JP2009200984A - Network control method and network control apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide such a network control technique as to suppress increase in a control time to the irreducibly minimum while avoiding occurrence of congestion. <P>SOLUTION: A network control apparatus 9 specifies a relay path between a destination subscriber user accommodation device 3 described in reported control information and a packet processing device 7, collects from respective devices transfer capacitance of transfer interfaces being present on the relay path and current transfer data amount information, specifies a free band on each transfer interface from a differential between the transfer capacitance and the transfer data amount, and compares the transfer data amount described in the notification with the free band. When the former is greater, a notification for rewriting path information is transmitted to devices inside a network so that a transfer destination of a packet holding a destination address described in the notification may become the packet processing device 7. When the latter is greater, a logical port is set between the destination subscriber user accommodation device 3 and the packet processing device 7. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  In the wide area network, the present invention monitors traffic fluctuations on a network wide basis and transfers traffic to a dedicated packet processing apparatus only when analysis is necessary, and performs detailed analysis to monitor unauthorized access in the network. This is a technology for efficiently implementing attack traffic defense and improving security at a low cost.

  With the spread of the Internet, illegal eavesdropping of data and the like due to unauthorized access via a network, system attacks such as DDoS (Distributed Denial of Services) attacks, etc. are frequently occurring.

  Conventionally, in order to cope with these threats, an access control technique is used in which a firewall function is installed in a packet transfer device such as a router to control communication according to data contents flowing through a network and packet header contents. By installing this packet transfer device at the boundary of the network, it is possible to pass only the minimum necessary communication in accordance with the security policy set by the user.

  However, since the firewall function allows communication according to the security policy to pass through the network, it is difficult to completely prevent unauthorized access such as unauthorized intrusion or DDoS attack using this allowed communication service. It is.

  In order to solve this problem, a method of using an abnormal traffic detection device such as Anomaly Detector and an abnormal traffic analysis / control device such as Anomaly Guard is used [Patent Document 1]. In this method, when the possibility of abnormal traffic is detected by the Anomaly Detector, a warning is sent to the Anomaly Guard, and the target traffic is rerouted to the Anomaly Guard for analysis. After the detailed analysis, Anomaly Guard classifies the received traffic into illegal traffic and normal traffic, forwards normal traffic to the original destination, and deletes illegal traffic.

  In this method, the abnormal traffic analysis / control device changes the routing information in the network to set the next hop of the destination address of the flow with the possibility of abnormal traffic as its own, thereby guiding the flow to itself. A method [Non-patent Document 2] and a method of setting a logical tunnel between an edge router in a network and an abnormal traffic analysis / control device and transferring a flow having a possibility of abnormal traffic to the abnormal traffic analysis / control device. [Non-Patent Document 1]. In the latter method, a two-way logical tunnel is set between a specific router and anomaly traffic analysis / control device, and an access control list for preventing a loop is set for the router. Loops are avoided at the same time that traffic is directed to the abnormal traffic analysis and control device.

JP 2005-5927 A “Network System and Unauthorized Access Control Method and Program” Yagi, et al., "Evaluation of network control method for sharing DDoS attack mitigation device scrubbing box", IEICE Technical Report, IN2006-131, pp103-108, Dec. 2006. Cisco Systems, Inc., "Cisco Anomaly Guard Module", [online], [Search February 5, 2007], Internet <http://www.cisco.com/japanese/warp/public/3/jp/ product / hs / ifmodule / csm / prodlit / agm_ds.shtml>

  In the former method, the abnormal traffic analysis / control apparatus reroutes the traffic to be analyzed to itself, so it is necessary to change the routing information of the entire network every time the traffic control is performed. In this case, since all the routers to be controlled are all routers, a certain amount of control time is required as the network becomes larger. On the other hand, in the latter method, a traffic load corresponding to the transfer flow is additionally generated between the specific router and the abnormal traffic analysis / control device. In this case, congestion due to the increased traffic load may occur, which may cause deterioration in communication quality of normal flows on the route.

  The present invention has been made to solve such a problem, and an object of the present invention is to provide a technique capable of suppressing an increase in control time to a necessary minimum while avoiding the occurrence of congestion.

  The present invention specifies a packet transfer device arranged between a specific router and an abnormal traffic analysis / control device when the amount of transfer data of a flow with a possibility of abnormality increases while suppressing an increase in control time. In addition, after specifying the free transfer bandwidth on the device, the transfer data amount of the flow is compared with the free transfer bandwidth, and when the former is larger than the latter, the routing information is changed. When the value is smaller than the latter, a network control device that performs control for setting a logical port is employed.

  As a result, when a logical port is set between the specific router and the abnormal traffic analysis / control device to transfer a flow with a possibility of abnormality, it is determined whether or not congestion is expected on the relay path. When it is determined that there is a possibility of congestion, the routing information in the network can be changed to transfer a flow that may be abnormally distributed from all routers.

In order to solve the above-described problems, the present invention provides:
According to the first aspect of the present invention, the network control device identifies the relay path between the destination subscriber user accommodation device and the packet processing device described in the notified control information, and determines the transfer capacity and current capacity of each transfer interface existing on the relay path. The transfer data amount is specified, the free bandwidth on each transfer interface is specified from the difference between the transfer capacity and the transfer data amount, the transfer data 1 described in the notification is compared with the free bandwidth, and the former is large When the latter is large, the destination subscriber is sent a notification for rewriting the route information so that the packet processing apparatus uses the packet transfer destination having the destination address described in the notification as the packet processing apparatus. A network control method for setting a logical port between the user accommodation device and the packet processing device is adopted.

  Further, in claim 2, the network control device specifies a relay path between the destination subscriber user accommodation device and the packet processing device described in the notified control information, and transfers capacity of each transfer interface existing on the relay path. Identify the transfer data amount on each transfer interface, specify the free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount, and the transfer data amount described in the notification Compare the available bandwidth, and when the former is large, send a notification to rewrite the route information to the packet processing device to transfer the packet having the destination address described in the notification to the device in the network, When the latter is large, a network control method for setting a logical port between the destination subscriber user accommodation device and the packet processing device is adopted. .

  Further, in claim 3, the topology table in which the packet transfer device and the relay path existing between the subscriber user accommodation device and the packet processing device are recorded, and the transfer capacity and current transfer data amount information of the transfer interface of each device are stored in each device. A function to collect data, a function to specify a relay path between the destination subscriber user accommodation apparatus and the packet processing apparatus described in the notified control information, a transfer capacity of each transfer interface existing on the relay path, and a current transfer A function for specifying a data amount, a function for specifying a free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount, and comparing the transfer data amount and the free bandwidth described in the notification, When the former is large, the route information is set so that the packet processing device is the forwarding destination of the packet having the destination address described in the notification. Send a notification for rewriting the device in the network, when the latter is large, employing a functional network controller for setting a logical port between said destination subscriber user accommodation apparatus and packet processing device.

  Further, in claim 4, a topology table that records the packet transfer device and the relay path existing between the subscriber user accommodation device and the packet processing device, a bandwidth management table that records the transfer capacity of the transfer interface of each device, A function of collecting transfer data amount information on a transfer interface on the apparatus, a function of specifying a relay path between the destination subscriber user accommodation apparatus and the packet processing apparatus described in the notified control information, and A function for specifying the transfer capacity of each existing transfer interface, a function for specifying the transfer data amount on each transfer interface, and a free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount Compare the function and the amount of transfer data described in the notification with the free bandwidth, and if the former is large, record it in the notification. A notification for rewriting the route information is transmitted to the device in the network so that the packet processing device having the destination address as the packet forwarding destination is the packet processing device. When the latter is large, the destination subscriber user accommodating device and the packet processing are transmitted. A functional network control device that sets logical ports between devices is adopted.

  According to the present invention, when a logical port is set between a specific router and an abnormal traffic analysis / control device and a flow having a possibility of abnormality is transferred, whether or not congestion is expected on the relay path is determined. When it is determined that there is a possibility that congestion will occur, the routing information in the network is changed and a flow that may be abnormally distributed is transferred from all routers.

  Therefore, even in a large-scale network, an increase in control time can be suppressed to the minimum necessary while avoiding the occurrence of congestion.

Next, embodiments of the present invention will be described with reference to the drawings.
[Description of configuration]
FIG. 1 shows an example of a network model of a network to which the present invention is applied. The network includes subscriber user accommodation devices 1 to 4, packet transfer devices 5 to 6, packet processing devices 7 to 8, and a network control device 9 that controls them, and user terminals 10 to 17 are connected to each access network 18 to 21, the subscriber user accommodation devices 1 to 4 are accommodated. In general, the subscriber user accommodation devices 1 to 4 are called edge nodes or edge routers, and the packet transfer devices 5 to 6 are called core nodes or core routers. The subscriber user accommodation devices 1 to 4 are connected by packet transfer devices 5 to 6. A network composed of the subscriber user accommodation devices 1 to 4, the packet transfer devices 5 to 6 and the packet processing devices 7 to 8 is a core network 22, and a network composed of user terminals is a user network 23.

  The subscriber user accommodation device 1 is assigned core # 1 as an address for identifying the device, and the subscriber user accommodation device 2 is assigned core # 2 as an address for identifying the device. The subscriber user accommodation device 3 is assigned a core # 3 as an address for identifying the device, and the subscriber user accommodation device 4 is assigned a core # 4 as an address for identifying the device. The packet transfer apparatus 5 is assigned a core # 5 as an address for identifying the apparatus, and the packet transfer apparatus 6 is assigned a core # 6 as an address for identifying the apparatus. The packet processing device 7 is assigned a core # 7 as an address for identifying the device, and the packet processing device 8 has a core as an address for identifying the device. 8 are applied, the route to reach each of which is managed by the routing protocol.

  The core # 1 to core # 8 are IPv4 addresses if the core network 22 is an IPv4 network, and OSPF (Open Shortest Path First: RFC2328) or the like is used as a routing protocol at that time. If the core network 22 is an IPv6 network, it becomes an IPv6 address, and a routing protocol at that time includes OSPFv6 (Open Shortest Path First version 6: RFC2740) and the like. Further, when the core network 22 is an MPLS (Multi-Protocol Label Switching) network (: RFC3031), a route is specified by a routing protocol, and then RSVP-TE (ReSerVation Protocol with Traffic Engineering: RFC3209) or CR-LDP (Constrain). A path called LSP (Label Switched Path) is set between the source and destination packet transfer apparatuses using a signaling protocol such as -based Label Distribution Protocol (RFC 3212).

  Similarly, user terminal 10 is identified by address IP # 1, user terminal 11 is identified by address IP # 2, user terminal 12 is identified by address IP # 3, and user terminal 13 is identified by address IP # 2. 4, user terminal 14 is identified by address IP # 5, user terminal 15 is identified by address IP # 6, user terminal 16 is identified by address IP # 7, and user terminal 17 is addressed by address IP # 6. It is identified by IP # 8.

  FIG. 2 shows an example of a physical model of a network to which the present invention is applied. The network control device 9 is connected to each device in the network. In this embodiment, the links 108 to 115 ensure connectivity with each device. The subscriber user accommodation device 1 and the packet transfer device 5 are connected by a link 101, the subscriber user accommodation device 2 and the packet transfer device 5 are connected by a link 102, and the subscriber user accommodation device 3 and the packet transfer device 6 are a link 103. The subscriber user accommodation device 4 and the packet transfer device 6 are connected by a link 104, the packet transfer device 5 and the packet transfer device 6 are connected by a link 105, and the packet transfer device 5 and the packet processing device 7 are connected by a link 106. The packet transfer device 6 and the packet processing device 8 are connected by a link 107. As the link, an optical path such as an optical fiber or an optical wavelength, or a physical cable such as an Ethernet cable is shown.

  FIG. 3 shows a configuration example of the network control apparatus 9 installed in a communication network that implements the network control method of the present invention. The network control device has a control flow management function 24 and an external device control unit 25.

  The control flow management function 24 has a topology table 26, a transfer interface management function 27, a control selection function 28, and a control type management function 29.

  As shown in FIG. 9, the topology table 26 includes a plurality of packet processing devices that are traffic guidance destinations for each subscriber user accommodation device, and a packet transfer device that is used when a logical port is set between the devices. It has a function of managing transfer interface candidates. This table assumes that the operator sets statically based on the positional relationship between the subscriber user accommodation device and each packet processing device, the number of hops on the relay path between both devices, etc. You may set dynamically from the traffic load condition of the apparatus on the relay path between both apparatuses.

  The transfer interface management function 27 has a function of collecting and managing the transfer capacity and current transfer data amount information of the transfer interface possessed by each packet processing device. The network control device has a function of collecting the traffic counter, MIB information and configuration held by the packet processing devices 7 and 8 by using a command line interface or SNMP (Simple Network Management Protocol), or the traffic is controlled by the function. While collecting only volume information, it has a bandwidth management table that records the transfer capacity of each device's transfer interface, so that it has the function to perform the same processing as the above function, or at least one of the functions Will do. Note that this processing is assumed to be started by operator operation, but a timer is associated with this function, and the network control device starts up so that it holds the latest information by referring to each device at a predetermined time interval. You may set an opportunity.

The control selection function 28 is
The control flow management function 24, which will be described later, calculates the difference between the transfer capacity and the current transfer data amount for the free bandwidth on each transfer interface for a plurality of transfer interfaces specified from the topology table 26 and the transfer interface management function 27. Functions that are identified by
A function in which the control flow management function 24, which will be described later, compares the amount of free bandwidth of each of the identified transfer interfaces with respect to the traffic amount notified from the external device control unit 25, which will be described later;
When the former is large, the control flow management function 24 described later holds the destination address notified from the external device control unit 25 by using the route setting instruction function for the external device control unit 25 described later. At the same time, the routing information change instruction is notified so that the packet transfer destination is the packet processing apparatus, and at the same time, the destination notified together with the destination address to the external apparatus control unit 25 described later using the logical port setting instruction function 30 A logical port is set between the subscriber user accommodation node and the packet processing device, and the packet having the destination address is transferred from the packet processing device to the output transfer interface of the destination subscriber user accommodation node using the logical port. A function to instruct route setting,
When the former is small, the logical port setting instruction function 30 is used for the external device control unit 25 described later, and the logical port from the destination subscriber user accommodation device to the packet processing device and the destination subscription from the packet processing device. The logical port setting instruction function 30 is used for the external device control unit 25 to be described later, while preventing the loop, while instructing to set the logical port to the output transfer interface of the user user accommodating device. Has a function of instructing the destination subscriber user accommodation device to set the route for outputting the packet flow.

  The control type management function 29 has a function of managing the control content selected by the control selection function 28 for each destination address.

The control flow management function 24
When the notification of the control information composed of the packet flow information including the address of the destination subscriber user accommodating device and the destination address and the transfer data amount of the packet flow is received from the external device control unit 25 described later, the topology table Referring to FIG. 26, a function for specifying each device existing between the packet processing devices assigned to the destination subscriber user accommodation device and a forwarding interface for setting a logical port;
A function for specifying the transfer capacity and current transfer data amount information of each of the specified transfer interfaces using the transfer interface management function 27;
When the control selection function 28 is used to identify the free bandwidth on each transfer interface, compare the traffic amount notified from the external device control unit 25 described later with the free bandwidth, and the former transfer interface is confirmed to be large The path information is set so that the transfer destination of the packet having the destination address notified from the external apparatus control unit 25 becomes the packet processing apparatus using the path setting instruction function 32 to the external apparatus control unit 25 described later. Simultaneously with the notification of the change instruction, a logical port is set between the destination subscriber user accommodation node notified together with the destination address and the packet processing device using the logical port setting instruction function 30 to the external device control unit 25. Set the packet having the destination address from the packet processing device to the output transfer interface of the destination subscriber user accommodation node. In the case where the path setting is instructed to transfer using the logical port up to the case, if the former transfer interface is not confirmed to be large, the logical port setting instructing function 30 is set to the external device control unit 25 described later. And instructing to set a logical port from the destination subscriber user accommodation device to the packet processing device and a logical port from the packet processing device to the output transfer interface of the destination subscriber user accommodation device, and an external device to be described later A function of instructing the control unit 25 to use the logical port setting instruction function 30 to set the destination subscriber user accommodation device to set the route for outputting the packet flow to the logical port while preventing a loop;
When the route setting is performed using the control selection function 28, a function is stored in the control type management function 29 as a pair of the destination address and the route setting contents when the route is set.

In addition to the above, the control flow management function 24
When the external device control unit 25 described later is notified of guidance cancellation constituted by packet flow information, the destination address described in the notification is referred to and stored in the control type management function 29 using the address as a key. If the control type corresponding to the address is identified by searching the information stored and the route setting is used for the control, the destination address is set between the destination subscriber user accommodation device and the packet processing device. Instruct the logical port setting instruction function 30 of the external device control unit 25 to delete the existing logical port, and at the same time, issue a route information change instruction so that the transfer destination of the packet having the destination address becomes the destination subscriber user accommodation device A function of notifying the route setting instruction function 32 of the control unit 25;
When only the logical port setting is used for the control, the logical port setting instruction of the external device control unit 25 is deleted so as to delete the logical port set between the destination subscriber user accommodation device and the packet processing device with respect to the destination address. A function for instructing the function 30 and a function for instructing the route setting instruction function 32 to delete the packet flow information after the instruction is transmitted are provided.

  When route setting is used for control, it is assumed that this information is used when the destination subscriber user accommodation device is described in the notification, but the control type is assumed when a network not described in the notification is assumed. In the management function 29, a destination subscriber user accommodation device before control may be recorded, and a means using this information may be applied. Further, a means for issuing an instruction to delete the transfer entry generated on each device at the time of control may be applied.

  The external device control unit 25 has a logical port setting instruction function 30, an output transfer interface management function 31, and a path setting instruction function 32.

The logical port setting instruction function 30
For each device between the subscriber user accommodation device and the packet processing device instructed to set the logical port by the control flow management function 24, for the devices on the relay path from the subscriber user accommodation device to the packet processing device, A logical port is set, and a transfer entry for transferring a packet having a destination address notified from the control flow management function 24 to the same logical port is set in the subscriber user accommodation device, and at the same time, the packet processing device joins the packet. A logical port is set for the device on the relay path to the user user accommodation device, and the packet having the destination address notified from the control flow management function 24 is also output to the packet processing device. Set up a forwarding entry for forwarding from the interface to the same logical port, in addition to the destination subscriber user The header information of the packet to be output to the logical port between the accommodating device and the packet processing device is specified from the notification information or the control flow management function 24, and the packet having the packet header information is set to the logic set between the devices. A function for instructing to add an entry to an ACL (Access Control List) to output to the logical port when received from other than the port;
For each device between the subscriber user accommodation device and the packet processing device instructed to delete the logical port from the control flow management function 24, for the devices on the relay path from the subscriber user accommodation device to the packet processing device, Similarly, a transfer entry for transferring a packet having a destination address notified from the control flow management function 24 to the same logical port is deleted from the subscriber user accommodation device, and at the same time, the logical port is deleted from the packet processing device. For the device on the relay path to the subscriber user accommodation device, packet processing is performed on the transfer entry for transferring the packet having the destination address notified from the control flow management function 24 from the output transfer interface to the same logical port. Delete from the device, delete the logical port, and also add the same destination address. The ACL entry has the ability to remove from the subscriber user accommodation apparatus.

  The output transfer interface management function 31 has a function of managing the subscriber user accommodating device accommodating each destination address and the output transfer interface. The management information may be set statically by the operator, but can be collected dynamically by a routing protocol. For example, if this function establishes a BGP route reflector and a BGP peer, this information is dynamically transmitted from the BGP route reflector, so the received information may be stored and managed.

  The route setting instruction function 32 has a function of transmitting a route information change instruction to each device so as to change the transfer destination of the packet having the destination address notified from the control flow management function 24 to the address specified in the notification. Have. As described in the control flow management function 24, it is assumed that this information is used when the destination subscriber user accommodation device is described in the notification. However, when a network not described in the notification is assumed, control type management is performed. In the function 29, a destination subscriber user accommodation apparatus before control may be recorded, and a means using this information may be applied. Further, a means for issuing an instruction to delete the transfer entry generated on each device at the time of control may be applied. This control basically assumes a light path change instruction by a routing protocol typified by BGP. However, after the server remotely logs in to each device, a means for controlling the transfer path by the device control CLI is applied. May be.

The external device control unit 25
Controls this information when receiving notification of packet flow information including the address of the destination subscriber user accommodation device and the destination address from the external device, and control information and control release information composed of the transfer data amount of the packet flow. A function to transfer to the flow management function 24;
From the control flow management function 24, a light path information change instruction that makes the transfer destination of a packet having a certain destination address become an address of a certain packet processing device, a destination subscriber user accommodation node notified together with the destination address, Notification for setting a logical port between packet processing devices and instructing route setting to transfer the packet having the destination address from the packet processing device to the output transfer interface of the destination subscriber user accommodating node using the logical port. Is received, the route setting instruction function 32 is used to transmit a route information change instruction to each device so as to change the forwarding destination of the packet having the notified destination address to the address indicated in the notification. And the destination on the destination subscriber user accommodation device using the output transfer interface management function 31 After specifying the output transfer interface in which the address is accommodated, packet processing is performed for each device between the subscriber user accommodation device instructed to set the logical port and the packet processing device using the logical port setting instruction function 30. A logical port is set for the device on the relay path from the device to the output interface of the destination subscriber user accommodation device, and the destination address notified from the control flow management function 24 is also used for the packet processing device. A function for setting a transfer entry for transferring a packet having a packet from the output transfer interface to the same logical port;
A notification from the control flow management function 24 that instructs to set a logical port from the destination subscriber user accommodation device to the packet processing device and a logical port from the packet processing device to the output transfer interface of the destination subscriber user accommodation device; Logical port setting is performed using the logical port setting instruction function 30 when receiving a notification instructing the destination subscriber user accommodation device to set the route for outputting the packet flow to the logical port while preventing the loop. For each device between the subscriber user accommodation device and the packet processing device that is instructed to do so, a logical port is set for the device on the relay path from the subscriber user accommodation device to the packet processing device, and the same control is performed. A transfer error for transferring a packet having the destination address notified from the flow management function 24 to the same logical port. At the same time, the logical port is set for the device on the relay path from the packet processing device to the subscriber user accommodation device, and also notified from the control flow management function 24. A forwarding entry for forwarding a packet having a destination address from the output forwarding interface to the same logical port is set in the packet processing device, and in addition, a logical port provided between the destination subscriber user accommodation device and the packet processing device is set. The header information of the packet to be output is specified from the notification information or the output transfer interface management function 31 and is output to the logical port when a packet having the packet header information is received from other than the logical port set between the devices. A function to instruct the ACL (Access Control List) to add an entry,
From the control flow management function 24, an instruction to delete a logical port set between a destination subscriber user accommodation device and the packet processing device with respect to a certain destination address, and a transfer destination of a packet having the destination address is a destination subscriber user After receiving the instruction to change the route information to become the accommodation device, after specifying the output transfer interface in which the destination address is accommodated on the destination subscriber user accommodation device using the output transfer interface management function 31, Relay from the packet processing device to the output interface of the destination subscriber user accommodation device for each device between the subscriber user accommodation device and the packet processing device instructed to release the logical port using the logical port setting instruction function 30 Release the logical port set for the device on the road, and Similarly, the transfer entry set for transferring the packet having the destination address notified from the control flow management function 24 to the same logical port from the output transfer interface is deleted, and the route setting instruction function 32 is used to A function of transmitting a route information change instruction so as to change the forwarding destination of the packet having the address to the address of the subscriber user accommodation device instructed by the notification;
When receiving an instruction from the control flow management function 24 to delete a logical port set between the destination subscriber user accommodation apparatus and the packet processing apparatus for a certain destination address, the logical port setting instruction function 30 is used. For a device on the relay path from the subscriber user accommodation device to the packet processing device, a transfer entry for transferring a packet having a destination address notified from the control flow management function 24 to the same logical port is also given to the subscriber user. At the same time as deleting from the accommodation device and further deleting the logical port, the device on the relay path from the packet processing device to the subscriber user accommodation device also has the destination address notified from the control flow management function 24 Transfer entry for transferring packet from output transfer interface to same logical port. Remove from processor further deletes the logical port, and in addition, the ability to remove the ACL entry for the destination address from the subscriber user accommodation apparatus,
Manage whether each control completion notification has been received from the device, and when the reception of notification for a certain period of time cannot be confirmed, the function to try the setting again, and when each control completion notification is received from the device, It has a function of notifying the control flow management function 24 of the completion of control.

  As a result, when the control information is notified, the network control device 9 identifies the relay path between the destination subscriber user accommodation apparatus and the packet processing apparatus described in the notification, and each transfer interface existing on the relay path is identified. The transfer capacity and the current transfer data amount are specified, the free bandwidth on each transfer interface is specified from the difference between the transfer capacity and the transfer data amount, and the transfer data amount described in the notification is compared with the free bandwidth. When the former is large, a notification for rewriting route information is sent to the device in the network so that the transfer destination of the packet having the destination address described in the notification is the packet processing device, and when the latter is large, A logical port can be set between the destination subscriber user accommodation device and the packet processing device.

  As a result, when a logical port is set between the specific router and the abnormal traffic analysis / control device to transfer a flow with a possibility of abnormality, it is determined whether or not congestion is expected on the relay path. When it is determined that there is a possibility of congestion, the routing information in the network can be changed, and flows that may be abnormally distributed can be transferred from all routers. The increase in control time can be suppressed to the minimum necessary while avoiding the occurrence of.

  FIG. 4 shows a configuration example of subscriber user accommodation apparatuses 1 to 4 installed in a communication network that implements the network control method of the present invention. The subscriber user accommodation device includes a packet transfer unit 33 and a server connection unit 34. The packet transfer unit 33 has a transfer table 35, an access control list 36, and a logical port setting function 37. The forwarding table 35 has a function of deriving an output label value and an output link from header information of the input packet. Compared to the claims, the label value indicates the logical port.

  In this embodiment, a label value and a destination address are described as header information examples. Here, the default input label value indicates that no label is given. Conventionally, a network without a label is a connectionless network such as an IP network, and a network with a label is a connection-oriented network such as an MPLS network. In an IP network, an output destination is specified by a routing protocol, and in an MPLS network, an output destination is specified by a routing protocol and a signaling protocol.

  For this reason, the transfer table may be divided and managed based on the presence or absence of a label value. Furthermore, a transmission source address may be described as header information, and the operator may be set to output only a specific inter-user flow to another route.

  In this embodiment, the output logical port and the output physical port are described in the transfer table 35. However, these may be described as separate tables. In this case, the entry whose input label is default is described in a table for deriving the output physical port from the destination address. In addition, entries for which input label values are specified are described in a table for deriving output label values from input label values and a table for deriving output physical ports from output label values.

  The access control list 36 has a function of managing transfer information to be applied with priority over the transfer table 35 and a function of applying transfer information held by this function before referring to the transfer table.

  In the present embodiment, the header information of the input packet, the output label value, and the output link correspond to the transfer information. For example, when only a part of the header information of the input packet is described, only the described information becomes the application condition.

  The logical port setting function 37 has a function of setting a logical port for a destination having a specific address and a function of deleting a logical port for a destination having a specific address. . For example, when the core network is an MPLS network, the logical port setting instruction function 30 can set an LSP with a destination having a specific address using a signaling protocol.

  When the server connection unit 34 receives an instruction from the network control device 9 and completes the function of passing the instruction from the network control device 9 to each function and the control based on the instruction from the network control device 9, the server connection unit 34 Has a function of transmitting a completion notification to the network control device.

The packet transfer unit 33
A function of exchanging route information with each device by a routing protocol or the like, and when a change in route information is notified from another device, a function of changing the contents of the transfer table according to the notified content,
A function of notifying the server connection unit 34 of a result after adding / deleting an entry according to the instruction when receiving an instruction to add / delete an entry of the access control list 36 from the server connection unit 34;
When a logical port addition / deletion instruction is received from the server connection unit 34, an entry is added / deleted according to the instruction, and the result is notified to the server.

  As a result, the subscriber user accommodation devices 1 to 4 change the routing table routing information and set the logical port between the packet processing devices based on the instruction from the network control device 9, and also to the packet processing device. A packet to be transmitted is extracted and only the packet is transmitted to the logical port. Further, packets received from the packet processing device are not subject to packet extraction.

  Thus, only a specific packet is transmitted to the packet processing device, and a loop of a packet transmitted to the packet processing device is prevented.

  The packet transfer apparatuses 5 and 6 are apparatuses that have functions other than the access control list among the functions of the subscriber user accommodation apparatuses 1 to 4. However, the packet transfer apparatus may have an access control list.

  FIG. 5 shows a configuration example of the packet processing apparatuses 7 and 8 installed in the communication network that implements the network control method of the present invention. The packet processing apparatus includes a packet processing function 38, a packet return function 39, and a server connection unit 40.

  The packet processing function 38 has a function of performing packet passage control processing. As the packet passing control process, the cumulative value of the transfer data amount for each destination address of the transfer packet is measured at regular intervals, and when the cumulative value of the transfer data amount of a certain destination address is equal to or greater than a predetermined threshold, Regarding the packet having the destination address, in the next cycle, the control corresponding to the threshold excess amount is discarded, the total number of transfer packets and the transfer data amount for each header information of the received packet are observed at regular intervals, When the increase value of the number of transfer packets of certain header information and the cumulative value of the transfer data amount exceeds a predetermined threshold value, a control for discarding the packet holding the header information from the next period is given.

  In these controls, a transfer packet count table that counts the number of transfer packets with respect to the destination address, a transfer data amount count table that accumulates the transfer data amount with respect to the destination address, and an entry in each table at regular intervals. A function to save the count value and save the count value, a function to compare the stored value with the threshold value, a function to discard packets that exceed the threshold value at the time of comparison at a variable rate, It is necessary to have a function to be implemented. The packet passing process also includes a function for charging based on the amount of transmitted / received data and a function for collecting and managing a log of passing packets.

  The packet return function 39 has a return path setting function 41 and a packet return table 42.

  The return path setting function 41 has a function of setting a logical port for use with a destination having a specific address and a function for deleting a logical port set for use with a destination having a specific address. is doing. For example, when the core network is an MPLS network, the return path setting function 41 can set an LSP with a destination having a specific address by using a signaling protocol.

  The packet return table 42 has a function of deriving the output logical port and the output physical port set between the transmission source packet transfer apparatuses of the packet from the input logical port of the received packet. From the label value, it has a function of deriving a label and an output link assigned to the logical port set between the transmission source packet transfer apparatuses of the packet. The function for specifying the output logical port and the output physical port may be divided into two tables. In this case, a table for specifying the output logical port from the input logical port and a table for specifying the output physical port from the output logical port are held.

  When the packet return function 39 receives an instruction from the network control device 9 to set a bidirectional logical port between specific addresses, the return path setting function 41 sets the logical port for the designated address. In addition, when an external device sets a logical port for the specified address, it corresponds to the route determined when the logical port is set from the address specified when the logical port is set. A function is described in the packet return table 42 so as to guide the label, and an output destination of the route determined when the logical port is set by itself is described in the packet return table 42 so as to be paired with the label assigned to the route. Have. At this time, a label value set for the designated address may be employed instead of the address.

  On the other hand, when the packet return function 39 receives an instruction from the network control device 9 to set a one-way logical port for a specific address, the return path setting function 41 sets the logical port to the designated address. Is set, the packet return table 42 has a function of describing an entry for outputting a packet addressed to the address to the logical port. Further, when the packet return function 39 receives an instruction from the network control device 9 to release the logical port between specific addresses, the return path setting function 41 deletes the logical port between the designated addresses, It has a function of deleting an entry in the packet return table 42 relating to the label corresponding to the route.

  When the server connection unit 40 receives an instruction from the network control device 9 and completes the function of passing the instruction from the network control device to each function and the control based on the instruction from the network control device 9, the server connection unit 40 It has a function of transmitting a completion notification to the network control device 9.

  Thereby, the packet processing devices 7 and 8 set the logical port between the subscriber user accommodation devices based on the instruction from the network control device 9, and the packets received from the subscriber user accommodation devices are transmitted to the subscriber user accommodation devices. Return to

  As a result, the packet processing device can receive the traffic, analyze it, and send it back to the subscriber user accommodation device while controlling it.

[Description of operation]
An operation example of the embodiment of the present invention will be described using the network model of FIG. In the initial state, between the user # 1 and the user # 5, the link 116, the subscriber user accommodation device 1, the transfer interface 201, the link 101, the transfer interface 203, the packet transfer device 5, the transfer interface 205, the link 105, and the transfer interface 207. The packet is transferred via the packet transfer device 6, the transfer interface 209, the link 103, the transfer interface 211, the subscriber user accommodation device 3, and the link 120. The traffic amount of the flow is set to 200 Mbps.

  In this operation example, an operation when a flow group of 200 Mbps received by the user # 6 is bypassed to the packet processing device 7 will be described. At this time, the transfer capacity of each of the transfer interfaces 201 to 214 is set to 300 Mbps.

  FIG. 7 shows a flow before detour control to the packet processing device. Usually, the flow group addressed to the user # 6 is transmitted from each subscriber user accommodation device as indicated by a dotted line.

  FIG. 8 shows an operation example of the subscriber user accommodation device 3 before the detour control to the packet processing device. Reference numeral 211 denotes a transfer interface connected to the packet transfer apparatus 6, and reference numeral 300 denotes a packet. When the subscriber user accommodation device 3 receives the packet, the packet transfer unit 33 refers to the transfer table 35 and specifies the output link 121 from the search key whose input label value is default and whose destination address is user # 6. The packet is output to the link 121.

  FIG. 9 shows an operation example of the network control device 9 at the time of detour control to the packet processing device. When receiving control information including header information of a packet flow to be controlled, destination subscriber user accommodation device of the packet, and transfer data amount of the packet flow, the topology is set using the destination subscriber user accommodation device core # 3 as a search key. Referring to the table 26, the transfer interface existing between the core # 3 and the core # 7, which is the packet processing device, is specified, and the transfer capacity and the current data transfer on the transfer interface using the transfer interface management function 27 After specifying the amount, the control selection function 28 calculates the free bandwidth and compares it with the amount of transfer data of the packet flow described in the notification.

  In this operation example, since the amount of transfer data is currently larger than the free bandwidth, it is determined to perform route control using the route setting instruction function 32 and the logical port setting instruction function 30, and the network is set via the external device controller 25. Change the routing information and set the logical port for each device. At this time, the access control list 36 of the destination subscriber user accommodation apparatus 3 is set with reference to the information of the output transfer interface.

  FIG. 10 shows an operation example of the subscriber user accommodation apparatus 3 after the control of FIG. Since the forwarding table 35 has been changed, the subscriber user accommodating device 3 refers to the forwarding table 35 in the packet forwarding unit 33 when receiving a packet, the input label value is default, and the destination address is user # 6. The output transfer interface 211 is specified from the search key, and the packet is output to the link 103 via the transfer interface 211.

  Further, the network control device 9 assigns a logical port so that a label # 1 is given to a packet transmitted from the packet processing device via a logical port (a cylinder described in the transfer interface 211 portion indicates a logical port). Is set. Further, the access control list 36 is set by the network control device 9 so that the packet received from the label # 1 can be transferred from the destination address through the regular output transfer interface.

  FIG. 11 shows an operation example of the packet processing apparatus 7 after the control shown in FIG. When a packet is transmitted from the packet processing device 7 to the destination subscriber user accommodating device 3 via the logical port, the network control device 9 describes the logical port (described in the transfer interface 213 portion) so that the packet is given the label # 1. The cylinder is a logical port.) Is set. Further, an entry is added to the packet return table 42 so that the label # 1 is assigned to the destination address in this control and output. The received packet is output from the transfer interface 213 with label # 1 by referring to the packet return table 42 after packet processing by the packet processing function 38.

  FIG. 12 shows a flow transfer path after the control of FIG. The routing information has been changed so that the destination of the destination address is the packet processing device 7, and further, from the packet processing device 7 to the transfer interface of the original subscriber user accommodation device 3, the logical port and the access control list A static route is set.

  On the other hand, the operation when detouring the 50 Mbps flow group received by the user # 6 to the packet processing device 7 is different from the above.

  FIG. 13 shows an operation example of the network control device 9 at the time of detour control to the packet processing device. The operation is the same as that shown in FIG. 9 until the free bandwidth is calculated. However, since the transfer data amount is smaller than the free bandwidth this time, it is determined that the path control using only the logical port setting instruction function 30 is performed, and the external device control is performed. A logical port is set to each device in the network via the unit 25.

  FIG. 14 shows an operation example of the subscriber user accommodation apparatus 3 after the control of FIG. At the time of control, the network control device 9 sets a logical port from the packet processing device 7 to the subscriber user accommodating device 3 (this logical port is indicated by a cylinder described on the left side of the transfer interface 211) and is labeled. # 4 is assigned, and a logical port (this logical port is indicated by a cylinder described on the right side of the transfer interface 211) from the subscriber user accommodation device 3 to the packet processing device 7 is set and assigned label # 3. It is done. Further, the packet is written in the access control list 36 so that a packet other than the packet with the label # 4 is given the label # 3 to the packet having the destination address # 6 and is output to the link 103 via the transfer interface 211. The

  For this reason, the forwarding table 35 is not changed, but when the subscriber user accommodating device 3 receives the packet, the packet forwarding unit 33 uses the access control list 36 to set the input label value as the default and the destination address as the user. The label # 3 is assigned to the packet # 6 and the output transfer interface 211 is specified, and the packet is output to the link 103 via the transfer interface 211. The packet received from label # 4 passes through the access control list 36, and after the label is deleted, the forwarding table 35 is referred to and the link 121 is specified as the output interface.

  FIG. 15 shows an operation example of the packet processing apparatus 7 after the control shown in FIG. When a packet is transmitted from the packet processing device 7 to the destination subscriber user accommodation device 3 via the logical port, the network controller 9 assigns a logical port (described on the left side of the transfer interface 213) so that the packet is given a label # 4. This logical port is indicated by the cylinder). Further, when a packet is transmitted from the destination subscriber user accommodation device 3 to the packet processing device 7, the network controller 9 assigns a logical port (the cylinder described on the right side of the transfer interface 213) so that the packet is given the label # 3. Indicates this logical port). In addition, an entry is added to the packet return table 42 so that a label # 4 is assigned to the destination address in this control and output. The received packet is output from the transfer interface 213 with a label # 4 by referring to the packet return table 42 after the packet processing by the packet processing function 38.

  FIG. 16 shows a flow transfer path after the control of FIG. The packet having the destination address is transferred to the destination subscriber user accommodation device 3 and then transferred from the destination subscriber user accommodation device 3 to the packet processing device 7 through a static route set by a logical port and an access control list. Further, the packet is transferred again from the packet processing device 7 to the original subscriber user accommodation device 3 through a static route set by the logical port and the access control list.

  Each device described above has means for realizing each function, and they can be configured by a computer and a program. Further, a part or all of the program can be configured by hardware.

  As mentioned above, the invention made by the present inventor has been specifically described based on the above embodiments. However, the present invention is not limited to the above embodiments, and various modifications can be made without departing from the scope of the invention. Of course.

2 shows an example of a network model of a network to which the present invention is applied. 2 shows an example of a physical model of a network to which the present invention is applied. 1 shows a configuration example of a network control apparatus installed in a communication network that implements the network control method of the present invention. The example of a structure of the subscriber user accommodation apparatus installed in the communication network which implements the network control method of this invention is shown. 1 shows a configuration example of a packet processing apparatus installed in a communication network that implements the network control method of the present invention. The transfer path example before the detour control to the packet processing device is shown. The flow transfer path before detour control to the packet processing device is shown. The operation example of the subscriber user accommodation apparatus 3 before the detour control to a packet processing apparatus is shown. The operation example (1) of the network control device at the time of starting the detour control to the packet processing device is shown. 10 shows an operation example of the subscriber user accommodation apparatus 3 after the control shown in FIG. 10 illustrates an operation example of the packet processing apparatus 8 after the control illustrated in FIG. 9. 10 shows a flow transfer path after control in FIG. The operation example (2) of the network control device at the time of starting the detour control to the packet processing device is shown. The example of operation | movement of the subscriber user accommodation apparatus 3 after the control of FIG. 13 is shown. 14 shows an operation example of the packet processing apparatus 8 after the control shown in FIG. 14 shows a flow transfer path after control in FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1-4 ... Subscriber user accommodation apparatus, 5-6 ... Packet transfer apparatus, 7-8 ... Packet processing apparatus, 9 ... Network control apparatus, 10-17 ... User terminal, 18-21 ... Access network, 22 ... Core network , 23 ... User network, 24 ... Control flow management function, 25 ... External device control unit, 26 ... Topology table, 27 ... Transfer interface management function, 28 ... Control selection function, 29 ... Control type management function, 30 ... Logical port setting Instructing function, 31 ... Output transfer interface management function, 32 ... Path setting instruction function, 33 ... Packet transfer unit, 34 ... Server connection unit, 35 ... Transfer table, 36 ... Access control list, 37 ... Logical port setting function, 38 ... Packet processing function, 39 ... packet return function, 40 ... server connection unit, 41 ... return path setting function, 42 Packet back table, 101-123 ... link, 201-214 ... output transfer interface, 300 ... Packet

Claims (4)

Multiple subscriber user accommodation devices that can set logical ports, logical ports can be set, multiple packet processing devices equipped with packet passage control functions, logical ports can be set, and between each device A packet transfer device equipped with a function for counting the amount of transfer data per unit time on the transfer interface to be connected, the address of the destination subscriber user accommodation device, the packet flow information describing the destination address, and the packet flow A network control method in a packet transfer network in which a network control device having a function of receiving notification of control information composed of a transfer data amount is installed,
The network controller
Collects the topology table that records the packet transfer devices and relay paths existing between the subscriber user accommodation device and the packet processing device, the transfer capacity of the transfer interface of each device, and the amount of transfer data on the transfer interface on each device. With functionality,
Identify the relay path between the destination subscriber user accommodation device and the packet processing device described in the notified control information,
Collect the transfer capacity and current transfer data amount information of each transfer interface existing on the relay path from each device,
Identify the free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount,
Compare the amount of transfer data described in the notification with the free bandwidth,
When the former is large, a notification for rewriting the route information is sent to the device in the network so that the transfer destination of the packet having the destination address described in the notification is the packet processing device,
When the latter is large, a logical port is set between the destination subscriber user accommodation device and the packet processing device. Multiple subscriber user accommodation devices that can set logical ports, logical ports can be set, multiple packet processing devices equipped with packet passage control functions, logical ports can be set, and between each device A packet transfer device equipped with a function for counting the amount of transfer data per unit time on the transfer interface to be connected, the address of the destination subscriber user accommodation device, the packet flow information describing the destination address, and the packet flow A network control method in a packet transfer network in which a network control device having a function of receiving notification of control information composed of a transfer data amount is installed,
The network controller
A topology table that records the packet transfer devices and relay paths that exist between the subscriber user accommodation device and the packet processing device, a bandwidth management table that records the transfer capacity of the transfer interface of each device, and a transfer interface on each device It has a function to collect transfer data volume information,
Identify the relay path between the destination subscriber user accommodation device and the packet processing device described in the notified control information,
Identify the transfer capacity of each transfer interface that exists on the transit route,
Identify the amount of data transferred on each transfer interface;
Identify the free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount,
Compare the amount of transfer data described in the notification with the free bandwidth,
When the former is large, a notification for rewriting the route information is sent to the device in the network so that the transfer destination of the packet having the destination address described in the notification is the packet processing device,
When the latter is large, a logical port is set between the destination subscriber user accommodation device and the packet processing device. Multiple subscriber user accommodation devices that can set logical ports, logical ports can be set, multiple packet processing devices equipped with packet passage control functions, logical ports can be set, and between each device A packet flow that is installed in a packet transfer network having a packet transfer device equipped with a function for counting the amount of transfer data per unit time on the transfer interface to be connected, and describes the address of the destination subscriber user accommodation device and the destination address A network control device having a function of receiving notification of control information composed of information and transfer data amount of the packet flow,
A topology table in which packet transfer devices and relay paths existing between the subscriber user accommodation device and the packet processing device are recorded;
A function to collect the transfer capacity and current transfer data amount information on the transfer interface on each device from each device;
A function for specifying a relay path between the destination subscriber user accommodation device and the packet processing device described in the notified control information;
A function of collecting and specifying the transfer capacity and current transfer data amount of each transfer interface existing on the relay path from each device;
A function for identifying a free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount;
Compare the amount of transfer data described in the notification with the free bandwidth,
When the former is large, a notification for rewriting the route information is sent to the device in the network so that the transfer destination of the packet having the destination address described in the notification is the packet processing device,
A network control device comprising a function of setting a logical port between the destination subscriber user accommodation device and the packet processing device when the latter is large. Multiple subscriber user accommodation devices that can set logical ports, logical ports can be set, multiple packet processing devices equipped with packet passage control functions, logical ports can be set, and between each device A packet flow that is installed in a packet transfer network having a packet transfer device equipped with a function for counting the amount of transfer data per unit time on the transfer interface to be connected, and describes the address of the destination subscriber user accommodation device and the destination address A network control device having a function of receiving notification of control information composed of information and transfer data amount of the packet flow,
A topology table in which packet transfer devices and relay paths existing between the subscriber user accommodation device and the packet processing device are recorded;
A bandwidth management table for managing the transfer capacity of the transfer interface of each device;
A function to collect transfer data volume information on the transfer interface on each device;
A function for specifying a relay path between the destination subscriber user accommodation device and the packet processing device described in the notified control information;
A function for specifying the transfer capacity of each transfer interface existing on the relay path;
A function for specifying the amount of transfer data on each transfer interface;
A function for identifying a free bandwidth on each transfer interface from the difference between the transfer capacity and the transfer data amount;
Compare the amount of transfer data described in the notification with the free bandwidth,
When the former is large, a notification for rewriting the route information is sent to the device in the network so that the transfer destination of the packet having the destination address described in the notification is the packet processing device,
A network control device comprising a function of setting a logical port between the destination subscriber user accommodation device and the packet processing device when the latter is large.

Images