JP6352459B2 - Inspection control device, inspection control method, and program - Google Patents

Description

  The present invention relates to a technique for inspecting the normality of a network composed of packet transfer apparatuses that transfer packets.

  In recent years, a technique called OpenFlow has become widespread. In OpenFlow, the controller creates a user communication path (path) in End-End by setting a flow table in a plurality of OpenFlow switches (OFS) placed in the network.

  When a data packet is input to the OFS, the OFS refers to arbitrary and plural fields of the packet, and performs packet transfer and rewriting operations according to instructions described in entries in the flow table.

  In OpenFlow, by appropriately setting entries in the flow table, for example, the transfer destination can be freely changed according to the policy of the NW operator, the field itself can be added, or the field value can be freely rewritten. Furthermore, it is possible to prepare a plurality of flow tables in one OFS and perform processing by referring to them continuously (referred to as pipeline processing).

JP 2007-036839 A

  For example, in a network that performs transfer that does not comply with a single protocol rule, such as the above OpenFlow, when End-End communication is NG, sufficient separation cannot be performed using only the conventional protocol standard OAM function. There is a problem. Therefore, when communication NG occurs, for example, it is necessary to check the setting contents of each relay node one by one, which is inefficient.

  The present invention has been made in view of the above points, and an object of the present invention is to provide a technique that enables efficient communication inspection even in a network that performs transfer that does not follow a single protocol rule. To do.

In order to solve the above problem, the present invention is an inspection control device that performs inspection control on a packet transfer device that constitutes a network for transferring packets,
The packet transfer apparatus includes a packet transfer processing unit that performs packet transfer processing based on a list of processing rules for an input packet,
With respect to the packet transfer device, by transmitting the information including the processing rules of the test packet, before and after the packet forwarding processing means definitive to the packet transfer device, and means for adding the test packet processing means,
Means for injecting an inspection packet into the packet transfer device;
Each of the inspection packet processing means provided before and after the packet transfer processing means acquires information to be output by performing processing on the inspection packet ;
And a determination unit that determines normality of the network based on the acquired information.

  The determination unit obtains the configuration information from an operation control apparatus that stores the configuration information of the network, and compares the configuration information with the configuration information based on the acquired information, thereby determining the normality of the network. You may comprise so that it may determine.

  ADVANTAGE OF THE INVENTION According to this invention, even in the network which performs the transfer which does not follow a single protocol rule, the technique which enables the inspection of communication efficiently is provided.

1 is an overall configuration diagram of a communication system according to an embodiment of the present invention. It is a figure which shows the operation | movement outline | summary of this Embodiment. It is a figure which shows the operation | movement outline | summary of this Embodiment. 2 is a functional configuration diagram of a packet transfer apparatus 100. FIG. 2 is a diagram illustrating a configuration example of a packet transfer apparatus 100. FIG. 2 is a diagram illustrating a configuration example of a packet transfer apparatus 100. FIG. 2 is a diagram illustrating a configuration example of a packet transfer apparatus 100. FIG. It is a function block diagram of the packet transfer apparatus 100 in the case of test | inspecting. 2 is a functional configuration diagram of an inspection control device 10. FIG. It is a flowchart which shows the flow of operation | movement of the communication system of this Embodiment. It is a figure which shows the process which designates a test object path | route and grasps | ascertains the header information of the packet for a test | inspection. It is a figure which shows the process which captures user data. It is a figure which shows the process which adds a reservation table for a test | inspection. It is a figure which shows the process of inject | pouring a test | inspection packet, and the process of acquisition of a test | inspection packet. It is a figure which shows the process which acquires a counter value. It is a figure which shows that the packet transfer apparatus 2 is a suspicious apparatus. It is a functional block diagram of the packet transfer apparatus 100 in the case of narrowing down within a packet transfer apparatus. It is a functional block diagram of the packet transfer apparatus 100 in the case of narrowing down within a packet transfer apparatus. It is a figure for demonstrating the jump of a table. 2 is a diagram illustrating a basic configuration of a packet transfer apparatus 100. FIG. FIG. 3 is a diagram in which a packet transfer processing unit is used as a list of processing rules in the packet transfer apparatus 100. It is a figure which shows the packet transfer apparatus 100 of the modification 1. FIG. It is a figure which shows the packet transfer apparatus 100 of the modification 2. It is a figure which shows the example of the table of the modification 2. It is a figure which shows the packet transfer apparatus 100 of the modification 3. It is the figure which showed the basic example and the modification collectively. It is a figure which shows the example at the time of mounting this invention by OpenFlow (it respond | corresponds to the packet transfer apparatuses 1 and 2). It is a figure which shows the example at the time of mounting this invention by OpenFlow (it respond | corresponds to the packet transfer apparatus 3).

  Embodiments of the present invention will be described below with reference to the drawings. The embodiment described below is only an example, and the embodiment to which the present invention is applied is not limited to the following embodiment. For example, in the following embodiments, the case where the present invention is applied to the OpenFlow technology is described, but the application destination of the present invention is not limited to the OpenFlow technology, and can be applied to various communication methods.

(Explanation of issues)
In describing the embodiment of the present invention, first, problems in OpenFlow will be described in more detail.

  An End-End flow (corresponding to the main signal communication path) through which user communication passes is completed when the flow table setting is normally performed for all OpenFlow switches (OFS), but is normally written for each OFS device. The contents of the flow table are different. Therefore, if any communication abnormality is encountered, it is necessary for the operator to check whether the flow table of each OFS existing in the route is set as intended.

  Generally, when there is a problem in the user's End-End communication, a standard fault management function or tool set provided for the communication protocol (D-Plane) is used to diagnose / isolate the cause. (OAM function) is often used. Examples of such functions include IP-Ping / traceroute (in the case of IP), Y. 1731 / 802.1ag LoopBack / LinkTrace (in the case of Ethernet (registered trademark)), LSP-ping / trace (in the case of MPLS), and the like.

  However, there is currently no standard technology for the OAM function for D-Plane in the OpenFlow standard. In OpenFlow, OFS freely refers to various fields in the D-Plane packet, and performs transfer that does not necessarily follow the rules of a single protocol. Therefore, the OAM function provided for each of the various protocols cannot be used as it is.

  For example, consider a case where a conventional user terminal corresponding to IP is connected to the outside of the network space of the OpenFlow switch, and the communication provider provides IP communication reachability at End-End. In this environment, if IP-Ping is issued from the user terminal, it can be determined whether or not the terminal is connected to a remote terminal. However, when there is no Ping response, it is difficult to isolate from there. In this case, as the next step, it becomes necessary to determine which relay OpenFlow switch has the problem, but IP-traceroute is not useful (OpenFlow does not have a transfer rule according to IP, so TTL It may not have been subtracted, or the IP header may be replaced by an Eteher header).

  As described above, in OpenFlow, OFS refers to various protocol fields freely and does not always follow the rules of the conventional protocol. Therefore, the D-Plane OAM function (eg, IP-Ping) of the conventional protocol standard is used. However, it is not possible to properly check / analyze failures. Currently, for example, it is necessary to log in to the OFS one by one and check the contents of the flow table in order. It takes time to work.

  In this embodiment, the contents of the flow table are correct without performing inefficient work as described above, and the flow table is correctly entered into the OFS as intended by the controller, and the transfer setting is completed. There is provided a technique that makes it possible to efficiently check whether or not the information is reflected.

(System configuration, operation overview)
FIG. 1 shows an overall configuration diagram of a communication system according to the present embodiment. As shown in FIG. 1, the communication system according to the present embodiment includes a relay network composed of a plurality of packet transfer apparatuses, an inspection control apparatus 10, and an operation control apparatus 20. In this example, for convenience of illustration, three packet transfer apparatuses 1, 2, and 3 are shown as packet transfer apparatuses included in the relay network. The source user apparatus 30 is connected to the Ingress packet transfer apparatus 1 via the UNI, and the destination user apparatus 40 is connected to the Egress packet transfer apparatus 3 via the UNI. The inspection control device 10 and the operation control device 20 can communicate with each packet transfer device via a management network or the like, but in FIG. 1, the inspection control device 10 and each packet transfer device are connected (communication is possible). The status is shown.

  The inspection control device 10 and the operation control device 20 are also communicably connected. Note that the inspection control device 10 and the operation control device 20 may be configured as one device, for example, the function of the inspection control device 10 is provided in the operation control device 20.

  An outline of the operation during path inspection in the communication system shown in FIG. 1 will be described with reference to FIGS. Here, based on an instruction from the operation control device 20 to each packet transfer device, a path (from the packet transfer device 1 to the packet transfer device 3) is accommodated in order to accommodate communication from the transmission source user device 30 to the destination user device 40. An operation example in which the inspection control apparatus 10 confirms whether or not the path is actually communicated will be described.

Step 1) Addition of inspection commands and generation of inspection packets (Fig. 2)
In this example, VLAN-VID100 is used as an inspection flag, and a command to be notified to the inspection control apparatus 10 is written to each packet transfer apparatus when a packet of VLAN-VID100 is received. As will be described later, in the present embodiment, this instruction is realized as an entry in the table. Further, the inspection control apparatus 10 generates a packet including the VLAN-VID 100 that is a packet that flows through the path to be inspected.

Step 2) Inspection packet injection and notification (FIG. 3)
The inspection control device 10 injects the generated inspection packet into the packet transfer device 1. The packet is transferred according to the rules set in each packet transfer apparatus corresponding to the inspection target path. In the present embodiment, each packet relay apparatus uses the command set in step 1 Accordingly, when a packet of VLAN-VID 100 arrives, the inspection control apparatus 10 is notified of the arrival, and a transfer process to the next packet transfer apparatus is performed.

Step 3) Result Output and Inspection Command Deletion The inspection control device 10 outputs information indicating whether a desired result has been obtained based on a notification received from each packet transfer device. For example, based on the information acquired from the operation control device 20, it knows that the path to be inspected is a path that passes through the packet transfer devices 1 to 3, and if a certain packet transfer device and subsequent packet relays When the notification is not received from the device, information indicating that there is some malfunction in the specific packet transfer device is output. In this case, for example, it is possible to isolate a fault in the packet transfer apparatus by a method described later. Thereafter, the inspection control device 10 deletes the command used for the inspection in each packet transfer device.

  Hereinafter, the configuration and operation of each device will be described in more detail.

(Device configuration)
<About packet transfer equipment>
Each packet transfer apparatus constituting the relay network in the present embodiment is configured using the OpenFlow switch technology. First, with reference to FIG. 4, a basic functional configuration of the packet transfer apparatus 100 used as each packet transfer apparatus constituting the relay network will be described.

  As illustrated in FIG. 4, the packet transfer apparatus 100 includes a plurality of tables (flow tables).

  A plurality of entries are described in each table in the packet transfer apparatus 100. Each entry includes a “match condition” for the field of the packet and an “instruction” (one or more actions) that is the processing content when the field matches the match condition (when hit). Field rewriting and transfer destination are determined according to the contents of the instruction.

  For example, as in the example shown in FIG. 4, when the “match condition” is “IP destination address is ◯” and “TCP port number is 80”, the packet input to the table In the corresponding field of “IP destination address is ◯” and “TCP port number is 80”, the processing (action) designated by “instruction”, that is, ““ VLAN tag 100 "Set number" and "Specify output port number as # 10" and "Transition to next table" are performed on the packet.

  Moreover, a priority (priority) is given to a set of match conditions and instructions (= entries), and the search for entries (match conditions) in the same table is performed in descending order of priority. Different entries may have the same priority. If there are multiple matching entries with the same priority, alternative selection is performed by some algorithm.

  In addition, transition to another table can be performed by an explicit instruction as in the above example or as a process when no match is found. Numbers are assigned to the tables, and in the present embodiment, the tables transition in the ascending order of the numbers, and the input packet is searched from the table arranged first.

  Basically, the contents of each table in the packet transfer apparatus 100 are appropriately set or rewritten from the operation control apparatus 20 according to the connection configuration of the path to be created. In this way, a table that is appropriately set and rewritten from the operation control apparatus 20 in order to configure a path for realizing user communication is referred to as a normal table.

  In the present embodiment, the method for realizing the packet transfer apparatus 100 having the above-described functional configuration is not limited to a specific method. For example, as shown in FIG. 5, a configuration including a packet transfer processing unit 110 and a table storage unit 120 can be adopted. In this configuration, each table (data) is stored in the table storage unit 120. When the packet transfer processing unit 110 receives a packet from the input port, the packet transfer processing unit 110 sequentially refers to the tables stored in the table storage unit 120, thereby performing the “match condition” and the “instruction” similarly to the processing described with reference to FIG. Is executed for each table, and a packet is output from the output port based on the “instruction” in the last table. The table stored in the table storage unit 120 may actually be divided into a plurality of (multi-stage) and numbered tables as shown in FIG. 4, or may be a single table including the contents of the plurality of tables. May be.

  In the configuration of FIG. 5, the packet transfer processing unit 110 can be realized by a dedicated hardware circuit, and the data storage unit 120 can be realized by a storage device such as a memory. Further, the apparatus shown in FIG. 5 can also be realized by a computer having a communication IF. In that case, the operation of the packet transfer processing unit 110 can be realized by causing the computer to operate the program. The program in this case is, for example, a program corresponding to an operation for processing a packet in accordance with the contents of an entry described in a table stored in the table storage unit 120.

  Further, the packet transfer apparatus 100 illustrated in FIG. 5 may include a plurality of packet transfer processing units each corresponding to one table. That is, as shown in FIG. 6, one table and the packet transfer processing unit 110 correspond to a packet transfer processing unit of one sub-element, and another table and the packet transfer processing unit 110 transfer packet of another sub-element. It corresponds to the processing unit. For example, the sub-element packet transfer processing unit configured by the table n is provided before the packet transfer processing unit configured by the table n + 1.

  For example, when a table is added to the table storage unit 120, a sub-element packet transfer processing unit is added. A set of packet transfer processing units corresponding to the normal table before the reservation table described later is added can be referred to as a packet transfer processing unit.

  In addition to the configurations shown in FIGS. 5 and 6, each table having the configuration shown in FIG. 4 may have a packet transfer function. That is, as illustrated in FIG. 7, the packet transfer apparatus 100 may include a plurality of packet transfer processing units that receive a packet and perform processing based on the “match condition” and “instruction”. One packet transfer processing unit shown in FIG. 7 corresponds to one table shown in FIG. Each packet transfer processing unit illustrated in FIG. 7 includes, for example, a storage unit that stores a plurality of entries (= tables) and a packet transfer unit that performs a transfer process of an input packet according to the entries. Each packet transfer processing unit shown in FIG. 7 may be realized by a hardware circuit, for example. Further, the packet transfer apparatus 100 shown in FIG. 7 may be realized by a computer, and each packet transfer processing unit may be a software module. By using a software module, a packet transfer processing unit can be added or deleted as necessary. The software module is a functional unit realized by causing a hardware such as a CPU and a memory to execute a program. The set of packet transfer processing units shown in FIG. 6 may be referred to as packet transfer processing means.

  As described above, the packet transfer apparatus 100 according to the present embodiment can be realized by causing a computer having a communication function to execute a program describing the processing contents described in the present embodiment. In other words, each functional unit in the packet transfer apparatus 100 can be realized by executing a program corresponding to a process executed by each unit using hardware resources such as a CPU, a memory, and a hard disk built in the computer. Is possible. The above-mentioned program can be recorded on a computer-readable recording medium (portable memory or the like), stored, or distributed. It is also possible to provide the program through a network such as the Internet or electronic mail.

  In the following, the configuration and processing of the packet transfer apparatus will be described with the description method shown in FIG. 4, but the implementation method may be the configuration shown in FIGS. 5 and 6, or the configuration shown in FIG. However, other configurations may be used.

  FIG. 8 shows a functional configuration of the packet transfer apparatus 100 corresponding to each packet transfer apparatus when each packet transfer apparatus of the present embodiment shown in FIG. As shown in FIG. 8, in the packet transfer apparatus 100, an “input reservation table” is provided in the foremost stage, and an “output reservation table” is provided in the last stage. Each reservation table is guarded to be written by the packet transfer apparatus 100 so that it can be operated (set, changed, deleted, etc.) only from the inspection control apparatus 10.

  In the present embodiment, by providing such a reservation table, inspection can be performed without operating any other normal table.

  As shown in FIG. 8, in each reservation table, when a predetermined inspection field exists, an entry with the highest priority describing an instruction including outputting a packet to the inspection control device 10 is set. Yes. That is, in the example shown in FIG. 8, when the inspection reservation field exists in the packet, the input reservation table transitions to the next table and outputs (copy-outputs) the packet to the inspection control device 10. Is described with the highest priority (priority = 0). Further, in the output reservation table, when the inspection field exists and the output port instruction information is No. 1, the packet is output to the port No. 1 and the packet is output to the inspection control apparatus 10. The entry shown is described with the highest priority (priority = 0).

  “The inspection field exists” means, for example, that a predetermined bit value exists at a predetermined location in the packet, but the determination method of the inspection packet is not limited to such a method. The “output port instruction information” is a process in which the normal table (tables 0 to N) in FIG. 8 is pipeline-processed, and when the output port number is determined by some means, This is a value (a value used only inside the device) that is referred to in order to carry the value information to the table.

  The input reservation table shown in FIG. 8 includes an entry for transitioning a normal packet that does not match “existing field exists” as the next priority entry to the next table. The output reservation table includes an entry for outputting a packet to port 1 when the output port instruction information is No. 1 as an entry of the next priority. In this way, normal packets that are not inspection packets can be processed as usual.

  In the case of the implementation method shown in FIG. 5, the function shown in FIG. 8 can be realized by additionally storing the input reservation table and the output reservation table in the table storage unit 120. That is, a packet transfer processing unit of one sub-element is added by the additionally stored table and the packet transfer processing unit 110. The packet transfer processing unit added by adding the reservation table may be referred to as an inspection packet processing unit.

  In addition, in the case of the implementation method shown in FIG. 7, a packet transfer processing unit that performs processing with logic corresponding to the contents of the input reservation table is added to the front stage of the packet transfer processing unit configured in multiple stages, and is configured in multiple stages. The function shown in FIG. 7 can be realized by providing a packet transfer processing unit that performs processing with logic corresponding to the contents of the output reservation table at the last stage of the packet transfer processing unit.

  The added packet transfer processing unit may be referred to as an inspection packet processing unit. Further, based on the table information received from the inspection control apparatus 10, the inspection packet processing unit generates (adds) a program module (an object or the like) configured to perform processing with reference to the table information. It is realized by doing. The packet transfer apparatus 100 has a function of adding a program module configured to perform processing with reference to the table information based on the table information received from the inspection control apparatus 10.

  As described above, the packet transfer apparatus according to the present embodiment is a packet transfer apparatus that constitutes a network that performs packet transfer, and includes a packet transfer processing unit that performs the packet transfer process. Based on the information received from the packet transfer processing unit, an inspection packet processing unit is added before or after the packet transfer processing unit, and the inspection packet processing unit notifies the inspection control device 10 when the inspection packet is received. And the processing set in the inspection packet processing unit (transition to the next table, etc.) is performed on the inspection packet.

  The packet transfer processing unit includes a list of processing rules for the input packet, and the inspection packet processing unit is added by adding a processing rule for the inspection packet to the top part or the last part of the list. Is done. The list of processing rules is configured as a multi-stage table, and the inspection packet processing unit adds a table including processing rules for inspection packets to the beginning or end of the multi-stage table. Is added.

<About operation control equipment and inspection control equipment>
The operation control apparatus 20 according to the present embodiment has a database, and the database includes a connection configuration (physical topology) of packet transfer apparatuses in a relay network, a start point, an end point, a route, and the like of each path (flow). Information (information indicating which port of which packet transfer device passes through), information such as a bandwidth, a table in each packet transfer device, contents of entries in the table, and the like are stored. The inspection control apparatus 10 can acquire desired information from the database by accessing the operation control apparatus 20. The operation control device 20 has a function of adding, deleting, and managing entries in the normal table of each packet transfer device.

  Next, the inspection control apparatus 10 will be described. FIG. 9 is a functional configuration diagram of the inspection control apparatus 10. As shown in FIG. 9, the inspection control device 10 includes an operation IF unit 11, an inspection packet creation processing unit 12, an inspection packet injection unit 13, an inspection command setting unit 14, an inspection information acquisition unit 15, and a failure determination unit. 16.

  The operation IF unit 11 includes functions such as an operator inputting operation information to the inspection control device 11 and displaying information output from the inspection control device 11. For example, an information display means (display, etc.), information Includes input means (keyboard, etc.). Further, the operation IF unit 11 may be an interface when an operator performs an operation from a remote terminal via a network. In this case, for example, the operation IF unit 11 includes a Web server function and displays a Web screen on the remote screen. Provided to the terminal, the operator can input a command on the Web screen and view the failure determination result.

  The inspection packet creation processing unit 12 creates an inspection packet by a method described later. Based on an instruction from the operation IF unit 11, the inspection packet injection unit 13 injects an inspection packet from the input port of the instructed packet transfer device through which the path to be inspected passes to the packet transfer device. The inspection command setting unit 14 adds, deletes, and changes reservation tables and scanning tables for each packet inspection device. The inspection command setting unit 14 can also add, delete, change, etc., entries once added in the reservation table or scanning table.

  Further, as will be described later, when adopting a configuration in which an inspection entry is provided in a normal table without using a reservation table, the inspection instruction setting unit 14 adds, deletes, and changes the inspection entry. It can also be done. Further, when adopting a configuration in which an inspection action is provided in the entry, the inspection instruction setting unit 14 can also add, delete, change, etc. the inspection action.

  The inspection information acquisition unit 15 receives information such as inspection packets output from each packet transfer device based on the inspection entry command, and passes the inspection packets to the failure determination unit 16. In addition, the packet transfer apparatus may not output the inspection packet itself to the inspection control apparatus 10 by setting the inspection entry. In this case, the inspection information acquisition unit 15 may, for example, The counter value indicating the number of times the inspection packet has passed the reservation table can be acquired.

  The failure determination unit 16 has a function of determining the presence / absence of a failure based on the information passed from the inspection information acquisition unit 15 and outputting it. For example, the failure determination unit 16 includes a path connection state (configuration information) grasped by information passed from the inspection information acquisition unit 15, correct route information of the inspection target path acquired from the operation control device 20, etc. (configuration information) ) To determine whether or not the actual path is correctly connected, and the result is output from the operation IF unit 11.

  Note that the inspection packet creation processing unit 12 may not exist in the inspection control device 10, and for example, the inspection packet creation processing unit 12 may be realized by using another device.

  The inspection control apparatus 10 according to the present embodiment can be realized by causing a computer used as the inspection control apparatus 10 to execute a program describing the processing contents described in the present embodiment. In other words, each function unit in the inspection control apparatus 10 can be realized by executing a program corresponding to a process executed by each unit using hardware resources such as a CPU, a memory, and a hard disk built in the computer. Is possible. The above-mentioned program can be recorded on a computer-readable recording medium (portable memory or the like), stored, or distributed. It is also possible to provide the program through a network such as the Internet or electronic mail.

  Further, the operation control apparatus 20 may have the function of the inspection control apparatus 10 by causing the operation control apparatus 20 to execute the program (application).

(Basic operation details)
The basic operation from the creation of the inspection packet to the failure determination performed by the packet transfer apparatus and the inspection control apparatus 10 described so far will be described below in accordance with the procedure shown in FIG. In the description, FIGS. The following step numbers correspond to the step numbers shown in FIG.

  In steps 101 to 103, an inspection packet is created. In order to check the normality of a user communication path by sending a packet in a relay network that transfers packets by referring to arbitrary information in the packet, which is assumed in the present embodiment, the packet is a user It should be as identical as possible to the packets that are output and forwarded from the device. Therefore, an inspection packet is created as in steps 101 to 103 below. However, creating the inspection packet as in steps 101 to 103 is merely an example. Any method may be used to create the inspection packet.

<Step 101: Specify inspection path>
First, in the inspection control apparatus 10, the operator inputs which path (user line or flow) is to be inspected using the operation IF ((1) in FIG. 11). The input information is, for example, a name, number, etc. that can identify the path (these are referred to as path IDs). The path ID is notified to the inspection packet creation processing unit 12 and the failure determination unit 16. The inspection packet creation processing unit 12 generates an inspection packet corresponding to the designated inspection target path. Specifically, it is as follows.

  In the present embodiment, the inspection packet creation processing unit 12 refers to an entry in the table related to the inspection target path Ingress port (UNI) in the packet transfer apparatus 1 to perform packet transfer on the inspection target path. The header information of the packet to be used is acquired ((2) in FIG. 11). Alternatively, the inspection control device 10 may acquire the information of the table from the operation control device 10 by specifying the path ID, and extract the header information.

<Step 102: Capture user data>
Next, the inspection packet creation processing unit 12 in the inspection control apparatus 10 samples and captures user data of the inspection target path ((1) and (2) in FIG. 12), and creates a payload portion of the inspection packet. Note that the operator (carrier) may create the payload portion without sampling capture. For example, a technique such as sFlow can be used as the capture method.

<Step 103: Create Inspection Packet>
The inspection packet creation processing unit 12 in the inspection control apparatus 10 creates an inspection packet from the header information confirmed in Step 101 and the payload created in Step 102. Note that the inspection packet creation processing unit 12 itself may have a packet generation function, or is provided with a packet generator module outside the inspection control apparatus 10, which makes a packet creation request to the packet generator module. The inspection control apparatus 10 may receive the packet.

  Some identification information for distinguishing the inspection packet from the normal packet is added to the inspection packet. The identification information may be arbitrarily specified by the inspection packet creation processing unit 12 in an area range not used in user communication, or may be manually specified by an operator. However, the information of the description area in the identification information packet determined here and the value of the identification information are reflected in the determination condition of the inspection packet in the reservation table (and a scanning table described later).

  The area for describing the identification information includes, for example, an IP Type of Service field, an Ethernet (registered trademark) destination MAC address field, a VLAN-VID field, and a Class of Service field. It may be an arbitrary bit value in these fields, or may be a combination condition of a plurality of different bits or fields.

<Step 104: Add reservation table for inspection>
Subsequently, the inspection command setting unit 14 of the inspection control device 10 creates an input reservation table and an output reservation table on the basis of the instruction content from the operator received from the operation IF unit 11, and the packet transfer devices 1 to The input reservation table and the output reservation table are set in each of 3 (FIG. 13). Each reservation table describes a match condition for determining that the packet is an inspection packet and an instruction (such as an instruction for executing an action) when the packet matches. The instruction includes transmitting an inspection packet and / or other information to the inspection control apparatus 10.

  As a result, each packet transfer apparatus has a configuration in which an input reservation table is provided in the foremost stage and an output reservation table is provided in the last stage as shown in FIG. That is, inspection packet processing means is added in each packet transfer apparatus.

  Note that step 104 may not be performed every time an inspection is performed. For example, a reservation table (inspection packet processing means) may be added to the packet transfer apparatus on the network only once and used fixedly.

<Step 105: Inject inspection packet>
The inspection packet injection unit 13 of the inspection control device 10 injects the inspection packet created by the inspection packet creation processing unit 12 into the packet transfer device 1 (FIG. 14). In this example, since it is assumed that the inspection from the input to the output in the relay network is performed, the inspection packet is injected into the Ingress packet transfer apparatus 1, but the inspection packet is the purpose of the inspection. Depending on the case, it may be injected from an arbitrary packet transfer apparatus.

  A Packet-Out message can be used for injection of the inspection packet. In the OpenFlow Packet-out message standard, an actually input port can be processed as if it were another port (addition of input port information). Therefore, as shown in FIG. 14, even if the physical port to which the inspection packet is input is a port different from the input port (UNI port) of the inspection target path, by adding the information of the UNI port, Thus, it is possible to inject the inspection packet that has become user communication. Of course, the inspection packet may be input directly from the UNI port without using such a technique.

  In this example, only the last packet transfer device 3 that outputs to the destination user device 40 is exceptionally not transferred to the UNI for processing of the inspection packet in the output reservation table. . By doing so, an in-network test can be realized without outputting the inspection packet to the destination user apparatus.

<Step 106: Acquisition of information for inspection>
In the packet transfer apparatus 1, if the normal use table (that is, the inspection target) functions normally, the inspection packet is transferred to the packet transfer apparatus 2, and the inspection packet should be output to the inspection control apparatus 10 side. It is. The same applies to the transfer from the packet transfer apparatus 2 to the packet transfer apparatus 3. The inspection control apparatus 10 can receive an inspection packet using, for example, an OpenFlow Packet-In message.

  If there is any abnormality in any of the packet transfer apparatuses, the inspection packet does not reach downstream, and the inspection packet is not output to the inspection control apparatus 10. In the example shown in FIG. 14, the inspection packet is output on both the input side and the output side in each packet transfer apparatus. The inspection packet output from the input side in each packet transfer device includes information for identifying the packet transfer device and information for identifying the input port (information indicating which port of which packet transfer device is input). The inspection packet that is added and output from the output side of each packet transfer device includes information for identifying the packet transfer device and information for identifying the output port (from which port of which packet transfer device is output). Information) may be added. Further, information for identifying a table (an ID indicating an input reservation table, an ID indicating an output reservation table) may be added to each of the input side and the output side.

  The inspection information acquisition unit 15 of the inspection control apparatus 10 acquires the inspection packet and additional information output as described above, and passes the acquired information to the failure determination unit 16.

  In the packet transfer apparatus according to the present embodiment, a statistical information counter is prepared for each entry. If the inspection packet matches the inspection entry and the inspection packet passes the reservation table, the counter is counted up. The The inspection information acquisition unit 15 of the inspection control apparatus 10 transfers the value of the counter to each packet as shown in FIG. 15 in addition to acquiring the inspection packet or instead of acquiring the inspection packet. It is good also as acquiring from an apparatus.

  It should be noted that the amount of inspection packet to be injected in step 105 can be arbitrarily set by, for example, the operator specifying the inspection packet injection unit 13 via the operation unit IF unit 11. Also, what data is acquired in step 106 (what data is to be output to the packet transfer apparatus) is determined by the operator via the operation unit IF unit 11 with respect to the inspection command setting unit 13, for example. By performing the designation, the inspection command setting unit 13 can designate each packet transfer apparatus.

<Step 107: Failure determination and result output>
In the present embodiment, the failure determination unit 16 of the inspection control apparatus 10 determines whether or not the inspection target path is normal based on information such as an inspection packet passed from the inspection information acquisition unit 15. For example, a judgment such as an inspection packet rising from a packet forwarding device / port that does not follow the expected route given in advance, or a point where the inspection packet itself does not rise within a certain time is judged as an error. I do.

  Further, for example, the failure determination unit 16 acquires correct route information (information about which port of which packet transfer device is routed) from the operation control device 20 and stores it in a memory or the like. Then, the failure determination unit 16 creates path information (information about which port of which packet transfer device is routed) through which the inspection packet passes from the inspection packet and additional information passed from the inspection information acquisition unit 15. Then, the path information is compared with the correct path information stored in the memory, and it is determined whether or not the path is normal depending on whether or not they match. If they match, information indicating normality is output from the operation IF unit 11, and if they do not match, information indicating abnormality and a packet transfer apparatus estimated to be abnormal (for example, the inspection packet output is first output). The operation IF unit 11 outputs information on a packet transfer apparatus that is stopped at the time of transmission and information on a transmission section estimated to be abnormal.

  Here, by using the counter value described above, for example, by comparing the counter value at a certain point with a predetermined threshold, if the counter value is equal to or smaller than the predetermined threshold, the inspection packet is received. In addition, it can be determined that the point is abnormal.

  The failure determination unit 16 may be configured not to make a determination. For example, the inspection information acquisition unit 15 does not include the failure determination unit 16 and determines the path connection state based on the inspection information (inspection packet, additional information, counter value, etc.) received from each packet transfer device. The image information shown may be created and output from the operation IF unit 11. In this case, for example, an operator who knows the correct path configuration can determine whether there is a path abnormality by viewing the image.

  In the case of the example illustrated in FIG. 14, the inspection packet is normally output from the input side and the output side of all the packet transfer apparatuses, and the failure determination unit 16 outputs information indicating that the path is normal. .

  In the case of the example shown in FIG. 16, the inspection packet is not output from the output side of the packet transfer apparatus 2 and the subsequent points. In this case, the failure determination unit 16 determines that there is an abnormality in the packet transfer device 2 and outputs that fact.

  The technology according to the present embodiment can be used for inspection in both in-service and out-of-service.

  The out-of-service inspection is an inspection in a state where the traffic conduction between user apparatuses is not performed, and is performed before the path is opened. At this time, the packet transfer device is in a state in which transfer settings are entered, but the UNI connected to the user device is in the off (down) state, and whether or not it can be turned on (up) from now on. Is to inspect. The in-service inspection is an inspection that is performed while the traffic continuity is being established between the user apparatuses after the path is opened, and is inspected in a form that is distinguished from the user traffic.

(About narrowing down suspected packet forwarding equipment)
In the present embodiment, in the case shown in FIG. 16, as described below, the scan table is inserted into an arbitrary place to isolate the abnormal table in the suspected packet transfer apparatus (range). Can be narrowed down).

  FIG. 17 is a diagram illustrating a configuration in which a scanning table is inserted into the packet transfer apparatus 100. Such generation of the scan table and setting (insertion) into the packet transfer apparatus is performed by an inspection command from the inspection control apparatus 10 based on an instruction from the operator (instruction on which table in which apparatus is inserted). The setting unit 15 executes. That is, the packet transfer apparatus 100 receives scanning table information from the inspection command setting unit 15 of the inspection control apparatus 10 and thereby adds scanning packet processing means for performing inspection in the packet transfer apparatus 100. As shown in FIG. 17 as an example, in the scanning table, as in the reservation table for input, a test field is found (matched) in the input test packet as the highest priority entry. Then, an instruction for copying and transferring data to the inspection control apparatus 10 and transitioning to the next table is described. When copying and transferring data to the inspection control apparatus 10, identification information of a table may be added.

  As a result, the inspection range can be set as shown in the figure. For example, in the state of FIG. In the case where no data is received from a point in the output reservation table, the failure determination unit 16 can determine that there is an abnormality between the scan table and the output reservation table.

  The packet transfer apparatus 100 may include a function of adjusting the order between the scanning table and the normal use table as an internal table management function. For example, when the inspection control apparatus 10 tries to insert the inspection table between the normal table m and the normal table m + 1 (m: arbitrary), the packet transfer apparatus 100 automatically performs this scan after the table m. Adjust to a table. For example, as an example realized using OpenFlow, the inspection control apparatus 10 stores these table numbers while managing the numbers inside the packet transfer apparatus 100 with numbers such as tables 10, 20, 30,. It is possible to implement such that tables 1, 2, 3,... Are shown, and when the scanning table is inserted immediately after m = 2, the scanning table is internally set as the table 25.

  As shown in FIG. 17, the separation may be performed by inserting one scanning table, or, as shown in FIG. 18, the narrowing inspection in which the interval between input and output is determined can be realized by inserting two scanning tables. Is also possible. Based on information such as inspection packets received by the inspection information acquisition unit 15 from the packet transfer device, the inspection control device 10 changes the position at which the scanning table is sandwiched as appropriate, and which part (table) has a problem. Can be determined.

  As shown in FIG. 17 and FIG. 18 described above, in the method of searching for an abnormal place by changing the position where the scanning table is inserted in accordance with the acquisition status of the inspection packet or the like from the packet transfer apparatus 100, each packet In the transfer apparatus 100, it is desirable to perform an operation that prohibits jumping over a table for entry search.

  When jumping over the table is permitted, as shown in FIG. 19, the scanning table is jumped, the inspection packet is not output from the position of the scanning table, and the inspection control apparatus 10 is abnormal in the inspection range shown in FIG. This is because there may be a case where it is erroneously determined that there is.

  However, for example, the inspection control device 10 acquires information on the table and entry in the packet transfer device from the database of the operation control device 20, and a jump from table 0 to table m + 1 is defined as shown in FIG. If it is determined that the scanning table is inserted (eg, after the table m + 1), it is not necessary to prohibit the operation of jumping over the table. It becomes possible to do appropriately.

  In this embodiment, the reservation table for input and the reservation table for output are set in each packet transfer apparatus as the reservation table, but only one of them may be set. Only one of them can identify a packet transfer apparatus that may be abnormal.

  In the present embodiment, the reservation table is provided separately from the normal table. However, the entries described in the reservation table described so far are described in the normal table, so that an inspection can be performed. It is also possible to realize the configuration.

  The multistage table in the present embodiment may be referred to as a list of processing rules for input packets. A set of entries may be referred to as a list of processing rules for an input packet.

(Other configuration examples)
As described above with reference to FIGS. 5 to 8 and the like, the basic configuration of the packet transfer apparatus 100 according to the present embodiment is as shown in FIG. 20, and before and after one or more packet transfer processing units ( Any one of them (same below) is provided with an inspection packet processing unit. In the examples described so far, each packet transfer processing unit and inspection packet processing unit are configured by tables, but each packet transfer processing unit is not limited to a table, and may be configured based on some processing rule. . That is, one or more packet transfer processing units shown in FIG. 20 can be configured from a list of processing rules (FIG. 21).

  The processing rules, that is, the example in which the packet transfer processing unit is configured from the table (this is called a basic example) is as described above, but the packet transfer processing unit may be configured from the action in the entry. (Modification 1) may be configured from entries in the table (Modification 2). The packet transfer processing unit may be a packet processing device (switch or the like) (Modification 3). Hereinafter, these modifications 1 to 3 will be described.

<Modification 1>
As illustrated in FIG. 22, the packet transfer apparatus 100 according to the first modification focuses on one entry in the table and uses each packet transfer processing unit as an action in the entry. An inspection action as an inspection packet processing unit is provided before and after the list. That is, a list of processing rules is configured as the one or more actions in an entry including a match condition and one or more actions, and the inspection packet processing unit is configured to have the head part of the one or more actions or The last part is added by adding an action to the inspection packet.

  The packet transfer apparatus 100 illustrated in FIG. 22 corresponds to one entry, but the packet transfer apparatus 100 includes entries other than the entry and a packet processing unit corresponding to a table including these entries. Good. Hereinafter, the configuration shown in FIG. 22 will be described more specifically.

In OpenFlow used in the present embodiment, there is a command called “Apply-Actions” that is executed in the order of written actions. An example in Entry X is shown below.
(Example) Entry X
priority = 100, match = import: 1, eth_dst: A, vlan_vid: M,
apply_actions = pop_vlan, eth_src: B, output: 2
In the above example, when a packet enters from port 1 (import: 1), the destination address of the Ether header is A (eth_dst: A), and the VLAN tag ID is M (vlan_vid: M) (match section), VLAN The actions of removing the tag (pop_vlan), changing the source address of the Ether header to B (eth_src: B), and outputting to the port 2 (output: 2) are executed in order (apply_actions section).

  In order to check whether the apply_actions section is operating normally, an inspection action (output: Controller) for transmitting a packet to the inspection control apparatus 10 is inserted before and after the action list as described below.

(Example) Entry X
priority = 100, match = import: 1, eth_dst: A, vlan_vid: M,
apply_actions = output: Controller, pop_vlan, eth_src: B, output: 2, output: Controller
In the above example, “the appearance of the packet before the execution of the original apply_actions” can be found by the front side of the inspection action, and “the appearance of the packet after the execution of the original apply_action” can be found by the back side. When the front side is executed and the rear side is not executed, it is possible to determine that a failure has occurred in any of the actions in the original apply_actions.

  The fact that this inspection action has been executed can be determined from the fact that a certain packet hits the entry part of Entry X and arrives at Entry X. Therefore, it is useful not only for checking whether apply_actions functions normally but also for the purpose of “checking whether a packet arrives at this Entry or operates normally”.

  As described above, only one of the inspection packet processing units may be provided. However, as described above, even when an inspection action is provided as the inspection packet processing unit, only one of the inspection packet processing units functions sufficiently. To do.

  The inspection action may be directly written in Entry X as in the above example, or may be created as Entry X ′ with Priority set to a value higher than 100 (high priority). The creation of a new entry corresponds to the following second modification.

<Modification 2>
As shown in FIG. 23, the packet transfer apparatus 100 according to the second modification focuses on one table, sets each packet transfer processing unit as an entry in the table, and stores one or more entries (list of processing rules). An inspection entry as an inspection packet processing unit is provided before and after. That is, the list of processing rules is configured as one or a plurality of entries each including a match condition and an action, and the inspection packet processing unit uses the inspection rule at the beginning or end of the one or more entries. It is added by adding an entry containing an action for the packet.

  Although the packet transfer apparatus 100 illustrated in FIG. 23 corresponds to one table, the packet transfer apparatus 100 may include a packet processing unit corresponding to a table other than the table. An example of a table including inspection entries is shown in FIG.

  In the example shown in FIG. 24, if a test entry (front) is hit, it is found that a test packet has arrived at this table from another table, and if a test entry (after) is hit, the test entry is found from another table. In this table, it can be seen that the inspection field has been rewritten and a packet that has not been hit (not processed) in any entry of Entry 1 to X has arrived. That is, if the entry for inspection (after) is hit, it can be seen that the processing has failed in the table processed before this table.

<Modification 3>
As shown in FIG. 25, the packet transfer device 100 (system consisting of a plurality of devices) of Modification 3 uses each packet transfer processing unit as a packet processing device, and performs packet processing for inspection before and after one or more packet processing devices. The inspection packet processing apparatus as a unit is provided.

  Each packet processing device may be an existing network device such as a switch or a router, and does not have to support OpenFlow. As described above, the inspection packet processing apparatus does not support OpenFlow as long as it is a packet processing apparatus having a function capable of transmitting a packet to the inspection control apparatus 10 based on a predetermined match condition. Also good.

  In this modification, a packet processing device such as a switch is sandwiched between inspection packet processing devices, and the packet processing device can be inspected as a black box without any modification.

  FIG. 26 shows a summary of the above modifications and the basic example described above (using a reservation table). In each example, as in the scan table in the basic example, it is possible to perform a narrowing inspection by inserting a processing rule for inspection into the list of processing rules.

  In each example, as in the case of the table, when the inspection packet processing unit is added before the packet transfer processing unit (list of processing rules), the processing set in the inspection packet processing unit is For example, when the inspection packet processing unit is added to the packet transfer processing unit after the inspection packet processing unit is added to the packet transfer processing unit, the processing set in the inspection packet processing unit is, for example, The inspection packet can be output from a predetermined port. When the packet transfer apparatus 100 is connected to the user apparatus that is the destination of the packet through the predetermined port, the processing set in the inspection packet processing unit outputs the inspection packet from the predetermined port. It may be excluded.

(Concrete example)
FIG. 27 shows a specific example of a table configuration corresponding to the packet transfer apparatuses 1 and 2, and FIG. 28 shows a specific example of a table corresponding to the packet transfer apparatus 3. Basically, an input reservation table and an output reservation table similar to the input reservation table and the output reservation table described so far are shown, but they are described more specifically in FIGS. ing.

  In FIG. 27 and FIG. 28, it is assumed that the higher the priority value, the higher the priority, in accordance with the specification of the implementation OpenFlow. 27 and 28, there is a description of metadata (metadata), which is referred to in order to take over the information of the value in the subsequent table, as in the “output port instruction information” described above. This value is used only inside the device. Also, “OAM field” in the figure corresponds to “existing field exists” shown in FIG. “Normal data is empty shot” in the figure means that normal data is transferred as it is to the normal table in the subsequent stage.

(Other application examples)
In the present embodiment, it is assumed that an OpenFlow switch is used as a packet transfer device, but the present invention can be applied without depending on a communication method.

  For example, in an L2 switch, an L3 (IP) router, or a firewall device, an end-end path using a function (eg, policy-based routing technology) that can specify an arbitrary condition match / forwarding destination for an input packet As described above, the path inspection similar to the path inspection described so far is performed by setting the match condition of the inspection packet and the transfer command to the inspection control device 10 as described above. Is possible.

(Summary of the embodiment, effects, etc.)
As described above, in the packet transfer apparatus according to the present embodiment, in addition to the packet transfer processing unit such as the normal table, the input having the function of identifying the inspection packet and transmitting the packet information to the inspection control apparatus 10 An inspection packet processing unit such as a reservation table for output and / or a reservation table for output is provided. Further, it is possible to provide a scanning packet processing unit such as a scanning table that can perform an investigation by narrowing down the range of an arbitrary table or the like in the packet transfer apparatus.

  In addition, the inspection control device 10 includes an inspection packet creation function, a function of injecting inspection packets into the packet transfer device, a function of operating a reservation table and a scan table, information of inspection packets received from the packet transfer device, etc. Based on this, a function for determining the presence or absence of a failure and outputting the result is provided.

  According to such a technique according to the present embodiment, even in an OpenFlow network in which a packet field is arbitrarily rewritten during transfer, it passes through exactly the same communication path and processing table as user data. There is an effect that inspection of D-Plane can be made universally.

  When the conventional OAM technology (IP-Ping, etc.) performed between user terminals is compared with the technology according to the present embodiment, a test (for inspection) packet is not sent to the UNI (user direction) of Egress at the final stage. In other words, there is an effect that it can be kept inside the network without generating extra traffic.

  In the embodiment using the reservation table, the inspection can be realized without rewriting a normal table or performing an operation on the normal table. Therefore, there is also an effect that there is no risk of correcting / damaging a communication table entry or the like that controls the actual flow of user data at the time of inspection.

  Further, according to the present embodiment, by additionally using a function such as a scanning table, it is possible to classify in detail which table has an abnormality in the suspected packet transfer apparatus. Become.

  Furthermore, in the present embodiment, data that is substantially the same as the packet sent by the user (excluding only the check bit) can be flowed in as the check packet. That is, since it is not a packet format dedicated to the OAM function as in the prior art, it is possible to perform a more faithful test that has become the actual communication of the user, and it is possible to perform an accurate separation. .

  Hereinafter, the configurations disclosed in this specification are listed as examples.

(Section 1)
A packet transfer apparatus constituting a network for transferring packets,
A packet transfer processing means for transferring the packet;
Based on information received from the inspection control device, an inspection packet processing means is added before or after the packet transfer processing means,
The inspection packet processing means performs processing set in the inspection packet processing means on the inspection packet, and notifies the inspection control device according to the processing.
A packet transfer apparatus.
(Section 2)
The packet transfer processing means includes a list of processing rules for the input packet, and the inspection packet processing means is added by adding a processing rule for the inspection packet to the head part or the last part of the list. The packet transfer apparatus according to item 1, characterized in that:
(Section 3)
The list of processing rules is configured as a multi-stage table, and the inspection packet processing means adds a table including processing rules for inspection packets to the beginning or end of the multi-stage table. The packet transfer apparatus according to item 2, wherein the packet transfer apparatus is added.
(Section 4)
The list of processing rules is configured as one or a plurality of entries each including a match condition and an action, and the inspection packet processing means is configured to inspect a head portion or a last portion of the one or a plurality of entries. The packet transfer apparatus according to claim 2, which is added by adding an entry including an action for the packet.
(Section 5)
The list of processing rules is configured as the one or more actions in an entry including a match condition and one or more actions, and the inspection packet processing means includes a head portion of the one or more actions or The packet transfer device according to item 2, wherein the packet transfer device is added by adding an action to the inspection packet at the last part.
(Section 6)
Based on the information received from the inspection control device, scanning packet processing means for performing inspection in the packet transfer device is added by adding a processing rule for the inspection packet to the list of processing rules. The packet transfer device according to any one of Items 2 to 5, wherein
(Section 7)
When the inspection packet processing means is added before the packet transfer processing means, the processing set in the inspection packet processing means is to transfer the inspection packet to the packet transfer processing means, When the inspection packet processing means is added after the packet transfer processing means, the processing set in the inspection packet processing means is to output the inspection packet from a predetermined port. The packet transfer device according to any one of claims 1 to 6.
(Section 8)
When the packet transfer apparatus is connected to a user apparatus that is a packet destination via the predetermined port, the processing set in the inspection packet processing means outputs the inspection packet from the predetermined port. The packet transfer apparatus according to item 7, wherein the packet transfer apparatus is not included.
(Section 9)
An inspection method in a packet transfer apparatus constituting a network for transferring packets,
The packet transfer apparatus includes a packet transfer processing unit that performs transfer processing of the packet,
Adding inspection packet processing means before or after the packet transfer processing means based on information received from the inspection control device;
The inspection packet processing means includes a step of performing processing set in the inspection packet processing means on the inspection packet and notifying the inspection control device according to the processing. Inspection method.
(Section 10)
A program for causing a computer to function as each unit in the packet transfer apparatus according to any one of Items 1 to 8.
(Section 11)
An inspection control device that performs inspection control on a packet transfer device constituting a network for transferring packets,
The packet transfer apparatus includes a packet transfer processing unit that performs packet transfer processing based on a list of processing rules for an input packet,
Means for causing the packet transfer apparatus to add inspection packet processing means by transmitting information including processing rules for the inspection packet to the packet transfer apparatus;
Means for injecting an inspection packet into the packet transfer device;
Means for obtaining information output by the inspection packet processing means that has received the inspection packet;
An inspection control apparatus comprising: a determination unit that determines normality of the network based on the acquired information.
(Section 12)
The determination unit obtains the configuration information from an operation control apparatus that stores the configuration information of the network, and compares the configuration information with the configuration information based on the acquired information, thereby determining the normality of the network. The inspection control device according to item 11, wherein the inspection control device is determined.
(Section 13)
An inspection control method executed by an inspection control device that performs inspection control on a packet transfer device constituting a network for transferring packets,
The packet transfer apparatus includes a packet transfer processing unit that performs packet transfer processing based on a list of processing rules for an input packet,
Sending the packet transfer device with inspection packet processing means by transmitting information including the inspection packet processing rules to the packet transfer device;
Injecting inspection packets into the packet forwarding device;
Obtaining information output by the inspection packet processing means that has received the inspection packet;
A test control method comprising: a determination step of determining normality of the network based on the acquired information.
(Section 14)
A program for causing a computer to function as each means in the inspection control apparatus according to Item 11 or 12.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

DESCRIPTION OF SYMBOLS 10 Inspection control apparatus 11 Operation IF part 12 Inspection packet preparation process part 13 Inspection packet injection part 14 Inspection instruction setting part 15 Inspection information acquisition part 16 Failure determination part 20 Operation control apparatuses 1-3, 100 Packet transfer apparatus 30 Source user device 40 Destination user device

Claims (4)

An inspection control device that performs inspection control on a packet transfer device constituting a network for transferring packets,
The packet transfer apparatus includes a packet transfer processing unit that performs packet transfer processing based on a list of processing rules for an input packet,
With respect to the packet transfer device, by transmitting the information including the processing rules of the test packet, before and after the packet forwarding processing means definitive to the packet transfer device, and means for adding the test packet processing means,
Means for injecting an inspection packet into the packet transfer device;
Each of the inspection packet processing means provided before and after the packet transfer processing means acquires information to be output by performing processing on the inspection packet ;
An inspection control apparatus comprising: a determination unit that determines normality of the network based on the acquired information. The determination unit obtains the configuration information from an operation control apparatus that stores the configuration information of the network, and compares the configuration information with the configuration information based on the acquired information, thereby determining the normality of the network. The inspection control apparatus according to claim 1, wherein determination is performed. An inspection control method executed by an inspection control device that performs inspection control on a packet transfer device constituting a network for transferring packets,
The packet transfer apparatus includes a packet transfer processing unit that performs packet transfer processing based on a list of processing rules for an input packet,
With respect to the packet transfer device, by transmitting the information including the processing rules of the test packet, before and after the packet forwarding processing means definitive in the packet forwarding device, a step of adding a test packet processing means,
Injecting inspection packets into the packet forwarding device;
Each of the inspection packet processing means provided before and after the packet transfer processing means obtains information to be output by performing processing on the inspection packet ; and
A test control method comprising: a determination step of determining normality of the network based on the acquired information.   The program for functioning a computer as each means in the test | inspection control apparatus of Claim 1 or 2.

Images