that translates private and global addresses,
    Collecting statistical information indicating the number of received packets within a predetermined time for each packet flow information, and a filter update function for changing a packet filtering policy according to the statistical information; and
    The network node according to claim 1, wherein the network node is one of proxy response functions in which the processor responds to a packet received from a terminal via the line interface.
  4. The network node further comprises a control unit that sets, in the bridge, an output destination for each input source of the packet, and the extended function is an address conversion function in which the processor converts between a private address and a global address,
    the bridge being set by the control unit such that
    a first packet input from the line interface is transferred to the processor, and the first packet returned after the processor executes the extended function is transferred to the packet transfer unit, and
    a second packet input from the packet transfer unit is transferred to the processor, and the second packet returned after the processor executes the extended function is transferred to the line interface. The network node according to claim 1.
  5. The first line accommodation unit is connected to an external network;
    The second line accommodation unit is connected to an internal network;
    The storage unit has an address conversion table in which a private address in the internal network and a global address in the external network corresponding to the private address are stored,
    The forwarding database stores a global address of the external network as a destination address with an identifier of the first line accommodating unit as the corresponding output destination information, and stores a private address of the internal network as a destination address with an identifier of the second line accommodating unit as the corresponding output destination information,
    The processor is
    When a packet addressed to the internal network using a global address as a destination address is input via the line interface,
    The address conversion table is referenced based on the destination address of the input packet, the corresponding private address is acquired, the destination address of the input packet is rewritten to the acquired private address, and the packet is output to the packet transfer unit,
    The packet transfer unit refers to the forwarding database based on the destination address of the input packet whose destination address has been rewritten to the private address, and outputs the input packet to the second line accommodation unit according to the corresponding output destination information, and
    The network node according to claim 4, wherein the second line accommodation unit outputs the packet to an internal network.
  6. The bridge further includes a control unit that sets an output destination for each input source of the packet,
    The extended function is a filter update function in which the processor collects statistical information indicating the number of received packets within a predetermined time for each packet flow information, and formulates a packet filtering policy according to the statistical information,
    The bridge is controlled by the control unit.
    A first packet input from the line interface is transferred to the processor, and an extended function is executed by the processor and the returned first packet is set to be transferred to the packet transfer unit; and
    The network node according to claim 1, wherein the network node is configured to transfer the second packet input from the packet transfer unit to the line interface.
  7. The bridge further includes a control unit that sets an output destination for each input source of the packet,
    The extended function is a filter update function in which the processor collects statistical information indicating the number of received packets within a predetermined time for each packet flow information, and formulates a packet filtering policy according to the statistical information,
    The bridge is controlled by the control unit.
    A first packet input from the line interface is copied, the copy is transferred to the processor, and the input first packet is set to be transferred to the packet transfer unit; and
    The network node according to claim 1, wherein the network node is set to transfer the second packet input from the packet transfer unit to the line interface.
  8. The packet transfer unit further includes a packet filter database in which policy information including a packet discard instruction or a priority change instruction is stored in correspondence with the flow information of a packet, refers to the packet filter database based on the flow information of the packet to obtain the corresponding policy information, and, according to the output destination information of the forwarding database and the obtained policy information, transfers the packet to the first and second line accommodating units or discards the packet,
    The storage unit includes a flow statistics table in which statistical information indicating the number of received packets within a predetermined time is stored for each flow information of packets.
    The processor is
    When a packet is input via the line interface, the statistical information in the flow statistics table corresponding to the flow information of the input packet is increased,
    Identifying the flow information in which the statistical information exceeds a predetermined threshold, generating filter information including the flow information and predetermined policy information, and outputting the filter information to the control unit;
    The network node according to claim 6 or 7, wherein when the filter information is input from the processor, the control unit updates the flow information and policy information of the packet filter database according to the filter information.
  9. The bridge further includes a control unit that sets an output destination for each input source of the packet,
    The extended function is a proxy response process in which the processor responds to a predetermined packet received from a terminal via the line interface,
    The bridge is controlled by the control unit.
    The predetermined packet input from the line interface is output to the processor, and the response packet for the terminal returned by the extended function executed by the processor is set to be output to the line interface. The network node according to claim 1.
  10. The storage unit has a table in which an IP address of a node serving as a gateway and a MAC address of the node are stored correspondingly;
    The processor is
    Receiving a MAC address acquisition request including an IP address of a node serving as a gateway from a terminal in the first network via the line interface;
    Refers to the table based on the IP address of the node serving as the gateway included in the received MAC address acquisition request, and acquires the corresponding MAC address, and
    The network node according to claim 9, wherein a MAC address acquisition response including the acquired MAC address is transmitted toward the terminal via the line interface.
  11. The packet forwarding unit
    A packet filter database storing packet header information and policy information indicating whether or not the packet corresponding to the header information can be transferred;
    The network node according to claim 1, wherein the policy information corresponding to the packet filter database is acquired based on header information of the input packet, and the packet is discarded or output based on the policy information.
  12. The packet forwarding unit
    According to an instruction from the control unit, a packet transfer processor is provided for setting information in the transfer database and the packet filter database, and for searching the transfer database and the packet filter database. The network node according to claim 2.
  13. The extended function executed in the first line accommodating unit and the information for executing the extended function are input to the control unit, at an arbitrary timing, from a management terminal connected to the control unit and operated by an administrator of the network node, and are set in the first line accommodating unit. The network node according to claim 2.
  14. The bridge
    Duplicate the packet input from the line interface,
    The network node according to claim 1, wherein the copied packet is output to the processor, and the input packet is output to the packet transfer unit.
  15. The processor is
    Based on the set extension function, process the packet or a copy of the packet,
    The network node according to claim 1, wherein the processed packet or the duplicate is output to the bridge.
  16. The storage unit
    The network node according to claim 1, wherein header information of a packet or header information of a duplicate of the packet and the information for executing an extended function corresponding to the header information are stored.
  17. The processor is
    In the storage unit, in accordance with an instruction from the control unit, set the information for executing an extended function,
    Search the storage unit using the header information of the packet or the header information of the duplicate of the packet as a search key,
    The network node according to claim 16, wherein the extended function is executed based on information obtained as a search result.
  18. In a network node having a packet transfer function for transferring a received packet to another device, a network node for executing an extended function other than the packet transfer,
    A first line accommodating unit for connecting to an external network;
    A second line accommodating unit for connecting to the internal network;
    A forwarding database in which the destination address of a packet and the output destination information for outputting the packet are stored in correspondence with each other, and a packet transfer unit that refers to the forwarding database based on the destination address of an input packet and transfers the packet to the first and second line accommodating units according to the corresponding output destination information,
    The first line accommodating portion is
    A line interface for accommodating a line connected to an external network;
    An address conversion table storing a private address in the internal network and a global address in the external network corresponding to the private address;
    A processor that, as the extended function, converts between a private address and a global address with reference to the address conversion table,
    The forwarding database stores a global address of the external network as a destination address with an identifier of the first line accommodating unit as the corresponding output destination information, and stores a private address of the internal network as a destination address with an identifier of the second line accommodating unit as the corresponding output destination information,
    The processor is
    When a packet addressed to the internal network using a global address as a destination address is input via the line interface,
    The address conversion table is referenced based on the destination address of the input packet, the corresponding private address is acquired, the destination address of the input packet is rewritten to the acquired private address, and the packet is output to the packet transfer unit,
    The packet transfer unit refers to the forwarding database based on the destination address of the input packet whose destination address has been rewritten to the private address, and outputs the input packet to the second line accommodation unit according to the corresponding output destination information, and
    The second line accommodation unit outputs the packet to the internal network.
  19. The network node according to claim 18, wherein
    When a packet addressed to the external network with a global address as its destination address and a private address as its source address is input, the second line accommodating unit outputs the packet to the packet transfer unit,
    The packet transfer unit obtains the corresponding output destination information by referring to the forwarding database based on the destination address of the input packet, which is a global address, and outputs the packet to the first line accommodating unit according to the obtained output destination information,
    The processor of the first line accommodating unit refers to the address conversion table based on the source address of the input packet, acquires the corresponding global address, and rewrites the source address of the input packet to the acquired global address, and
    The network node outputs the packet to the external network.
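Claims 18 and 19 describe the two translation directions as a two-stage pipeline: the processor in the line accommodating unit facing the external network rewrites addresses, while the packet transfer unit only consults the forwarding database. The Python model below is an added example, not code from the patent or from Alaxala; the packet representation, the prefix-based fallback in the forwarding lookup (a default route), the drop decisions for unmapped addresses and the sample addresses are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class NatNode:
    """Claims 18/19 model: the line accommodating unit facing the external
    network (unit 1) holds the address conversion table and does the rewrite;
    the packet transfer unit only consults the forwarding database."""
    UNIT_EXTERNAL = 1  # first line accommodating unit
    UNIT_INTERNAL = 2  # second line accommodating unit

    def __init__(self, internal_net, mappings):
        self.internal_net = IPv4Network(internal_net)             # assumed prefix
        self.priv_to_glob = dict(mappings)                        # address conversion table
        self.glob_to_priv = {g: p for p, g in mappings.items()}
        # forwarding database: destination address -> output destination information
        self.fdb = {g: self.UNIT_EXTERNAL for g in self.glob_to_priv}
        self.fdb.update({p: self.UNIT_INTERNAL for p in self.priv_to_glob})

    def _transfer(self, pkt):
        """Packet transfer unit: host entry, then internal prefix, then a default
        route to the external network (the fallbacks are assumptions)."""
        unit = self.fdb.get(pkt.dst)
        if unit is not None:
            return unit
        if IPv4Address(pkt.dst) in self.internal_net:
            return self.UNIT_INTERNAL
        return self.UNIT_EXTERNAL

    def inbound(self, pkt):
        """Packet on unit 1's line interface (claim 18): returns (unit or None, packet)."""
        priv = self.glob_to_priv.get(pkt.dst)
        if priv is None:
            return None, pkt  # unmapped or already-private destination is never forwarded inward
        pkt = replace(pkt, dst=priv)          # processor rewrites the destination, then
        return self._transfer(pkt), pkt       # hands the packet to the transfer unit

    def outbound(self, pkt):
        """Packet received from the internal network via unit 2 (claim 19)."""
        unit = self._transfer(pkt)            # forwarding lookup on the global destination first
        if unit != self.UNIT_EXTERNAL:
            return unit, pkt                  # stays internal: no translation
        glob = self.priv_to_glob.get(pkt.src)
        if glob is None:
            return None, pkt  # an unmapped private source must not leak to the external network
        return unit, replace(pkt, src=glob)   # unit 1's processor rewrites the source
```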
  20. A network node that has a packet transfer function for transferring a received packet to another device and that executes an extended function other than the packet transfer, comprising:
    A first line accommodating unit for connecting to a first network;
    A second line accommodating unit for connecting to a second network;
    A packet transfer unit having a forwarding database in which a destination address of a packet and output destination information for outputting the packet are stored in correspondence with each other, and a packet filter database in which policy information including a packet discard instruction or a priority change instruction is stored in correspondence with packet flow information, the packet transfer unit obtaining the corresponding output destination information by referring to the forwarding database based on the destination address of an input packet, acquiring the corresponding policy information by referring to the packet filter database based on the flow information of the packet, and transferring the packet to the first or second line accommodating unit or discarding the packet according to the acquired output destination information and policy information,
    wherein the first line accommodating unit comprises:
    A line interface for accommodating a line connected to the first network;
    A flow statistics table storing, for each packet flow information, statistical information indicating the number of packets received within a predetermined time; and
    A processor that, as the extended function, collects the statistical information for each flow information of the packet and changes the filtering policy of the packet according to the statistical information,
    The processor,
    When a packet is input via the line interface, increments the statistical information in the flow statistics table corresponding to the flow information of the input packet,
    Identifies flow information whose statistical information exceeds a predetermined threshold, and generates and outputs filter information for updating the packet filter database, the filter information including that flow information and predetermined policy information.
  21. The network node according to claim 20, further comprising a control unit for updating the packet filter database,
    wherein, when the filter information is input from the processor, the control unit updates the flow information and policy information of the packet filter database according to the filter information.
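Claims 20 and 21 describe a per-flow packet-rate threshold in the line accommodating unit that feeds filter information to a control unit, which then updates the packet filter database consulted by the packet transfer unit. The Python model below is an added example, not code from the patent or from Alaxala; the window-reset behaviour, reporting each flow once per window, the "discard" and "forward" policy values standing in for the claim's discard or priority-change instruction, and the constructed packet trace are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # flow information, used as the key of the flow statistics table
    src: str
    dst: str
    proto: str
    dport: int

class FlowStatsProcessor:
    """Processor of the line accommodating unit (claims 20/21): counts received
    packets per flow within a predetermined time window and emits filter
    information for any flow whose count exceeds the threshold."""
    def __init__(self, window_s, threshold, policy="discard"):
        self.window_s, self.threshold, self.policy = window_s, threshold, policy
        self.window_start = None
        self.table = Counter()  # flow statistics table: flow -> packets in this window
        self.reported = set()   # flows already reported in this window (assumption)

    def on_packet(self, flow, now):
        # a new window clears the statistics table only; a filter installed earlier
        # stays in the packet filter database until the control unit removes it
        if self.window_start is None or now - self.window_start >= self.window_s:
            self.window_start, self.table, self.reported = now, Counter(), set()
        self.table[flow] += 1
        if self.table[flow] > self.threshold and flow not in self.reported:
            self.reported.add(flow)  # report each offending flow once per window
            return {"flow": flow, "policy": self.policy}  # filter information
        return None

class PacketFilterController:
    """Control unit of claim 21, plus the packet transfer unit's policy lookup."""
    def __init__(self):
        self.filter_db = {}  # packet filter database: flow information -> policy
    def update(self, filter_info):
        self.filter_db[filter_info["flow"]] = filter_info["policy"]
    def policy_for(self, flow):
        return self.filter_db.get(flow, "forward")

def run_trace(trace, window_s=1.0, threshold=10):
    """Feed (timestamp, flow) pairs through the line unit processor, then the filter."""
    proc, ctl = FlowStatsProcessor(window_s, threshold), PacketFilterController()
    actions = []
    for now, flow in trace:
        info = proc.on_packet(flow, now)      # extended function runs before transfer
        if info is not None:
            ctl.update(info)                  # control unit updates the filter database
        actions.append(ctl.policy_for(flow))  # packet transfer unit applies the policy
    return actions
```

Because the statistics table resets each window while the filter database does not, a flow that crossed the threshold once keeps being discarded until the control unit clears the entry, which is the intended decoupling between detection and mitigation.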
  22. A network node that has a packet transfer function for transferring a received packet to another device and that executes an extended function other than the packet transfer, comprising:
    A first line accommodating unit for connecting to the first network;
    A second line accommodating unit for connecting to a second network;
    A packet transfer unit having a forwarding database in which the destination address of a packet and the output destination information for outputting the packet are stored in correspondence with each other, the packet transfer unit obtaining the corresponding output destination information by referring to the forwarding database based on the destination address of an input packet and transferring the packet to the first or second line accommodating unit according to that output destination information,
    wherein the first line accommodating unit comprises:
    A line interface for accommodating a line connected to the first network;
    A table in which the IP address of the node serving as the gateway and the MAC address of that node are stored in correspondence with each other; and
    A processor for executing the extended function,
    The processor,
    Receives, from a terminal in the first network via the line interface, a MAC address acquisition request including the IP address of the node serving as the gateway,
    Refers to the table based on the IP address of the gateway node included in the received MAC address acquisition request and acquires the corresponding MAC address, and
    Transmits a MAC address acquisition response including the acquired MAC address to the terminal via the line interface.
JP2006233196A 2006-08-30 2006-08-30 Network node Active JP4758302B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2006233196A JP4758302B2 (en) 2006-08-30 2006-08-30 Network node

Publications (2)

Publication Number Publication Date
JP2008060763A true JP2008060763A (en) 2008-03-13
JP4758302B2 JP4758302B2 (en) 2011-08-24

Family

ID=39243039

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2006233196A Active JP4758302B2 (en) 2006-08-30 2006-08-30 Network node

Country Status (1)

Country Link
JP (1) JP4758302B2 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000270004A (en) * 1999-01-12 2000-09-29 Yamaha Corp Router
JP2004135106A (en) * 2002-10-11 2004-04-30 Hitachi Ltd Packet communication equipment
JP2004289223A (en) * 2003-03-19 2004-10-14 Hitachi Ltd Packet communication apparatus
JP2006020034A (en) * 2004-07-01 2006-01-19 Hitachi Ltd Module type packet communication node device
JP2006157537A (en) * 2004-11-30 2006-06-15 Hitachi Ltd Packet transfer device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8638790B2 (en) 2008-06-23 2014-01-28 Qualcomm Incorporated Method and apparatus for managing data services in a multi-processor computing environment
JP2011526135A (en) * 2008-06-23 2011-09-29 クゥアルコム・インコーポレイテッドQualcomm Incorporated Method and apparatus for managing data services in a multiprocessor computing environment
JP2013153486A (en) * 2008-06-23 2013-08-08 Qualcomm Inc Method and apparatus for managing data services in multi-processor computing environment
WO2010146960A1 (en) * 2009-06-15 2010-12-23 Canon Kabushiki Kaisha Information processing apparatus, control method thereof and computer program
WO2012011290A1 (en) * 2010-07-23 2012-01-26 Nec Corporation Communication system, node, statistical information collection device, statistical information collection method and program
CN103026662A (en) * 2010-07-23 2013-04-03 日本电气株式会社 Communication system, node, statistical information collection device, statistical information collection method and program
US9461893B2 (en) 2010-07-23 2016-10-04 Nec Corporation Communication system, node, statistical information collection device, statistical information collection method and program
JP2012161027A (en) * 2011-02-02 2012-08-23 Hitachi Cable Ltd Edge relay device, redundant system for edge relay device, wide area network system, and frame transfer method for edge relay device

Also Published As

Publication number Publication date
JP4758302B2 (en) 2011-08-24

Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20090709

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20110218

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20110322

A521 Written amendment

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20110510

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20110531

A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20110602

R150 Certificate of patent or registration of utility model

Free format text: JAPANESE INTERMEDIATE CODE: R150

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20140610

Year of fee payment: 3

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250