KR101724922B1 - Apparatus and Method for controlling middleboxs - Google Patents


Publication number
KR101724922B1
Authority
KR
South Korea
Prior art keywords
packet
header
management unit
middle box
flow
Prior art date
Application number
KR1020150142294A
Other languages
Korean (ko)
Other versions
KR20160097115A (en)
Inventor
김영한
응오민탄
Original Assignee
숭실대학교산학협력단
Priority claimed from KR20150018382
Application filed by 숭실대학교산학협력단
Publication of KR20160097115A
Application granted
Publication of KR101724922B1

Classifications

    • H04L67/2852
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The present invention discloses a middle box control apparatus and method. According to an embodiment of the present invention, there is provided a controller apparatus for controlling a plurality of middle boxes, the apparatus comprising: a policy management unit that manages at least one of information on the arrangement and operation of the plurality of middle boxes and information on the header required in each middle box; and a rule management unit that manages traffic of the connected middle boxes, distributes the header required in each middle box with reference to the policy management unit, and mediates information required by each middle box.

Description

Apparatus and Method for controlling middleboxes

The present invention relates to a middle box control apparatus and method, and more particularly, to an apparatus and a method by which a controller efficiently controls a plurality of middle boxes.

In the current network, various types of middleboxes are operated to maintain security and improve performance. These middleboxes must operate correctly according to the purpose / policy of the communication carrier.

A middle box is a device that performs a service as a network intermediary with a certain intelligent function. However, for many middle box functions such as NAT, firewall, IDS, and proxy, it is difficult to change policy dynamically in response to network changes. In other words, as networks become increasingly complex, there is a growing need to manage a large number of middle boxes flexibly and dynamically. However, existing middle box management techniques require the administrator to pass policies to the middle boxes manually, which causes high complexity and management cost.

Also, since the current middleboxes are configured independently of each other and have unique policies, it is difficult to apply policies for the services provided in the middleboxes. Also, many types of middleboxes have more difficulties because of their different characteristics.

Software-defined networking (SDN) technology, which has been proposed in recent years, can solve this situation to some extent. However, the management of middle boxes using SDN is still problematic.

In order to solve the problems of the prior art as described above, the present invention proposes a middle box control method and apparatus capable of controlling middle boxes and traffic by distributing packet headers based on an extended SDN structure.

Other objects of the invention will be apparent to those skilled in the art from the following examples.

According to a preferred embodiment of the present invention, there is provided a controller apparatus for controlling a plurality of middle boxes, the controller apparatus comprising: a policy management unit for managing at least one of information about the arrangement and operation of the plurality of middle boxes and the header required in each of the plurality of middle boxes; and a rule management unit for managing traffic of the connected middle boxes, distributing the header required in each middle box with reference to the policy management unit, and mediating information required by each middle box.

When a first packet is input to a first middle box, the rule management unit receives a common header extracted from the first packet from the first middle box, generates a flow ID corresponding to the common header, identifies, through interaction with the policy management unit, the header required in one or more second middle boxes that receive the first packet, and transmits the generated flow ID and the header required in each middle box to the first middle box and the second middle boxes.

The rule management unit refers to the policy management unit, forms a tunnel between the plurality of middle boxes, sets a group for a plurality of middle boxes related to each other, and transmits a group formation message to the plurality of middle boxes set in the group.

The plurality of middleboxes may include at least one of a Network Address Translation (NAT), a proxy, an Intrusion Detection System (IDS), and a firewall.

When the NAT changes the IP header for the first packet, the rule management unit receives the flow ID and the changed IP header for the first packet from the NAT, and transmits information about the changed IP header to the firewall.

When the proxy receives the first packet, the rule management unit receives from the proxy a request to determine whether the packet is allowed, queries the firewall for a decision on whether to allow the packet, receives the firewall's determination as to whether the packet is allowed, and generates a final decision.

When the packet is received from the proxy, the firewall may integrate the entire header into the packet and transmit the packet to the external network.

Each of the plurality of middle boxes comprises: an upstream management unit for determining a policy and a flow for the packet through analysis of the received packet; a downstream management unit for encapsulating the packet for which the policy and the flow have been determined and transmitting the packet to the next middle box; an interface agent in communication with the policy management unit; a local policy management unit for determining the flow rules and operations; and a middle box flow table storing rules for traffic flow.

According to another aspect of the present invention, there is provided a method of controlling a plurality of middleboxes, the method comprising: managing at least one of arrangement and operation of the plurality of middleboxes and information about a header required in each of the plurality of middleboxes; Receiving a common header extracted from the first packet from the first middle box when a first packet is input to the first middle box; Generating a flow ID corresponding to the common header; Identifying a header required in one or more second middleboxes receiving the first packet; And transmitting the generated flow ID and a header required in each middle box to the first middle box and the plurality of second middle boxes.

According to another aspect of the present invention, there is provided a computer-readable recording medium on which a program for performing the above-described method is recorded.

According to the present invention, when the first packet is received in a middle box, the common header is separated and transmitted to the controller. Since the controller distributes the packet headers required in each middle box, there are advantages.

FIG. 1 is a diagram showing a system configuration according to a preferred embodiment of the present invention.
FIG. 2 is a diagram showing a configuration of a controller 100 according to a preferred embodiment of the present invention.
FIG. 3 is a view showing a detailed configuration of a middle box according to a preferred embodiment of the present invention.
FIG. 4 is a flowchart illustrating a middle box control process according to an exemplary embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

Hereinafter, embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a diagram showing a system configuration according to a preferred embodiment of the present invention.

Referring to FIG. 1, the system according to the present embodiment includes a controller 100 and a plurality of middle boxes 102-n (hereinafter referred to as '102', except where individual middle boxes are described separately).

Preferably, the controller 100 according to the present embodiment may be an extended SDN controller using a southbound API for controlling an SDN (Software Defined Network) switch.

The controller 100 according to the present embodiment stores network-wide information for policy management and for the operation of the plurality of middle boxes 102.

FIG. 2 is a diagram showing a configuration of a controller 100 according to a preferred embodiment of the present invention.

Referring to FIG. 2, the controller 100 according to the present embodiment may include a policy management unit 200 and a rule management unit 202.

The policy management unit 200 is a function for managing policy related settings, and stores and manages information about the arrangement and operation of the middle box 102 and the header required in each middle box.

Here, the policy may include routing, access control, traffic engineering, QoS management, power control, and the like.

The rule management unit 202 manages traffic of the connected middle boxes 102, distributes the header required in each of the middle boxes 102, and mediates the information required by each of the middle boxes 102.

More specifically, when a first packet is received in one middle box (first middle box), the rule management unit 202 receives the common header included in the packet from the first middle box and distributes the required header to each other middle box (second middle box) that is to process the packet.

The reception of the common header and the distribution of the header required in each middle box will be described in detail with reference to FIG.

Through such header distribution, control is performed so that unnecessary headers are not included in the transmission / reception of packets between middle boxes.

The middle box 102 is a device that performs service as an intermediary of a network having a specific intelligent function. The middle box 102 according to the present embodiment may include, but is not necessarily limited to, Network Address Translation (NAT), a proxy, a firewall, and an Intrusion Detection System (IDS).

In the current network, various types of middleboxes are operated to maintain security and improve performance. These middleboxes must operate correctly according to the purpose / policy of the communication carrier.

The middle box 102 according to the present embodiment operates under the control of the controller 100.

FIG. 3 is a view showing a detailed configuration of a middle box according to a preferred embodiment of the present invention.

Referring to FIG. 3, the middle box according to the present embodiment may include a middle box processing unit 300, an enhanced middle box extension unit 302, and a middle box flow table 304.

The middle box extension unit 302 according to the present embodiment may include an upstream management unit 310, a local policy management unit 312, a controller middlebox interface agent 314 (hereinafter referred to as a CMI agent), and a downstream management unit 316.

The upstream management unit 310 performs a function of finding an appropriate role in the flow by analyzing the input packet.

Here, a flow is defined as a set of packets passing through a specified point on the network for a specific time, which can be defined as data including the source and destination information of the packet.

The local policy management unit 312 determines the flow rules and operations in the middle box.

The CMI agent 314 transmits / receives a predetermined message to / from the controller 100.

The downstream management unit 316 encapsulates the packet with the policy and the flow, and transmits the encapsulated packet to the next middle box.

The middle box flow table 304 stores rules for flows received from the controller 100.

According to a preferred embodiment of the present invention, the controller 100 forms a tunnel with all the middle boxes according to the policy, and sets the related groups. In addition, the local policy management unit 312 of the middle box 102 is informed that a plurality of middle boxes 102 have formed a group.

In addition, the middle box 102 downloads the local policy from the controller 100.

FIG. 4 is a flowchart illustrating a middle box control process according to an exemplary embodiment of the present invention.

FIG. 4 illustrates an example in which the middle boxes 102 are a NAT, a proxy, and a firewall, the first packet is received in the NAT, and the packet is transmitted to the external network through the firewall.

Referring to FIG. 4, upon receiving a first packet from an ingress switch (NAT) 102-1 (step 1), the NAT 102-1 separates a common header from the received packet and transmits it to the controller 100 (step 2).

Here, the common header includes all of the headers required in each middle box.

In FIG. 4, the NAT 102-1 requires the IP layer packet header, the proxy 102-2 requires application layer packet headers, and the firewall 102-3 requires IP and application layer packet headers.

When the common header is received, the rule management unit 202 of the controller 100 interacts with the policy management unit 200 to identify the header required for each middle box, and generates a flow ID (global middle box flow ID) (step 3).

Thereafter, the controller 100 distributes the generated flow ID and the header required in each of the middle boxes 102-1 to 102-3 to each of the middle boxes 102-1 to 102-3 (step 4).

Referring to FIG. 4, with a tunnel formed between the NAT 102-1, the proxy 102-2, and the firewall 102-3, when the first packet is received in the proxy 102-2, the local policy management unit 312 of the proxy 102-2 recognizes that the proxy 102-2 must query the firewall 102-3 about the flow, and sends a request to the controller 100 (step 5).

The controller 100 queries the firewall 102-3 for the flow entered into the proxy 102-2 (step 6).

Thus, the firewall 102-3 transmits its decision to the controller 100 (step 7).

The controller 100 analyzes the policy for making the final decision and sends the final decision to the proxy 102-2 (step 8).

The proxy 102-2 establishes a persistent rule and forwards the packet to the firewall 102-3. If the packet is allowed to pass, the firewall integrates the entire header into the packet and sends it to the external network (step 9).

According to one embodiment of the present invention, a tunnel may also be formed between the NAT 102-1 and the firewall 102-3, and if the NAT 102-1 changes the IP layer packet header, the NAT 102-1 recognizes that the firewall 102-3 needs the changed header, and transmits the flow ID and the changed header to the controller 100.

At this time, the controller 100 transmits information about the changed header to the firewall 102-3.

The NAT 102-1 establishes a persistent rule and forwards the modified packet to the proxy 102-2 through the tunnel.
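
A minimal simulation of the FIG. 4 exchange, added here as an example and not part of the patent: the controller splits the common header per middle box, mediates the proxy's allow query to the firewall, and forwards the NAT's rewritten IP header so the firewall does not decide on a stale view. The class names, the SHA-256-derived flow ID, the fail-closed handling of unknown flows, and the firewall's source-address rule are assumptions; the patent does not specify them.

```python
import hashlib

# Header layers each middle box requires, as stated for FIG. 4.
REQUIRED_LAYERS = {"nat": {"ip"}, "proxy": {"app"}, "firewall": {"ip", "app"}}


class Firewall:
    """Toy firewall (assumption): allows a flow only from listed source addresses."""

    def __init__(self, allowed_src):
        self.allowed_src = set(allowed_src)
        self.flow_table = {}                      # flow_id -> header view

    def install(self, flow_id, headers):
        self.flow_table.setdefault(flow_id, {}).update(headers)

    def decide(self, flow_id):
        view = self.flow_table.get(flow_id)
        if view is None:                          # unknown flow ID: fail closed
            return False
        return view["ip"]["src"] in self.allowed_src


class Controller:
    """Rule-manager role: header distribution and decision mediation."""

    def __init__(self, firewall):
        self.firewall = firewall
        self.flows = {}                           # flow_id -> per-box header views

    def on_common_header(self, common):
        # Steps 2-4: derive a flow ID and give each box only the layers it needs.
        canon = repr(sorted((k, sorted(v.items())) for k, v in common.items()))
        flow_id = hashlib.sha256(canon.encode()).hexdigest()[:16]
        views = {box: {layer: dict(common[layer]) for layer in layers}
                 for box, layers in REQUIRED_LAYERS.items()}
        self.flows[flow_id] = views
        self.firewall.install(flow_id, views["firewall"])
        return flow_id, views

    def on_nat_rewrite(self, flow_id, new_ip):
        # The NAT reports a changed IP header; relay it to the firewall.
        if flow_id not in self.flows:
            raise KeyError("unknown flow ID")
        self.flows[flow_id]["firewall"]["ip"] = dict(new_ip)
        self.firewall.install(flow_id, {"ip": dict(new_ip)})

    def on_proxy_query(self, flow_id):
        # Steps 5-8: the proxy asks; the controller queries the firewall
        # and returns the final decision.
        if flow_id not in self.flows:
            return False
        return self.firewall.decide(flow_id)


def demo():
    # Constructed sample values (documentation address ranges).
    fw = Firewall(allowed_src={"192.0.2.1"})
    ctl = Controller(fw)
    common = {"ip": {"src": "10.0.0.5", "dst": "198.51.100.7"},
              "app": {"host": "example.test", "method": "GET"}}
    flow_id, views = ctl.on_common_header(common)
    before = ctl.on_proxy_query(flow_id)          # firewall still sees 10.0.0.5
    ctl.on_nat_rewrite(flow_id, {"src": "192.0.2.1", "dst": "198.51.100.7"})
    after = ctl.on_proxy_query(flow_id)           # firewall sees translated source
    return views, before, after


if __name__ == "__main__":
    print(demo())
```

The decision flips only after the NAT's change reaches the firewall, which is the reason the changed header is relayed through the controller.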

As described above, the present invention has been described with reference to specific elements, particular embodiments, and drawings. However, it should be understood that the present invention is not limited to the above embodiments, and various modifications and changes may be made thereto by those skilled in the art to which the present invention pertains. Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described, and the following claims, as well as all equivalents of the claims, belong to the scope of the present invention.

Claims (10)

1. A controller device for controlling a plurality of middle boxes, comprising:
a policy management unit for managing at least one of information about the arrangement and operation of the plurality of middle boxes and the header required for each of the plurality of middle boxes; and
a rule management unit for managing traffic of the linked middle boxes, distributing a header required in each middle box with reference to the policy management unit, and mediating information required by each middle box,
wherein the rule management unit
receives a common header extracted from the first packet from the first middle box when a first packet is input to the first middle box,
generates a flow ID corresponding to the common header, identifies a header required in one or more second middle boxes receiving the first packet through an interaction with the policy management unit, and
transmits the generated flow ID and a header required in each middle box to the first middle box and the plurality of second middle boxes,
wherein the plurality of middle boxes include at least one of a Network Address Translation (NAT), a proxy, an Intrusion Detection System (IDS), and a firewall, and
when the NAT changes the IP header for the first packet, the rule management unit receives the flow ID and the changed IP header for the first packet from the NAT, and transmits information about the changed IP header to the firewall.

2. (Deleted)

3. The controller device according to claim 1,
wherein the rule management unit
refers to the policy management unit, forms a tunnel between the plurality of middle boxes, sets a group for a plurality of middle boxes related to each other, and transmits a group formation message to the plurality of middle boxes set in the group.

4. (Deleted)

5. (Deleted)

6. The controller device according to claim 1,
wherein, when the proxy receives the first packet, the rule management unit receives from the proxy a request to determine whether the packet is allowed, queries the firewall for a decision on whether to allow the packet, receives the firewall's determination as to whether the packet is allowed, and generates a final determination.

7. The controller device according to claim 6,
wherein the firewall integrates the entire header into the packet when the packet is received from the proxy and transmits the packet to the external network.

8. The controller device according to claim 1,
wherein each of the plurality of middle boxes includes:
an upstream management unit for determining a policy and a flow for the packet through analysis of the received packet;
a downstream management unit for encapsulating the packet for which the policy and the flow have been determined, and transmitting the packet to the next middle box;
an interface agent in communication with the policy management unit;
a local policy management unit for determining the flow rules and operations; and
a middle box flow table storing rules for traffic flow.

9. A method for controlling a plurality of middle boxes in a controller device, comprising:
managing at least one of arrangement and operation of the plurality of middle boxes and information about a header required in each of the plurality of middle boxes;
receiving a common header extracted from the first packet from the first middle box when a first packet is input to the first middle box;
generating a flow ID corresponding to the common header;
identifying a header required in one or more second middle boxes receiving the first packet; and
transmitting the generated flow ID and a header required in each middle box to the first middle box and the plurality of second middle boxes,
wherein the plurality of middle boxes include at least one of a Network Address Translation (NAT), a proxy, an Intrusion Detection System (IDS), and a firewall, and
when the NAT changes the IP header for the first packet, the controller device receives the flow ID for the first packet and the changed IP header from the NAT, and transmits information about the changed IP header to the firewall.

10. A computer-readable recording medium on which a program for performing the method according to claim 9 is recorded.

KR1020150142294A 2015-02-06 2015-10-12 Apparatus and Method for controlling middleboxs KR101724922B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR20150018382 2015-02-06
KR1020150018382 2015-02-06

Publications (2)

Publication Number Publication Date
KR20160097115A (en) 2016-08-17
KR101724922B1 (en) 2017-04-07

Family

ID=56873802

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150142294A KR101724922B1 (en) 2015-02-06 2015-10-12 Apparatus and Method for controlling middleboxs

Country Status (1)

Country Link
KR (1) KR101724922B1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140119367A1 (en) * 2012-10-30 2014-05-01 Futurewei Technologies, Inc. Encoding Packets for Transport Over SDN Networks

Also Published As

Publication number Publication date
KR20160097115A (en) 2016-08-17

Legal Events

Date Code Title Description
A201 Request for examination
E701 Decision to grant or registration of patent right
GRNT Written decision to grant