JP4279324B2 - Network control method - Google Patents

Description

  In the present invention, in a wide area network, traffic fluctuations are monitored over a wide area, and when a detailed analysis is performed by transferring traffic to a dedicated packet processing device only when analysis is necessary, a large-scale analysis target is generated. Even in such a case, it is a technique for improving security at a low cost by efficiently implementing illegal access monitoring and attack traffic defense in the network by implementing load balancing.

  With the spread of the Internet, illegal eavesdropping of data and the like due to unauthorized access via a network, system attacks such as DDoS (Distributed Denial of Services) attacks, etc. are frequently occurring.

  Conventionally, in order to cope with these threats, an access control technique is used in which a firewall function is installed in a packet transfer device such as a router to control communication according to data contents flowing through a network and packet header contents. By installing this packet transfer device at the boundary of the network, it is possible to pass only the minimum necessary communication in accordance with the security policy set by the user.

  However, since the firewall function allows communication according to the security policy to pass through the network, it is difficult to completely prevent unauthorized access such as unauthorized intrusion or DDoS attack using this allowed communication service. It is.

  In order to solve this problem, a method of using an abnormal traffic detection device such as Anomaly Detector and an abnormal traffic analysis / control device such as Anomaly Guard is used [Patent Document 1]. In this method, when Anomaly Detector detects the possibility of abnormal traffic, Anomaly Guard sends an alert to Anomaly Guard, reroutes the target traffic to Anomaly Guard, and analyzes it. The traffic is classified into illegal traffic and normal traffic, and the normal traffic is transferred to the original destination, and the illegal traffic is deleted.

  In this method, the abnormal traffic analysis / control device changes the routing information in the network to set the next hop of the destination address of the flow with the possibility of abnormal traffic as its own, thereby guiding the flow to itself. The system [Non-Patent Document 2] and a logical port called a tunnel are set between the edge router in the network and the abnormal traffic analysis / control device, and a flow having a possibility of abnormal traffic is transferred to the abnormal traffic analysis / control device. There is a method [Non-Patent Document 1]. In the latter method, a two-way logical tunnel is set between a specific router and anomaly traffic analysis / control device, and an access control list for preventing a loop is set for the router. Loops are avoided at the same time that traffic is directed to the abnormal traffic analysis and control device.

JP 2005-5927 A “Network System and Unauthorized Access Control Method and Program” Yagi, et al., "Evaluation of network control method for sharing DDoS attack mitigation device scrubbing box", IEICE Technical Report, IN2006-131, pp103-108, Dec. 2006. Cisco Systems, Inc., “Cisco Anomaly Guard Module”, [online], [Search February 5, 2007], Internet <http://www.cisco.com/japanese/warp/public/3/jp/ product / hs / ifmodule / csm / prodlit / agm_ds.shtml>

  However, in these systems, the abnormal traffic analysis / control apparatus to which the flow is induced is determined in advance for each destination address. For this reason, when a large amount of attacks against a destination address associated with a certain device occurs, there is a possibility that a large amount of traffic flows into the abnormal traffic analysis / control device and becomes congested. For this reason, each abnormal traffic analysis / control device must have processing performance that can be said to be excessive during normal times so that it can be reliably analyzed and controlled even when the attack traffic to the associated destination address becomes maximum. As a result, the cost of the apparatus increases.

  In addition, in a conventional load distribution method such as traffic engineering, load distribution can be performed only for each route. Therefore, in order to perform load distribution between devices such as an abnormal traffic analysis / control device, It is necessary for the load distribution control device to manage all devices installed on each route. For this reason, as the network scale increases, the total device management load on each path increases rapidly, resulting in an increase in cost of the load distribution control device. Further, when traffic engineering is used, traffic cannot be directed to a specific device if an attacker and an attacked person exist under the same edge router. For this reason, there are attack patterns that cannot be handled.

  An object of the present invention is to provide a network control technique capable of realizing anomaly traffic detection / analysis and control in a wide area network at a low cost.

  In order to analyze and control specific traffic, the present invention dynamically sets a transfer path between a subscriber user accommodation device equivalent to an edge router and a plurality of packet processing devices equivalent to abnormal traffic analysis and control devices. In the network where the network control device that instructs to transfer the target traffic is installed, by setting an access control list for preventing loops for the subscriber user accommodation device, the specific traffic is analyzed and controlled as abnormal traffic. In network control using the prior art that guides to a device and avoids the occurrence of a loop, a list for defining a plurality of detour destination packet processing devices ranked for each destination subscriber user accommodation device is created, and the packet processing device When detouring traffic, the current packet processing device with the highest priority The processing load such as the amount of transferred data is checked, and if the processing load is equal to or greater than a predetermined threshold, the current processing load of the next highest priority packet processing device is checked, and the packet processing device whose processing load is equal to or less than the threshold Is detected, a logical port is set between the packet processing device and the destination subscriber user accommodation device. Thereafter, the conventional technology is applied, and an access control list for preventing a loop is set for the subscriber user accommodation device. Also, when the amount of data transferred in the packet flow being guided to the packet processing device dynamically increases, the next candidate guidance destination packet processing device is specified for some packet flows on the packet processing device. Change the destination dynamically.

  As a result, it is possible to transmit traffic that wants to be controlled by passing through the packet processing function while distributing the load among a plurality of packet processing apparatuses and using the conventional technology together while preventing a loop. At this time, the packet processing device does not need to have excessive processing performance, and the network control device does not need to manage all devices installed on each path in the network. Furthermore, even when an attacker and an attacked person exist under the same edge router, it is possible to guide traffic to the packet processing device while distributing the load among the packet processing devices.

  This makes it possible to detect and analyze abnormal traffic and control in a wide area network at a low cost.

  Of the inventions disclosed in this specification, the outline of typical ones will be briefly described as follows.

  In order to solve the above-mentioned problems, according to the present invention, in claim 1, in the network control method, the network control apparatus manages a plurality of packet processing apparatus lists prioritized for each subscriber user accommodation apparatus. In addition, the amount of transfer data of the notified packet flow and the amount of transfer data of the first priority packet processing device for the destination subscriber user accommodation device described in the notification are added, and whether or not the predetermined fixed value is exceeded When a certain value is not exceeded, a logical port is set between the subscriber user accommodation device and the packet processing device. When a certain value is exceeded, the above processing is performed from a packet processing device having a high priority. A network control method is employed that attempts to set a logical port between a certain packet processing device and the subscriber user accommodation device.

  Further, according to claim 2, in the network control method according to claim 1, the packet processing device counts the amount of transfer data per fixed time of the passing packet flow, and the network control device is transferred to each packet processing device. The packet flow is managed as a flow management list together with the source subscriber user accommodation device and the destination subscriber user accommodation device, and the total amount of transfer data per fixed time of the packet processing device is referred to, and the transfer data amount is a predetermined constant. When a packet processing device that exceeds the value is detected, the packet processing device identifies one or a plurality of packet flows in which the excess transfer data is observed, and a flow management list for the identified packet flow To identify the destination subscriber user accommodation device of the packet flow, and the destination subscriber When the transfer data amount of the first priority packet processing device for the user accommodation device and the transfer data amount of the specified packet flow are added, and it is confirmed whether or not it exceeds a predetermined value, and when the specified value is not exceeded Uses the packet processing device as a new packet flow transfer destination, and when a certain value is exceeded, the above processing is tried from a packet processing device with a high priority, and a packet processing device is set as a new packet flow transfer destination. Adopt a network control method that attempts to identify.

  Furthermore, according to claim 3, in the network control method according to claim 1 or 2, the network control device has a function of identifying a subscriber user accommodation device that accommodates the address from the address, and includes a destination address and a transmission source address. When receiving the notification of the packet flow information to be configured and the control information consisting of the transfer data amount of the packet flow, the destination subscriber user accommodation device is identified from the destination address, and the source subscriber user from the source address A network control method is adopted in which the accommodating device is specified and the identified subscriber user accommodating device is used as the subscriber user accommodating device described in the notification.

  Further, according to claim 4, in the network control method according to any one of claims 1 to 3, a transfer load constituted by a transfer data amount, a transfer packet number, and a transfer packet flow number is used instead of the transfer data amount. The network control method to be used is adopted.

  Further, according to claim 5, in the network control method according to any one of claims 1 to 4, in the packet passage control function of the packet processing device, the accumulated value of the transfer data amount for each destination address of the transfer packet is set to a predetermined period. A network that measures each time, and when the cumulative value of the transfer data amount of a certain destination address exceeds a predetermined threshold value, discards the packet corresponding to the threshold excess amount in the next period for the packet that holds the destination address Adopt control method.

  Furthermore, according to claim 6, in the network control method according to any one of claims 1 to 4, in the packet passage control function of the packet processing device, the total number of transfer packets and transfer data amount for each header information of the received packet. Observe the value at regular intervals, and discard the packet that holds the header information from the next period when the increase value of the total number of transfer packets and transfer data of the header information exceeds a predetermined threshold Adopt network control method.

  According to the present invention, in order to realize load distribution among packet processing devices, a list that defines a plurality of detour destination packet processing devices ranked for each destination subscriber user accommodation device is created, and packet processing is performed. When bypassing device traffic, check the processing load such as the current transfer data amount of the packet processing device with the highest priority, and if the processing load is equal to or greater than a predetermined threshold, the next highest priority packet The current processing load of the processing device is checked, and when a packet processing device having a processing load equal to or less than a threshold is detected, a logical port is set between the packet processing device and the destination subscriber user accommodation device. Thereafter, the conventional technology is applied, and an access control list for preventing a loop is set for the subscriber user accommodation device. Also, when the amount of data transferred in the packet flow being guided to the packet processing device dynamically increases, the next candidate guidance destination packet processing device is specified for some packet flows on the packet processing device. Change the destination dynamically.

  As a result, it is possible to transmit the traffic to be controlled by passing the packet processing function while distributing the load among a plurality of packet processing apparatuses and preventing the loop by using the conventional technique together. At this time, the packet processing device does not need to have excessive processing performance, and the network control device does not need to manage all devices installed on each path in the network. Furthermore, even when an attacker and an attacked person exist under the same edge router, it is possible to guide traffic to the packet processing device while distributing the load among the packet processing devices.

  This makes it possible to detect and analyze abnormal traffic and control in a wide area network at a low cost.

Next, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 shows an example of a network model of a network to which the present invention is applied. The network includes subscriber user accommodation devices 1 to 4, packet transfer devices 5 to 6, packet processing devices 7 to 8, and a network control device 9 that controls them, and user terminals 10 to 17 are connected to each access network 18 to 21, the subscriber user accommodation devices 1 to 4 are accommodated. In general, the subscriber user accommodation devices 1 to 4 are called edge nodes or edge routers, and the packet transfer devices 5 to 6 are called core nodes or core routers. The subscriber user accommodation devices 1 to 4 are connected by packet transfer devices 5 to 6. A network composed of the subscriber user accommodation devices 1 to 4, the packet transfer devices 5 to 6 and the packet processing devices 7 to 8 is a core network 22, and a network composed of user terminals is a user network 23.

  The subscriber user accommodation device 1 is assigned core # 1 as an address for identifying the device, and the subscriber user accommodation device 2 is assigned core # 2 as an address for identifying the device. The subscriber user accommodation device 3 is assigned a core # 3 as an address for identifying the device, and the subscriber user accommodation device 4 is assigned a core # 4 as an address for identifying the device. The packet transfer apparatus 5 is assigned a core # 5 as an address for identifying the apparatus, and the packet transfer apparatus 6 is assigned a core # 6 as an address for identifying the apparatus. The packet processing device 7 is assigned a core # 7 as an address for identifying the device, and the packet processing device 8 has a core as an address for identifying the device. 8 are applied, the route to reach each of which is managed by the routing protocol.

  Core # 1 to core # 8 are IPv4 addresses if the core network is an IPv4 network, and OSPF (Open Shortest Path First: RFC2328) or the like is used as a routing protocol at that time. If the core network is an IPv6 network, it becomes an IPv6 address. As a routing protocol at that time, OSPFv6 (Open Shortest Path First version 6: RFC2740) or the like can be mentioned. Further, when the core network is an MPLS (Multi-Protocol Label Switching) network (RFC3031), after specifying a route by a routing protocol, RSVP-TE (Reservation Protocol with Traffic Engineering: RFC3209) or CR-LDP (Constrain-based). A path called LSP (Label Switched Path) is set between the source and destination packet transfer apparatuses using a signaling protocol such as Label Distribution Protocol (RFC 3212).

  Similarly, user terminal 10 is identified by address IP # 1, user terminal 11 is identified by address IP # 2, user terminal 12 is identified by address IP # 3, and user terminal 13 is identified by address IP # 2. 4, user terminal 14 is identified by address IP # 5, user terminal 15 is identified by address IP # 6, user terminal 16 is identified by address IP # 7, and user terminal 17 is addressed by address IP # 6. It is identified by IP # 8.

  FIG. 2 shows an example of a physical model of a network to which the present invention is applied. The network control device 9 is connected to each device in the network. In this embodiment, the links 108 to 115 ensure connectivity with each device. The subscriber user accommodation device 1 and the packet transfer device 5 are connected by a link 101, the subscriber user accommodation device 2 and the packet transfer device 5 are connected by a link 102, and the subscriber user accommodation device 3 and the packet transfer device 6 are a link 103. The subscriber user accommodation device 4 and the packet transfer device 6 are connected by a link 104, the packet transfer device 5 and the packet transfer device 6 are connected by a link 105, and the packet transfer device 5 and the packet processing device 7 are connected by a link 106. The packet transfer device 6 and the packet processing device 8 are connected by a link 107. As the link, an optical path such as an optical fiber or an optical wavelength, or a physical cable such as an Ethernet cable is shown.

  FIG. 3 shows a configuration example of a network control apparatus installed in a communication network that implements the network control method of the present invention. The network control device has a control flow management function 24 and an external device control unit 25.

  The control flow management function 24 has a guide destination management list 26, a guide destination traffic management function 27, and a flow guide destination management function 28.

  The guide destination management list 26 has a function of prioritizing and managing a plurality of packet processing device candidates as traffic guide destinations for each subscriber user accommodation device. This list assumes that the operator sets statically based on the positional relationship between the subscriber user accommodation device and each packet processing device, the number of hops on the relay path between both devices, etc. You may set dynamically from the traffic load condition of the apparatus on the relay path between both apparatuses.

  The destination traffic management function 27 collects and manages current transfer data amount information of each packet processing device, and sets and manages a threshold value indicating an allowable upper limit value of the transfer data amount of each packet processing device. Is held. The network control device collects traffic counters and MIB information held by the packet processing device using a command line interface or SNMP (Simple Network Management Protocol). The threshold is set by the operator according to the performance of each packet processing device. The guide destination traffic management function 27 collects and manages the transfer load information including the transfer data amount, the transfer packet number, and the transfer packet flow number instead of the transfer data amount information, and uses this information. Also good.

  The flow guide destination management function 28 includes a destination address and a source address, a destination subscriber user accommodation device address, a source subscriber user accommodation device address, and a packet flow currently guided to each packet processing device. The destination packet processing device and the flow management list for managing the amount of transfer data. Further, when the packet processing device can collect the transfer data amount for each packet flow, the transfer data amount of each packet flow managed by this function is the same as that when the guide destination traffic management function 27 collects the transfer data amount. The packet flow transfer data amount on the apparatus is also periodically updated by collecting the data.

  The control flow management function 24 includes the address of the destination subscriber user accommodation device, the address of the transmission source subscriber user accommodation device, the packet flow information composed of the destination address and the transmission source address, and the transfer data amount of the packet flow. A function for identifying a packet processing device that is a first guide destination candidate for the destination subscriber user accommodation device from the guide destination management list when receiving a control information notification comprising: From the management function 27, when adding the transfer data amount of the packet flow to the current transfer data amount of the specified packet processing device, a function for designating whether or not the threshold value in the packet processing device is exceeded; If there is not, it is decided to detour the traffic guide destination to the packet processing device that is the first guide destination candidate, and the external device control described later. A function to instruct the unit 25 to set a logical port between the destination subscriber user accommodation device and the packet processing device, and when the threshold value is exceeded, from the guidance destination management list 26 to the destination subscriber user accommodation device When the packet processing device that is the second guide destination candidate is specified and the transfer data amount of the packet flow is added to the current transfer data amount of the specified packet processing device from the guide destination traffic management function 27 Specify whether to exceed the threshold in the packet processing device, give up to the user that control is not possible when it exceeds, and notify the user that control is impossible, and if the threshold is not exceeded, A function for requesting the external device control unit 25 to set a logical port between the packet processing devices, and outputting the packet flow to the logical port while preventing a loop. The routing to have a function of requesting the external apparatus controller 25 so as to instruct the destination subscriber user accommodation apparatus.

  Also, with this function, before instructing logical port setting, the flow guidance destination management function 28 is referred to to check whether or not a packet flow is induced between the devices, and there is a guided packet flow. When doing this, the logical port setting instruction is not issued because the logical port has already been set. In addition, this function tries to guide the packet processing device to the second destination candidate, but it is possible to limit the number of trial destinations, but basically all guide destination candidates listed in the destination management list Attempt control on.

  Note that the destination subscriber user accommodation device address, the transmission source subscriber user accommodation device address, the packet flow information composed of the destination address and the transmission source address, and the control composed of the transfer data amount of the packet flow. Instead of receiving notification of information, it has the function of identifying the subscriber user accommodation device that accommodates the address from the address, and the packet flow information composed of the destination address and the source address and the amount of transfer data of the packet flow When the control information notification is configured, the destination subscriber user accommodation device may be identified from the destination address, and the transmission source subscriber user accommodation device may be identified from the transmission source address.

  In addition to the above, when the control flow management function 24 is notified of the guidance release configured by the packet flow information, the control flow management function 24 specifies the traffic processing destination packet processing device from the flow guidance destination management function 28 and logically processes the packet flow. A function for requesting the external device control unit 25 to delete the route output to the port, and the external device control unit 25 to delete the logical port set between the destination subscriber user accommodation device and the packet processing device. And a function of deleting the packet flow information from the flow guide destination management function 28.

  Also, with this function, before instructing the logical port deletion, the flow guidance destination management function 28 is referenced to check whether a packet flow is induced between the devices, and there is a guided packet flow. When doing so, the logical port deletion instruction is omitted.

  In addition to the above, when the transfer data amount of each packet processing device periodically collected by the guidance destination traffic management function 27 exceeds the threshold, the control flow management function 24 The packet flow guided to the packet processing device is identified, and one or a plurality of packet flows as redirection candidates are extracted so as to suppress the transfer data amount to a threshold value or less, and the destination subscriber user accommodation device of the extracted packet flow From the destination management list and specifying the other packet processing device as the redirection destination, and the packet data when the transfer data amount of the packet flow is added to the current transfer data amount of the specified packet processing device A function for specifying whether or not the threshold value in the processing device is exceeded, and when the threshold value is not exceeded, the traffic guide destination is a re-direct destination candidate A function to instruct the external device controller 25 to set a logical port between the destination subscriber user accommodation device and the packet processing device by deciding to make a detour to a certain packet processing device, and when a threshold value is exceeded Then, another redirection destination candidate packet processing device is identified for the destination subscriber user accommodation device from the guidance destination management list, and the current transfer data amount of the identified packet processing device is determined from the guidance destination traffic management function 27. Identifies whether or not the packet processing device threshold is exceeded when the amount of data transferred for the packet flow is added. If it exceeds, the control is abandoned. If the threshold is not exceeded, the destination subscriber user is accommodated. A function for requesting the external device control unit 25 to set a logical port between the device and the packet processing device, and the logical port while preventing a loop. The route setting for outputting Ttofuro has a function of requesting the external apparatus controller 25 so as to instruct the destination subscriber user accommodation apparatus. In addition, in these functions, a packet processing device other than the current guidance destination and a packet processing device with a higher priority is tried as a candidate packet processing device as a redirecting destination packet processing device.

  The external device control function 25 has a logical port setting instruction function 29 and a path setting instruction function 30.

  The logical port setting instruction function 29 indicates a packet processing apparatus for the subscriber user accommodation apparatus, for the subscriber user accommodation apparatus and the packet processing apparatus instructed by the control flow management function 24 to set a logical port. Instruct the packet processing device to set the logical port to the address and generate the transfer route, and instruct the packet processing device to set the logical port to the address indicating the subscriber user accommodation device and set the transfer route. For the subscriber user accommodation device and the packet processing device instructed to delete the logical port from the function and the control flow management function 24, the subscriber user accommodation device is set to the address indicating the packet processing device. The packet processing device is instructed to delete the transferred logical port and the transfer route is deleted. It has a function to instruct to delete the transfer path to remove the logical port that has been set in the addressed less.

  The route setting instruction function 30 designates the header information of the packet to be output to the logical port set between the destination subscriber user accommodation device and the packet processing device from the notification information or the flow guide destination management function 28, and the packet header information When a packet having a packet is received from a device other than the logical port set between the devices, a function to instruct to add an entry to an ACL (Access Control List) to output to the logical port, and an instruction to delete the ACL entry It has a function.

  The external device control function 25 manages whether or not the notification of completion of each control has been received from the device. When the reception of the notification for a certain time cannot be confirmed, the external device control function 25 It has a function of notifying the control flow management function 24 of the completion of control when it is received from the apparatus.

  Thereby, the destination of the packet flow can be dynamically set according to the amount of transfer data of each packet processing device, and a specific transfer packet can be transmitted to the packet processing device based on the packet header condition.

  As a result, abnormal traffic detection / analysis and control in a wide area network can be carried out by distributing the load among a plurality of packet processing devices, and abnormal traffic protection can be realized at low cost.

  FIG. 4 shows a configuration example of a subscriber user accommodation device installed in a communication network that implements the network control method of the present invention. The subscriber user accommodation device includes a packet transfer unit 31 and a server connection unit 32.

  The packet transfer unit 31 has a transfer table 33, an access control list 34, and a logical port setting function 35.

  The forwarding table 33 has a function of deriving an output label value and an output link from header information of the input packet. Compared to the claims, the label value indicates the logical port. In the present embodiment, a label value and a destination address are described as header information examples (see FIGS. 7 and 9 for specific examples of the transfer table 33). Here, the default input label value indicates that no label is given. Conventionally, a network without a label is a connectionless network such as an IP network, and a network with a label is a connection-oriented network such as an MPLS network. In an IP network, an output destination is specified by a routing protocol, and in an MPLS network, an output destination is specified by a routing protocol and a signaling protocol. For this reason, the transfer table may be divided and managed based on the presence or absence of a label value. Furthermore, a transmission source address may be described as header information, and the operator may be set to output only a specific inter-user flow to another route.

  In this embodiment, the output logical port and the output physical port are described in the transfer table 33. However, these may be described as separate tables. In this case, the entry whose input label is default is described in a table for deriving the output physical port from the destination address. In addition, entries for which input label values are specified are described in a table for deriving output label values from input label values and a table for deriving output physical ports from output label values.

  The access control list 34 has a function of managing transfer information to be applied with priority over the transfer table 33 and a function of applying transfer information held by this function before referring to the transfer table 33. In the present embodiment, the header information of the input packet, the output label value, and the output link correspond to the transfer information. For example, when only a part of the header information of the input packet is described, only the described information becomes the application condition.

  The logical port setting function 35 has a function of setting a logical port between a destination having a specific address and a function of deleting a logical port between the destination having a specific address. For example, when the core network is an MPLS network, the logical port setting function 35 uses a signaling protocol to set an LSP with a destination having a specific address.

  When the server connection unit 32 receives an instruction from the network control device, passes the instruction from the network control device to each function, and completes the control based on the instruction from the network control device, the server connection unit 32 notifies the completion of the processing. Is transmitted to the network control device.

  Thereby, the subscriber user accommodation device sets a logical port between the packet processing devices based on an instruction from the network control device, extracts a packet to be transmitted to the packet processing device, and transmits only the packet to the logical port. To do. Furthermore, packets received from the packet processing device are not subject to packet extraction.

  Thus, only a specific packet is transmitted to the packet processing device, and a loop of a packet transmitted to the packet processing device is prevented.

  FIG. 5 shows a configuration example of a packet processing apparatus installed in a communication network that implements the network control method of the present invention. The packet processing apparatus includes a transfer data amount observation function 39, a packet processing function 40, a packet return function 41, and a server connection unit.

  The transfer data amount observation function 39 includes a function for counting the transfer data amount and the total transfer data amount per fixed time for the packet flow header information such as the destination address and the source address, and a transfer data amount reference request from the network control device. Has a function of notifying the current transfer data amount.

  The packet processing function 40 has a function of performing a single packet passage control process. As the packet passing control process, the cumulative value of the transfer data amount for each destination address of the transfer packet is measured at regular intervals, and when the cumulative value of the transfer data amount of a certain destination address is equal to or greater than a predetermined threshold, Regarding the packet having the destination address, in the next cycle, the control corresponding to the threshold excess amount is discarded, the total number of transfer packets and the transfer data amount for each header information of the received packet are observed at regular intervals, When the increase value of the number of transfer packets of certain header information and the cumulative value of the transfer data amount exceeds a predetermined threshold value, a control for discarding the packet holding the header information from the next period is given. In these controls, a transfer packet count table that counts the number of transfer packets with respect to the destination address, a transfer data amount count table that accumulates the transfer data amount with respect to the destination address, and an entry in each table at regular intervals. A function to save the count value and save the count value, a function to compare the stored value with the threshold value, a function to discard packets that exceed the threshold value at the time of comparison at a variable rate, It is necessary to have a function to be implemented. The packet passing process also includes a function for charging based on the amount of transmitted / received data and a function for collecting and managing a log of passing packets.

  The packet return function 41 has a return path setting function 43 and a packet return table 44.

  The return path setting function 43 has a function of setting a logical port between a destination having a specific address and a function of deleting a logical port set between the destination having a specific address. Yes. For example, when the core network is an MPLS network, the return path setting function 43 uses a signaling protocol to set an LSP with a destination having a specific address.

  The packet return table 44 has a function of deriving an output logical port and an output physical port set between the receiving subscriber user accommodation devices of the packet from the input logical port of the received packet. From the label value of the packet, it has the function of deriving the label and output link assigned to the logical port set between the guide subscriber user accommodation devices of the packet. The function for specifying the output logical port and the output physical port may be divided into two tables. In this case, a table for specifying the output logical port from the input logical port and a table for specifying the output physical port from the output logical port are held.

  When the packet return function 41 receives an instruction to set a logical port between specific addresses from the above-mentioned network control device, the return path setting function 43 sets a logical port between designated addresses, When a logical port is set from the specified address, the label corresponding to the route determined when the logical port is set is derived from the label corresponding to the route determined when the logical port is set. The packet return table 44 has a function of describing in the packet return table 44 such that the output destination of the route determined when the logical port is set by itself is paired with the label assigned to the route. .

  Further, the packet return function 41 deletes the logical port between the designated addresses by the return path setting function 43 when receiving an instruction to release the logical port between specific addresses from the network control device. The function of deleting the entry of the packet return table 44 relating to the label corresponding to the route.

  When the server connection unit 42 receives an instruction from the network control device, passes the instruction from the network control device to each function, and completes the control based on the instruction from the network control device, the server connection unit 42 notifies the completion of the processing. Is transmitted to the network control device.

  As a result, the packet processing device observes the transfer data amount of the transfer packet flow, sets the logical port between the subscriber user accommodation devices based on the instruction from the network control device, and receives the packet received from the subscriber user accommodation device. Is returned to the subscriber user accommodation device.

  As a result, the packet processing apparatus can receive the traffic, analyze it, and return it to the subscriber user accommodation apparatus while controlling it, and observe the transfer data amount of the packet processing apparatus and refer to the network control apparatus.

(Description of operation)
An operation example of the present invention will be described using the network model of FIG. In an initial state, a packet is transmitted between the user # 1 and the user # 5 via the subscriber user accommodation device 1, the link 101, the packet transfer device 5, the link 105, the packet transfer device 6, the link 103, and the subscriber user accommodation device 3. Forwarding. Assume that control is performed to bypass the flow to the packet processing device.

  FIG. 7 shows an operation example of the subscriber user accommodation device 3 before the detour control to the packet processing device. As described above, the forwarding table 33 has a function of deriving the output label value and the output link from the header information of the input packet. In this embodiment, as shown in FIG. Label value and destination address are described. The default input label value indicates that no label is assigned.

  FIG. 7 shows a case where the subscriber user accommodating device 3 receives a packet having a source address of user # 1 and a destination address of user # 5 from the link 103. When the subscriber user accommodation device 3 receives the packet, the packet transfer unit 31 refers to the transfer table 33 and specifies the output link 116 from the search key whose input label value is default and whose destination address is user # 5. The packet is output to the link 116.

  FIG. 8 shows an operation example of the network control device 9 at the start of detouring to the packet processing device. As described above, the guide destination management list 26 has a function of prioritizing and managing a plurality of packet processing device candidates as traffic guide destinations for each subscriber user accommodation device. In the example, for example, in the third row, traffic guide candidate 1 of core # 3 (subscriber user accommodation accommodation device 3) is core # 8 (packet processing device 8), and candidate 2 is core # 7 (packet processing device). 7). As described above, the guide destination traffic management function 27 collects and manages the current transfer data amount information of each packet processing device and sets a threshold value indicating an allowable upper limit value of the transfer data amount of each packet processing device. In the example of FIG. 8, for example, as shown in the second line, the current transfer data amount of the core # 8 (packet processing device 8) is 100 Mb / s (byte per second). The threshold value indicating the allowable upper limit value of the transfer data amount is 500 Mb / s.

  The network control device 9 controls the packet flow header information to be controlled, the source subscriber user accommodation device of the packet, the destination subscriber user accommodation device, and the control information including the transfer data amount of the packet flow (example in FIG. 8). Then, when receiving destination address: user # 5, destination subscriber user accommodation device: core # 3, transmission source subscriber user accommodation device: core # 1, transfer data amount: 200 Mb / s), destination subscriber user accommodation The guidance destination management list 26 is searched using the device core # 3 as a search key, the core # 8 that is the guidance destination candidate 1 is specified, and the current transfer data amount of the core # 8 is 100 Mb / s using the guidance destination traffic management function 27. After confirming that the transfer data amount 200 Mb / s of the packet flow is added to (byte per second), the packet flow is below the threshold value 500 Mb / s. Determining the induction destination packet processor core # 8, as well as adds the packet flow information to guide destination traffic management function 27 performs the following control.

(A) The logical port setting instruction function 29 is used to instruct the address core # 3 indicating the destination subscriber user accommodation apparatus to set the logical port to the address core # 8 indicating the detour packet processing apparatus.
(B) The logical port setting instruction function 29 is used to instruct the address core # 8 indicating the packet processing apparatus to set the logical port to the address core # 3 indicating the bypassing subscriber user accommodating apparatus.
(C) Using the route setting instruction function 30, for the address core # 3 indicating the subscriber user accommodation device, the label assigned to the logical port to the address core # 8 indicating the detour packet processing device is An instruction is given to a packet whose address is user # 5.
At this time, when the destination traffic management function 27 manages a plurality of flows and there is another entry having the subscriber user accommodation device core # 3 and the packet processing device core # 8, (a) and (b) ) Is omitted.

  FIG. 9 shows an operation example of the subscriber user accommodation device 3 at the start of detouring to the packet processing device. In response to the instruction (a) from the network control device 9, the subscriber user accommodation device 3 uses the logical port setting function 35 to set a logical port for the packet processing device core # 8. At this time, the logical port corresponding to (b) is also set from the packet processing device core # 8. The subscriber user accommodation device 3 specifies the label # 1 assigned to the logical port and the label # 2 assigned to the logical port described later. Further, in response to the instruction (c) from the network control device 9, the label # 1 and the label # 1 assigned to the logical port with respect to “the packet whose destination address is the user # 5” which is the designated header condition An entry for specifying the output link 103 corresponding to is added to the access control list 34. Here, the input label value is an arbitrary value other than the label # 2 assigned to the logical port installed between the packet processing device core # 8, and the entry is valid for all the input label values including the default. .

  At this time, when the same packet as in FIG. 7 is received, the access control list 34 is hit, the output label # 1 and the output link 103 are specified from the search key whose input label value is default and destination address is user # 5, and the packet Is output to the link 103.

  As described above, when the header information to be controlled, the destination subscriber user accommodation device of the packet, and the packet processing device that transmits the packet are input to the network control device, the packet is transmitted to the packet processing device. Is possible.

FIG. 10 shows an operation example of the packet processing device 8 at the start of detouring to the packet processing device.
In response to the instruction (b) from the network control device 9, the packet processing device 8 uses the return path setting function 43 to set a logical port for the packet transfer device core # 3. At this time, the logical port corresponding to (a) is also set from the subscriber user accommodating apparatus core # 3.

  The packet processing device 8 specifies the label # 2 assigned to the logical port and the label # 1 assigned to the logical port described later, and sets the output link 107 from the label # 1 to the return label # 2 and the label # 2. An entry for specifying is set in the packet return table 44. The packet return table 44 is a table for deriving the output logical port and the output physical port set between the receiving subscriber user accommodating devices of the packet from the input logical port of the received packet.

  At this time, when the packet transferred from the subscriber user accommodation apparatus 3 in FIG. 9 is received, the packet processing function 40 is relayed, and the controlled packet is transferred to the packet return function 41. The packet return function 41 refers to the packet return table 44, specifies the label # 2 and the output link 107 for outputting to the return path from the label # 1 of the packet, deletes the label # 1, and labels # 2 Then, the packet is re-encapsulated and the packet is transmitted to the link 107.

  Further, the packet processing device 8 counts the transfer data amount for the transmission source address and the destination address of the received packet by the transfer data amount observation function 39. The count data is totaled at regular intervals, and the network control device 9 refers to the count data of each packet processing device with an SNMP reference request, or each packet processing device notifies the network control device 9 with an SNMP trap notification.

  As described above, when the header information to be controlled, the destination subscriber user accommodation device of the packet, and the packet processing device that transmits the packet are input to the network control device, the packet is transmitted to the packet processing device. After the transfer data amount for each header information is aggregated by the packet processing device, it is analyzed, and the packet related to normal traffic is returned to the subscriber user accommodation device from which the packet is extracted.

  This makes it possible to set a detour path to the packet processing device and to analyze and control abnormal traffic while observing the amount of data transferred by the packet processing device.

  FIG. 11 shows a transfer path after detour control to the packet processing apparatus. Between user # 1 and user # 5, subscriber user accommodation device 1, link 101, packet transfer device 5, link 105, packet transfer device 6, link 103, subscriber user accommodation device 3, link 103, packet transfer device 6 Packet 107 is transferred via link 107, packet processing device 8, link 107, packet transfer device 6, link 103, and subscriber user accommodation device 3.

  As described above, according to the present invention, when a control target packet flow occurs, a packet flow guidance destination packet processing device is determined from a plurality of prioritized packet processing devices determined for each subscriber user accommodation device. It is possible to identify and bypass a specific packet to the packet processing device 8 while preventing a loop between the subscriber user processing device 3 and the packet processing device 8.

FIG. 12 shows an operation example of the network control device 9 at the start of detouring to a packet processing device that requires load distribution among a plurality of packet processing devices.
The network control device 9 controls the packet flow header information to be controlled, the source subscriber user accommodation device of the packet, the destination subscriber user accommodation device, and the control information including the transfer data amount of the packet flow (example in FIG. 12). Then, when receiving destination address: user # 5, destination subscriber user accommodation device: core # 3, transmission source subscriber user accommodation device: core # 1, transfer data amount: 200 Mb / s), destination subscriber user accommodation The guide destination management list 26 is searched using the device core # 3 as a search key, the core # 8 that is the guide destination candidate 1 is specified, and the current transfer data amount of the core # 8 is 400 Mb / s (byte per second). Since the threshold value exceeds 500 Mb / s when the transfer data amount of 200 Mb / s is added, the core # 7 that is the guide destination candidate 2 is specified, and the current transfer data amount of the core # 7 is 10 When the transfer data amount 200 Mb / s of the packet flow is added to Mb / s, it is confirmed that the threshold value is less than 400 Mb / s, the packet processing device of the packet flow is determined to be the core # 7, and the flow guide destination The packet flow information is added to the management function, and the control after (a) described in FIG. 8 is performed.

  As described above, according to the present invention, when a control target packet flow occurs, a packet flow guidance destination packet processing device is determined from a plurality of prioritized packet processing devices determined for each subscriber user accommodation device. In this case, when it is determined that there is a possibility of congestion after the control, the next candidate packet processing device is specified.

  As a result, load distribution among a plurality of packet processing apparatuses can be realized, and abnormal traffic analysis / control can be realized at low cost.

  FIG. 13 shows a transfer path after control to which the load distribution shown in FIG. 12 is applied. Although the same control information as that at the time of control in FIG. 11 is received, in this figure, the subscriber user accommodation device 1, the link 101, the packet transfer device 5, the link 105, the packet transfer, between the user # 1 and the user # 5. Device 6, link 103, subscriber user accommodation device 3, link 103, packet transfer device 6, link 105, packet transfer device 5, link 106, packet processing device 7, link 106, packet transfer device 5, link 105, packet transfer The packet is transferred via the device 6, the link 103, and the subscriber user accommodation device 3.

  FIG. 14 shows an operation example of the network control apparatus when performing dynamic load balancing among a plurality of packet processing apparatuses other than when control information is received. The flow guide destination management function 28 includes a guide destination packet processing device, a destination address and a source address, a destination subscriber user accommodation device address, and a source of the packet flow currently guided to the guide destination packet processing device. It has a flow management list for managing the address of the subscriber user accommodation device and the amount of transfer data.

  The network control device 9 periodically collects the transfer data amount of each packet processing device. At this time, the transfer data amount at the time of collection is compared with the threshold value managed by the guide destination traffic management function 27. Here, when it is detected that the total transfer data amount of the packet processing unit core # 8 exceeds the threshold by 100 Mb / s (in the example of FIG. 14, 600 Mb / s (total transfer data amount of the core # 8) −500 Mb / s) s (threshold of core # 8) = the total transfer data amount of core # 8 exceeds the threshold of core # 8 by 100 Mb / s), and the packet flow or flows directed to the packet processing apparatus Then, one or a plurality of packet flows that are specified from the guidance destination traffic management function 27 and that have a transfer data amount of 100 Mb / s or more exceeding the threshold are extracted. In this embodiment, the singular case is taken as an example, but the plural case can be dealt with by repeating the singular case a plurality of times. In the present embodiment, a packet flow whose destination user address is user # 5 and whose source address is user # 1 is specified as a control target packet flow.

  Since the destination subscriber user accommodation apparatus of this packet flow is the core # 3, the guide destination management list 26 is searched using the core # 3 as a search key, and the packet processing apparatus core # 8 of the candidate 1 is specified. Since # 8 is the current guidance destination packet processing device, it is assumed that the candidate 2 packet processing device core # 7 is the new guidance destination. If candidate 1 is not the current guidance destination, it is assumed that candidate 1 is a new detour destination.

  When the network control device 9 identifies the current transfer data amount 100 Mb / s of the assumed packet processor core # 7 from the guidance destination traffic management function 27 and adds it to the transfer data amount 200 Mb / s of the control target packet flow, After confirming that the threshold value is below 400 Mb / s, the packet processor core # 7 is determined as a new guidance destination. When it is confirmed that the threshold value is exceeded, the next candidate is specified from the guide destination management list 26. After the packet processing device core # 7 is determined as the new guidance destination, the guidance destination packet processing device of the packet flow information of the flow guidance destination management function is updated to the core # 7, and the following control is performed.

(A) The logical port setting instruction function 29 is used to instruct the address core # 3 indicating the destination subscriber user accommodating apparatus to set the logical port to the address core # 7 indicating the detour packet processing apparatus.
(B) The logical port setting instruction function 29 is used to instruct the address core # 7 indicating the packet processing apparatus to set the logical port to the address core # 3 indicating the bypassing subscriber user accommodating apparatus.
(C) Using the route setting instruction function 30, a label assigned to the packet whose destination address is the user # 5 is assigned to the logical port to the core # 8 with respect to the address core # 3 indicating the subscriber user accommodating device. The label is changed to the label assigned to the logical port to the core # 7.
At this time, when the destination traffic management function 27 manages a plurality of flows and there is another entry having the subscriber user accommodation device core # 3 and the packet processing device core # 7, (a) and (b) ) Is omitted.

  As described above, according to the present invention, even when there is a possibility that the transfer data amount of the packet flow being guided to the packet processing device dynamically increases and congestion occurs in the packet processing device, each subscriber user accommodating device A new guidance destination packet processing device in which congestion does not occur after control is specified from a plurality of predetermined prioritized packet processing devices.

  As a result, dynamic load distribution among a plurality of packet processing devices can be realized, and abnormal traffic analysis / control can be realized at low cost.

  Each device described above has means for realizing the function, and the means can be constituted by a computer and a program stored in a storage device. Moreover, it can replace with a part or all of the program, and can also be comprised with a hardware.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Of course.

2 shows an example of a network model of a network to which the present invention is applied. 2 shows an example of a physical model of a network to which the present invention is applied. 1 shows a configuration example of a network control apparatus installed in a communication network that implements the network control method of the present invention. The example of a structure of the subscriber user accommodation apparatus installed in the communication network which implements the network control method of this invention is shown. 1 shows a configuration example of a packet processing apparatus installed in a communication network that implements the network control method of the present invention. The transfer path example before the detour control to the packet processing device is shown. The operation example of the subscriber user accommodation apparatus 3 before the detour control to a packet processing apparatus is shown. An example of the operation of the network control device at the start of detouring to the packet processing device is shown. The operation example of the subscriber user accommodation apparatus 3 at the time of the detour start to a packet processing apparatus is shown. An operation example of the packet processing device 8 at the start of detouring to the packet processing device is shown. The transfer path example after the detour control to the packet processing device is shown. An example of the operation of the network control device during load distribution among a plurality of packet processing devices is shown. The transfer path example after the detour control to the packet processing device is shown. An example of the operation of the network control device during dynamic load distribution among a plurality of packet processing devices is shown.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1-4 ... Subscriber user accommodation apparatus, 5-6 ... Packet transfer apparatus, 7-8 ... Packet processing apparatus, 9 ... Network control apparatus, 10-17 ... User terminal, 18-21 ... Access network, 22 ... Core network , 23 ... User network, 24 ... Control flow management function, 25 ... External device control unit, 26 ... Connection destination management list, 27 ... Guide destination traffic management function, 28 ... Flow connection destination management function, 29 ... Logical port setting instruction function , 30 ... Path setting instruction function, 31 ... Packet transfer unit, 32 ... Server connection unit, 33 ... Transfer table, 34 ... Access control list, 35 ... Logical port setting function, 39 ... Transfer data amount observation function, 40 ... Packet processing Function 41 ... Packet return function 42 ... Server connection unit 43 ... Return path setting function 44 ... Packet return table 10 -116 ... link

Claims (6)

Multiple subscriber user accommodation devices capable of setting logical ports, multiple packet processing devices capable of setting logical ports and equipped with a packet passage control function, destination subscriber user accommodation device addresses and transmission source subscriptions A network in a packet transfer network having a network control device that receives notification of packet flow information composed of an address, a destination address and a source address of a user user accommodating device and control information composed of a transfer data amount of the packet flow A control method,
The network controller is
For each subscriber user accommodation device, managing a plurality of prioritized packet processing device lists,
Add the amount of transfer data of the notified packet flow and the amount of transfer data of the first priority packet processing device for the destination subscriber user accommodation device described in the notification, and check whether it exceeds a predetermined value And
If it does not exceed a certain value, set a logical port between the subscriber user accommodation device and the packet processing device,
A network characterized in that when a certain value is exceeded, the above processing is tried from a packet processing device having a high priority and a logical port is set between a certain packet processing device and the subscriber user accommodation device. Control method. The network control method according to claim 1,
The packet processing device
Count the amount of transfer data per fixed time of the passing packet flow,
The network controller is
While managing the packet flow transferred to each packet processing device as a flow management list together with the source subscriber user accommodation device and the destination subscriber user accommodation device,
By referring to the total amount of transfer data for each fixed time of the packet processing device and detecting a packet processing device whose transfer data amount exceeds a predetermined value, transfer data exceeding the excess amount is detected for the packet processing device. Identify one or more observed packet flows, identify the destination subscriber user accommodation device of the packet flow from the flow management list for the identified packet flow, and specify the first packet flow for the destination subscriber user accommodation device. Add the transfer data amount of the one-priority packet processing device and the transfer data amount of the specified packet flow, and check whether it exceeds a predetermined value,
When it does not exceed a certain value, the packet processing device is set as a new packet flow transfer destination,
A network control method, characterized in that when a certain value is exceeded, the above processing is tried from a packet processing device having a high priority, and a certain packet processing device is identified as a new packet flow transfer destination. The network control method according to claim 1 or 2,
The network controller is
Receives notification of the address of the destination subscriber user accommodation device, the address of the transmission source subscriber user accommodation device, the packet flow information composed of the destination address and the transmission source address, and the control information composed of the transfer data amount of the packet flow. instead,
It has a function to identify the subscriber user accommodation device that accommodates the address from the address, and notifies the packet flow information composed of the destination address and the source address and the control information composed of the transfer data amount of the packet flow. Upon receipt, the destination subscriber user accommodation device is identified from the destination address, the transmission source subscriber user accommodation device is identified from the transmission source address, and the identified subscriber user accommodation device is designated as the subscriber user described in the notification. A network control method characterized by being used as a storage device. The network control method according to any one of claims 1 to 3,
A network control method characterized by using a transfer load composed of a transfer data amount, a transfer packet number, and a transfer packet flow number instead of the transfer data amount. In the network control method according to any one of claims 1 to 4,
The packet processing device is
As the packet passing process of the packet passing control function, the cumulative value of the transfer data amount for each destination address of the transfer packet is measured at a certain period, and the cumulative value of the transfer data amount of a certain destination address is equal to or greater than a predetermined threshold value. A network control method characterized by discarding a packet corresponding to a threshold excess amount in the next period with respect to a packet having the destination address. In the network control method according to any one of claims 1 to 4,
The packet processing device is
As the packet passing process of the packet passing control function, the cumulative value of the transfer packet number and the transfer data amount for each header information of the received packet is observed at regular intervals, and the transfer packet number of the header information and the cumulative value of the transfer data amount are observed. A network control method characterized by discarding a packet having the header information from the next cycle when the increase value of the value exceeds a predetermined threshold value.

Images