JP2014502063A - Communication path verification system, path verification apparatus, communication path verification method, and path verification program - Google Patents

Abstract

The special packet detection means of the node includes a path verification flag that is information indicating whether or not the packet is for path verification from the received packets, and the header packet has the same configuration as the verification target flow. Is detected. The node detection information notification means generates detection information that is information including a flow identifier that is information for identifying a flow and a node identifier that is information for identifying the own node, based on the detected special packet. The detection information is notified to the path verification device. The path verification unit of the path verification apparatus verifies the flow path based on the node identifier included in the detection information received from the node.
[Selection] Figure 8

Description

  The present invention relates to a communication path verification system, a path verification apparatus, a communication path verification method, and a path verification program for verifying a communication path of a network in which communication path control is performed for each flow.

  In operation management of a communication network, it is necessary to grasp the status of the entire network system and confirm whether or not the service can be provided correctly. In particular, a communication path setting error is a problem that has a large influence range of a failure and must be promptly restored. Therefore, it is important to correctly grasp the communication route that flows through the network.

  Patent Document 1 describes a route verification method using a route search packet. In the technique described in Patent Document 1, identification information for identifying a route search packet is stored in a header portion corresponding to a data link layer of an OSI (Open Systems Interconnection) reference model. The relay node detects the passage of the route search packet and transmits the detection result to the network monitoring device, so that the network monitoring device can verify the flow route based on the notification packet.

  Non-Patent Document 1 describes a communication path verification method using a traceroute command. In the method described in Non-Patent Document 1, first, a transmission source node transmits an IP packet with TTL (Time To Live) set to 1, and receives a response from the first hop node. Next, the transmission source node increments the TTL, and sequentially obtains responses from the second hop, the third hop, and the nodes on the route. In this way, the communication path can be confirmed by incrementing the TTL until the transmission source node reaches the target host and transmitting the IP packet.

  Non-Patent Document 2 describes EtherOAM (Ethernet (registered trademark) operations, administration, maintenance) Link-Trace (LT). In the method described in Non-Patent Document 2, when an OAM frame is transmitted from a transmission source node, the node that has received the frame decrements TTL and transmits it to the next node. The node that has received the frame transmits a response LT OAM to the transmission source. In this way, the source node can confirm the route by receiving the response LT OAM.

  Patent Document 2 describes a multicast tree monitoring method in an IP network. In the monitoring method described in Patent Document 2, when a router receives a test packet from a transmitting terminal, it generates passing state information in which the number of packets is accumulated, and transmits the passing state information to a network monitoring device.

JP 2004-208068 A Table WO 2006/098024

G. Kessler etc., "A Primer On Internet and TCP / IP Tools and Utilities", June 1997, RFC2151 (http://www.ietf.org/rfc/rfc2151.txt) ITU-T, "SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS", Y.1731, February 2008

  On the other hand, a method for controlling a communication path for each communication flow (hereinafter, sometimes simply referred to as a flow) is known. Here, the flow is communication defined using information indicating a transmission source and information indicating a transmission destination. The flow is defined using, for example, a source and destination IP address, a source and destination Port, a source and destination MAC address, EtherType, and an IP protocol number.

  The general path verification method described above does not assume a network in which path control is performed for each communication flow. That is, in such a network, routing is performed with reference to a pair of MAC address and IP address. Therefore, since the route is uniquely determined once the address pair is determined, the route can be verified based on the information.

  However, in a network in which a path can be controlled for each communication flow, the path is controlled by identifying not only the MAC address and IP address but also the flow. Therefore, even if it is determined that the route matches because the address pair matches in a general route verification method, it is guaranteed that the flow of the inspection target and the flow of the inspection flow match. There is no. Hereinafter, description will be given with reference to the drawings.

  FIG. 11 is an explanatory diagram showing a general network system. FIG. 11 shows an example of a communication flow in a network in which a path can be controlled for each communication flow. The network system illustrated in FIG. 11 includes terminals T1 and T2 and routers R1 to R3, and the respective devices are connected to each other via a communication network. In the following description, a route passing through each device may be indicated by a symbol of the device passing through. Moreover, although there are a plurality of flows on the network, FIG. 11 shows two flows F1 and F2.

  The flow F1 is communication from the terminal T1 of the transmission source to the terminal T2 of the transmission destination, and the path is assumed to be “T1 → R1 → R2 → R3 → T2”. The flow F2 is also communication from the transmission source terminal T1 to the transmission destination terminal T2, and the route is assumed to be “T1 → R1 → R3 → T2”.

  FIG. 12 is an explanatory diagram illustrating an example of flow header information. In the header information illustrated in FIG. 12, the flow with Flow_ID = F1 indicates the flow F1, and the flow with Flow_ID = F2 indicates the flow F2. Here, it is assumed that the flow F1 illustrated in FIG. 12 flows on the network system illustrated in FIG. 11, and a case where the route of the flow F1 is verified using the route verification method described in Patent Document 1 will be described.

  In the route verification method described in Patent Document 1, the MAC address of the transmission source and the transmission destination are matched, and the inspection flow TF1 in which a unique type is defined in EtherType is created. FIG. 13 is an explanatory diagram illustrating an example of the inspection flow TF1 created using the path verification method described in Patent Document 1. If the network does not control the path for each flow, the path can be verified by flowing the inspection flow TF1 over the network.

  However, the route verification method described in Patent Document 1 has a problem that the route cannot be verified in a network in which the route is controlled for each flow. In the route verification method described in Patent Document 1, an independently defined EtherType is set in the inspection flow TF1. For this reason, in the network that controls the path for each flow, the EtherType of the inspection flow TF1 and the EtherType of the flow F1 are different, so that both are recognized as different flows. Therefore, there is no guarantee that the inspection flow TF1 and the flow F1 pass the same route.

  FIG. 14 is an explanatory diagram showing an example of a transfer policy defined for each flow. In a network in which path control is performed for each flow, two types of transfer policies as illustrated in FIG. 14 can be defined. The policy illustrated in FIG. 14 is a flow that matches the items in the items of “source MAC, destination MAC, EtherType, source IP, destination IP, Protocol_ID, source Port, destination Port”. Is a rule stipulating that transmission to the route defined in For example, the flow that matches policy 1 is transmitted through the route “R1 → R3”, and the flow that matches policy 2 is transmitted through the route “R1 → R2 → R3”.

  When the inspection flow TF1 described above is transmitted by the transfer policy illustrated in FIG. 14, the inspection flow TF1 is transferred by the route “R1 → R2 → R3” defined by the transfer policy 2, and thus the route “T1 → R1 → R2 → A verification result “R3 → T2” is returned. However, there is a possibility that the flow T1 is transferred through a route “T1 → R1 → R3 → T2” based on the transfer policy defined as the policy 1.

  As described above, in a network in which the inspection target flow and the inspection flow policy can be separately defined as the transfer policy on the network, the route verification method described in Patent Document 1 cannot verify the route. There is a problem that it is not done correctly.

  In the monitoring method described in Patent Document 2, the number of test packets that have passed through a router is measured, and the amount of inflow into the router is measured. Therefore, it is possible to grasp the overall communication flow. However, in the monitoring method described in Patent Document 2, the counter value measured as the number of test packets is common regardless of the type of test packet. Therefore, the monitoring method described in Patent Document 2 is effective for verifying a route when there is only one type of test packet flowing on the network, but when there are a plurality of types of test packets, There is a problem that route verification is difficult.

  Therefore, the present invention provides a communication path verification system capable of verifying a communication path for each type of flow even when there are a plurality of types of flows to be inspected in a network in which communication paths are controlled for each flow. It is an object of the present invention to provide a path verification device, a communication path verification method, and a path verification program.

  The communication path verification system according to the present invention is configured for each flow in which a path is defined using a plurality of nodes that transfer received packets to other devices, information indicating a transmission source, and information indicating a transmission destination. A path verification device that performs path verification, the node includes a path verification flag that is information indicating whether the received packet is a path verification packet or not, and the header configuration is a target of verification. Information including special packet detecting means for detecting a special packet that is the same as the flow, and a flow identifier that is information for identifying the flow and a node identifier that is information for identifying the own node based on the detected special packet Detection information notifying means for generating the detection information, and notifying the path verification device of the detection information. The path verification device includes a node information included in the detection information received from the node. Based on de identifier, characterized by comprising a path verification means for verifying the path of flow.

  Another communication path verification system according to the present invention is a flow in which a path is defined using a plurality of nodes that transfer received packets to another apparatus, information indicating a transmission source, and information indicating a transmission destination. A path verification device that verifies each path, and the path verification device verifies a flow path, and a verification target transmission unit that transmits a flow identifier that is information for identifying a flow to be verified to the node. Path verification means, and the node detects a packet in which the header configuration of the received packet matches the flow identifier indicating the verification target flow, and based on the detected packet, Detection information notifying means for generating detection information that is information including a node identifier that is information for identifying a node, and notifying the path verification device of the detection information; Path verification means for verification apparatus, based on the node identifier included in the detection information received from the node, characterized by verifying the path of flow.

  A path verification apparatus according to the present invention is a path verification apparatus that performs path verification for each flow that is a communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination. Detection information that is information including a flow identifier that is information for identifying a flow whose path is to be verified and a node identifier that is information for identifying the node is received from a node that is a device to be transferred to another device. The apparatus further comprises a path verification unit that verifies the flow path based on the node identifier included in the received detection information.

  The communication path verification method according to the present invention is a communication path verification method for verifying a path for each flow that is a communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination. The node that forwards the packet to another device includes a path verification flag that is information indicating whether the received packet is a path verification packet or not, and the header configuration is the same as the verification target flow. Detects a special packet, and based on the detected special packet, the node generates detection information that is information including a flow identifier that is information for identifying a flow and a node identifier that is information for identifying the own node. Then, the node notifies the detection information to the route verification device that verifies the route for each flow, and the route verification device uses the node identifier included in the detection information received from the node. Characterized in that it validates the path of the over.

  Another communication path verification method according to the present invention is a communication path verification method that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination. A path verification device that performs path verification for each flow transmits information including a flow identifier, which is information for identifying a flow to be verified, to a node that forwards the received packet to another apparatus. Is information including a flow identifier and a node identifier which is information for identifying the own node based on the detected packet, when a packet whose header configuration matches the flow identifier is detected. Generate detection information, the node notifies the detection information to the path verification device, the path verification device based on the node identifier included in the detection information received from the node Characterized in that it verified.

  A path verification program according to the present invention is a path verification program applied to a computer that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination. The computer includes a flow identifier that is information for identifying a flow whose path is to be verified from a node that is a device that transfers a received packet to another device, and a node identifier that is information for identifying the node. Detection information that is information is received, and a path verification process for verifying a flow path is executed based on a node identifier included in the received detection information.

  According to the present invention, in a network where communication paths are controlled for each flow, even when there are a plurality of types of flows to be inspected, the communication paths can be verified for each type of flow.

It is explanatory drawing which shows the example of the communication path verification system in the 1st Embodiment of this invention. It is a block diagram which shows the example of the router and route verification apparatus which are used for this invention. It is explanatory drawing of the example of the special packet notification process which a router performs. It is explanatory drawing which shows the example of the flow path | route verification process which a path | route verification apparatus performs. It is explanatory drawing which shows an example of the path | route verification method of a flow. It is explanatory drawing which shows the example of detection information. It is explanatory drawing which shows the example of the communication path verification system in the 2nd Embodiment of this invention. It is a block diagram which shows the example of the minimum structure of the communication path verification system by this invention. It is a block diagram which shows the example of the other minimum structure of the communication path verification system by this invention. It is a block diagram which shows the example of the minimum structure of the path | route verification apparatus by this invention. It is explanatory drawing which shows a general network system. It is explanatory drawing which shows the example of the header information of a flow. It is explanatory drawing which shows the example of a test | inspection flow. It is explanatory drawing which shows the example of the transfer policy defined for every flow.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1. FIG.
FIG. 1 is an explanatory diagram illustrating an example of a communication path verification system according to the first embodiment of this invention. The communication path verification system in this embodiment includes terminals T1 and T2, routers R1 to R3, and a path verification apparatus 100. The routers R1 to R3 and the path verification device 100 are connected to each other via a communication network NET. In the following description, when describing one of the routers R1 to R3, a symbol indicating the router may be omitted.

  In the communication path verification system shown in the example of FIG. 1, there are two terminals and three routers, but the number of terminals and routers is not limited to the above number. There may be one or two routers, or four or more routers. Further, the number of terminals may be three or more.

  In the communication path verification system according to the present embodiment, other devices that transfer packets, such as switches, may be used instead of routers. A device that forwards a received packet to another device, such as a router or a switch, may be simply referred to as a “node” hereinafter. Further, the path verification device 100 may be implemented as one function of the terminals T1 to T2.

  There are a plurality of flows on the communication network NET. As described above, a flow is communication in which a route is defined using information indicating a transmission source and information indicating a transmission destination. Although there are a plurality of flows on the network NET, FIG. 1 shows two flows F1 and F2.

  The flow F1 is communication from the terminal T1 of the transmission source to the terminal T2 of the transmission destination, and the path is assumed to be “T1 → R1 → R2 → R3 → T2”. The flow F2 is also communication from the transmission source terminal T1 to the transmission destination terminal T2, and the route is assumed to be “T1 → R1 → R3 → T2”.

  Terminals T1 and T2 have a communication function using a special packet for route verification. A special packet is a packet having a path verification flag with the header configuration of the packet being the same as the verification target flow. The route verification flag means information used for determining whether or not the packet is a special packet, and this flag is realized by various methods. For example, a route verification field is prepared in the payload portion of the packet, and a predetermined bit in the field is used as a route verification flag, and the presence or absence of a message embedded in the field is used as a route verification flag. The method etc. are mentioned. In addition, the size of the special packet itself may be used as a route verification flag.

  The routers R1 to R3 transfer packets received from the terminal and other routers to the other routers and terminals. More specifically, the routers R1 to R3 have a function of detecting a special packet for path verification, a function of notifying the path verification apparatus 100 of the detection of the special packet, and a function of transferring a packet to another apparatus. Yes. When the routers R1 to R3 detect the special packet by the special packet detection function, the routers R1 to R3 notify the path verification device 100 of the detection information and transfer the special packet to another device. The detection information is information including information for identifying a flow (hereinafter referred to as a flow identifier) and information for identifying a router that has detected a special packet (hereinafter referred to as a node identifier).

  The detection information may include a route entry in the route table corresponding to the received packet, a time that the packet has passed, a list of router IDs that have passed so far, a counter that indicates the number of routers that have passed.

  Examples of the flow identifier in the detection information include information on the transmission source and the transmission destination such as an IP address and a MAC address, and header information such as a port number and a sequence number. The router identifier (ie, node identifier) includes, for example, the router IP address, MAC address, router ID assigned by the network administrator, and the like.

  Then, the path verification device 100 receives detection information from each router. Hereinafter, the contents of each router and route verification device 100 will be described in detail.

  FIG. 2 is a block diagram showing an example of the router and route verification device 100 used in the present invention. The router illustrated in FIG. 2 includes a packet receiver 10, a special packet detector 20, a detection information notification unit 30, a route table storage unit 40, and a packet transfer unit 50.

  The route table storage unit 40 stores a route table including route entries. The routing table has the same configuration as the routing table, for example. The route entry is route information necessary for transferring a received packet to another device, and includes, for example, an interface for outputting the packet, a gateway for transferring, and a metric to the transferring device. The path table storage unit 40 is realized by a magnetic disk or the like.

  The packet receiving unit 10 receives a packet addressed to its own device, and inputs the received packet to the special packet detection unit 20.

  The special packet detection unit 20 sequentially receives packets from the packet reception unit 10. Then, the special packet detection unit 20 detects a special packet from the received packet. Specifically, the special packet detection unit 20 detects a special packet from the received packets by checking a route verification flag set in the terminal. For example, the special packet detection unit 20 determines whether or not the received packet has a path verification flag, and determines that the packet is a special packet when determining that the packet has the path verification flag. Good. When the special packet is detected, the special packet detection unit 20 inputs the packet to the detection information notification unit 30. On the other hand, when the special packet is not detected, the special packet detection unit 20 inputs the packet to the packet transfer unit 50.

  The detection information notification unit 30 creates detection information based on the special packet received from the special packet detection unit 20 and notifies the path verification device 100 of the created detection information. For example, the detection information notification unit 30 extracts the flow identifier from the received packet, and creates the detection information by adding the identifier of its own router. Further, the detection information notification unit 30 refers to the route table stored in the route table storage unit 40 in addition to the flow identifier indicating the flow of the detected packet, the identifier of the detected router, and the route table corresponding to the packet. May be added to the detection information. By adding the route entry, it becomes possible to investigate the routing policy of the detected packet, the normality of the route entry, and the like.

  The packet transfer unit 50 refers to the route table stored in the route table storage unit 40 and transfers the received packet to the next router. Note that packets to be transferred include both normal packets and special packets.

  Special packet detection unit 20, detection information notification unit 30, and packet transfer unit 50 are realized by a CPU of a computer that operates according to a program (path extraction program). For example, the program is stored in a storage unit (not shown) of each router, and the CPU reads the program and operates as the special packet detection unit 20, the detection information notification unit 30, and the packet transfer unit 50 according to the program. May be. In addition, each of the special packet detection unit 20, the detection information notification unit 30, and the packet transfer unit 50 may be realized by dedicated hardware.

  The path verification device 100 illustrated in FIG. 2 includes a detection information receiving unit 110, a path verification unit 120, a detection information storage unit 130, and a path verification information storage unit 140.

  The detection information storage unit 130 stores detection information. The route verification information storage unit 140 stores the route verification result obtained by the route verification unit 120. The detection information storage unit 130 and the path verification information storage unit 140 are realized by, for example, a magnetic disk.

  The detection information receiving unit 110 stores the detection information received from each router R1 to R3 in the detection information storage unit 130.

  The route verification unit 120 reads the detection information stored in the detection information storage unit 130 and performs flow route verification. Specifically, the path verification unit 120 checks the flow identifier included in the detection information, and extracts only detection information representing the same flow as the verification target flow identifier.

  Next, the path verification unit 120 extracts all the identifiers of the routers through which the flow to be verified has passed from the extracted detection information. Specifically, the path verification unit 120 extracts a node identifier from the extracted detection information. Then, the path verification unit 120 determines that the extracted router identifier (that is, the node identifier) is the path of the flow to be verified, and stores the path of the flow in the path verification information storage unit 140 as the path verification result. The route verification unit 120 performs the above-described route verification on all the route information stored in the route verification information storage unit 140, so that the routes of all flows to be verified are route verification information as route verification results. It can be stored in the storage unit 140.

  The route of the flow can be confirmed by referring to the route verification information storage unit 140 storing the route verification result, for example, directly or using a program.

  The detection information receiving unit 110 and the path verification unit 120 are realized by a CPU of a computer that operates according to a program (path verification program). Further, each of the detection information receiving unit 110 and the path verification unit 120 may be realized by dedicated hardware.

  Next, the operation of the communication path verification system of this embodiment will be described. FIG. 3 is an explanatory diagram illustrating an example of the special packet notification process performed by the routers R1 to R3, and FIG. 4 is an explanatory diagram illustrating an example of the flow path verification process performed by the path verification device 100.

  FIG. 5 is an explanatory diagram showing an example of a flow path verification method. In the following description, a method for verifying the flows F1 and F2 will be described. In the example shown in FIG. 5, inspection flows TF1 and TF2 for verifying the flows F1 and F2 and the flow path are shown. The flow is indicated by a solid line and the inspection flow is indicated by a broken line.

  A special packet having the same header as the flow F1 is used as the inspection flow TF1, and a special packet having the same header as the flow F2 is used as the inspection flow TF2. That is, the path of the flow F1 is verified using the inspection flow TF1, and the path of the flow F2 is verified using the inspection flow TF2.

  First, the operation on the router R1 side will be described. First, the packet receiver 10 of the router R1 receives a packet from the terminal T1, and inputs the received packet to the special packet detector 20 (step S10 in FIG. 3). The special packet detector 20 sequentially receives packets from the packet receiver 10. Then, the special packet detector 20 detects a special packet from the received packets (step S20).

  Here, it is assumed that the special packet detection unit 20 uses a method of detecting a special packet by checking a route verification flag set by the terminal T1. When the special packet detection unit 20 detects the special packet (Yes in step S20), the special packet detection unit 20 inputs the special packet to the detection information notification unit 30. On the other hand, if the special packet detection unit 20 does not detect the special packet (No in step S20), the special packet detection unit 20 inputs the received packet to the packet transfer unit 50.

  When receiving the special packet, the detection information notification unit 30 creates detection information and notifies the created verification information to the path verification device 100 (step S30). Hereinafter, the process in step S30 will be described in detail.

  The detection information notification unit 30 creates detection information based on the special packet received from the special packet detection unit 20, and stores the detection information in a detection information storage unit (not shown in FIG. 2) (step S31). This detection information includes a flow identifier indicating the flow of the detected packet and an identifier of the detected router. In addition, the detection information notification unit 30 notifies the created verification information to the path verification device 100 (step S32). Then, the detection information notification unit 30 inputs the special packet to the packet transfer unit 50.

  When creating the detection information, the detection information notification unit 30 may refer to the route table stored in the route table storage unit 40 and attach the route entry of the route table corresponding to the packet to the detection information. . Then, the packet transfer unit 50 refers to the route table stored in the route table storage unit 40 and transfers the received packet to the next router R2 (step S40). Thereafter, the same applies to the operations of the routers R2 and R3.

  Next, the operation on the path verification device 100 side will be described. The detection information receiving unit 110 receives the detection information transmitted from each of the routers R1 to R3, and stores the received detection information in the detection information storage unit 130 (step S110 in FIG. 4).

  The route verification unit 120 reads the detection information stored in the detection information storage unit 130 and performs flow route verification. Specifically, the path verification unit 120 checks the flow identifier of the detection information and extracts only the detection information of the same flow. Then, the route verification unit 120 extracts all the identifiers of the routers through which the flow has passed, and stores the route verification result using this as the route of the flow in the route verification information storage unit 140 (step S120). The route verification unit 120 performs the same processing as step S120 on all the detection information stored in the detection information storage unit 130.

  FIG. 6 is an explanatory diagram illustrating an example of detection information received from the routers R1 to R3. The detection information illustrated in FIG. 6 includes a detection information item for identifying each detection information, a flow identifier item, a router identifier item, and a routing table item indicating a route entry in the route table. Further, the routing table items illustrated in FIG. 6 include a “Dst” portion indicating a transmission destination, a “NextHOP” portion indicating a transfer destination, and an “Interface” portion indicating an interface for outputting a packet.

  First, a method for verifying the path of the flow TF1 based on the detection information of the inspection flow TF1 illustrated in FIG. 6 will be described. First, the path verification unit 120 extracts detection information D1 to D3 having a flow identifier “TF1” from the detection information illustrated in FIG. Next, the route verification unit 120 confirms the router identifier included in the detection information D1 to D3, and stores the router identifier “R1, R2, R3” in the route verification information storage unit 140 as the route of the flow TF1. By referring to the stored route verification result, it can be verified that the flow TF1 has passed through the routers R1, R2, and R3.

  Further, the route verification unit 120 may confirm the router identifier included in the detection information D1 to D3 and confirm the routing table item. Specifically, the route verification unit 120 can verify the route “R1 → R2 → R3” of the flow TF1 including the passing order by referring to the NextHOP of the routing table item.

  Next, a method for verifying the path of the flow TF2 based on the detection information of the inspection flow TF2 illustrated in FIG. 6 will be described. First, the path verification unit 120 extracts detection information D4 to D5 having a flow identifier “TF2” from the detection information illustrated in FIG. Next, the route verification unit 120 checks the router identifier included in the detection information D4 to D5, and stores the router identifier “R1, R3” in the route verification information storage unit 140 as the route of the flow TF2. By referring to the stored route verification result, it is possible to verify that the flow TF2 has passed through the routers R1 and R3 (that is, that it has not passed through the router R2).

  As shown in the example of FIG. 6, in the case of a network in which the communication path is controlled for each flow, even if the transmission source (terminal T1) and the transmission destination (terminal T2) are the same, the flow path is different. There is. According to this embodiment, since the path is verified for each flow identifier, the communication path of each flow can be verified for each type even when there are a plurality of types of flows to be inspected.

  As described above, according to the present embodiment, the special packet detection unit 20 of the router detects a special packet from the received packets. Then, the detection information notification unit 30 of the router generates detection information including a flow identifier and a node identifier based on the detected special packet, and notifies the path verification device 100 of the detection information. Then, the path verification unit 120 of the path verification device 100 verifies the flow path based on the node identifier included in the detection information received from the router. Specifically, the route verification unit 120 of the route verification device 100 verifies the route for each flow using the flow identifier included in the received detection information. Therefore, even if there are a plurality of types of flows to be inspected in a network in which the communication path is controlled for each flow, the communication path can be verified for each type of flow.

  That is, according to this embodiment, it is possible to verify the flow path in the communication network. This is because a router that has received a special packet routed in the same way as a normal flow returns a response, and the route is verified based on the response.

Embodiment 2. FIG.
FIG. 7 is an explanatory diagram illustrating an example of a communication path verification system according to the second embodiment of this invention. In addition, about the structure similar to 1st Embodiment, the code | symbol same as FIG. 1 is attached | subjected and description is abbreviate | omitted. The communication path verification system in the second embodiment includes terminals T1 and T2, routers R1 to R3, conversion apparatuses P1 and P2, and a path verification apparatus 100. The conversion device is connected between the terminal and the router. Specifically, the conversion device P1 is connected between the terminal T1 and the router R1, and the conversion device P2 is connected between the terminal T2 and the router R3. Further, the routers R1 to R3 and the path verification device 100 are connected to each other via a communication network NET.

  Although there are a plurality of flows on the network NET, FIG. 7 shows two flows F1 and F2. Of the flows F1 and F2 illustrated in FIG. 7, communication is performed using a normal packet in a portion indicated by a solid line, and communication is performed using a special packet in a portion indicated by a broken line. As described above, the communication path verification system according to the second embodiment is different from the communication path verification system according to the first embodiment in that the devices that transmit special packets are the conversion devices P1 and P2. The rest is the same as in the first embodiment.

  In the present embodiment, when a packet transmitted by the terminal T1 is transmitted to the router R1, the packet passes through the conversion device P1 on the path. At this time, the control unit (not shown) of the conversion device P1 converts the received normal packet into a special packet. For example, the control unit (not shown) of the conversion device P1 may set a predetermined bit in a path verification field prepared in advance in a payload portion of a normal packet as a path verification flag. In addition, the control unit (not shown) of the conversion device P1 may embed a message in the field as a path verification flag. However, the conversion method to the special packet is not limited to these methods. Other conversion methods may be used as long as the routers R1 to R3 can detect the path verification flag.

  On the other hand, when the special packet transmitted by the router R3 is transmitted to the terminal T2, the special packet passes through the conversion device P2 on the path. At this time, the control unit (not shown) of the conversion device P2 converts the received special packet into a normal packet. As a method for the control unit (not shown) of the conversion device P2 to convert the packet into a normal packet, for example, a method of canceling a bit set as a route verification flag may be used. A method may be used to delete the received message. That is, other methods may be used as long as the control unit (not shown) of the conversion device P1 returns the normal packet before conversion to the special packet.

  Note that the operations of the routers R1 to R3 and the path verification device 100 are the same as those in the first embodiment, and thus the description thereof is omitted.

  As described above, the communication path verification system according to this embodiment includes a conversion device that converts a normal packet into a special packet. Therefore, in addition to the effects of the first embodiment, it is possible to verify the flow path without providing a function for transmitting a special packet to the terminal T1.

Embodiment 3. FIG.
Next, a communication path verification system according to the third embodiment of the present invention will be described. The configuration of the communication path verification system in the present embodiment may be the same as the configuration of the communication path verification system in the first embodiment, and is the same as the configuration of the communication path verification system in the second embodiment. It may be configured as follows.

  In the communication path verification system according to the third embodiment, the routers R1 to R3 perform a packet counter operation, add the count result of the counter operation to the detection information, and transmit it to the path verification apparatus 100. Is different from the communication path verification system in the first embodiment and the second embodiment in that the path verification unit 120 in the first embodiment verifies the path with reference to the count result. The rest is the same as in the first embodiment and the second embodiment.

  The router detection information notification unit 30 operates a counter included in the special packet when the router receives the special packet. Specifically, the detection information notification unit 30 counts the number of times it has passed through the router, and records the counted number in the packet. Here, the counter operated by the detection information notification unit 30 is information included in a predetermined field of the special packet. This field may be a field such as TTL or may be prepared as a unique field. Further, the detection information notification unit 30 performs addition or subtraction on the counter. As long as the operations are unified in all routers on the communication path verification system, the operation performed on the counter may be either addition or subtraction.

  When the detection information notification unit 30 notifies the path verification device 100 of the detection information of the special packet, the detection information notification unit 30 also notifies the counter value of the field for which the counter operation has been performed.

  The path verification unit 120 of the path verification apparatus 100 sorts the verification information based on the counter value information when performing path verification. For example, when a counter is added at each router, the route of the router can be verified in the order in which the packets have passed by arranging the verification information from the smallest counter value (that is, arranging the verification information in ascending order of the counter value).

  As described above, according to the present embodiment, when the detection information notifying unit 30 of the router receives the special packet, it counts the number of times that the special packet has passed through the router, and the counted number of times is converted into the special packet. Record. Then, the detection information notification unit 30 notifies the path verification device 100 of the counted number of times together with the detection information. The path verification unit 120 of the path verification apparatus 100 verifies the path of the flow indicating the order of passing through the router based on the received number of times.

  Thus, according to the present embodiment, in addition to the effects of the first embodiment, the order in which packets pass through the router is ensured when performing route verification, so that the flow passes without referring to the route table. It is possible to reliably verify the route that has been performed.

Embodiment 4 FIG.
Next, a communication path verification system according to the fourth embodiment of the present invention will be described. The configuration of the communication path verification system in the present embodiment may be the same as the configuration of the communication path verification system in the first embodiment, and is the same as the configuration of the communication path verification system in the second embodiment. It may be configured as follows.

  In the communication path verification system according to the fourth embodiment, the path verification apparatus 100 issues a detection information notification instruction, and the communication path verification according to the first to third embodiments is that the terminal or the conversion apparatus does not transmit a special packet. Different from the system. The rest is the same as the first to third embodiments.

  The route verification unit 120 of the route verification device 100 notifies the router of one or more route entries as detection target entry information. This route entry includes a flow identifier representing the flow to be verified.

  When the router receives the detection target entry information, the packet receiving unit 10 stores the route entry represented by the detection target entry information in the route table storage unit 40. Hereinafter, a case where the packet receiving unit 10 stores the route entry in the route table storage unit 40 will be described. A detection entry information storage unit (not shown) for storing the detection target entry information is separately provided, and the packet receiving unit 10 stores the received detection target entry information in the detection entry information storage unit (not shown). May be.

  Then, when each router receives a packet, the special packet detection unit 20 detects a packet corresponding to the detection target entry information. Specifically, the special packet detection unit 20 detects a packet in which the header configuration of the received packet matches the flow identifier indicating the verification target flow.

  When a packet including a flow identifier that matches the flow identifier included in the detection target entry information is detected, the special packet detection unit 20 inputs the packet to the detection information notification unit 30. On the other hand, when the flow identifiers do not match, the special packet detection unit 20 inputs the packet to the packet transfer unit 50. Other operations are the same as those in the first to third embodiments. That is, the detection information notification unit 30 creates detection information and notifies the path verification device 100 of the created detection information. Then, the path verification unit 120 of the path verification apparatus 100 verifies the flow path in the same manner as in the first to third embodiments.

  In order to reduce the load on the router for the process of detecting a target packet, the special packet detection unit 20 performs the above process on a packet extracted by sampling, not on all packets. May be.

  As described above, according to this embodiment, first, the path verification unit 120 of the path verification apparatus 100 transmits a flow identifier for identifying a flow to be verified to the router. The special packet detector 20 of the router detects a packet in which the header configuration of the received packet matches the flow identifier. The detection information notification unit 30 generates detection information including a flow identifier and a node identifier based on the detected packet, and notifies the path verification device 100 of the detection information. Then, the path verification unit 120 of the path verification apparatus 100 verifies the flow path based on the node identifier included in the detection information received from the router. Therefore, it is possible to verify the route through which the flow has passed without implementing a function of creating a special packet in the terminals T1 and T2 or a device on the network (for example, a conversion device).

  Next, the minimum configuration of the present invention will be described. FIG. 8 is a block diagram showing an example of the minimum configuration of the communication path verification system according to the present invention. The communication path verification system according to the present invention uses a plurality of nodes 80 (for example, routers R1 to R3, switches) that transfer received packets to other devices, information indicating a transmission source, and information indicating a transmission destination. A path verification device 90 (for example, the path verification device 100) that performs path verification for each flow that is communication in which a path is defined is provided.

  The node 80 includes a path verification flag that is information indicating whether or not the packet is a path verification packet, and detects a special packet having the same header configuration as the verification target flow from the received packet. Information including packet detection means 81 (for example, special packet detection unit 20) and a flow identifier that is information for identifying a flow and a node identifier that is information for identifying the own node based on the detected special packet. Detection information notification means 82 (for example, the detection information notification unit 30) that generates certain detection information and notifies the path verification device 90 of the detection information is provided.

  The route verification device 90 includes route verification means 91 (for example, a route verification unit 120) for verifying the flow route based on the node identifier included in the detection information received from the node 80.

  With such a configuration, even if there are a plurality of types of flows to be inspected in a network in which the communication path is controlled for each flow, the communication path can be verified for each type of flow.

  Further, the node 80 may include a route table storage unit (for example, the route table storage unit 40) that stores a route table including a route entry that is information indicating a transfer destination of a packet. Then, the detection information notifying unit 82 of the node 80 may notify the path verification device 90 of the detection information provided with the path entry corresponding to the detected special packet.

  In addition, a conversion device (for example, a packet that is converted into a special packet) between a terminal (for example, terminal T1) that transmits a packet used for communication and a node 80 (for example, router R1) to which the terminal transmits the packet. A conversion device P1) may be provided. With such a configuration, it is possible to verify the flow path without providing a function for transmitting a special packet to the terminal.

  Further, when receiving a special packet, the node 80 counts (for example, adds or subtracts) the number of times that the special packet has passed through the node, and records the number of times in the special packet (for example, detection information notification). Part 30). Then, the detection information notification unit 82 of the node 80 notifies the route verification device 90 of the number of times together with the detection information, and the route verification unit 91 of the route verification device 90 indicates the order of passing through the nodes based on the received number of times. The route of the flow shown may be verified. With such a configuration, it is possible to confirm the order in which packets have passed through the router when performing route verification. Therefore, it is possible to reliably verify the route through which the flow has passed without referring to the route table.

  FIG. 9 is a block diagram showing an example of another minimum configuration of the communication path verification system according to the present invention. Another communication path verification system according to the present invention uses a plurality of nodes 60 (for example, routers R1 to R3, switches) that transfer received packets to other devices, information indicating the transmission source, and information indicating the transmission destination. And a path verification device 70 (for example, the path verification device 100) that performs path verification for each flow that is communication in which the path is defined.

  The path verification device 70 verifies a flow path with verification target transmission means 71 (for example, a path verification unit 120) that transmits information including a flow identifier, which is information for identifying a flow to be verified, to the node 60. A route verification unit 72 (for example, a route verification unit 120) is provided.

  Based on the detected packet, the node 60 detects a packet in which the header configuration of the received packet matches the flow identifier indicating the flow to be verified, and the detected packet. Detection information notifying means 62 that generates detection information that is information including a flow identifier and a node identifier that is information for identifying the own node and notifies the path verification device 70 of the detection information.

  Then, the path verification unit 72 of the path verification apparatus 70 verifies the flow path based on the node identifier included in the detection information received from the node.

  With the configuration as described above, even in the case where a plurality of flows to be inspected exist in a network in which the communication path is controlled for each flow, the communication path can be verified for each type of flow. Then, it is possible to verify the path through which the flow has passed without implementing a function of creating a special packet in a device (for example, a terminal or a conversion device) on the network.

  FIG. 10 is a block diagram showing an example of the minimum configuration of the path verification apparatus according to the present invention. A path verification apparatus according to the present invention is a path verification apparatus that performs path verification for each flow that is a communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination. Detection information that is information including a flow identifier that is information for identifying a flow whose path is to be verified and a node identifier that is information for identifying the node is received from a node that is a device to be transferred to another device. , A path verification unit 51 (for example, path verification unit 120) for verifying the path of the flow based on the node identifier included in the received detection information is provided. Therefore, even if there are a plurality of types of flows to be inspected in a network in which communication paths are controlled for each flow, the communication paths can be verified for each type of flow.

  Although the present invention has been described with reference to the embodiments and examples, the present invention is not limited to the above embodiments and examples. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  This application claims the priority on the basis of the JP Patent application 2010-271561 for which it applied on December 6, 2010, and takes in those the indications of all here.

  The present invention is suitably applied to a communication path verification system that verifies a communication path of a network in which the communication path is controlled for each flow.

T1, T2 terminal R1-R3 router F1, F2 flow TF1, TF2 inspection flow 10 packet receiving unit 20 special packet detection unit 30 detection information notification unit 40 route table storage unit 50 packet transfer unit 100 route verification device 110 detection information reception unit 120 Route verification unit 130 Detection information storage unit 140 Route verification information storage unit

Claims (10)

Multiple nodes that forward received packets to other devices;
A path verification device that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination;
The node is
Special packet detection means for detecting a special packet that includes a path verification flag indicating whether or not the packet is for path verification from the received packets and whose header configuration is the same as the verification target flow;
Based on the detected special packet, detection information that is information including a flow identifier that is information for identifying the flow and a node identifier that is information for identifying the own node is generated, and the path verification is performed on the detection information. A detection information notification means for notifying the device,
The route verification device includes:
A communication path verification system comprising path verification means for verifying the path of the flow based on a node identifier included in detection information received from the node. The node includes route table storage means for storing a route table including a route entry that is information indicating a transfer destination of a packet,
The communication path verification system according to claim 1, wherein the detection information notification means of the node notifies the path verification apparatus of detection information provided with a path entry corresponding to the detected special packet. The communication path verification according to claim 1, further comprising: a conversion device that converts the packet into a special packet between a terminal that transmits a packet used for communication and a node to which the terminal transmits the packet. system. When the node receives the special packet, the node includes a counting unit that counts the number of times that the special packet has passed through the node, and records the number of times in the special packet.
The node detection information notification means notifies the path verification device of the number of times together with the detection information,
4. The communication path verification according to claim 1, wherein path verification means of the path verification device verifies a flow path indicating the order of passing through the nodes based on the number of times of reception. 5. system. Multiple nodes that forward received packets to other devices;
A path verification device that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination;
The route verification device includes:
Verification target transmission means for transmitting a flow identifier, which is information for identifying a flow to be verified, to the node;
Path verification means for verifying the path of the flow,
The node is
A packet detection means for detecting a packet whose header configuration matches the flow identifier indicating the flow to be verified;
Detection information notifying means for generating detection information that is information including the flow identifier and a node identifier that is information for identifying the own node based on the detected packet and notifying the path verification device of the detection information And
The path verification unit of the path verification apparatus verifies the path of the flow based on a node identifier included in detection information received from the node. A path verification device that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination,
Detection of information including a flow identifier, which is information for identifying a flow whose path is to be verified, and a node identifier, which is information for identifying the node, from a node that is a device that transfers a received packet to another device A path verification device comprising: path verification means for receiving information and verifying the path of the flow based on a node identifier included in the received detection information. A communication path verification method that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination,
A node that forwards a received packet to another device includes a path verification flag that is information indicating whether or not the received packet is a path verification packet from among the received packets. Detect special packets that are identical,
Based on the detected special packet, the node generates detection information that is information including a flow identifier that is information for identifying the flow and a node identifier that is information for identifying the own node;
The node notifies the detection information to a path verification device that performs path verification for each flow,
The communication path verification method, wherein the path verification device verifies the path of the flow based on a node identifier included in detection information received from the node. The communication path verification method according to claim 7, wherein the node notifies the path verification apparatus of detection information to which a path entry corresponding to the detected special packet is added. A communication path verification method that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination,
A path verification device that performs path verification for each flow transmits information including a flow identifier that is information for identifying a flow to be verified, to a node that forwards the received packet to another apparatus.
The node detects a packet in which the header configuration of the received packet matches the flow identifier;
Based on the detected packet, the node generates detection information that is information including the flow identifier and a node identifier that is information for identifying the own node;
The node notifies the path verification device of the detection information;
The communication path verification method, wherein the path verification device verifies the path of the flow based on a node identifier included in detection information received from the node. A path verification program applied to a computer that performs path verification for each flow that is communication in which a path is defined using information indicating a transmission source and information indicating a transmission destination,
In the computer,
Detection of information including a flow identifier, which is information for identifying a flow whose path is to be verified, and a node identifier, which is information for identifying the node, from a node that is a device that transfers a received packet to another device A path verification program for receiving information and executing a path verification process for verifying a path of the flow based on a node identifier included in the received detection information.

Images