JP4220330B2 - VPN table search device - Google Patents

Description

  The present invention relates to a search technique for a table in which an output port corresponding to a destination address in a VPN (Virtual Private Network) is recorded.

  FIG. 4 shows the configuration of a conventional VPN network, and FIG. 5 shows the configuration of a conventional router. In a conventional network, a VPN is basically realized by using IP addresses without duplication. The router also performs routing based on this IP address.

When implementing a VPN, it is also monitored that it is a DA (destination address) allowed for a pre-registered SA (source address) and prevents packets from being mixed into the VPN from other VPNs. (For example, refer to Patent Document 1 or 2). As shown in FIG. 8, an input IP packet is distributed to a predetermined output port using a table in which an output port number corresponding to a destination address (DA) is recorded.
JP 2000-358064 A JP 2000-332786 A

  Conventionally, a plurality of VPNs are recorded in one table, and an FE (forwarding engine) determines an output port based on a destination address (DA). At this time, for example, the search is performed sequentially from the top of the recorded destination address, and the output port is determined when it matches the destination address of the input IP packet.

  Further, in the conventional VPN, as shown in FIG. 5, VPNs are classified by destination addresses. Therefore, as described above, it is necessary to use IP addresses without duplication. This means that one destination address is not allowed to belong to multiple VPNs.

  However, in recent years when a wide variety of VPN usage forms are required, a VPN usage form in which one destination address belongs to a plurality of VPNs may be required. For example, user # 3 belongs to both VPN # 1 and VPN # 2, and user # 3 receives both IP packets from user # 1 of VPN # 1 and IP packets from user # 2 of VPN # 2. Even if it is going to implement | achieve the VPN utilization form of receiving, it was difficult for the conventional VPN to respond to such a request.

  Also, in order not to allow duplication of IP addresses, one large table consisting of a list of IP addresses is inevitably used. When a search is performed using such a single large table, the amount of data in the table is enormous, and there is a problem that a long processing time is required for the search.

  The present invention is based on such a background, and by using an independent table corresponding to VPN and searching in parallel for each VPN, a usage form in which one destination address belongs to a plurality of VPNs is allowed. An object of the present invention is to provide a VPN table search device that can reduce the search time.

  The present invention is characterized in that an independent table is used for each VPN and a search is performed in parallel for each VPN. In this case, a binary tree is provided for each VPN as shown in FIG. The device may be configured to perform a search on the plurality of binary trees.

  As described above, in order to perform a search for a plurality of binary trees, a storage area for storing each binary tree is prepared, and the configuration of the binary tree is individually different. A search control means must be prepared.

  Thus, the main feature of the present invention is that one binary tree is aggregated and each node has information such as an output port number indicating the next hop for each VPN. Thereby, a single binary tree search control means is sufficient, and the processing load of the table search apparatus can be reduced.

  That is, the present invention is a table search apparatus in a VPN in which a plurality of VPN users configure a virtual independent network with a single network using an independent IP address system. However, a binary tree that branches based on bit values that are sequentially read from the least significant bit to the most significant bit of the IP header is provided, and each node constituting the binary tree includes a next output port number for each VPN and a next output port number. There is an identifier that indicates whether or not there is a connection to the node.

  Thereby, a table search for each of a plurality of VPNs can be realized with one binary tree. In addition, by providing an identifier indicating the presence or absence of connection to the next node, when the configuration of the binary tree differs for each VPN, the end position of the tree can be varied using this identifier. That is, if there is no connection to the next node, that node is the end position of the tree, and if there is a connection to the next node, the end position of the tree is lower than that node.

  The binary tree of the present invention can be realized simply and economically by a single memory, for example. That is, the storage area for recording the identification number of the node, the next output port number for each VPN, the identifier indicating the presence or absence of connection to the next node, and the identification number of the next node corresponding to the read bit value A memory including the number of nodes, and table search means for determining an output port corresponding to a destination address of an input IP packet by using the information of the node recorded in the storage area included in the memory as a search target. The table search means searches the information of one node recorded in the storage area as a search target, and when there is a connection to the next node, the least significant bit to the most significant bit of the IP header of the input IP packet The bit values read out sequentially toward the next node and the identification number of the next node Can be the information recorded in the storage area corresponding to the de comprises means to expand the search.

  Another aspect of the present invention is a program applied to a table search apparatus in a VPN in which a plurality of VPN users use a single IP address system to form a virtually independent network. A feature of the present invention is that, when installed in an information processing apparatus, the information processing apparatus has a binary tree that branches based on bit values read in order from the least significant bit to the most significant bit of the IP header. Corresponding functions are realized, and each node constituting this binary tree is provided with an identifier indicating the next output port number for each VPN and the presence or absence of connection to the next node.

  More specifically, the identification number of the node, the next output port number for each VPN, the identifier indicating the presence / absence of connection to the next node, and the identification number of the next node corresponding to the read bit value are recorded. A function corresponding to a memory including as many storage areas as the number of nodes to be processed and an output port corresponding to a destination address of an input IP packet are determined by using the node information recorded in the storage area included in the memory as a search target. A function corresponding to the table search means is realized, and as a function corresponding to the table search means, the information of one node recorded in the storage area is searched as a search target, and there is a connection to the next node. Sometimes, the bit value read sequentially from the least significant bit to the most significant bit of the IP header of the input IP packet and the next no. It can be the identification number and realizing matched functions to expand the search to information recorded in the storage area corresponding to the node identification number of the next node by comparing the.

  Still another aspect of the present invention is a recording medium readable by the information processing apparatus on which the program of the present invention is recorded. By recording the program of the present invention on the recording medium of the present invention, the information processing apparatus can install the program of the present invention using this recording medium. Alternatively, the program of the present invention can be directly installed in the information processing apparatus via a network from a server holding the program of the present invention.

  As a result, using a general-purpose information processing device and using an independent table corresponding to the VPN and searching in parallel for each VPN, it is possible to allow a usage mode in which one destination address belongs to a plurality of VPNs. Thus, a VPN table search apparatus that can shorten the search time can be realized.

  According to the present invention, by using an independent table corresponding to VPN and searching in parallel for each VPN, it is possible to allow a usage form in which one destination address belongs to a plurality of VPNs, and to shorten the search time. be able to.

  An embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a diagram showing a binary tree of this embodiment. FIG. 2 is a diagram showing how to hold a table at a node constituting the binary tree of the present embodiment.

  The present embodiment is a table search apparatus in a VPN in which a plurality of VPN users use a single network to form a virtually independent network using an independent IP address system, which is a feature of the present invention. 1 includes a binary tree that branches based on the bit values that are sequentially read from the least significant bit to the most significant bit of the IP header, as shown in FIG. As shown, there is a next output port number for each VPN and an identifier indicating the presence / absence of connection to the next node.

  It is determined that the input packet is “0” or “1” bit by bit from the least significant bit of the IP address. In the example, in the case of “01”, the data for each VPN held in the corresponding node is shown in FIG.

  “01” describes the output port number of NH (next hop) when terminating at that node for each VPN. In addition, there is an end mark. In the example, when the end mark is “−”, there is a possibility that there is a next node. When the end mark is end, there is no next node in the VPN-ID. Therefore, it is not necessary to search from this node thereafter.

  For example, when VPN # is # 2, there is a possibility of Port # 17, but there is a possibility that the next node exists, and the next node is searched. However, if the next node is “010”, for example, but “011” is not present, and the IP address of the packet is “011...”, The output port is Port # 17.

  Next, an implementation example using the binary tree memory of this embodiment is shown in FIG. FIG. 3 is a diagram illustrating a configuration example of a binary tree on a memory. As shown in FIG. 3, the node identification number, the next output port number for each VPN, the end mark which is an identifier indicating the presence or absence of connection to the next node, and the next node identification number corresponding to the read bit value Includes a memory area including as many storage areas as the number of nodes.

  Further, the information processing apparatus includes a table search unit 10 that determines the output port corresponding to the destination address of the input IP packet by using the node information recorded in the storage area included in the memory as a search target. A search is performed using the information of one of the nodes recorded in the storage area as a search target, and when there is a connection to the next node, the information is sequentially read from the least significant bit to the most significant bit of the IP header of the input IP packet. And a means for expanding the search object to information recorded in the storage area corresponding to the node having the coincident identification number of the next node by comparing the bit value obtained and the identification number of the next node.

  That is, the binary tree stored in the memory stores tree nodes such as “010” and NH for each VPN as shown in FIG. Further, at the end of the table for each node, there is a chain of addresses stored in the next node when the next bit is “0” and “1”. In other words, if this chain is traced in the search unit, the binary tree can be searched in order.

  The present invention can be implemented as a program that, when installed in a general-purpose information processing apparatus, causes the information processing apparatus to realize a function corresponding to the VPN table search apparatus of the present invention. This program is recorded in a recording medium and installed in the information processing apparatus, or installed in the information processing apparatus via a communication line, so that the information processing apparatus can store the program in the memory and table search unit 10 of the present embodiment. The corresponding function can be realized.

  The table search apparatus according to the present invention can use a table in which one destination address belongs to a plurality of VPNs by searching in parallel for each VPN using an independent table corresponding to the VPN, and can reduce the search time. Since it can be shortened, it is possible to cope with a wide variety of VPN usage modes, and thus the convenience of the user can be improved. Further, by consolidating the binary trees into one, the search control can be simplified, and the binary tree can be realized by one memory, so that the apparatus can be configured economically.

The figure which shows the structural example of the binary tree of this embodiment. The figure which shows how to maintain the data in one node of the binary tree of this embodiment. The figure which shows the structural example of the binary tree on the memory of this embodiment. The figure which shows the conventional VPN network. The figure which shows the structure of the conventional router. The figure which shows the example of the binary tree branched for every VPN.

Explanation of symbols

  10 Table search part

Claims (5)

A plurality of VPN users use an independent IP address system to realize a VPN (Virtual Private Network) that constitutes a virtually independent network in one network, so that an output port number corresponding to a destination address is recorded. A table search device that determines an output port based on a destination address of an input IP packet using the generated table ,
A binary tree that branches based on bit values that are sequentially read from the least significant bit to the most significant bit of the IP address ;
Each node configuring this binary tree has a next output port number and an identifier indicating the presence or absence of connection to the next node.
In the VPN table search device,
The VPN table search device according to claim 1, wherein the identifier is provided for each VPN in each node . A storage area for recording the node identification number, the next output port number for each VPN, an identifier indicating the presence or absence of connection to the next node, and the identification number of the next node corresponding to the read bit value With a few minutes of memory,
Table search means for determining an output port corresponding to a destination address of an input IP packet by using the node information recorded in the storage area included in the memory as a search target; and
This table search means searches for the information of one of the nodes recorded in the storage area as a search target, and when there is a connection to the next node, the most significant bit from the least significant bit of the IP address of the input IP packet Means for comparing the bit value read in sequence toward the bit with the identification number of the next node and extending the search target to information recorded in the storage area corresponding to the node of the coincidence identification number of the next node The VPN table search device according to claim 1. A plurality of VPN users use a table in which output port numbers corresponding to destination addresses are recorded in order to realize a VPN that constitutes a virtually independent network in one network using an independent IP address system. In a program applied to a table search device that determines an output port based on a destination address of an input IP packet ,
By installing on an information processing device,
Realizing a function corresponding to a binary tree that branches based on the bit values read in order from the least significant bit to the most significant bit of the IP address ,
Each node constituting this binary tree has an identifier indicating the next output port number and the presence or absence of connection to the next node,
The program characterized in that the identifier is provided for each VPN in each node . A storage area for recording the node identification number, the next output port number for each VPN, an identifier indicating the presence or absence of connection to the next node, and the identification number of the next node corresponding to the read bit value A function corresponding to a memory containing several minutes,
Realizing a function corresponding to a table search means for determining an output port corresponding to a destination address of an input IP packet by using the node information recorded in the storage area included in the memory as a search target;
As a function corresponding to this table search means, a search is performed using information on one node recorded in the storage area as a search target, and when there is a connection to the next node, the lowest IP address of the input IP packet The bit value read in order from the bit to the most significant bit is compared with the identification number of the next node by comparing the bit value and the information to be searched is stored in the information recorded in the storage area corresponding to the node of the identification number of the next node. The program according to claim 3, which realizes a function to be expanded. The information processing apparatus-readable recording medium on which the program according to claim 3 or 4 is recorded.

Images