JP2014158242A - Carrier network virtualization system and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow for transfer of a packet even if the network service function is virtualized and its position is changed, by making a carrier applicable to a wide-area network that has been difficult in the past.SOLUTION: In an edge router, information of a flow table is acquired from a flow controller and stored in a flow cache, and when a packet is transferred, it is capsulated or decapsulated depending on the action with reference to the flow cache, before being transferred to a destination indicated by a rule while tunneling. In a flow control controller, when the service function is moved to other physical resource, the resource table and the service function table are updated on the basis of the movement information, the information of the resource table and service function table is acquired, and entry of the flow table corresponding to the updated part is updated.

Description

  The present invention relates to a carrier network virtualization system and method, and more particularly to a carrier network virtualization system and method for realizing carrier network virtualization.

  In current carrier networks, especially fixed networks, functions for providing network services such as Internet access, IPTV, and VPN (Virtual Private Network) (hereinafter referred to as “network service functions”) are provided by edge routers and dedicated networks. It is implemented in the form of an appliance. On the other hand, the current carrier network is configured as an IP network, and routing protocols such as OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol) are used for path control to the edge routers and appliances described above. .

  Generally, in the IP routing protocol, path control is performed on a flow (aggregate flow) in which traffic of a plurality of users is collected. In the case of providing the same service uniformly to all users as in the conventional triple play service, there is no problem with such a route control method.

  However, the increase in Internet users has broadened the user base, diversifying the needs of individual users, and the need to provide services customized for each user is increasing. For example, a security service using a DPI (Deep Packet Inspection) function is provided to a certain user A, and a content cache function is provided to another user B. When an attempt is made to provide a service customized for each user, the user A packet is drawn into the DPI device, but the user B packet is drawn into the content cache device instead of the DPI device. Control is required. A nationwide network needs to accommodate millions of users and is considered difficult to control with existing IP routing protocols.

  Under such circumstances, studies are being made to apply OpenFlow technology (for example, see Non-Patent Document 1), which has begun to be used in data centers, to carrier networks. Since OpenFlow can realize path control in units of predefined flows, defining the traffic for each user as a flow can flexibly change the path control for each user as described above. However, the current OpenFlow is a technology that was first developed for the data center. If it is applied to the number of users on the carrier network scale (million to tens of millions), it is a hardware that holds the flow information. Due to wear restrictions, it is not practical to replace all current carrier IP networks with OpenFlow.

  By the way, server virtualization technology has progressed in data centers, and commercial development is progressing as a cloud service. The network service function described above is also implemented with the same computing resources as existing servers, such as general-purpose CPU, memory, storage, and network processor, and it can be expected to be virtualized in the future. When the network service function is virtualized, as with server virtual machines (VMs), the location of appropriate computing resources is not affected by physical device placement restrictions. It is also possible to move. When this is seen from the network, the network service function identified by the same ID such as an IP address or a MAC address is nothing but a geographical movement. In order to deliver a packet addressed to the same ID to a moved network service function, a mobility management technique as applied in a mobile body is required. However, the aforementioned OpenFlow does not have a mobility management function.

"Software-Defined Networking: The New Norm for Networks," ONF White Paper, Open Network Foundation, April 13, 2012, URL: http://www.opennetworking.org/images/stories/downloads/white-papers/wp- sdn-newnorm.pdf

  As mentioned above, in a carrier network, in order to flexibly change the services provided according to the needs of individual users, a technology such as OpenFlow that can control the flow for each individual user is required. However, current OpenFlow is a technology targeted at the data center scale, and it is difficult to apply it to a wide area network of carriers. Also, if the network service function is virtualized in the future, a mobility management function that manages the location and appropriately delivers the packet is required, but the current OpenFlow does not have a mobility management function.

  The present invention has been made in view of the above points, and is a case where it is possible to apply a carrier to a wide area network, which has been difficult in the past, and a network service function is virtualized and its position is changed. However, it is an object of the present invention to provide a carrier network virtualization system and method capable of transferring packets.

In order to solve the above problems, the present invention (Claim 1) is a carrier network virtualization system for virtualizing a carrier network having a tunnel capable of connecting between edge routers in a full mesh in a core network,
A plurality of edge routers connected to the core network;
Physical resources that are located in the data center base and realize network service functions;
A flow control controller that creates a flow table having an action indicating a destination to which the edge router forwards a packet and a processing method of the packet, and notifies the edge router;
Have
The edge router is
A flow cache for acquiring and storing information of the flow table from the flow control controller;
When a packet is forwarded, the packet is encapsulated or decapsulated according to the action with reference to the flow cache, and forwarded to a destination indicated by the rule via a tunnel established between edge routers. And a transfer means.

Moreover, this invention (Claim 2) is the flow control controller,
The resource table that indicates which edge router is under the physical resource, the user processing table that indicates which service is processed based on the user contract information, and which network service function is assigned to which physical resource A table generation means for generating a service function table, and generating the flow table based on information of the resource table, the user processing table, and the service function table;
Means for updating the resource table and the service function table based on movement information when the service function has moved from a first physical resource to a second physical resource;
Table updating means for acquiring information of the updated resource table and the service function table and updating an entry of a flow table corresponding to the updated part.

  As described above, according to the present invention, it is possible to apply to a wide area network of carriers, which is difficult with the conventional OpenFlow, and the network service function is virtualized and its position is changed. The packet can be transferred through the network service function contracted for each user.

It is a figure for demonstrating the network structure to which this invention is applied. It is a block diagram of the service function table in one embodiment of this invention. It is a block diagram of the resource table in one embodiment of this invention. It is a block diagram of the user process table in one embodiment of this invention. It is a block diagram of the flow control controller in one embodiment of this invention. It is a block diagram of the flow table in one embodiment of this invention. It is a block diagram of the edge router in one embodiment of this invention. It is a sequence chart of the production | generation procedure of the flow table in one embodiment of this invention. It is a sequence chart of the packet transfer procedure in one embodiment of the present invention. It is a sequence chart of the update procedure of the flow table in one embodiment of this invention. It is a figure for demonstrating the update of the service function table and resource table in one embodiment of this invention. It is a figure for demonstrating the update of the flow table in one embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  First, the outline of the present invention will be described.

  The present invention transfers a flow defined in a user unit or a service unit to a tunnel established between edge routers according to the destination in an edge router which is an entrance to a carrier wide area network, thereby enabling the wide area network to It realizes route control without being aware of individual flows. Thereby, at the edge part of the network (outside the edge router), it is possible to secure scalability even through a wide area network while realizing fine control in units of users and flows.

  Also, when mapping each flow to a tunnel, the location of the network service function that is the destination of that flow is considered. Specifically, the network side holds information on which edge router is connected to the network service function, and when the network service function moves, the above information is updated and the flow By making it possible to change the tunnel that forwards the network, even if the location where the network service function is deployed changes, communication can be performed normally.

  In this embodiment, an IP tunnel (GRE (Generic Routing Encapsulation tunnel, etc.) is assumed as a tunnel technology in the core network 1, but MPLS (Multi Protocol) is applicable if the tunnel technology can connect edge routers to a full mesh. Other technologies such as Label Switching may be used.

  FIG. 1 is a diagram for explaining a network configuration to which the present invention is applied.

  An ISP (Internet Services Provider) 2, a CSP (Contents Service Provider) 3, and data center bases 4a, 4b, and 4c are connected to the core network 1 of the carrier. ISP 2 and CSP 3 are connected to the Internet 5. In the core network 1, core routers 7 are connected to each other and perform communication between the edge routers 6.

  User terminals 8 a and 8 b are connected to the core network 1 via the edge router 6. The user terminal 8 may be anything such as a smartphone, a PC, a mobile router, or a home gateway. Further, in the data center base 4, there is a physical resource 9 which is a resource for realizing a network service function. These are so-called computing resources such as a CPU, memory, storage, and network processor. Further, there are a service function table 10, a resource table 11, a user processing table 12, and a flow control controller 13 as databases (tables) and devices for controlling the network. Details of these will be described later.

  Next, the configuration of each table and apparatus will be described with reference to FIGS.

  FIG. 2 shows the structure of the service function table according to the embodiment of the present invention.

  The service function table 10 is a table that holds a correspondence relationship as to which physical service 9 is assigned to which network service function. The service function table 10 includes a service function type 101 (for example, DPI and packet counter), a service function ID 102, and a resource ID 103. The service function ID 102 is an ID for uniquely identifying the network service function. The resource ID 103 is an ID uniquely assigned to the physical resource 9 and indicates to which physical resource 9 the corresponding network service function is associated. As the resource ID 103, an IP address of a server or the like can be used. However, when a single physical server is virtualized and shared by multiple network service functions, individual virtual machines (VM: Virtual Machine) Give the ID. As the virtual machine ID, for example, the IP address of the physical server that contains the virtual machine + the VM ID (IP address, MAC address, VLAN-ID, etc. ID that uniquely identifies the VM from the network side) can be used can do.

  FIG. 3 shows the configuration of the resource table in one embodiment of the present invention.

  The resource table 11 is a table indicating to which edge router 6 each physical resource 9 is connected. The resource table 11 includes a resource ID 201 that is an ID assigned to each physical resource and an edge router ID 202.

  FIG. 4 shows the configuration of the user processing table according to the embodiment of the present invention.

  The user processing table 12 stores information indicating in what order and to which network service function the user packets are transferred according to which service each user subscribes to. The user processing table 12 includes a user ID 301 uniquely assigned to each user, a service 302 (for example, the Internet or IPTV) indicating the processing of which service, a processing 303 indicating the processing sequence of the user and the packet of the service. Consists of Note that the creation procedure of the process 303 is out of the scope of the present invention, but generally, the network service function necessary for each service is required from information in a customer database (not shown) held by the carrier. Create it so that it passes in order.

  FIG. 5 shows a configuration of the flow control controller in one embodiment of the present invention.

  The flow control controller 13 is responsible for acquiring the contents of the service function table 10, the resource table 11, and the user processing table 12, creating a flow table from these information, and notifying the edge router 6. The flow table generation unit 401 has a function of generating the flow table 402 from the above three tables. The flow table 402 is a database that holds the flow table generated by the flow table generation unit 401. The flow information notification unit 403 has a function of notifying the edge router 6 of the information in the flow table 402.

  FIG. 6 shows the configuration of the flow table in one embodiment of the present invention.

  The flow table 402 holds the processing contents of one flow processed by one edge router 6 with one entry (corresponding to one row in FIG. 6). The edge router ID 501 indicates to which edge router the corresponding entry belongs. The rule 502 indicates a rule for specifying a packet to be recognized as a flow. Information on the packet header of the transferred packet, the port number (input port number) to which the packet has been transferred, and the like are described as rules. A plurality of rules can also be described. In that case, matching is performed using an AND condition. Action 503 indicates how to process a packet that matches rule 502. The main actions include forwarding from a specific port number, encapsulating, and forwarding to a specific destination. However, any action can be used as long as a general switch or router can be realized.

  FIG. 7 shows the configuration of the edge router in one embodiment of the present invention.

  The edge router 6 is basically assumed to be a general edge router or switch, but only functions characteristic of the present invention are shown here. The flow table receiving unit 601 receives information on the flow table 402 notified from the flow control controller 13 and stores the information in the flow cache 602. The flow cache 602 is a table for retaining the information of the flow table 402 notified from the flow control controller 13 as it is. Information in the flow cache 602 is transferred to a high-speed memory in the network interface 603, and when a packet is actually transferred, rules are matched and information for determining a processing method (action) of the packet is determined. Become. A packet whose processing method has been determined on the network interface 603 is transferred to another network interface via the switch fabric 604, and is output from there to the network.

  Next, the operation of the present invention will be described with reference to FIGS.

  FIG. 8 is a sequence chart of a flow table generation procedure according to an embodiment of the present invention, and shows an operation from generation of the flow table 402 to notification to the edge router 6. This operation is performed in advance on the network side before the user performs communication.

  First, the user processing table 12 is generated from the user contract information (step 1). Similarly, a resource table is generated from information such as network design (step 2). As described above, the resource table 11 is a table indicating which base (under which edge router 6 is located) the physical resource 9 such as a server, and can be easily generated from physical network design information or the like. . Similarly, the service function table 10 is generated from the network design or the like (step 3). The service function table 10 holds which network service function is allocated to which physical resource, and the allocation is determined in consideration of the type of service, the number of users contracting each service, and the like. Is.

  When the user processing table 12, the resource table 11, and the service function table 10 are generated, the flow control controller 13 collects these pieces of information (steps 4 to 6). The flow controller 13 generates a flow table 402 from these pieces of information (step 7). An example of generating a flow table is shown below.

  It is assumed that the service function table 10 and the resource table 11 are as shown in FIGS. 2 and 3, respectively. As described above, these are generated from information such as network design. Here, a user processing table for user A is given as shown in FIG. 4, and a procedure for generating a flow table for controlling packets of user A's Internet service is as follows.

  First, looking at the user processing table 12 of FIG. 4, it can be seen that the packet transferred from the ISP (resource ID = S11) should be transferred to the DPI (Deep Packet Inspection) function assigned to the physical resource S2a. . Looking at the resource table 11 of FIG. 3, since ISP 2 knows that the edge router 6 of E11 and resource S2a are connected to the edge router 6 of E13, the packet received by the edge router of E11 is sent to the edge router E13. Must be transferred to. Therefore, in the edge router E11, a flow entry (for one line of the flow table 402) is set such that the packet addressed to the user A (the destination IP address is #a of the user A) is transferred to the edge router E13. (First line in FIG. 6). Here, in the present invention, the core router 7 in the core network 1 does not care about individual flows, so that it is encapsulated by GRE and then transferred to the edge router E13. Therefore, it is described that the action in the first line in FIG. 6 is encapsulated and then transferred to the destination edge router E13. In the edge router E13, the destination of the forwarded packet (the address of the encapsulated outer IP header) is itself (E13), and the inner original packet is destined for the user A (the destination IP address is the user A). #A), the data is transferred to the physical resource S2a (second line in FIG. 6). After that, it is necessary to transfer the packet subjected to the DPI processing in the physical resource S2a to the packet counter counter function in the physical resource having the resource ID S1b. Since the physical resource S1b is found at the base of the edge router E14 according to the resource table 11 (FIG. 3), the edge router E13 transmits the packet to the edge router E14 after encapsulating the same as before. Is added (third line in FIG. 6). Hereinafter, similarly, a flow entry is generated so as to be transferred to the edge router E1 in which the user A is accommodated.

  In FIG. 6, only the flow entry for the Internet service of user A is shown, but in reality, a flow entry for controlling packets of all services for all users is shown.

  When the flow entry is generated in this way, the flow controller 13 notifies each edge router 6 of the flow entry (step 8). The edge router 6 that has received the flow entry stores the flow entry in the flow cache 602 and simultaneously writes the flow entry in a high-speed memory existing in the network interface.

  The actual flow of packets will be described with reference to FIG.

  FIG. 9 is a sequence chart of a packet transfer procedure according to the embodiment of the present invention.

  Here, the flow until the user A's Internet service packet reaches the user A from the Internet (ISP) is shown, but the same applies to other reverse packets and packets of another service. In FIG. 9, the oval marks indicate the locations where the processing in each edge router 6 is performed.

  First, when a packet is transferred from the ISP, the edge router E11 that has received the packet compares the header of the received packet with its own flow cache 602. The flow cache 602 describes an entry whose edge router ID in FIG. 6 is “E11”. Since the destination of the packet is addressed to user A (addressed to #a) according to the rule 502, this entry (first line in FIG. 6) matches and is encapsulated as an action 503, and then transmitted to the edge router E13. It is described. Therefore, the edge router E11 newly assigns an IP header, sets the destination address to the address “E13” of the edge router, and transmits it to the core network 1 (step 11).

  Similarly, referring to the flow cache 602, the edge router E13 that has received the packet corresponds to the entry (destination IP = E13 (encapsulation), destination IP = # a) in the second row in FIG. As 503, the encapsulation is removed (decapsulation) and transferred to the physical resource S2a (step 12).

  The DPI function is assigned to the physical resource S2a, and DPI processing is performed on the packet addressed to the user A. Examples of DPI processing include security check and bandwidth control for applications. Here, even if some control is received, the transfer of the packet itself is continued. That is, it is assumed that a process for discarding a packet is not performed.

  The packet processed by the physical resource S2a is returned to the edge router E13, and the edge router E13 refers to its own flow cache 602 again. Here, the third line in FIG. 6 (destination IP = # a) corresponds. Since it is described that the action 503 of the entry is encapsulated and transmitted to the edge router E14, the edge router E13 adds the packet IP header and sets the destination address to “E14”, and then sets the core network. 1 (step 13).

  Similarly, the edge router E14 that has received the packet refers to the flow cache 602, and decapsulation is designated in the action 503 designated in the fourth line in FIG. Transmit to S1b (step 14). After the packet counting process (the number of packets and the amount of data) is performed on the physical resource S1b, when the packet is returned to the edge router E14 again, refer to the row of FIG. 6 in the flow table 402 based on the packet. Then, based on the action 503, it is encapsulated and transmitted to the edge router E1 (step 15).

  Finally, the edge router E1 that has received the packet refers to the flow cache 602, decapsulates it based on the action 503 specified in the fifth line of FIG. 6, and transmits the packet to the user A (step 16). ).

  In this way, it is determined according to the flow table 402 generated by the flow controller 13 (actually, the flow cache 602 held by the edge router that has received the information of the flow table 402, but the content is the same). By performing the action, the packet received from ISP 2 can be transferred to user A after performing DPI and packet count processing. In the packet transfer procedure of FIG. 9, the details of the transfer between the edge routers are omitted, but as described above, when transferring the core network 1, it is encapsulated by another IP header and then transferred. Since the address of the edge router to be set is set as the destination, the core router 7 in the core network 1 only has to refer to only the encapsulated outer IP header and transfer the packet. The routing table (not shown) of the core router 7 may be generated by an existing routing protocol such as OSPF (Open Shortest Path First) or BGP (Border Gateway Protocol) as in the case of a normal IP network. In this embodiment, as the encapsulation technique, IP encapsulation (GRE, IP in IP, etc.) to which another IP header is added is assumed, but MPLS or the like may be used. In this case as well, there is almost no change in the present embodiment, and the object of encapsulation or decapsulation is not an IP header but only another header such as MPLS.

  Finally, an example of a processing procedure when the network service function assigned to the physical resource is moved to another physical resource will be described with reference to FIGS.

  Here, it is assumed that the DPI function assigned to the physical resource S2a has been moved to the new physical resource S1c, and the processing procedure until the flow table is changed by the movement is shown.

  FIG. 10 is a sequence chart of a flow table update procedure according to the embodiment of the present invention.

  First, a change in network design information or the like is notified to the resource table 11 and the service function table 10, and the resource table 11 and the service function table 10 are updated accordingly. Here, as shown in FIG. 11A, first, the EPI function with the resource ID (physical resource) S2a in the service function table 10 (second line in FIG. 11A) is updated, and the resource ID is newly set. Change to the physical resource S1c assigned to (step 101). Further, information indicating that the new physical resource S1c is connected to the edge router E11 is added to the resource table 11 as shown in the fifth line of FIG. 11B (step 102).

  Next, the flow control controller 13 receives the updated resource table information and service function table information (steps 103 to 104), and updates the flow table 402. FIG. 12 shows the updated flow table. In this embodiment, since the DIP function assigned to the resource S2a is moved to S1c, the flow entry related to the transfer to the DPI function with the resource ID S2a is searched and updated in the original flow table. Specifically, the portion that describes the transfer of the packet received by the edge router E11 to the physical resource S2a connected to the edge router E13 is changed to the transfer to the physical resource S1c instead. Since the physical resource S1c is connected to the edge router E11, that is, the edge router itself that has received a packet from the ISP, the physical resource S1c is changed to be transferred to the physical resource S1c as it is (first line in FIG. 12). Similarly, the edge router E11 receives a packet that has been subjected to DPI processing in the physical resource S1c, and adds a line to be transferred to the edge router E14 (second line in FIG. 12).

  As described above, when the network service function is moved to another physical resource, the physical resource is moved by updating the resource table and the service function table and updating the flow entry corresponding to the changed part. In addition, the packet transfer path can be automatically changed accordingly.

  In this embodiment, DPI, packet counter, and cache are given as examples of service function types, but other service functions such as BRAS (Broadband Remote Access Server) function, firewall, NAT (Network Address Translation) The same applies to functions and the like.

  The present invention is not limited to the above-described embodiment, and various modifications and applications can be made within the scope of the claims.

1 Core network 2 ISP
3 CSP
4, 4a, 4b Data center base 5 Internet 6 Edge router 7 Core router 8, 8a, 8b User terminal 9 Physical resource 10 Service function table 11 Resource table 12 User processing table 13 Flow control controller 101 Service function type 102 Service function ID
103 Resource ID
201 Resource ID
202 Edge router ID
301 User ID
302 Service 303 Processing 401 Flow table generation unit 402 Flow table 403 Flow information notification unit 501 Edge router ID
502 rule 503 action 601 flow table receiving unit 602 flow cache 603 network interface 604 switch fabric

Claims (4)

A carrier network virtualization system for virtualizing a carrier network having a tunnel that can be connected to a full mesh between edge routers in a core network,
A plurality of edge routers connected to the core network;
Physical resources that are located in the data center base and realize network service functions;
A flow control controller that creates a flow table having an action indicating a destination to which the edge router forwards a packet and a processing method of the packet, and notifies the edge router;
Have
The edge router is
A flow cache for acquiring and storing information of the flow table from the flow control controller;
When a packet is forwarded, the packet is encapsulated or decapsulated according to the action with reference to the flow cache, and forwarded to a destination indicated by the rule via a tunnel established between edge routers. Transfer means;
A carrier network virtualization system characterized by comprising: The flow controller is
The resource table that indicates which edge router is under the physical resource, the user processing table that indicates which service is processed based on the user contract information, and which network service function is assigned to which physical resource A table generation means for acquiring the service function table shown, and generating the flow table based on the information of the resource table, the user processing table, and the service function table;
Means for updating the resource table and the service function table based on movement information when the service function has moved from a first physical resource to a second physical resource;
Table updating means for acquiring information of the updated resource table and the service function table, and updating an entry of a flow table corresponding to the updated portion;
The virtualization system for a carrier network according to claim 1. A carrier network virtualization method for virtualizing a carrier network having a tunnel that can be connected to a full mesh between edge routers in a core network,
A plurality of edge routers connected to the core network;
Physical resources that are located in the data center base and realize network service functions;
A flow control controller that creates a flow table having an action indicating a destination to which the edge router forwards a packet and a processing method of the packet, and notifies the edge router;
In a system having
The edge router is
A flow table storing step of acquiring information of the flow table from the flow controller and storing the information in a flow cache;
When a packet is forwarded, the packet is encapsulated or decapsulated according to the action with reference to the flow cache, and forwarded to a destination indicated by the rule via a tunnel established between edge routers. A transfer step;
A method for virtualizing a carrier network. In the flow control controller,
The resource table that indicates which edge router is under the physical resource, the user processing table that indicates which service is processed based on the user contract information, and which network service function is assigned to which physical resource A table generation step of acquiring a service function table, and generating the flow table based on the resource table, the user processing table, and the information of the service function table;
Means for updating the resource table and the service function table based on movement information when the service function has moved from a first physical resource to a second physical resource;
A table update step of acquiring information of the updated resource table and the service function table and updating an entry of a flow table corresponding to the updated portion;
The method of virtualizing a carrier network according to claim 3.

Images