JP6321496B2 - Packet header identification control device, control method, control program, and management device - Google Patents

Description

  The present invention relates to a packet header identification control device, a control method, a control program, and a management device.

  In order to provide an application-aware communication service and provision, a technique for performing flow control by analyzing a payload portion (hereinafter referred to as L7) of a packet in an IP (Internet Protocol) network has been proposed. For example, when a specific user's communication is analyzed by L7 analysis by means of flow control (hereinafter referred to as application identification means) and a flow of a specific application is identified, the technology can identify 5tuple information (source IP address) of the flow. , Destination address, transmission source port number, destination port number, and protocol number) are recorded as application identification results. Then, the application identification means identifies and controls the packet of this flow by the 5 tuple information of the application identification result. As a result, the application identification unit can control the flow of a specific user and a specific application without performing L7 analysis on all packets of the flow.

  An architecture has also been proposed for performing charging control and policy control (priority control, filtering, maximum bandwidth limitation, etc.) on a flow (see Non-Patent Document 1). In this architecture, PCEF (Policy and Charging Enforcement Function) is a function that realizes 5tuple-based flow control, TDF (Traffic Detection Function) is a function that realizes application detection through L7 analysis, and policies are managed for PCEF and TDF. The function to be set is defined as PCRF (Policy Control and Charging Rules Function).

3GPP TS 23.203: 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Policy and charging control architecture, [online], [searched August 25, 2014], Internet <URL: http: //www.qtc. jp / 3GPP / Specs / 23203-7b0.pdf />

  Here, in order to perform maintenance or the like of the application identification unit, it is necessary to switch the communication of the user accommodated in the application identification unit (switching source application identification unit) to another application identification unit (switch destination application identification unit). There is.

  However, when the above switching is performed according to the conventional technique, the switching destination application identification unit may receive a series of flows from the middle. In this case, since the switching destination application identification unit does not have the application identification result of the flow, there is a possibility that control for the flow cannot be performed.

  Further, the application identification unit may analyze the flow of a specific user for each application, and output the analysis result (for example, the count result of the number of packets) to the management device or the like every predetermined period. In such a case, if the above switching is performed, the analysis result between the time when the switching source application identification unit last transmits the analysis result and the time when the switching destination application identification unit starts the analysis of the flow becomes May be missing. That is, the flow analysis result may not be accurate.

  In addition, in order to accurately control the existing flow and analyze the flow, the information of the application identification result and the flow analysis result is synchronized between the switching source application identifying unit and the switching destination application identifying unit. It is also possible to take However, the switching-destination application identification unit must be provided on a one-to-one basis with respect to the switching-source application identification unit, which requires many resources. In addition, the information synchronization described above has a large processing load on the application identification means, which may affect flow control and flow analysis.

  Therefore, the present invention solves the above-described problem and, when switching application identification means, controls the existing flow and performs flow control without performing information synchronization between the switching source and switching destination application identification means. The task is to perform the analysis accurately.

  In order to solve the above-described problems, the present invention provides a packet header identification control device for transferring a flow transmitted from a user terminal or a server to a predetermined application identification device in a network, wherein the application identification of a transfer destination of each flow is performed. A storage unit for storing a flow table indicating a device and a transfer policy table indicating a transfer destination application identification device of each flow designated from an external device; and when receiving a flow corresponding to the transfer policy table, A determination unit that determines whether or not there is an entry related to the received flow in the flow table; and when the determination unit determines that there is no entry related to the received flow in the flow table, the transfer of the received flow The destination is shown in the transfer policy table. A flow table updating unit that adds an entry as a raw application identification device to the flow table; and a transfer unit that transfers the received flow to the application identification device with reference to the flow table. .

  The present invention also provides a management apparatus for managing a packet header identification control apparatus for transferring a flow transmitted from a user terminal or a server to a predetermined application identification apparatus in a network, wherein the communication flow indicates a communication flow. A storage unit that stores information and application identification device information indicating a transfer destination application identification device of each flow; and when switching an application identification device in operation to another application identification device, the application identification device information and the Referring to the in-communication flow information, the first policy for changing the transfer destination of the flow having the application identification device in operation as the transfer destination to the other application identification device and the application identification device in operation are transferred. Of the previous flows, A second policy that keeps the transfer destination as the application identification device in operation, and sets the priority of the second policy to be higher than the priority of the first policy. And a policy setting unit set in the identification control device.

  According to the present invention, when switching the switching source and switching destination application identification means, it is possible to accurately control the existing flow and analyze the flow without performing information synchronization between the application identification means. it can.

FIG. 1 is a diagram illustrating an example of a configuration of a system according to the first embodiment. FIG. 2 is a diagram showing the configuration of the packet header identification control device of FIG. FIG. 3 is a diagram illustrating an example of the transfer policy table of FIG. FIG. 4 is a diagram showing the configuration of the policy management apparatus of FIG. FIG. 5 is a diagram illustrating an example of the control policy information of FIG. FIG. 6 is a diagram illustrating an example of the application identification device information in FIG. FIG. 7 is a flowchart showing a processing procedure of the policy management apparatus of FIG. FIG. 8 is a flowchart showing a processing procedure of the packet header identification control device of FIG. FIG. 9 is a diagram illustrating an example of a configuration of a system according to the second embodiment. FIG. 10 is a diagram showing a configuration of the policy management apparatus of FIG. FIG. 11 is a diagram illustrating an example of the communication flow information in FIG. FIG. 12 is a diagram illustrating an example of the packet header identification control device of FIG. FIG. 13 is a diagram illustrating an example of the flow table of FIG. FIG. 14 is a flowchart showing a processing procedure of the policy management apparatus of FIG. FIG. 15 is a diagram illustrating an example of a processing procedure of the system according to the second embodiment. FIG. 16 is a flowchart showing a processing procedure of the policy management apparatus of FIG. FIG. 17 is a flowchart showing a processing procedure in S20 of FIG. FIG. 18 is a diagram for explaining a specific example of the system according to the first embodiment and the second embodiment. FIG. 19 is a diagram illustrating an example of a transfer policy table and a flow table in the specific example of the system according to the first embodiment. FIG. 20 is a diagram illustrating an example of a processing procedure in a specific example of the system according to the first embodiment. FIG. 21 is a diagram illustrating an example of a processing procedure in a specific example of the system according to the second embodiment. FIG. 22 is a diagram illustrating a computer that executes a control program.

  Hereinafter, embodiments of the present invention will be described by dividing them into a first embodiment and a second embodiment with reference to the drawings. The present invention is not limited to this embodiment.

(First embodiment)
(Overview)
The outline of the system according to the first embodiment will be described with reference to FIG. As shown in FIG. 1, the system includes a packet header identification control device 10, an application identification device 20 (20A, 20B), and a policy management device 30. These devices are connected by a network such as the Internet. The number of each device is not limited to the number shown in FIG.

  The packet header identification control device 10 refers to header information of a flow packet received from a user terminal (not shown) or a server (for example, the servers α and β), and controls and analyzes the flow for the application identification device 20. Forward the flow to The flow transfer destination application identification device 20 here is specified by referring to the flow table 122 provided in the packet header identification control device 10.

  When the packet header identification control device 10 receives the flow A, the 5tuple information (source IP address (src IP), destination address (dst IP), source port number (src port) in the header information of the packet of this flow is received. The flow is specified from the destination port number (dst port) and the protocol number (protocol)), and the flow is transferred to the transfer destination application identification device 20 shown in the flow table 122. For example, the packet header identification control device 10 transfers the flow A of 5 tuple information = a ′ to the application identification device 20A. The packet header identification control device 10 also includes a transfer policy table 121. The transfer policy table 121 is information indicating a transfer policy in the packet header identification control device 10, and when the packet header identification control device 10 receives a packet of a new flow, the transfer of the flow according to the transfer policy is performed. Perform (details below). Note that the flow identification information (“flow” information) in the transfer policy table 121 is set to include the flow identification information (“flow” information) in the flow table 122. For example, an entry of 5tuple information = a (for example, src IP = A, dst IP = any (anything)) is set in the transfer policy table 121, and 5tuple information = a ′ (for example, src IP) in the flow table 122. = A, dst IP = B) is set.

  The application identification device 20 controls the flow transferred from the packet header identification control device 10 (for example, flow blocking or shaping, flow analysis, etc.).

  The policy management device 30 controls the packet header identification control device 10 and the application identification device 20. The policy management apparatus 30 includes control policy information 321 indicating the control content performed by the application identification apparatus 20 and application identification apparatus information 322 indicating the application identification apparatus 20 in which each flow is accommodated. Then, the control contents for the application identification device 20 are instructed, and based on the application identification device information 322, the packet header identification control device 10 is instructed to change the setting of the transfer policy.

  For example, a policy rule V and a policy rule W having a transfer destination of a specific flow (5 tuple information = a and 5 tuple information = b) as the application identification device 20 </ b> A are previously stored as information in the transfer policy table 121 of the packet header identification control device 10. When the application identification device 20A in operation in the system is switched to the application identification device 20B, the policy management device 30 uses the application identification device 20A as the transfer destination for the packet header identification control device 10. For the flow to be performed (flows A and B), the transfer policy setting is changed so as to be transferred to the application identification device 20B in the future.

  In response to this, the packet header identification control device 10 updates the information in the transfer policy table 121. For example, the transfer destination application identification apparatus 20 of the policy rule V (5 tuple information = a) and the policy rule W (5 tuple information = b) in the transfer policy table 121 is changed from “20A” to “20B”.

  Then, when the packet header identification control device 10 receives a packet of a new flow and this packet is a packet of the flow indicated in the transfer policy table 121, the packet header identification control device 10 executes the flow according to the transfer policy indicated in the transfer policy table 121. The table 122 is updated.

  Specifically, the packet header identification control device 10 stores an entry of a flow (for example, a new flow B) that is described in the transfer policy table 121 for the received flow but is not in the flow table 122 in the flow table 122. to add. Then, the packet header identification control device 10 transfers the received flow based on the added entry. For example, the new flow B is transferred to the application identification device 20B.

  Thereby, the packet header identification control device 10 transfers the newly received flow (for example, flow B) to the switching destination application identification device 20B, while transferring the flow to the switching source application identification device 20A. For (for example, the existing flow A), the transfer destination can remain the switching source application identification device 20A. Thus, the system can accurately control the existing flow and analyze the flow even when the application identification device 20 is switched.

(Packet header identification control device)
Next, the packet header identification control device 10 will be described in detail with reference to FIG. As shown in FIG. 2, the packet header identification control device 10 includes an input / output unit 11, a storage unit 12, and a control unit 13.

  The input / output unit 11 controls transmission / reception of various data to / from the policy management device 30 and the application identification device 20.

  The storage unit 12 stores a transfer policy table 121, a flow table 122, and a routing table 123.

  The transfer policy table 121 is information indicating a flow transfer policy in the packet header identification control device 10. This transfer policy is information indicating the flow to be transferred to the application identification device 20 and the latest application identification device 20 that is the transfer destination of the flow, that is, the application identification device 20 that is the switching destination of the flow. . Each transfer policy in the transfer policy table 121 is updated by the policy management apparatus 30 via the transfer policy table update unit 133 (described later).

  For example, the transfer policy table 121 illustrated in FIG. 3 indicates that the application identification apparatus 20 that is the switching destination of the policy rule V (5 tuple information = a) and the policy rule W (5 tuple information = b) is “20B”.

  The flow table 122 of FIG. 2 is information indicating the transfer destination application identification apparatus 20 having the header information for each header information (for example, 5 tuple information) of the packet of the flow.

  For example, in the flow table 122 shown in FIG. 1, the transfer destination application identification device 20 of the flow A (5 tuple information = a ′) is “20A”, and the transfer destination application identification of the flow B (5 tuple information = b ′). The device 20 indicates “20B”.

  The routing table 123 is information that is referred to when the transfer unit 131 performs normal routing. For example, when receiving a packet having header information that is not registered in the transfer policy table 121, the transfer unit 131 performs routing using the routing table 123.

  The control unit 13 includes a packet reception unit 130, a transfer unit 131, a determination unit 132, a transfer policy table update unit 133, and a flow table update unit 134.

  The packet receiving unit 130 receives a packet from a user terminal (not shown) or the like via the input / output unit 11.

  The determination unit 132 determines whether the packet received by the packet reception unit 130 is a packet of the flow described in the transfer policy table 121. Further, when the received packet is a packet of a flow described in the transfer policy table 121, the determination unit 132 determines whether there is an entry related to the flow in the flow table 122.

  When the determination unit 132 determines that the flow table 122 has an entry related to the flow (received flow), the transfer unit 131 transmits the flow to the flow indicated by the flow table 122 via the input / output unit 11. Transfer to the transfer destination application identification device 20. When the determination unit 132 determines that the packet received by the packet reception unit 130 is not a packet of the flow described in the transfer policy table 121, the transfer unit 131 uses the routing table 123 to route the packet. I do.

  The transfer policy table update unit 133 updates the transfer policy table 121 based on the transfer policy setting change instruction from the policy management apparatus 30. For example, the transfer policy table update unit 133, based on the transfer policy setting change instruction from the policy management apparatus 30, as shown in FIG. 1, in the transfer policy table 121, the policy rule V (5 tuple information = a) and the policy The application identification device 20 that is the switching destination of the rule W (5 tuple information = b) is updated from “20A” to “20B”.

  When the determination unit 132 determines that there is no entry regarding the flow (received flow) in the flow table 122, the flow table update unit 134 determines the header information of the flow and the transfer destination of the flow in the transfer policy table 121. An entry that associates the identification information of the application identification device 20 is added to the flow table 122.

  For example, when it is determined that there is no entry related to the flow B in the flow table 122, the header information of the flow B (5 tuple information = b ′) and the transfer destination of the policy rule W in the transfer policy table 121 (see FIG. 3). An entry that associates the identification information (“20B”) of the application identification device 20 is added to the flow table 122.

(Policy management device)
Next, the policy management apparatus 30 will be described in detail with reference to FIG. As shown in FIG. 4, the policy management apparatus 30 includes an input / output unit 31, a storage unit 32, and a control unit 33.

  The input / output unit 31 controls transmission / reception of various data to / from the packet header identification control device 10 and the application identification device 20.

  The storage unit 32 stores control policy information 321 and application identification device information 322.

  The control policy information 321 is information indicating the content of control performed by each application identification device 20. For example, the control policy information 321 shown in FIG. 5 “blocks” a flow that matches the identification target application “X” in the application identification device 20A (“20A”), and in the application identification device 20B (“20B”), It indicates that the flow that matches the identification target application “XX” is “counted”.

  The application identification device information 322 in FIG. 4 is information indicating the application identification device 20 that is the accommodation destination (transfer destination) of each flow. For example, in the application identification device information 322 shown in FIG. 6, the flow of 5 tuple information = a is accommodated in the application identification device 20A (“20A”), and the flow of 5 tuple information = b is stored in the application identification device 20B (“20B”). Indicates being contained.

  The control unit 33 in FIG. 4 includes an input reception unit 331, an information update unit 332, a control policy setting unit 333, and a transfer policy setting unit 334.

  The input receiving unit 331 receives an input of a switching instruction from the application identification device 20. For example, when the input reception unit 331 receives an input of information indicating that the flow having the application identification device 20 </ b> A as the accommodation destination is switched to the application identification device 20 </ b> B, the input reception unit 331 outputs this information to the information update unit 332. In addition, upon receiving information such as the update of the control policy information 321 and the application identification device information 322, the input reception unit 331 outputs this information to the information update unit 332.

  The information update unit 332 updates the control policy information 321 and the application identification device information 322 based on the update information of the control policy information 321 and the application identification device information 322 received via the input reception unit 331. For example, the information update unit 332 uses the information for switching the flow having the application identification device 20A as the accommodation destination to the application identification device 20B, with respect to the flow having the application identification device 20A as the accommodation destination in the application identification device information 322. The accommodation destination of the flow is updated to the application identification device 20B. In addition, the information update unit 332 sets the policy of the flow in the application identification device 20A in the control policy information 321 also in the policy in the application identification device 20B.

  The control policy setting unit 333 sets the control policy of each application identification device 20 indicated in the control policy information 321 for each application identification device 20. For example, when the control policy of the application identification devices 20A and 20B in the control policy information 321 is updated, the control policy setting unit 333 sets the updated control policy for each application identification device 20A and 20B.

  The transfer policy setting unit 334 sets the transfer policy table 121 for the packet header identification control device 10. For example, when the application identification device 20 that is the transfer destination of the policy rules V and W is updated from “20A” to “20B” in the application identification device information 322, the transfer policy setting unit 334 determines the policy rule in the transfer policy table 121. An instruction is given to change the application identification device 20 as the transfer destination of V and W from “20A” to “20B”.

  According to the system described above, when the application identification device 20 is switched, the packet header identification control device 10 keeps the transfer destination as the switching source application identification device 20 for the existing flow, and for the new flow The transfer destination is the switching destination application identification device 20. As a result, the system can accurately control the existing flow and analyze the flow even when the application identification device 20 is switched.

(Processing procedure)
Next, the processing procedure of the policy management apparatus 30 will be described with reference to FIG. First, when the policy management device 30 receives a switching instruction for the application identification device 20 via the input reception unit 331 (S1), the information update unit 332 updates the application identification device information 322 (S2). Further, the information update unit 332 updates the control policy information 321 (S3).

  For example, when the input reception unit 331 receives an instruction to switch the flow having the application identification device 20A as the accommodation destination to the application identification device 20B, the information update unit 332 includes the application identification device 20A in the application identification device information 322 as the accommodation destination. For the flow (flow matching the policy rules V and W), the accommodation destination of the flow is updated to the application identification device 20B. In addition, the information update unit 332 sets the policy of the flow in the application identification device 20A in the control policy information 321 also in the policy in the application identification device 20B.

  Next, the transfer policy setting unit 334 sets the transfer policy table 121 for the packet header identification control device 10 (S4). For example, when the application identification device 20 that is the transfer destination of the policy rules V and W is updated from “20A” to “20B” in the application identification device information 322, the transfer policy setting unit 334 displays the policy rule in the transfer policy table 121. An instruction is given to change the application identification device 20 as the transfer destination of V and W from “20A” to “20B”.

  Next, the processing procedure of the packet header identification control device 10 will be described with reference to FIG. First, when the packet receiving unit 130 of the packet header identification control device 10 receives a packet (S6), the determining unit 132 determines whether or not the packet received by the packet receiving unit 130 matches the transfer policy (S7). ). That is, the determination unit 132 determines whether the received packet is a packet of a flow described in the transfer policy table 121. Here, when the determination unit 132 determines that the packet received by the packet reception unit 130 does not match the transfer policy (No in S7), the transfer unit 131 transfers the packet based on the routing table 123 (S8).

  On the other hand, when the determination unit 132 determines that the packet received by the packet reception unit 130 matches the transfer policy (Yes in S7), it determines whether there is an entry for the packet in the flow table 122 (S9). ). Here, when the determination unit 132 determines that there is an entry related to the packet in the flow table 122 (Yes in S9), the transfer unit 131 transfers the packet (flow) based on the flow table 122 (S10).

  On the other hand, when the determination unit 132 determines that there is no entry related to the packet in the flow table 122 (No in S9), the flow table update unit 134 adds the entry of the packet to the flow table 122 (S11), and The transfer unit 131 transfers the packet based on the flow table 122 (that is, the flow table 122 after the entry is added) (S10).

  For example, when the packet header identification control device 10 receives a packet of a new flow, an entry related to this packet does not exist in the flow table 122. Therefore, referring to the transfer policy table 121, the transfer destination of this packet (flow) is referred to. The application identification device 20 is specified. Then, the packet header identification control device 10 adds, to the flow table 122, an entry that associates the header information (for example, 5 tuple information) of the packet with the identified application identification device 20 as a transfer destination. Then, the packet header identification control device 10 transfers the received packet based on the added entry. Further, the packet header identification control device 10 thereafter transfers the packet (flow) having the same header information as the received packet to the application identification device 20 with reference to the flow table 122 after the entry is added.

  According to the system described above, when the application identification device 20 is switched, the packet header identification control device 10 transfers the existing flow to the application identification device 20 that is the switching source, and the new flow is the switching destination. Transfer to the application identification device 20. As a result, the system can accurately control the existing flow and analyze the flow even when the application identification device 20 is switched.

(Second Embodiment)
(Overview)
The outline of the system of the second embodiment will be described with reference to FIG. The same configurations as those of the first embodiment described above are denoted by the same reference numerals and description thereof is omitted. As shown in FIG. 9, the system of the second embodiment includes a packet header identification control device 210, an application identification device 20 (20A, 20B), and a policy management device 230. These devices are connected by a network such as the Internet. The number of each device is not limited to the number shown in FIG.

  In the system according to the second embodiment, the policy management device 230 grasps which flow is in communication (during transfer) based on the communication flow information 323. Then, when switching the application identification device 20 in the system, the switching source application identification device 20 is included in the flow in which the switching source application identification device 20 is accommodated with respect to the packet header identification control device 210. For the transfer destination of the flow as the accommodation destination, a policy (first policy) is set in which the transfer destination is the application identification device 20 as the switching destination. Further, the policy management apparatus 230 has a policy of keeping the transfer destination as the switching source application identification apparatus 20 for the communication flow among the flows having the switching source application identification apparatus 20 as the accommodation destination (second processing). Policy). Here, the policy management device 230 sets the priority of the second policy higher than the priority of the first policy.

  With this setting, the packet header identification control device 210 preferentially applies the second policy over the first policy in determining the flow transfer destination. As a result, the packet header identification control device 210 keeps the transfer destination as the switching source application identification device 20 for the communication flow among the flows having the switching source application identification device 20 as the accommodation destination. For the flow (new flow), the transfer destination is the application identification device 20 that is the switching destination.

  Hereinafter, a case where the application identification device 20A is switched to the application identification device 20B will be described as an example. The flows accommodated by the application identification device 20A are the flows A and B of the user X.

  In this case, for example, when the policy management device 230 recognizes that the flow A of the user X is a communication flow, the following policy addition is added to the packet header identification control device 210 as shown in FIG. Set up. That is, the policy management apparatus 230 gives high priority to the setting of the policy (second policy) of transferring the existing flow (for example, flow A) of the user X to the application identification apparatus 20A with respect to the packet header identification control apparatus 210. The policy (first policy) of transferring the flow of user X (all flows) to the application identification device 20B is set to be applied with low priority. Further, the policy management apparatus 230 performs a policy deletion setting of transferring the flow of the user X to the application identification apparatus 20A.

  With this policy setting, the packet header identification control device 210 keeps the transfer destination of the user X's flow A (existing flow) as the application identification device 20A and the user X's flow B (new flow). The transfer destination is the application identification device 20B.

(Policy management device)
Next, the policy management apparatus 230 will be described with reference to FIG. Here, a configuration different from the policy management apparatus 30 of the first embodiment will be described.

  The communication flow information 323 in the storage unit 232 is information indicating a flow during communication. For example, the communication flow information 323 illustrated in FIG. 11 indicates that the communication flow is the flow A of the user X. In addition, as shown in FIG. 11, this communication flow information 323 may include information of information on flows that are not in communication (no communication flow). For example, the non-communication flow in the communication flow information 323 shown in FIG.

  The communication information receiving unit 330 of the control unit 233 in FIG. 10 receives a flow communication start notification and a flow communication end notification from the application identification device 20. Then, the communication information receiving unit 330 updates the in-communication flow information 323 based on the received communication start notification and communication end notification. For example, the communication information receiving unit 330 receives a communication start notification but records a flow that has not yet received a communication end notification as a communication flow in the communication flow information 323.

  For example, a notification transmitted from the application identification device 20 is used as the flow communication start notification and the flow communication end notification. For example, the communication start notification of the flow is performed when L7 analysis (payload part analysis) of the packet of the flow received by the application identification device 20 is performed and the flow matches the control policy and is determined to be a new flow. To the policy management device 230. The communication start notification of this flow includes 5 tuple information of the flow and a user identifier. The flow communication end notification is transmitted to the policy management apparatus 230 when the application identification apparatus 20 receives the final packet of the flow, for example. The communication end notification of this flow also includes the 5 tuple information and the user identifier of the flow. The user identifier includes, for example, an IP address of a flow transmission source, a MAC address (Media Access Control address), an IMSI (International Mobile Subscriber Identity) number, a VLAN (Virtual Local Area Network) ID assigned to the user line, and the like. Use.

  The policy setting unit 335 sets a policy for the packet header identification control device 210. Specifically, the policy setting unit 335 performs the following processing with reference to the application identification device information 322 and the in-communication flow information 323 when the input reception unit 331 receives information regarding switching of the application identification device 20. .

  In other words, the policy setting unit 335 specifies a flow in which the switching source application identification device 20 is an accommodation destination in the application identification device information 322. Then, the policy setting unit 335 creates a first policy in which the transfer destination of the identified flow is the switching destination application identification device 20. Further, the policy setting unit 335 refers to the communication flow information 323, and among the flows having the switching source application identification device 20 as the accommodation destination, the policy setting unit 335 determines the transfer destination of the communication flow as the switching source application identification device 20. A second policy is created. Then, the policy setting unit 335 sets the priority of the second policy out of the created policies to be higher than the priority of the first policy in the packet header identification control device 210. Further, the policy setting unit 335 performs setting to delete a policy in the packet header identification control device 210 in which the flow transfer destination is the switching source application identification device 20.

(Packet header identification control device)
Next, the packet header identification control device 210 will be described with reference to FIG. Also here, a configuration different from the packet header identification control device 10 of the first embodiment will be described.

  The flow table 122a of the storage unit 232 is information indicating the transfer destination application identification device 20 having the header information for each header information (for example, 5 tuple information) of the packet of the flow. The flow table 122a also includes information on the priority when applying each information (entry). For example, in the flow table 122a indicated by reference numeral 1201 in FIG. 13, the transfer destination application identification device 20 of 5tuple information = c (user X flow) is “20A”, and its priority is “2 (high)”. Indicates that there is. Further, the transfer destination application identification device 20 of 5 tuple information = f (user Y flow) is “20B”, and its priority is “2 (high)”.

  The flow table update unit 134a of the control unit 213 in FIG. 12 updates the flow table 122a based on the policy setting from the policy management device 230.

  For example, the flow table update unit 134a determines from the policy management device 230 that the transfer destination application identification device 20 of 5tuple information = d (user X's flow A) is “20A”, and its priority is “2 (high)”. "And the tuple information = e (all flows of user X), the transfer destination application identification apparatus 20 is" 20B ", and the priority is" 1 (low) ". When the setting for deleting the policy for setting the transfer destination application identification apparatus 20 to “20A” is received, the flow table 122a is updated from the state indicated by reference numeral 1201 in FIG. 13 to the state indicated by reference numeral 1202.

  That is, the flow table update unit 134a has an entry that the transfer destination application identification device 20 of 5tuple information = d (user X's flow A) is “20A”, and its priority is “2 (high)”. The application identification device 20 that is the transfer destination of 5tuple information = e (all flows of user X) is “20B”, and an entry that the priority is “1 (low)” is added to the flow table 122a. The application identification device 20 that is the transfer destination of information = c (user X) is “20A”, and the entry that the priority is “2 (high)” is deleted from the flow table 122a.

  Consider a case where the flow table 122a is updated in this way and the transfer unit 131 receives the flow A of the user X. In this case, the flow table 122a has two entries relating to the header of the flow A of the user X (an entry relating to the flow A of the user X shown by reference numeral 1203 in FIG. 13 and an entry relating to all the flows of the user X shown in reference numeral 1204). Among them, an entry with higher priority (entry indicated by reference numeral 1203 in FIG. 13) is applied to transfer the flow. That is, in this case, the transfer unit 131 transfers the flow A of the user X to the application identification device 20 of “20A”, and the other flow (for example, the flow B of FIG. 9) of the user X is the application identification of “20A”. Transfer to device 20.

  According to the system described above, when the application identification device 20 is switched, the packet header identification control device 210 keeps the transfer destination as the switching source application identification device 20 for the existing flow, and for the new flow The transfer destination is the switching destination application identification device 20. As a result, the system can accurately control the existing flow and analyze the flow even when the application identification device 20 is switched.

(Processing procedure)
Next, the processing procedure of the policy management apparatus 230 will be described with reference to FIGS.

  First, with reference to FIG. 14, update processing of the communication flow information 323 in the policy management apparatus 230 will be described. When the communication information receiving unit 330 of the policy management device 230 receives the flow communication start notification or communication end notification from the application identification device 20 (Yes in S11), the communication flow information 323 is updated based on this (S12). In other words, the communication information receiving unit 330 records, in the communication flow information 323, a flow that has received a communication start notification and has not received a communication end notification as “busy”, and records other flows as “no communication”. To do. In addition, when the communication information receiving unit 330 of the policy management device 230 has not received the flow communication start notification or the communication end notification from the application identification device 20 (No in S11), the process returns to S11.

  A specific example of updating the communication flow information will be described with reference to FIG. When the packet header identification control device 210 starts transferring the flow A of the user X to the application identification device 20A (S31), the communication information receiving unit 330 of the policy management device 230 communicates the flow A of the user X from the application identification device 20A. A start notification is received (S32), and it is recorded that the communication flow in the communication flow information 323 is the flow A of the user X and the non-communication user is the user Y (see reference numeral 171). Thereafter, when the communication information receiving unit 330 of the policy management device 230 receives the communication end notification of the flow A of the user X from the application identification device 20A (S33), the communication flow is indicated in the communication flow information 323 based on this notification. The fact that the user without communication is the users X and Y is recorded (see reference numeral 172).

  Next, when the packet header identification control device 210 transfers the flow B of the user Y to the application identification device 20A (S34), the communication information receiving unit 330 of the policy management device 230 transmits the flow B of the user Y from the application identification device 20A. A communication start notification is received (S35), and based on this notification, the communication flow information 323 records that the communication flow is the flow B of the user Y and the non-communication user is the user X (see reference numeral 173). ).

  After that, when the packet header identification control device 210 starts transferring the flow C of the user Y to the application identification device 20A in addition to the flow B of the user Y (S36), the communication information receiving unit 330 of the policy management device 230 The communication start notification of the flow C of the user Y is received from the identification device 20A (S37). Based on this notification, the communication flow is the flow B of the user Y and the flow C of the user Y based on the communication flow information 323. The fact that the user without communication is user X is recorded (see reference numeral 174).

  Next, when the packet header identification control device 210 finishes transferring the flow C of the user Y to the application identification device 20A and transfers only the flow B of the user Y (S38), the policy management device 230 receives the communication information. The unit 330 receives the communication end notification of the flow C of the user Y from the application identification device 20A (S39). Based on this notification, the communication flow is the flow B of the user Y in the communication flow information 323. The fact that the user is user X is recorded (see reference numeral 175).

  Thereafter, when the packet header identification control device 210 completes the transfer of the flow B of the user Y to the application identification device 20A, the communication information receiving unit 330 of the policy management device 230 terminates the communication of the flow B of the user Y from the application identification device 20A. The notification is received (S40), and it is recorded in the communication flow information 323 that there is no communication flow and the users without communication are the users X and Y (see reference numeral 176).

  As described above, the policy management device 230 updates the communication flow information 323 based on the communication start notification and communication end notification of each flow from the application identification device 20.

  Next, a processing procedure when the policy management apparatus 230 receives a switching instruction for the application identification apparatus 20 will be described with reference to FIG.

  When the input receiving unit 331 of the policy management device 230 receives a switching instruction for the application identification device 20 (S1 in FIG. 16), the policy management device 230 updates the application identification device information 322 (S2 in FIG. 7 described above). The control policy information 321 is updated (S3) in the same manner as in S3 in FIG. Then, the policy setting unit 335 sets a policy for the packet header identification control device 210 (S20).

  Here, the policy setting to the packet header identification control apparatus 210 by the policy setting unit 335 in S20 of FIG. 16 will be described in detail with reference to FIG.

  First, the policy setting unit 335 specifies a flow having the switching source application identification device 20 as the accommodation destination (transfer destination) in the application identification device information 322 (S21).

  Next, the policy setting unit 335 creates a policy (first policy) in which the transfer destination of the identified flow (for example, all flows of the user X) is the switching destination application identification device 20, and sets the priority to “ "Low" (S22). Further, the policy setting unit 335 refers to the communication flow information 323, and among the flows identified in S21, the transfer destination of the communication flow (for example, the flow A of the user X) is set as the switching source application identification device 20. (Second policy) is created and the priority is set to “high” (S23).

  Then, the policy setting unit 335 sets the policy created in S22 and S23 in the packet header identification control device 210 (S24). In addition, the policy setting unit 335 performs setting for deleting the policy in which the transfer destination of the flow specified in S21 (for example, all flows of the user X) is the switching source application identification device 20 in the packet header identification control device 210. (S25).

  The packet header identification control device 210 that has received such settings updates the flow table 122a from the state indicated by reference numeral 1201 in FIG. 13 to the state indicated by reference numeral 1202, for example. Then, the packet header identification control device 210 determines the flow transfer destination application identification device 20 based on the updated flow table 122a. For example, the packet header identification control device 210 transfers the flow A (existing flow) of the user X to the application identification device 20 of “20A”. Further, all flows other than the flow A of the user X (for example, a new flow B) are transferred to the application identification device 20B.

  According to the system described above, even when the application identification device 20 is switched, the packet header identification control device 210 transfers the existing flow to the switching source application identification device 20 and switches the new flow to the switching destination. To the application identification device 20. As a result, the system can accurately control the existing flow and analyze the flow even when the application identification device 20 is switched.

(Concrete example)
Next, specific examples of the system of the first embodiment and the system of the second embodiment will be described with reference to FIG. Here, the system of the first embodiment includes a TDF (Traffic Detection Function) 320 (320A, 320B) having the function of the application identification device 20 and a PCRF (Policy Control and Charging Rules Function) having the function of the policy management device 30. ) 330 and a PCEF (Policy and Charging Rule Enforcement Function) 310 having a function of the packet header identification control device 10 will be described as an example. Note that servers α, β, and γ are connected to the network, and each TDF 320 performs control and analysis of flows to the servers α, β, and γ received via the PCEF 310.

(Specific example of the system of the first embodiment)
First, a specific example of the system of the first embodiment will be described. The PCRF 330 in the system sets a transfer policy for the PCEF 310. An example of a transfer policy table held by the PCEF 310 is indicated by reference numeral 1601 in FIG. A transfer policy table indicated by reference numeral 1601 indicates a transfer policy relating to the flows of the user X and the user Y. The transfer policy in the first line is “src IP = user X, dst IP = any, src port = any, dst port = any, protocol. = Any ”flow (that is, all flows from the user X) indicates that the TDF 320 of the transfer destination is“ 320A ”. The transfer policy in the second line is a flow of “src IP = user Y, dst IP = any, src port = any, dst port = 80, protocol = 6” (that is, destination port number “80” from user Y). The TDF 320 of the transfer destination of the protocol number “6”) is also “320A”.

  An example of a flow table held by the PCEF 310 is indicated by reference numeral 1602. The flow table indicated by reference numeral 1601 indicates the TDF 320 of the transfer destination in flows A, B, and C. For example, the first line is information on the flow A, “src IP = user X, dst IP = server α, src port = 50001, The TDF 320 of the transfer destination of the flow of “dst port = 80, protocol = 6” indicates “320A”.

  When the PCEF 310 receives a flow packet, and there is an entry that matches the transfer policy table indicated by reference numeral 1601, the PCEF 310 refers to the flow table indicated by reference numeral 1602 to determine the TDF 320 of the transfer destination of the packet. On the other hand, if there is no entry that matches the transfer policy table indicated by reference numeral 1601, the PCEF 310 refers to the transfer policy indicated by reference numeral 1601 and adds an entry relating to the packet to the flow table indicated by reference numeral 1602.

  For example, consider a case where the system switches the flows of all users accommodated in the TDF 320A to the TDF 320B. In this case, the PCRF 330 instructs the PCEF 310 to change the flow transfer destinations of all users (for example, users X and Y) accommodated in the TDF 320A to the TDF 320B. Upon receiving this instruction, the PCEF 310 changes, for example, the transfer destination TDF 320 of the flow of the user (user X, Y) in the transfer policy table indicated by reference numeral 1601 in FIG. 18 from “320A” to “320B”. Is updated to the state indicated by reference numeral 1801 in FIG.

  The PCEF 310 then sends a packet of the new flow D from the users X and Y (“src IP = user X, dst IP = server γ, src port = 50003, dst port = 8080, protocol = 6”) and a packet of the flow E. (“Src IP = user Y, dst IP = server γ, src port = 60004, dst port = 80, protocol = 6”), the flows D and E have a transfer policy table indicated by reference numeral 1801 in FIG. However, there are no entries for flows D and E in the flow table indicated by reference numeral 1602 in FIG. Accordingly, the PCEF 310 adds the entries of flows D and E to the flow table indicated by reference numeral 1602 in FIG. 18 and updates the flow table to the state indicated by reference numeral 1802 in FIG. Then, the PCEF 310 transfers a packet (flow) based on the added entry.

  For example, as shown in FIG. 20, in a state where the PCEF 310 is transferring the user A flow A, the user X flow B, and the user Y flow C to the TDF 320A (S41), the accommodation of the TDF 320 (that is, the TDF 320A is changed). (S42), the PCRF 330 instructs the PCEF 310 to change the flow policy of the users X and Y (S43). For example, the PCRF 330 instructs the PCEF 310 to change the transfer destination of the flows of the users X and Y to the TDF 320B.

  Receiving this, the PCEF 310 changes the transfer policy table, and for the existing flows (for example, flows A, B, C) of the users X and Y, the transfer destination remains TDF320A (S44), and the new flows of the users X, Y When (for example, flows D and E) are received, an entry is added to the flow table, and the transfer destination is set to TDF 320B (S45). Then, when all the communication of existing flows (for example, flows A, B, and C) is completed, all the flows of users X and Y are transferred to TDF 320B.

  As a result, when the TDF 320 is switched, the system keeps the transfer destination as the switching source TDF 320A for the existing flow, and sets the transfer destination as the switching destination TDF 320B for the new flow. As a result, the system can accurately control the existing flow and analyze the flow even when the TDF 320 is switched.

(Specific example of the second embodiment)
Next, a specific example of the system of the second embodiment will be described. Here, in the system of the second embodiment, the TDF 320 having the function of the application identification device 20, the PCRF 330 having the function of the policy management device 230, and the PCEF 310 having the function of the packet header identification control device 210 are mutually connected by a network. An example of the case of being connected to will be described. The system configuration is the same as in FIG.

  For example, when the reception of a new flow is detected, the TDF 320A transmits a CCR (Credit Control Request) in which application_start is set in the Event-Trigger AVP as a flow communication start notification to the PCRF 330. Further, when detecting the end of the flow, the TDF 320A transmits a CCR in which application_stop is set in the Event-Trigger AVP to the PCRF 330 as a communication end notification of the flow. The PCRF 330 acquires the user identifier and the 5-tuple information of the flow from the received CCR, and records them in the communicating flow information 323.

  Then, the PCRF 330 sets a policy (first policy) with a priority “low” so as to switch the user flow accommodated in the TDF 320A to the TDF 320B. In addition, among the users accommodated in the TDF 320A, a policy (second policy) for keeping the communication flow as the TDF 320A is set with the priority “high”.

  An example of the processing procedure of the system will be described with reference to FIG. Here, in the state in which the PCEF 310 is transferring the flow E of the user X, the flow D of the user Y, and the flow C of the user Y to the TDF 320A, the accommodation of the TDF 320 is started (that is, switching from the TDF 320A to the TDF 320B). An example of this will be described.

  In this case, the TDF 320A starts the communication start of the flow E of the user X to the PCRF 330 by CCR (application_start, user X-flow E), the communication start of the flow of the user Y by CCR (application_start, user Y-flow D), and the user Y. The communication start of the flow C is notified by CCR (application_start, user Y-flow C) (S51).

  Then, the PCRF 330 updates the in-communication flow information 323 as indicated by reference numeral 2101 based on the received CCR. That is, the PCRF 330 indicates that the communication flow in the TDF 320A is the flow E of the user X, the flow D of the user Y, and the flow C of the user Y, and that the non-communication user is the user Z. To record.

  Then, when the accommodation change of the TDF 320 (that is, switching from the TDF 320A to the TDF 320B) is started (S52), the PCRF 330 gives the PCEF 310 high priority for the policy setting of transferring the flow E of the user X to the TDF 320A. The policy setting of transferring the flow of the user X to the TDF 320B is additionally set with low priority, and the setting of the policy setting of transferring the flow of the user X to the TDF 320A is deleted (S53). Accordingly, the PCEF 310 transfers the flow E of the user X to the TDF 320A (S54), and transfers the new flow of the user X (that is, a flow other than the flow E of the user X) to the TDF 320B (S55).

  Also, the PCRF 330 transfers the user Y flow to the TDF 320B with high priority for the policy setting of transferring the user Y flow D to the TDF 320A and the policy setting of transferring the user Y flow C to the TDF 320A. The policy setting of “additional setting with low priority” and the policy setting of transferring the flow of the user Y to the TDF 320A is deleted (S56). As a result, the PCEF 310 transfers the flows D and C of the user Y to the TDF 320A (S57), and transfers the new flows of the user Y (that is, flows other than the flows D and C of the user Y) to the TDF 320B (S58). .

  Further, the PCRF 330 sets a policy setting for transferring the user Z flow to the TDF 320B, and deletes the setting for the policy setting for transferring the user Z flow to the TDF 320A (S59). Thereby, the new flow of the user Z is transferred to the TDF 320B (S60).

  Thus, when the TDF 320 is switched, the PCEF 310 keeps the transfer destination as the switching source TDF 320A for the existing flow (flow in communication), and sets the transfer destination as the switching destination TDF 320B for the new flow. As a result, the system can accurately control the existing flow and analyze the flow even when the TDF 320 is switched.

(Other embodiments)
In the above-described embodiment, the packet header identification control devices 10 and 210, for example, when the existing flow (for example, flow A) is not received for a predetermined time or longer, are entered from the flow tables 122 and 122a. May be deleted. In this way, entries relating to flows that are no longer communicated do not remain in the flow tables 122 and 122a, so that the memory capacity used for the flow tables 122 and 122a can be reduced.

  In the above-described embodiment, the policy management apparatuses 30 and 230 switch all the flows of users accommodated in the switching source application identification apparatus 20 to the switching destination application identification apparatus 20 or a part of them. An instruction input indicating whether to switch to the switching destination application identification device 20 is accepted in the user flow, and only the designated user flow is transferred to the switching destination application identification device 20 to the packet header identification control devices 10 and 210. It may be. Accordingly, the system can change the application identification device 20 of the accommodation destination (transfer destination) only for a flow that needs to be changed of the application identification device 20 of the accommodation destination (transfer destination).

  In each of the above embodiments, the case where the policy management devices 30 and 230, the packet header identification control devices 10 and 210, and the application identification device 20 are separate devices has been described as an example, but the present invention is not limited to this. For example, the packet header identification control devices 10 and 210 may have the function of the policy management devices 30 and 230, and the packet header identification control devices 10 and 210 may have the function of the application identification device 20.

(program)
It is also possible to create and execute a program that describes the processing executed by the policy management devices 30 and 230 and the packet header identification control devices 10 and 210 in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed to execute the same processing as in the above embodiment. Hereinafter, an example of a computer that executes a control program that realizes the same function as the policy management devices 30 and 230 and the packet header identification control devices 10 and 210 will be described.

  FIG. 22 is a diagram illustrating a computer that executes a control program. As shown in FIG. 22, a computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, a network Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 22, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in the hard disk drive 1090 or the memory 1010, for example.

  Further, the control program is stored in the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described, for example. Specifically, a program module describing each process executed by the policy management devices 30 and 230 and the packet header identification control devices 10 and 210 described in the above embodiment is stored in the hard disk drive 1090.

  Data used for information processing by the control program is stored as program data in, for example, the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the control program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. May be. Alternatively, the program module 1093 and the program data 1094 related to the program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and the CPU 1020 via the network interface 1070. May be read.

10, 210 Packet header identification control device 11, 31 Input / output unit 12, 32, 212, 232 Storage unit 13, 33, 213, 233 Control unit 20 (20A, 20B) Application identification device 30, 230 Policy management device 121 Transfer policy Table 122, 122a Flow table 123 Routing table 130 Packet receiving unit 131 Transfer unit 132 Determination unit 133 Transfer policy table update unit 134, 134a Flow table update unit 321 Control policy information 322 Application identification device information 323 Flow information during communication 330 Communication information reception Section 331 Input reception section 332 Information update section 333 Control policy setting section 334 Transfer policy setting section 335 Policy setting section

Claims (8)

A packet header identification control device for transferring a flow transmitted from a user terminal or a server to a predetermined application identification device in a network,
A storage unit that stores a flow table indicating a transfer destination application identification device of each flow, and a transfer policy table indicating a transfer destination application identification device of each flow specified by an external device;
A determination unit that determines whether or not there is an entry related to the received flow in the flow table when a flow corresponding to the transfer policy table is received;
When the determination unit determines that there is no entry related to the received flow in the flow table, the received flow is determined as a new flow, and the transfer destination of the new flow is indicated in the transfer policy table. A flow table update unit for adding an entry as an application identification device of the flow to the flow table;
Referring to the flow table, the new flow is transferred to the first application identification device that is the transfer destination application identification device , and the existing flow is transferred to the flow destination application identification device . A packet header identification control device comprising: a transfer unit configured to transfer to a second application identification device. The flow table update unit
The packet header identification control apparatus according to claim 1, wherein when there is an entry of a flow that is not received for a predetermined period or longer in the flow table, the entry is deleted. In the network, a packet header identification control device that transfers a flow transmitted from a user terminal or server to a predetermined application identification device,
When a flow corresponding to the transfer policy table is received with reference to the transfer policy table indicating the transfer destination application identification device of each flow designated by the external device, the transfer destination application identification device of the previous flow is indicated. Determining whether the received flow table has an entry for the received flow;
When it is determined that there is no entry related to the received flow in the flow table, the received flow is determined as a new flow, and the transfer destination of the new flow is set to the application of the flow indicated in the transfer policy table. Adding an entry as an identification device to the flow table;
Referring to the flow table, the new flow is transferred to the first application identification device that is the transfer destination application identification device , and the existing flow is transferred to the flow destination application identification device . And a transfer method to a second application identification device . In a network, a computer that is a packet header identification control device that transfers a flow transmitted from a user terminal or server to a predetermined application identification device,
Referring to the transfer policy table indicating the transfer destination application identification device of each flow specified from the external device, when the flow corresponding to the transfer policy table is received, the transfer destination application identification device of each flow is indicated. Determining whether there is an entry for the received flow in the flow table;
When it is determined that there is no entry related to the received flow in the flow table, the received flow is determined as a new flow, and the transfer destination of the new flow is set to the application of the flow indicated in the transfer policy table. Adding an entry as an identification device to the flow table;
Referring to the flow table, the new flow is transferred to the first application identification device that is the transfer destination application identification device , and the existing flow is transferred to the flow destination application identification device . And a step of transferring to a second application identification device . In a network, a management device that manages a packet header identification control device that transfers a flow transmitted from a user terminal or server to a predetermined application identification device,
A communication information receiving unit that updates communication flow information indicating a flow in communication in the application identification device based on a communication start notification and a communication end notification of a flow from the application identification device;
A storage unit that stores the communication flow information and application identification device information indicating a transfer destination application identification device of each flow;
When switching the application identification device in operation to another application identification device, the transfer destination of the flow whose transfer destination is the application identification device in operation is referred to by referring to the application identification device information and the communication flow information. Of the first policy to be changed to another application identification device and the flow having the application identification device in operation as a transfer destination, the transfer destination of the flow being communicated remains the application identification device in operation. And a policy setting unit that sets the priority of the second policy to be higher than the priority of the first policy and sets the priority in the packet header identification control device. Management device.   6. The management according to claim 5, wherein the policy setting unit further deletes setting of a policy for setting the transfer destination of the flow as the application identification device in operation to the packet header identification control device. apparatus. In the network, a management device that manages a packet header identification control device that transfers a flow transmitted from a user terminal or a server to a predetermined application identification device,
Updating communication flow information indicating a communication flow in the application identification device based on a communication start notification and a communication end notification of the flow from the application identification device;
When switching the application identification apparatus in operation to another application identification apparatus, the application identification apparatus in operation is referred to by referring to the application identification apparatus information indicating the transfer destination application identification apparatus of each flow and the communication flow information. The first policy for changing the transfer destination of a flow having the transfer destination to the other application identification device, and the transfer destination of the communication flow among the flows having the application identification device in operation as the transfer destination Creating a second policy that remains an application identification device in operation;
And setting the priority of the second policy higher than the priority of the first policy in the packet header identification control device. In a network, a computer that is a management device that manages a packet header identification control device that transfers a flow transmitted from a user terminal or a server to a predetermined application identification device.
Updating communication flow information indicating a communication flow in the application identification device based on a communication start notification and a communication end notification of the flow from the application identification device;
When switching the application identification apparatus in operation to another application identification apparatus, the application identification apparatus in operation is referred to by referring to the application identification apparatus information indicating the transfer destination application identification apparatus of each flow and the communication flow information. The first policy for changing the transfer destination of a flow having the transfer destination to the other application identification device, and the transfer destination of the communication flow among the flows having the application identification device in operation as the transfer destination Creating a second policy that remains an application identification device in operation;
And a step of causing the packet header identification control device to set a priority of the second policy higher than that of the first policy.

Images