KR101712168B1 - Method for controling packet-in message, switch and controller thereof - Google Patents

Abstract

Disclosed are a packet input message control method, and a switch and a controller performing the same. The packet input message control method by a switch in software-defined network comprises: a step that the switch determines whether a flow entry matching with a packet received from a place of dispatch exists; a step of determining whether usage of a central processing unit (CPU) is less than a critical value if the matching flow entry does not exist; and a step of generating a packet input message for the received packet and transmitting the generated message to a controller if the CPU is less than the critical value.

Description

[0001] METHOD FOR CONTROLLING PACKET IN MESSAGE, SWITCH AND CONTROLLER THEREOF [0002]

[0001] The present invention relates to a packet input message control method, a switch and a controller for performing the same, and more particularly, to a switch and a controller through packet input (PACKET_IN) message control in a Software Defined Network (SDN) Lt; / RTI >

OpenFlow technology has emerged to provide an open standard interface to users or developers while addressing the high cost of the switch.

The open flow technology separates the packet forwarding and control functions of the network switch and provides a protocol for communication between the two functions so that the software driven by the external control device can determine the packet path in the switch regardless of the equipment manufacturer .

An open flow system includes a switch and a controller. The open flow system is configured to use a standardized open flow protocol between a switch and a controller to perform a current network function. A software defined network SDN) network.

In normal SDN network communication, when a new packet is received by the switch and processing for the packet is not defined in the flow entry table, a packet input (PACKET_IN) message (OpenFlow Encapsulated Packet) including a part of the packet is sent to the controller To the controller. After receiving the message, the controller parses the packet input (PACKET_IN) message, defines an action to process it, generates a flow modification (FLOW_MOD) message including the action, and transmits the message to the switch.

The switch creates a flow table according to the flow modification (FLOW_MOD) message received from the controller. Thereafter, when a packet including the same field value as the information defined in the flow table (for example, an incoming port, a MAC address, an IP address, etc.) is received, the packet is processed according to the action defined in the flow table.

However, when a large number of new packets (that is, packets having different field values from the information stored in the flow table) are input to the switch, the CPU load of the switch is rapidly increased, so that other service flows may be affected, You may face a situation that could lead to

In addition, since the controller receives an excessive packet input (PACKET_IN) message, it also affects the performance of a controller that plays an important role in the SDN structure.

In addition, packets generated from multiple clients such as DDoS are all input into a packet input (PACKET_IN) message for the reason mentioned above, so that it is necessary to effectively control packet input (PACKET_IN) messages.

SUMMARY OF THE INVENTION Accordingly, it is an object of the present invention to provide a packet input message control method for controlling a limited number of packet input (PACKET_IN) messages of a switch based on a CPU (Central Processing Unit) usage amount and a traffic amount of a switch, Controller.

According to one aspect of the present invention, a method for controlling a packet input message includes the steps of: determining whether a switch has a flow entry matching a received packet received from a source, Determining whether a usage amount of the CPU (CENTRAL PROCESSING UNIT) is less than a threshold value if the matched flow entry does not exist, and generating a packet input message for the received packet if the matched value is less than the threshold, .

Prior to determining whether the matched flow entry is present,

Further comprising setting a certain number of packets per second (PPS) per default unit,

Wherein the transmitting comprises:

And generating and transmitting a packet input message packet within the specific number.

After determining whether the CPU usage is below a threshold,

Reporting the CPU usage to the controller and receiving a predetermined number of packets per second reset in accordance with the CPU usage,

Wherein the transmitting comprises:

And generating and transmitting a packet input message packet within a predetermined number of packets per second of the reset unit.

After the setting of the specific number,

Monitoring the amount of CPU usage and amount of traffic, reporting the monitored CPU usage and amount of traffic to the controller, and receiving a predetermined number of packets per second reset unit when the CPU usage exceeds a threshold value Further comprising:

Wherein the transmitting comprises:

And generating and transmitting a packet input message packet within a predetermined number of packets per second of the reset unit.

Wherein said reporting comprises:

And can report the CPU usage amount and the traffic amount to the controller through SNMP (Simple Network Management Protocol).

Wherein the step of receiving from the controller a predetermined number of packets per second,

A predetermined number of packets per second can be received by using the newly defined open flow message or a newly defined application programming interface (API).

Prior to determining whether the matched flow entry is present,

Determining whether an IP address of the received packet is included in a blacklist IP address, and discarding the received packet if the IP address is included in the blacklist IP address,

Wherein determining whether the matched flow entry is present comprises:

If the IP address of the received packet is not included in the black list IP address, it is possible to determine whether there is a flow entry matching the received packet.

Prior to determining whether the IP address of the received packet is included in the blacklisted IP address,

Transmitting a packet input message to the controller, receiving a flow modification message in which an action for blocking a packet having an IP address included in the black list is defined, and setting a flow entry according to the flow modification message Further included,

Wherein the step of determining whether the IP address of the received packet is included in the blacklist IP address comprises:

And determine whether the IP address of the received packet matches the flow entry according to the black list.

Prior to determining whether the matched flow entry is present,

Transmitting a packet input message for a received packet to the controller, receiving a flow modification message defining an action for limiting generation of a packet input message for a time defined for a packet having a destination IP address of the received packet from the controller And registering the flow entry including the action according to the flow modification message,

After determining whether the matched flow entry exists,

Blocking generation of a packet input message for the currently received packet if the currently received packet from the source matches the flow entry for which the action limiting the generation of the packet input message is defined and before the predetermined time has expired, And discarding the flow entry after the predetermined time has expired.

According to another aspect of the present invention, there is provided a switch of a software defined network, comprising: a packet processor for determining whether there is a flow entry matched with a received packet received from a source and, if so, processing the received packet according to a corresponding flow entry; A packet input message controller for determining whether a usage amount of the CPU (CENTRAL PROCESSING UNIT) is less than a threshold if the matched flow entry does not exist, and a controller for generating a packet input message for controller Processing unit.

Wherein the packet input message controller comprises:

The number of packets per second (PPS) per default unit can be set to a specific number, and generation of the packet input message packet can be restricted within the specific number.

Wherein the switch further comprises a threshold receiver for reporting the CPU usage to the controller and receiving a predetermined number of packets per second reset in accordance with the CPU usage when the CPU usage is greater than or equal to a threshold,

Wherein the packet input message controller comprises:

The generation of the packet input message packet may be restricted within a predetermined number of packets per second of the reset unit.

Wherein the threshold value receiver comprises:

A predetermined number of packets per second can be received by using the newly defined open flow message or a newly defined application programming interface (API).

Wherein the threshold value receiver comprises:

When the amount of traffic of a specific port is N times or more than the amount of traffic of another port, a certain number of packets per second, which is reset to 1 / N, is transmitted to the packet input message controller have.

Wherein the threshold value receiver comprises:

It is possible to receive from the controller a predetermined number of packets per unit of a plurality of units set differently for each port.

The number of packets per second set in a port connected to a switch in the same domain may be set lower than a predetermined number of packets per second set in a port connected to the outside.

The switch may further include a monitoring unit for monitoring the CPU usage amount and an amount of traffic, and an SNMP communication unit reporting the CPU usage amount and the traffic amount provided from the monitoring unit to the controller through SNMP (Simple Network Management Protocol) have.

Wherein the switch further comprises a flow table storing unit for storing a flow entry including a black list IP address and a flow table controller for registering the flow entry including the black list in a flow table storing unit according to the flow modification message,

The message processing unit,

Receiving a flow modification message defining an action for blocking a packet having an IP address included in the black list by transmitting a packet input message to the controller and delivering the flow modification message to the flow table controller,

The packet processing unit,

It is possible to inquire the flow entry registered in the flow table storage unit to determine whether the IP address of the received packet is included in the blacklist IP address and discard the received packet if the IP address is included in the blacklist IP address.

The message processing unit,

Receiving a flow modification message in which an action is defined for transmitting a packet input message to the controller to restrict generation of a packet input message for a predetermined time,

Wherein the flow table control unit comprises:

Registering the flow entry in the flow table storage unit according to the flow modification message, discarding the flow entry after the predetermined time has expired,

The packet processing unit,

It may block generation of a packet input message for the currently received packet if the currently received packet from the source matches the flow entry for which the action of restricting the generation of the packet input message is defined and before the predetermined time has expired.

According to another aspect of the present invention, a controller is a controller of a software defined network, comprising: a monitoring unit for monitoring a usage amount of a CPU (CENTRAL PROCESSING UNIT) of a switch of the software defined network; and, when the CPU usage exceeds a predetermined threshold, And a threshold setting unit for resetting the number of packets per second (PPS) for limiting the packet input message generating packet and providing the packet to the switch.

The threshold value setting unit may set,

A plurality of threshold values different from each other in steps may be compared with the CPU usage amount, and the predetermined number of packets per second (PPS) may be increased / decreased step by step according to the comparison result.

The controller further includes an SNMP communication unit for receiving the CPU usage amount and the traffic amount of the switch from the switch through a Simple Network Management Protocol (SNMP) and transmitting the received amount to the monitoring unit,

The threshold value setting unit may set,

It is possible to transmit the predetermined number of packets per second (PPS) reset according to the CPU usage amount and the traffic amount to the switch using a newly defined open flow message or a newly defined application programming interface (API).

The threshold value setting unit may set,

If the amount of traffic on a particular port is N times greater than the amount of traffic on another port, the number of packets per second per port can be set to 1 / N.

The threshold value setting unit may set,

It is possible to set the port connected to the switch of the same domain to be higher in priority than the port connected to the outside and set the number of certain packets per second unit of the higher priority port to be lower than the number of certain packets per unit of the port whose priority is relatively low .

The controller receives a packet input message from the switch and transmits a flow modification message to the switch, and generates a black list by collecting IP information generating malicious traffic from the security center, Further comprising a flow rule generator for defining an action for blocking a packet having an IP address included in the black list if the source IP address and the destination IP address included in the black list are compared with the black list,

The message processing unit,

A flow modification message including the action may be transmitted to the switch.

Wherein the controller comprises: a message processor for receiving a packet input message from the switch and transmitting a flow modification message to the switch; and, if the traffic volume or CPU usage of the incoming port extracted from the packet input message exceeds a threshold, Further comprising a flow rule generator for generating an IP table composed of IP addresses extracted from the packet input message and defining an action for restricting generation of a packet input message for a packet having the IP address for a predetermined time,

The message processing unit may transmit the flow modification message including the action to the switch.

According to the embodiment of the present invention, an excessive packet input (PACKET_IN) message according to a new connection request of the SDN-based network equipment is confirmed and controlled in real time, and thereby the CPU load of the GiGA office network equipment (controller and switch) It is possible to prevent malfunctions in advance and to provide services to various customers in a stable manner.

In addition to providing stability of SDN-based network devices (switches, controllers), it can effectively block malicious traffic such as DDoS in the SDN network.

1 is a configuration diagram of a SDN (Software Defined Network) network system according to an embodiment of the present invention.
2 is a block diagram showing the detailed configuration of the controller of Fig.
3 is a block diagram showing a detailed configuration of the switch of FIG.
4 illustrates a structure of a packet input message according to an embodiment of the present invention.
5 is a flowchart illustrating a method of controlling a packet input message according to an embodiment of the present invention.
6 is a flowchart illustrating a method of setting a packet input message control condition according to an embodiment of the present invention.
7 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention.
8 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention.
9 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention.
10 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention.
11 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when an element is referred to as "comprising ", it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise.

Also, the terms of " part ", "... module" in the description mean units for processing at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software.

Hereinafter, a method of controlling a packet input message according to an embodiment of the present invention, a switch and a controller for performing the method will be described in detail with reference to the drawings.

1 is a configuration diagram of a SDN (Software Defined Network) network system according to an embodiment of the present invention.

Referring to FIG. 1, an SDN network includes a controller 100 and a plurality of switches 200.

The controller 100 is a server device that performs path control of a plurality of switches 200 in the SDN network, but is not limited by physical implementation form, implementation location, or the like.

The controller 100 monitors a plurality of switches 200 in the SDN network and dynamically sets a transmission path of packets to a plurality of switches 200 in the SDN network according to communication conditions. The controller 100 registers the flow on the switch by creating a flow table using an Open Flow Protocol message.

The controller 100 may make a plurality of switches 200 as requests for adding, changing, and deleting information on the flow tables of the plurality of switches 200. [

Here, the flow defines a predetermined action to be performed on a packet conforming to a predetermined rule. The rules of the flow are defined by various combinations of any or all of the destination address, the source address, the destination port, and the source port included in the header area of the packet frame, and the rule is identifiable.

The plurality of switches 200 is a switching node in the SDN network and transmits packets received from the source 300 to the destination 400 according to the flow entry registered in its flow table. At this time, the source 300 and the destination 400 may be a network device or a server.

When the switch 1 (200-1) receives a packet from the source 300 (①), it checks whether the flow entry corresponding to the received packet is registered in the flow table. If it is not registered, the controller 100 transmits a packet input (PACKET_IN) message to the controller 100 for inquiring about a flow entry corresponding to the received packet (2).

The controller 100 refers to the source IP address and the destination IP address of the packet received by the switch 1 200-1 through the analysis of the received packet input (PACKET_IN) message, And newly generates flow control information for the packet. Then, the switch 1 (200-1) transmits a flow modification (FLOW_MOD) message to the switch 1 (200-1), which defines an action to be performed for a packet having the same field, (3). Here, the flow modification (FLOW_MOD) message is a message for setting (adding, changing, deleting) a flow entry or creating a flow table for the flow table of the switch 1 (200-1).

The switch 1 (200-1) transmits the received packet to the switch 2 (200-3) according to the flow entry set by the flow modification (FLOW_MOD) message (4)

If the flow entry corresponding to the received packet is not registered in the flow table, the switch 2 (200-3) transmits to the controller 100 a packet input (PACKET_IN) message inquiring about the flow entry corresponding to the received packet (⑤).

The controller 100 transmits a flow modification (FLOW_MOD) message defining an action to the switch 2 (200-3) through analysis of the received packet input (PACKET_IN) message (6). Then, the switch 2 (200-3) transmits the received packet to the destination 400 according to the flow entry set by the flow modification (FLOW_MOD) message (7)

2 is a block diagram showing the detailed configuration of the controller of Fig.

2, the controller 100 includes a message processing unit 101, a flow rule generation unit 103, a Simple Network Management Protocol (SNMP) communication unit 105, and a threshold value setting unit 107.

The message processing unit 101 receives a packet input message from the switch 200 and transmits a flow modification message to the switch 200. The message processing unit 101 delivers the received packet input message to the flow rule generation unit 103. The message processing unit 101 generates and transmits a flow modification message including the flow rule (or action) received from the flow rule generation unit 103. [

The flow rule generation unit 103 manages a black list composed of IP addresses related to malicious traffic provided from a national cyber security center (not shown). If a source IP address and a destination IP address of a packet input (PACKET_IN) message received from the switch 200 are included in a black list, an action for dropping a packet having the same field, .

When a packet not registered in the flow table is received in the switch 200, the flow rule generation unit 103 determines whether the CPU usage amount of the switch 200 and the threshold value of the total traffic are exceeded. If not, (PACKET_IN) message to the controller 100, but if exceeded, defines an action to limit the number of packet input (PACKET_IN) messages until the CPU usage of the switch 200 and the total traffic are below the threshold.

In addition, the flow rule generation unit 103 may limit the number of packet input (PACKET_IN) messages for a particular port having a large incoming traffic until the CPU usage of the switch 200 and the total traffic become less than the threshold, And defines an action to limit new traffic coming into the corresponding specific port.

The flow rule generation unit 103 drops a packet input (PACKET_IN) message for a specific destination IP address without generating a packet for a predetermined period of time when the CPU usage of the switch 200 and the total traffic exceed a threshold value Define the action.

When the CPU usage amount of the switch 200 or the total traffic exceeds the threshold value, the flow rule generation unit 103 generates SRC_IP = *, DST_IP = destination IP address of the destination address having a large number of packet input (PACKET_IN) , action = meter_id ". After blocking the packet input (PACKET_IN) message for a specific time using the hard_timeout of the flow modification (FLOW_MOD) message, DST_IP = defines an action that causes a new packet destined for the destination IP to be delivered directly to the destination.

The SNMP communication unit 105 receives the CPU usage amount and the traffic amount of the switch 200 from the switch 200 through SNMP communication and transmits the received amount to the monitoring unit 109.

The threshold value setting unit 107 determines whether the CPU usage amount and the traffic amount of the switch 200 monitored by the monitoring unit 109 exceed the threshold value and if the CPU usage amount and the traffic amount exceed the threshold value, the threshold setting unit 107 resets the PPS of the switch 200, .

The threshold value setting unit 107 reduces the number of packet input (PACKET_IN) messages that can be processed by the switch 200 by adjusting the PPS whenever the CPU usage amount or the traffic amount exceeds a specific threshold value.

The threshold value setting unit 107 can set PPS = N / M. Here, the default number of PPS is N, and M is a user-defined number. That is, by dividing the number of default PPSs (N) by a user-defined number (M), the number of packet input messages per second transmitted by the switch 200 to the controller 100 is reduced.

For example, assume that the limit number PPS of the first packet input (PACKET_IN) message is N. When the CPU usage is 50%, the packet input (PACKET_IN) message limitation number (PPS) is set to N / 2, and when the CPU usage is 60%, the packet input (PACKET_IN) message limitation number (PPS) If the CPU usage is more than 90%, set the packet input (PACKET_IN) message limit (PPS) to 0 until the CPU usage drops below 80%. The PPS (PACKET_IN) message limit number (PPS) is also adjusted for the amount of traffic through the same method.

Since the CPU load of the switch 200 increases as the PPS increases, the threshold setting unit 107 decreases the PPS threshold value as the CPU load increases. The switch 200 uses the CPU of the switch 200 to process the packet input (PACKET_IN) message. However, if the PPS exceeds a specific value, that is, a threshold value, the CPU of the switch 200 rapidly increases and the packet input (PACKET_IN) message can not be normally generated. For example, when the PPS is set to about 5,000, there is almost no CPU load. However, when the number of PPS is about 10,000, the CPU load is considerably generated, so that the normal operation may not be performed on the packet received from the switch 200. Accordingly, the switch 200 determines whether to generate a packet input (PACKET_IN) message in comparison with the PPS threshold, thereby eventually reducing the load on the switch 200.

In addition, the threshold value setting unit 107 sets the priority of a switch port connected to a location in the same domain higher than that of a switch port connected to the outside, and transmits a packet input (PACKET_IN) message restriction number (PPS) It is set to be larger than the packet input (PACKET_IN) message limitation number (PPS) of the connected port.

The description of these components will be described later in more detail with reference to Figs. 5 to 12. Fig.

3 is a block diagram showing a detailed configuration of the switch of FIG.

3, the plurality of switches 200 includes a packet receiving unit 201, a packet processing unit 203, a packet transfer unit 205, a flow table storage unit 207, a flow table control unit 209, a message processing unit A packet input message control unit 213, a threshold value receiving unit 215, an SNMP communication unit 217, and a monitoring unit 219.

The packet receiving unit 201 receives the packet from the source 300. And transmits the received packet to the packet processing unit 203.

The packet processing unit 203 extracts the flow information from the received packet. Then, it is judged whether or not the flow entry matched with the flow information is registered in the flow table storage unit 207. If registered, the packet transmitting unit 205 transmits the received packet to the destination 400 according to the flow entry matched with the flow information.

On the other hand, if not registered, the packet processing unit 203 requests the message processing unit 211 to generate a packet input (PACKET_IN) message.

The flow table storage unit 207 stores a flow table composed of a plurality of flow entries. The flow entries are composed of match fields, counters, and action information. The flow entries provided from the controller 100 may constitute a flow table in the switch 200.

The match field includes the MAC address, IP address, port, priority, etc. of the port 200 of the switch 200, ethernet and protocol information, source (i.e., source) and destination (destination) Can be stored.

The packet processing unit 203 compares the flow information extracted from the received packet to the switch 200 with the information of the match field of the flow table to determine whether flow control information on the received packet exists in the flow table.

Actions include information on how to process the packet when the information of the packet flowing into the switch 200 matches the information of the match field of the flow table, and the flow rule generator (controller) 103).

The counters indicate the amount of traffic transmitted and received per flow entry, and may be used as a parameter when the controller 100 calculates the communication path of the packet.

The flow table control unit 209 performs processing specified by the flow modification message received from the controller 100 through the message processing unit 211 (that is, adding, deleting, or changing the flow entry).

The packet input message control unit 213 restricts generation of a packet input message according to an action stored in the flow table storage unit 207. [

The threshold value receiving unit 215 receives the threshold PPS value from the controller 100. At this time, the default value is set to N for PPS.

The SNMP communication unit 217 reports the amount of CPU usage and traffic of the switch 200 monitored by the monitoring unit 219 to the controller 100.

The monitoring unit 219 monitors the amount of CPU usage and traffic of the switch 200 and transmits the monitoring result to the SNMMP communication unit 217.

The description of these components will be described later in more detail with reference to Figs. 5 to 12. Fig.

4 shows a structure of a packet input (PACKET_IN) message according to an embodiment of the present invention.

4, each field includes a buffer ID, a total length, a reason, a table ID tbl_id, a cookie, a match field, a pad, Data field and includes a portion of the data packet received from the source 3000. The packet input (PACKET_IN) message is slightly different for each OpenFlow version, and the structure of FIG. .

At this time, it is a flow entry composed of Match Fields, Counters, and Actions information, and the flow entries provided from the controller 100 can constitute a flow table in the switch 200. [

Here, the match field includes a MAC address, an IP address, a port, and a priority of the port 200 of the switch 200, ethernet and protocol information, a source (i.e., a source) and a destination Ranking and the like can be stored.

The switch 200 can compare the information of the incoming packet with the information of the match field of the flow table to determine whether the flow control information on the packet exists in the flow table. Actions may include information on how to process the packet when the information of the packet flowing into the open flow switch 200 matches the information of the match field of the flow table.

The counters indicate the amount of traffic transmitted and received per flow entry, and may be used as a parameter when the controller 100 calculates the communication path of the packet.

FIG. 5 is a flowchart illustrating a method of controlling a packet input message according to an embodiment of the present invention, illustrating the operation of the switch 200. FIG.

Referring to FIG. 5, the packet input message controller 213 sets the number of packets per second (PPS) as a threshold value N (S101). Here, 'PPS = N' means that a packet input (PACKET_IN) message that can be transmitted from the switch 200 to the controller 100 is set to N per second. That is, it also means that it can not exceed N.

When the packet receiving unit 201 receives a packet from the source 300 (S103), it transfers the received packet to the packet processing unit 203. [ The packet processing unit 203 determines whether the IP address of the received packet is included in the black list (S105).

Here, the black list includes a source IP address and a destination IP address for generating malicious traffic, and is included in a flow table stored in the flow table storage unit 207.

If the IP address of the received packet, that is, the source IP address or the destination IP address is included in the black list, the packet processing unit 203 discards the received packet (S107).

On the other hand, if it is determined in step S109 that the IP address is not included in the black list IP address, the packet processing unit 203 extracts the flow information from the received packet. The flow information includes identification information of an ingress port, a packet inflow port of the switch 200, packet header information (IP address of a source and destination, MAC address, port, VLAN information, etc.), metadata .

The packet processing unit 203 inquires the flow table storage unit 207 based on the flow information and determines whether there is a flow entry matched with the matched received packet (S109).

At this time, if there is a matched flow entry, the packet processing unit 203 processes the received packet according to the matched flow entry (S111). The packet transferring unit 205 transfers the received packet to the packet path set in the flow entry.

On the other hand, if there is no matched flow entry, the packet processing unit 203 requests the message processing unit 211 to transmit a packet input (PACKET_IN) message.

Before the message processor 211 generates a packet input message PACKET_IN, the packet input message controller 213 determines whether the CPU usage amount monitored by the monitoring unit 219 is less than a threshold value (S115).

If the CPU usage exceeds the threshold value, the packet input message controller 213 resets the PPS (S117). That is, the SNMP communication unit 217 reports the monitored CPU usage amount and the traffic amount to the controller 100, and the threshold reception unit 215 receives the reset PPS and transfers the received PPS to the packet input message control unit 213.

The packet input message control unit 213 controls the number of generated packets for the packet input message within the PPS. That is, the packet input message exceeding the PPS is not generated. In this case, the received packet is discarded.

On the other hand, if it is less than the threshold value in step S115, the message processing unit 211 generates a packet input (PACKET_IN) message (S119) and transmits it to the controller 100 (S121).

The message processing unit 211 receives a flow modification (FLOW_MOD) message including a flow entry for a received packet from the controller 100 (S123), and transfers the flow modification message to the flow table control unit 209. [ Then, the flow table control unit 209 registers the flow entry in the flow table storage unit 207 (S125). Then, the packet processing unit 203 processes the received packet according to the registered flow entry (S127). The packet transmitting unit 205 transmits the received packet to the packet path set in the registered flow entry.

FIG. 6 is a flowchart illustrating a method of setting a packet input message control condition according to an embodiment of the present invention, and shows a linking operation of the controller 100 and the switch 200. In particular, the process of setting the blacklist condition of FIG. 5 is shown.

6, the flow rule generation unit 103 of the controller 100 collects IP information for generating malicious traffic, that is, a source IP address and a destination IP address from a security center (not shown) (S201) . Then, a black list is generated based on the collected IP information (S203) and stored.

Here, when malicious traffic such as DdoS occurs, the National Cyber Security Center sends malicious (or illegal) information to the domestic Internet service provider (ISP) (KT, SKT, LG U + And information about the IP traffic. The flow rule generation unit 103 can confirm IP information about the zombie PC that generates the DdoS and IP information about the terminal that controls the zombie PC in the center among the information received from the national cybersecurity center.

The controller 100 updates the black list every time the malicious IP information is updated and sets a flow rule to the switch 200 in advance.

Here, the flow rule setting is implemented by transmitting the flow modification message to the switch 200 through the packet input (PACKET_IN) message received from the switch 200 in the controller 100.

That is, the message processing unit 101 receives a packet input (PACKET_IN) message from the switch 200 (S205). The flow rule generation unit 103 compares the source IP address and the destination IP address included in the packet input (PACKET_IN) message with the black list generated in step S203 (S207), and determines whether the source IP address and the destination IP address coincide with each other (S209).

At this time, if there is a match, the flow rule generation unit 103 defines an action for blocking a packet having an IP address included in the black list (S211). The message processing unit 101 transmits a flow modification message including the defined action to the switch 200 (S213).

The flow table control unit 209 of the switch 200 registers the flow entry set in accordance with the flow modification message received in step S213 in the flow table storage unit 207 (S215). In this manner, steps S105 and S107 of FIG. 5 are performed according to the registered flow entry. The registered flow entry defines an action to discard the received packet if the IP address of the received packet is included in the blacklisted IP address.

On the other hand, if they do not match in step S209, the flow rule generation unit 103 defines an action based on the information of the received packet included in the packet input (PACKET_IN) message (S217). Then, the message processing unit 101 transmits a flow modification message including the defined action to the switch 200 (S219).

The flow table control unit 209 of the switch 200 registers the flow entry set in accordance with the flow modification message received in step S219 in the flow table storage unit 207 (S221).

Steps S201 to S3221 of FIG. 6 may be performed in parallel with steps S101 to S125 of FIG.

FIG. 7 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention, and shows a linking operation of the controller 100 and the switch 200. FIG. Particularly, the process of resetting the PPS threshold value of FIG. 5 based on the result of monitoring the CPU usage amount of the switch 200 is shown.

Referring to FIG. 7, the monitoring unit 219 of the switch 200 monitors the CPU usage amount and the traffic amount in real time (S301). Then, the SNMP communication unit 217 reports the CPU usage amount and the traffic amount monitored by the monitoring unit 219 to the controller 100 using SNMP (S303).

The SNMP communication unit 105 of the controller 100 determines whether the CPU usage amount received in step S303 exceeds a threshold value (S305).

At this time, if exceeded, the threshold setting unit 107 re-sets the PPS threshold value (S307), and transmits the reset PPS threshold value to the switch 200 (S309).

Here, the threshold setting unit 107 may transmit the PPS threshold reset to the switch 200 using a message defined in the OpenFlow standard or a newly defined open flow message. Or a PPS threshold reset to the switch 200 via a separate application programming interface (API).

The switch 200 changes the default PPS threshold to the PPS threshold received in step S309 (S311). Then, step S113 of FIG. 5 is performed based on the default PPS threshold changed in step S311.

The steps S301 to S311 in FIG. 7 can be performed in parallel with the steps S101 to S125 in FIG.

FIG. 8 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention, and shows the operation of the controller 100. Referring to FIG. In particular, FIG. 5 illustrates a process of resetting the PPS threshold value of FIG. 5 based on a result of monitoring the CPU usage of the switch 200 by a plurality of different threshold values.

8, the default PPS = N by setting (S401) the state threshold setting unit 107 in judges that the CPU usage been reported from the switch 200 exceeds the first threshold (Th ₁₎ (S403) .

First exceeds the threshold value (Th _1), and a threshold setting section 107 sets the threshold PPS to N (S405). That is, the default PPS threshold is maintained.

On the other hand, first it is determined that the first threshold value does not exceed the (Th _1), threshold setting unit 107, a CPU utilization exceeds a second threshold (Th ₂₎ (S407).

When the two exceeds a threshold value (Th _2), the threshold setting unit 107 sets the threshold PPS to N / 2 (S409).

On the other hand, first it is determined that the second threshold is not exceeded the (Th _2), the threshold setting unit 107, a CPU utilization exceeds a third threshold (Th ₃₎ (S411).

When the three exceeds the threshold (Th _3), the threshold setting unit 107 sets the threshold PPS as N / 3 (S413).

N / K (K = 4, ..., N) is determined for the fourth threshold value (Th ₄ ) to the N-1th threshold value (Th _{N - 1} ) if the CPU usage exceeds the threshold value as in steps S403 to S413. N-1) to set the PPS threshold.

The threshold setting unit 107 determines whether the CPU usage exceeds the Nth threshold (Th _N ) (S415). If the Nth threshold value (Th _N ) is exceeded, the PPS threshold value is set to 0 (S417).

Next, the threshold setting unit 107 monitors the CPU usage amount again after setting the PPS threshold value (S419), and performs the process again from step S403.

The PPS threshold value thus set is transmitted to the switch 200 through step S309 of FIG.

FIG. 9 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention, and shows the operation of the controller 100. Referring to FIG. In particular, a process of limiting the number of generated packet input (PACKET_IN) messages for each incoming port of the switch 200 is shown.

Referring to FIG. 9, in a state in which PPS = N is set (S501), the threshold setting unit 107 receives the CPU usage amount and the traffic amount monitored by the monitoring unit 219 from the switch 200 (S503).

The threshold setting unit 107 determines whether the CPU usage exceeds the threshold (S505). At this time, if it is not exceeded, step S503 is performed again.

On the other hand, if it is determined that the amount of traffic of the specific port is greater than N times the amount of traffic of the other port (S507).

At this time, if it is N times or more, the PPS threshold value of the specific port is set to 1 / N (S509). The PPS threshold value thus set is transmitted to the switch 200 through step S309 of FIG.

FIG. 10 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention, and shows a linking operation of the controller 100 and the switch 200. FIG. In particular, it shows the process of limiting the number of packet input (PACKET_IN) messages generated per destination.

 10, the message processing unit 101 of the controller 100 receives a packet input (PACKET_IN) message transmitted by the message processing unit 211 of the switch 200 (S601).

The flow rule generation unit 103 extracts a destination IP address and a port into which the packet is received from the packet input (PACKET_IN) message received from the message processing unit 211 (S603).

The flow rule generation unit 103 determines whether the amount of traffic or CPU usage of the incoming port that the monitoring unit 109 has checked from the switch 200 exceeds a threshold value (S605).

At this time, if the threshold value is exceeded, the flow rule generation unit 103 generates an IP table having a port, a destination IP, and a packet input (PACKET_IN) message in which the packet is input to the switch 200 (S607).

The flow rule generation unit 103 defines an action for dropping a packet without generating a packet input (PACKET_IN) message for a fixed time (hard_timeout) for a packet having a specific destination IP based on the IP table S609). Then, the message processing unit 101 transmits a flow modification message including the defined action to the switch 200 (S611).

The flow table control unit 209 sets a flow entry according to the flow modification message received in step S611 (S613) and registers the flow entry in the flow table storage unit 207. [

As a detailed operation corresponding to step S111 of FIG. 5, according to the flow entry registered in step S613, the packet processing unit 203 receives a packet input (PACKET_IN) for a received packet having a specific destination IP address for a fixed time (hard_timeout) ) Message, but discard it altogether. Here, there are two schemes in which the flow table control unit 209 reflects the flow, as hard_timeout and idle_timeout. In the case of hard_timeout, a specific time is set, and the flow rule is removed when a specified time elapses. The flow rule is deleted after a predetermined time regardless of whether a packet matched with the flow rule is received. On the other hand, if idle_timeout does not receive a packet matched with the flow rule for a specific time, the flow rule is deleted. In the embodiment of the present invention, the hard_timeout method is adopted.

On the other hand, if the threshold is not exceeded in step S605, the flow rule generation unit 103 defines an action such as a packet path for the IP address of the received packet (S615). Then, the message processing unit 101 transmits a flow modification message including the defined action to the switch 200 (S617). The flow table control unit 209 sets a flow entry according to the flow modification message received in step S617 (S619) and registers the flow entry in the flow table storage unit 207. [ Then, the packet processing unit 203 processes the received packet according to the flow entry (S111 in Fig. 5).

FIG. 11 is a flowchart illustrating a method of setting a packet input message control condition according to another embodiment of the present invention, and shows the operation of the controller 100. Referring to FIG. Particularly, a process of limiting the number of generated packet input (PACKET_IN) messages according to the priority order is shown.

In this case, the port is divided into a first port connected to the switch 200 of the same domain and a second port connected to the outside (Internet, etc.).

Referring to FIG. 11, the threshold setting unit 107 sets the first port to a higher priority than the second port (S701). The PPS of the first port having a higher priority is set to be lower than the PPS of the second port having a lower priority (S703).

Here, the PPS setting for each port is performed through the method shown in FIG. 7 and FIG.

The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.

Claims (26)

CLAIMS What is claimed is: 1. A method for controlling a packet entry message in a software defined network,
Determining whether a flow entry matching the received packet received from the source exists in the switch,
Determining whether a usage amount of the CPU (CENTRAL PROCESSING UNIT) is less than a threshold value if the matched flow entry does not exist;
Generating a packet input message for the received packet and transmitting the packet to the controller if the received packet is smaller than the threshold value;
Blocking generation of a packet input message for a received packet having a predetermined destination IP address predetermined for a predetermined time and discarding a received packet having the specific destination IP address when the threshold value is greater than the predetermined value;
The specific destination IP address may include,
Wherein the packet input message is set to a destination IP address of received packets that generate the packet input message over a predetermined reference value. The method according to claim 1,
Prior to determining whether the matched flow entry is present,
Further comprising setting a certain number of packets per second (PPS) per default unit,
Wherein the transmitting comprises:
And generating and transmitting a packet input message packet within the specific number. 3. The method of claim 2,
After determining whether the CPU usage is below a threshold,
Reporting the CPU usage to the controller and receiving a predetermined number of packets per second reset in accordance with the CPU usage,
Wherein the transmitting comprises:
And generating and transmitting a packet input message packet within a predetermined number of packets per second of the reset unit. 3. The method of claim 2,
After the setting of the specific number,
Monitoring the CPU usage and amount of traffic,
Reporting the monitored CPU usage and traffic volume to the controller, and
Further comprising receiving from the controller a predetermined number of packets per second reset unit when the CPU usage exceeds a threshold,
Wherein the transmitting comprises:
And generating and transmitting a packet input message packet within a predetermined number of packets per second of the reset unit. 5. The method of claim 4,
Wherein said reporting comprises:
And reporting the CPU usage amount and the traffic amount to the controller through SNMP (Simple Network Management Protocol). 6. The method of claim 5,
Wherein the step of receiving from the controller a predetermined number of packets per second,
A method of controlling a packet input message, the method comprising: receiving a predetermined number of packets per second, which is reset using a newly defined open flow message or a newly defined application programming interface (API). 3. The method of claim 2,
Prior to determining whether the matched flow entry is present,
Determining whether an IP address of the received packet is included in a blacklisted IP address, and
Further comprising discarding the received packet if the IP address is included in the blacklist IP address,
Wherein determining whether the matched flow entry is present comprises:
And determining whether a flow entry matching the received packet exists if the IP address of the received packet is not included in the black list IP address. 8. The method of claim 7,
Prior to determining whether the IP address of the received packet is included in the blacklisted IP address,
Transmitting a packet input message to the controller,
Receiving a flow modification message in which an action for blocking a packet having an IP address included in the black list is defined, and
Further comprising setting a flow entry according to the flow modification message,
Wherein the step of determining whether the IP address of the received packet is included in the blacklist IP address comprises:
And determining whether an IP address of the received packet matches a flow entry according to the black list. 3. The method of claim 2,
Prior to determining whether the matched flow entry is present,
Transmitting a packet input message for a received packet to the controller,
Receiving, from the controller, a flow modification message defining an action for limiting a packet input message generation for a defined time for a packet having a destination IP address of the received packet; and
Further comprising registering a flow entry including the action according to the flow modification message,
After determining whether the matched flow entry exists,
Blocking generation of a packet input message for the currently received packet if the currently received packet from the source matches the flow entry for which the action limiting the generation of the packet input message is defined and before the predetermined time has expired,
Discarding the flow entry after the predetermined time has expired
Further comprising the step of: As a switch in a software defined network,
A packet processor for determining whether there is a flow entry matched with a received packet received from a source and processing the received packet according to a flow entry corresponding to the received flow entry,
A packet input message control unit for determining whether a usage amount of the CPU (CENTRAL PROCESSING UNIT) is less than a threshold value if the matched flow entry does not exist, and
And a message processor for generating and transmitting a packet input message for the received packet if the received packet is smaller than the threshold,
Wherein,
Blocking the generation of a packet input message for a received packet having a predetermined destination IP address predetermined for a predefined time, discarding a received packet having the specific destination IP address,
The specific destination IP address may include,
And a destination IP address of the packets received by the packet input message. 11. The method of claim 10,
Wherein the packet input message controller comprises:
A switch for setting a predetermined number of packets per second (PPS) per default unit, and restricting generation of the packet input message packet within the specific number. 12. The method of claim 11,
And a threshold receiving unit reporting the CPU usage amount to the controller and receiving a predetermined number of packets per second reset in accordance with the CPU usage amount when the CPU usage amount is equal to or greater than a threshold value,
Wherein the packet input message controller comprises:
And restricting generation of the packet input message packet within a predetermined number of packets per second of the reset unit. 13. The method of claim 12,
Wherein the threshold value receiver comprises:
A switch that receives the reset packet number per second using a newly defined open flow message or a newly defined application programming interface (API). 13. The method of claim 12,
Wherein the threshold value receiver comprises:
When the amount of traffic of a specific port is more than N times the amount of traffic of another port, the control unit receives a certain number of packets per second unit reset to a certain number of packets per second of the specific port, and transmits the packet to the packet input message control unit switch. 13. The method of claim 12,
Wherein the threshold value receiver comprises:
And receives from the controller a predetermined number of packets per unit of a plurality of units set differently for each port. 16. The method of claim 15,
A switch that is set to a port connected to a switch in the same domain and a certain number of packets per second is set lower than a predetermined number of packets per second set in a port connected to the outside. 13. The method of claim 12,
A monitoring unit for monitoring the CPU usage amount and the traffic amount, and
An SNMP communication unit reporting the amount of CPU usage and the amount of traffic provided from the monitoring unit to the controller through Simple Network Management Protocol (SNMP)
Lt; / RTI > 13. The method of claim 12,
A flow table storage unit for storing a flow entry including a blacklisted IP address, and
And a flow table control unit for registering the flow entry including the black list in the flow table storage unit according to the flow modification message,
The message processing unit,
Receiving a flow modification message defining an action for blocking a packet having an IP address included in the black list by transmitting a packet input message to the controller and delivering the flow modification message to the flow table controller,
The packet processing unit,
Inquiring a flow entry registered in the flow table storage unit to determine whether an IP address of a received packet is included in a blacklist IP address, and discarding the received packet if the IP address is included in the blacklist IP address. 19. The method of claim 18,
The message processing unit,
Receiving a flow modification message in which an action is defined for transmitting a packet input message to the controller to restrict generation of a packet input message for a predetermined time,
Wherein the flow table control unit comprises:
Registering the flow entry in the flow table storage unit according to the flow modification message, discarding the flow entry after the predetermined time has expired,
The packet processing unit,
Blocking the generation of a packet input message for the currently received packet if the currently received packet from the source matches the flow entry for which the action limiting the creation of the packet input message is defined and before the predetermined time has expired. As a controller in a software defined network,
A monitoring unit for monitoring a usage amount of a CPU (CENTRAL PROCESSING UNIT) of a switch of the software defined network,
A threshold setting unit for resetting a predetermined number of packets per second (PPS) for limiting a packet input message generating packet and providing the switch to the switch when the CPU usage exceeds a predetermined threshold,
If the CPU usage is equal to or greater than the threshold value, generation of a packet input message for a received packet having a predetermined destination IP address predetermined for a predetermined time is blocked, and an action for discarding a received packet having the specific destination IP address is defined A flow rule generation unit for
And a message processing unit for transmitting a flow modification message including the action to the switch,
The specific destination IP address may include,
And setting the destination IP address of the received packets that causes the packet input message to generate a predetermined reference value or more. 21. The method of claim 20,
The threshold value setting unit may set,
A controller for comparing the plurality of different threshold values with the CPU usage amount and incrementing or decrementing a predetermined number of packets per unit of time (PPS) per step in accordance with a comparison result. 21. The method of claim 20,
And an SNMP communication unit for receiving the CPU usage amount and the traffic amount of the switch from the switch through SNMP (Simple Network Management Protocol) and transmitting the received amount to the monitoring unit,
The threshold value setting unit may set,
(PPS) per unit time, which is reset according to the amount of CPU usage and traffic, to the switch using a newly defined open flow message or a newly defined application programming interface (API). 23. The method of claim 22,
The threshold value setting unit may set,
If the amount of traffic on a particular port is more than N times the amount of traffic on another port, the controller sets a certain number of packets per second per port as 1 / N. 23. The method of claim 22,
The threshold value setting unit may set,
A port connected to a switch in the same domain is set to have a higher priority than a port connected to the outside and a certain number of packets per second unit of a port having a higher priority is set to be lower than a predetermined number of packets per unit of a port having a lower priority, . 21. The method of claim 20,
Wherein the flow rule generation unit comprises:
A black list is generated by collecting IP information generating malicious traffic from the security center, and if a source IP address and a destination IP address included in the packet input message are compared with the black list, Define an action that blocks packets with IP addresses,
The message processing unit,
Receiving a packet input message from the switch, and transmitting a flow modification message including the action to the switch. 21. The method of claim 20,
Wherein the flow rule generation unit comprises:
Generating an IP table composed of the incoming port and the IP address extracted from the packet input message when the amount of traffic or CPU usage of the incoming port extracted from the packet input message exceeds a threshold value, Defines an action that restricts the generation of packet input messages during a session,
The message processing unit,
Receiving a packet input message from the switch, and transmitting a flow modification message including the action to the switch.

Images