KR101963143B1 - Method, apparatus and computer program for distributing traffic to in-line virtual network function in software defined networking environment - Google Patents

Abstract

To a method, apparatus and computer program for distributing traffic in an IN-LINE VNF in a software defined networking environment. The present invention relates to a method for distributing traffic to an in-line VNF (Virtual Network Function) network device having an auto-extend function in a software defined networking environment, comprising the steps of: receiving a packet from any node; Obtaining a hash value by hashing the source information or destination information of the packet according to whether the packet is a request packet or a response packet, transmitting the packet to a VNF connected to the output port through an output port corresponding to the hash value And a control unit. According to the present invention, it is possible to effectively distribute traffic to an inline VNF having an automatic expansion function in a software defined networking environment.

Description

METHOD, APPARATUS AND COMPUTER PROGRAM FOR DISTRIBUTING TRAFFIC TO IN-LINE VIRTUAL NETWORK FUNCTION IN SOFTWARE DEFINED NETWORKING ENVIRONMENT FOR DISTRIBUTING TRAFFIC TO IN-LINE VIRTUAL NETWORK FUNCTION IN SOFTWARE-

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method, apparatus and computer program for distributing traffic to a virtual network function (VNF), and more particularly to a method for distributing traffic to an IN-LINE VNF in a software defined networking environment, Device and a computer program.

Network functionality is a component of the network infrastructure that provides well-defined functional behavior, such as intrusion detection and routing. Traditionally, network functionality has been implemented by combining software with specific physical devices. Network devices that perform network functions must be manually installed in the network, which has made it difficult to cope with sudden network changes.

To solve this problem, network functional virtualization technology is changing all over the hardware-oriented network architecture. Network function Virtualization is a concept that executes network functions in a virtual machine (VM) server, hardware equipped with a general-purpose processor, or a cloud computing computer by separating the network component hardware and software and virtualizing the functions of the physical network equipment .

According to this, various network devices such as routers, load balancers, firewalls, intrusion prevention, and virtual private networks can be implemented in software, which makes it possible to replace expensive dedicated equipment with general purpose hardware and dedicated software.

That is, a virtual network function (hereinafter referred to as VNF) includes a virtual object (for example, a firewall, a Deep Packet Inspection (DPI), a load balancer, or the like) Can be understood as meaning.

On the other hand, the auto scaling (auto scaling) function, which reduces and increases the computing resources automatically, can also be applied to VNF. According to the VNF automatic expansion function, the number of VNFs can be automatically adjusted (expanded) according to a preset reference. Since the target type VNF (or proxy VNF) is set with a packet passing through a specific VNF, traffic distribution is not a problem. For example, a packet entering a proxy-based web firewall (WAF) has its destination set to the address of the VNF, so it does not have to worry about distributing traffic to the extended VNF.

In addition, if the load balancer is connected to the front of the extended VNF as shown in FIG. 1, the load balancer checks the state of each VNF in the packet transmitted from the external network to the load balancer, and transmits the traffic to each VNF There is no problem because of distribution.

However, for inline VNFs such as firewalls, intrusion prevention systems (IPS), and inline web firewalls, it is difficult to apply the existing autoscaling capabilities. The inline VNF is arbitrarily inserted between two nodes to perform the function of each VNF, because it is difficult to specify which VNF packet should be transmitted only by the destination information included in the packet. Therefore, when the VNF is automatically extended, the network equipment connected to the VNF suffers difficulty in traffic distribution.

In particular, inline devices often have to track sessions, which means that server-to-client transport packets must pass through the same VNF in both directions. According to the prior art, when the VNF is auto-scaled, it is impossible to specify any one of the plurality of VNFs located between the two nodes. Therefore, there is a need for a way to effectively distribute traffic to an autoscaled inline VNF in a software defined networking environment.

It is an object of the present invention to provide a method for efficiently distributing traffic to an inline VNF having an automatic expansion function in a software defined networking environment in order to solve the above problems.

It is also an object of the present invention to provide an open flow protocol based packet processing specification that can be referred to by a network equipment for delivering packets to an inline VNF having an automatic extension function.

In order to achieve the above object, the present invention provides a method for distributing traffic to an in-line VNF (Virtual Network Function) having an automatic expansion function in a software defined networking environment, Obtaining a hash value by hashing the source information or the destination information of the packet according to whether the packet is a request packet or a response packet, and transmitting the hash value to the VNF connected to the output port through the output port corresponding to the hash value And transmitting the packet.

According to the present invention as described above, it is possible to effectively distribute traffic to an inline VNF having an automatic expansion function in a software defined networking environment.

In addition, according to the present invention, a network equipment can forward a packet to an inline VNF having an automatic extension function by referring to an open flow protocol-based packet processing rule.

1 is a diagram for explaining a method of distributing traffic to a target type VNF having an automatic expansion function,
2 is a flowchart illustrating a traffic distribution method according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a method of acquiring a hash value according to an embodiment of the present invention. FIG.
FIG. 4 is a diagram for explaining an embodiment in which a moving direction of a packet is used in the traffic distribution method of the present invention;
FIG. 5 is a flowchart illustrating a method of acquiring a hash value according to an embodiment of the present invention. FIG.
6 is a view for explaining an embodiment in which input ports are classified according to traffic characteristics in the traffic distribution method of the present invention;
FIG. 7 is a flowchart illustrating a method of acquiring a hash value according to an embodiment of the present invention. FIG.
8 is a diagram for explaining an embodiment in which traffic can be classified into IP subnets in the traffic distribution method of the present invention.
9 is a diagram for explaining an embodiment in which a network device can not identify a traffic characteristic in the traffic distribution method of the present invention and supports a specific function;
10 is a flowchart for explaining a traffic distribution method according to an embodiment in a case where characteristics of traffic can not be identified;
11 is a view for explaining an embodiment in which traffic characteristics can not be identified in the traffic distribution method of the present invention.

The above and other objects, features, and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, which are not intended to limit the scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

In the drawings, the same reference numerals are used to designate the same or similar components, and all combinations described in the specification and claims can be combined in any manner. It is to be understood that, unless the context requires otherwise, references to singular forms may include more than one, and references to singular forms may also include plural forms.

The terminology used herein is for the purpose of describing particular illustrative embodiments only and is not intended to be limiting. Singular representations as used herein may also be intended to include a plurality of meanings, unless the context clearly dictates otherwise. The terms "and / or" " and / or "include any and all combinations of the items listed therein. The terms "comprises," "comprising," "including," "having," "having," "having," and the like have the implicit significance, Steps, operations, elements, and / or components, and does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / Steps, processes, and operations of the methods described herein should not be construed as necessarily enforcing their performance in such specific order as discussed or illustrated unless specifically concluded the order of their performance . It should also be understood that additional or alternative steps may be used.

In addition, each of the components may be implemented as a hardware processor, the components may be integrated into one hardware processor, or a combination of the components may be implemented as a plurality of hardware processors.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

The term " flow rule " in the context of the present invention should be understood to refer to a network policy applied by a controller in a software defined networking environment in the context of a skilled artisan. Further, the term " flow rule " can be interpreted to mean a flow entry according to the network policy for a software defined network switch.

In the specification of the present invention, the terms " origin information " and " destination information " include all types of identification information that can identify the origin and destination, such as source and destination IP addresses, TCP / UDP port, It was used as an inclusive meaning.

In the software defined networking environment, the controller 50 functions to manage the network equipment 100, and centrally manages and controls the plurality of network equipment 100 and the VNF 200.

The network device 100 may process a packet under the control of the controller 50. Examples of the network device 100 include a mobile communication base station, a base station controller, a gateway device, a switch of a wired network, The apparatus 100 includes a software defined network switch (hereinafter referred to as SDN switch) that supports an open flow protocol or an OVSDB protocol in a software defined networking environment. For convenience of description, the case where the network equipment 100 is an SDN switch will be described below.

The SDN switch 100 may be implemented as an SDN switch that supports only protocols that implement software defined networking (e.g., Open Flow protocol, OVSDB protocol), a virtual SDN switch that supports a software defined network implementation protocol, a software defined network implementation And a general L2 switch supporting the protocol.

In a software defined networking environment, the controller 50 and the SDN switch 100 exchange information with each other, and the widely used protocol for this is the OpenFlow protocol. That is, the open flow protocol is a standard that allows the controller 50 and the SDN switch 100 to communicate with each other. Although the present disclosure describes the invention with reference to an embodiment in which an open flow protocol is used, the invention is not limited by any particular protocol. An embodiment of the present invention can be implemented with other protocols besides open flow.

The SDN switch 100 may have one or more flow tables that define and process packets and include statistical information related to the packets. The flow table is composed of a flow rule that defines packet processing. The flow rule is added by a flow mode message (Flow-Mod Message) generated by the controller 50 and transmitted to the SDN switch 100, Modified or deleted. The SDN switch 100 processes the packet with reference to the flow table.

The flow table includes a match field including match information for a packet defining a flow such as an ingress port of a packet and packet header information, operation information for defining processing of a packet, and the like can do.

The operation information may include various types of packet processing rules, among which group actions may be included. The group action allows a packet to be processed by referring to a group table stored separately from the flow table. In an embodiment of the present invention, a packet is processed using a group table, and therefore, a more specific example will be described with reference to the drawings.

In this specification, the SDN switch 100 can be understood to execute each step of the traffic distribution method by referring to the flow rule according to the above-described open flow protocol even if there is no specific description, and the flow rule Can be understood as being generated by the controller 50.

2 is a flowchart illustrating a traffic distribution method according to an embodiment of the present invention. Referring to FIG. 2, the network device receives a packet from an arbitrary node (S100), obtains a hash value by hashing the source information or the destination information of the packet according to whether the packet is a request packet or a response packet (S200) , And transmits the packet to the VNF connected to the output port through an output port corresponding to the hash value (S300).

Referring to FIG. 3, in step 200, the network device determines whether the received packet is a request packet (S213). If it is determined that the packet is a forward packet, that is, a forward packet, The hash value can be obtained (S217). If it is determined in step 213 that the packet is a response packet, that is, a packet moving in the reverse direction, the hash value may be obtained by hashing the destination information of the packet (S215). Herein, the forward / reverse direction can determine forward direction when the node that originally transmitted the packet is the departure direction, in the direction in which one of the two nodes that receive and transmit the packet is set as the reference direction.

The embodiment of FIG. 3 will be described in more detail with reference to FIG. When the SDN switch 100a receives a packet from an arbitrary node, the open flow SDN switch 100a can obtain the hash value by hashing the source information (src_ip) of the packet if it is determined that the packet is a request packet And transmits the packet to the extended VNF through the output port corresponding to the hash value.

In the example of FIG. 4, the SDN switch 100a transmits packets having the hash values of the source information of 1 and 2 to the VNF 200a through the output port 1 and the output port 2, respectively, and the hash value of the source information is 4 Can be transmitted to the VNF 200b through the fourth output port.

In FIG. 4, each VNF 200a, 200b, 200c, 200d, and 200e is an extended VNF, and each VNF can receive a packet by registering a port from the controller 50 to the SDN switch.

When the response packet is received in the SDN switch 100b, the SDN switch 100b can hash the destination information of the packet, and the destination information of the response packet will be the same as the source information of the request packet. The hash value of the destination information of the response packet will be the same as the hash value when the SDN switch 100a hashes the source information and each hash value corresponds to the output port so that the SDN switch 100b is connected to the SDN switch 100a ) Can send a packet using an output port having the same number as the port to which the packet was sent. This means that it is possible to use the same VNF as the VNF passed in the forward movement of the corresponding traffic. Therefore, according to the traffic distribution method of the present invention, the session is maintained even if the VNF is automatically extended.

FIG. 5 illustrates an exemplary embodiment of a step 200 in which a packet received by a network equipment is different depending on whether the packet is a request packet or a response packet.

In step 200 according to the embodiment of FIG. 5, the network device identifies an input port that received the packet (S233), and determines whether the input port is an input port corresponding to the request packet (S235). If the input port is the input port corresponding to the request packet in step 235, the source information of the packet is hashed (S239). If the input port is the input port corresponding to the response packet, the destination information of the packet can be hashed (S237).

Steps 235 to 239 can be executed with reference to the flow rules received from the controller 50, and more specifically, can be implemented using the group table of the open flow protocol.

The embodiment of FIG. 5 will be described in more detail with reference to FIG. FIG. 6 is a diagram illustrating a case where an input port is classified according to traffic characteristics in a traffic distribution method, and a packet input to a network equipment is a replicated packet received from a tapping equipment.

Referring to FIG. 6, the tap apparatus 10 replicates a packet moving between (1) and (2) and transmits it to the SDN switch 100c. The replicated packet may be for monitoring and may be delivered to monitoring device 300 via VNF 200 and SDN switch 100d.

In the embodiment of FIG. 6, the copied packets are divided into ports and received by the SDN switch 100c. Traffic from (1) to (2) is transmitted to the first port of the SDN switch 100c, The traffic traveling to the base station 1 may be set to enter the second port of the SDN switch 100c.

In the example of FIG. 6, the packet moving from (1) to (2) is copied at the tap device 10 and enters port 1 of the SDN switch 100c, and the packet moving from (2) to Tap device 10 and enters the port 10 of the SDN switch 100c.

The SDN switch 100c hashs the source information when the input port of the packet is once, obtains the hash value by hashing the destination information if the input port of the packet is ten, and outputs the hash value through the output port corresponding to the hash value And sends the packet to the VNF connected to the port.

More specifically, the flow rule stored in the SDN switch 100c may include a predetermined group identifier for each input port, and the group table corresponding to each input port may include a group entry as shown in Table 1 below.

Group identifier
(Group Identifier) Group type
(Group Type) counter Action bucket One select
{hash (src_ip)} - hash (src_ip) = 1, output: 1
hash (src_ip) = 2, output: 2
hash (src_ip) = 3, output: 3

FIG. 7 is an embodiment of step 200 when traffic can be divided into IP subnets. In step 200, the network device can identify the source network address of the received packet (S253), and determine whether the source network address is a first network address (S255). If the source network address corresponds to the first network address, the network device hashes the source information of the packet (S259). If the source network address corresponds to the second network address, the network device hashys the destination information of the packet (S257) Value can be obtained.

The embodiment of FIG. 7 will be described in more detail with reference to FIG.

The embodiment of FIG. 8 shows a case where the tap apparatus 10 replicates a packet moving between (1) and (2) and transmits it to the SDN switch 100e, similarly to the embodiment of FIG. The replicated packet may be for monitoring and may be delivered to monitoring device 300 via VNF 200 and SDN switch 100f. However, the embodiment of FIG. 8 differs from the embodiment of FIG. 6 in that the packet copied from the tap device 10 is a packet moving from (1) to (2) SDN switch 100e without regard to whether or not the port number is entered.

In this case, the SDN switch 100e according to the embodiment of the present invention can determine the hash target by checking the network address of the source. That is, a part of the 32-bit IP address indicates a network address and a part indicates a host address. By identifying the network address of the duplicated packet, the source of the packet can be identified.

In the example of FIG. 8, the IP address of the client A (1) may be 1.1.xx and the IP address of the server B (2) may be 2.2.xx, It is impossible to identify the packet by the port number of the input port whether the packet is a request packet moving from (1) to (2) or a response packet moving from (2) to (1). However, if it is determined that the network address (16 bits) of the source of the packet is 1.1 or 2.2, it can be discriminated whether the packet is moving from (1) to (2) or from (2) to (1). Therefore, the SDN switch 100e can identify the network address of the source information so that the source address is hashed if the network address is 1.1, and the hash value can be obtained by hashing the destination information if the network address is 2.2.

In the example of FIG. 8, the hash values of hashes of the addresses of the clients A and B are set in advance so as to correspond to 1, and thus the traffic moving between the client A and the server B is transmitted to the VNF 200a, Session tracking between client A and server B is maintained.

The above example is merely an example, and if there is a subnet, the SDN switch 100 can identify the source of the packet using both the network address and the subnet address (16 bits or more).

9 to 11 illustrate a case where the duplication traffic is not received by the network device 100 without port identification but the source of the packet can not be identified even if the source network address and / or the subnet address of the packet are all checked. Yes.

However, FIG. 9 is an example of a case where the network device 100 supports a symmetric hash function of an open flow protocol. In the embodiment of FIG. 9, the SDN switch 100g can hash the source information and the destination information using the symmetric hash function symmetric hash (source information, destination information) of the replication traffic received from the tap device 10 without discrimination at all . Therefore, the hash value has the same value if only the combination of the source information and the destination information is the same.

For example, a packet having a source information of 1.1 and a destination information of 2.2, a packet having a source information of 2.2 and a destination information of 1.1 may have the same hash value by a symmetric hash function. That is, the traffic between the client A and the server B passes through the same VNF regardless of the direction of the movement, so the session can be maintained.

10 and 11 are views showing a traffic distribution method capable of maintaining a session through an extended inline VNF when the network equipment 100 does not support a symmetric hash function according to an embodiment of the present invention.

When the traffic replicated from the tap device 10 flows without any distinction and the network equipment 100 does not support the symmetric hash function, two network devices 100i and 100j are connected in parallel to the automatically expanded VNF Traffic can be distributed.

Referring to FIG. 10, when the first network equipment receives a packet from an arbitrary node (S1000), the first network equipment obtains a first hash value by hashing the source information of the packet (S1200) To the second network equipment (S1300).

The second network device may receive the packet through the input port corresponding to the output port (S1400), and may obtain the second hash value by hashing the destination information of the packet (S1500). Next, the second network device determines the final output port using the input port and the second hash value (S1600), and transmits the packet to the VNF connected to the final output port through the final output port (S1700).

In step 1600 of determining a final output port, the second network device may execute a group action corresponding to the input port and execute a first action corresponding to the second hash value among the action buckets corresponding to the group action.

The embodiment of Fig. 10 will now be described in more detail with reference to Fig. Referring to FIG. 10, the traffic replicated in the tap device 10 flows into the SDN switch 100i without port discrimination according to the direction of traffic movement.

In order to maintain session tracking, packets coming and going between two nodes in a session must pass through the same VNF irrespective of the direction of movement of the packet. In order to implement the above function with an SDN switch that does not support a symmetric hash function Two SDN switches can be configured in parallel as in the embodiment of FIG. As a result, the traffic replicated in the tap device 10 is pulled into the SDN switch 100i, but the output of the packet to the VNF can be made in the SDN switch 100j.

The SDN switch 100i hashes the source information of the packet and outputs the packet to the output port corresponding to the hash value, and the SDN switch 100j can receive the packet through the input port corresponding to the output port. That is, the packet moving from (1) to (2) is transmitted to port 1 of the SDN switch 100j according to the hash result of the source information, and the packet moving from (2) to (1) Lt; RTI ID = 0.0 > 10j < / RTI >

As a result, from the viewpoint of the SDN switch 100j, it can be seen that the port is divided and entered according to the source information of the copied packet. The SDN switch 100j can determine a final output port according to a flow rule defined to refer to different group tables for each input port.

In the example of FIG. 11, assume that the group table corresponding to input port 1 is 1, and the group table corresponding to input port 10 is 10. The SDN switch 100j executes a group action corresponding to the input port, and the group action can be executed with reference to the group table. Table 2 is a diagram for explaining each group table and the final output port.

Group identifier
(Group Identifier) Group type
(Group Type) counter Action bucket One select
{hash (dst_ip)} - hash (dst_ip) = 1, output: 1
hash (dst_ip) = 2, output: 1
hash (dst_ip) = 3, output: 2 10 select
{hash (dst_ip)} hash (dst_ip) = 1, output: 6
hash (dst_ip) = 2, output: 1
hash (dst_ip) = 3, output: 1

Referring to Table 2, the SDN switch 100j according to an exemplary embodiment of the present invention uses a select type to selectively refer to an action that satisfies a predetermined condition among one or more actions included in an action bucket, Can be processed.

Here, the port number of the final output port is set by a combination of the port number of the input port and the destination information hash value of the packet executed in the SDN switch 100j, which may vary depending on user setting.

However, since it is desirable to distribute the traffic to the extended VNF in a balanced manner, it is necessary to set the output port so that the combination of the input port and the destination information hash value can be distributed.

When the sum of the number IN of input ports and the second hash value HN is N + 1-k or N + 1 + k, when the number of VNFs is N, k can be set to have the same final output port value in the case of k = M and k = NM (1? M? N / 2, 0? k <N, M, k being integers).

For example, assume that the number of VNFs is 10, and the number of input ports and output ports of SDN switch 100j are 10, respectively. For convenience of explanation, it is assumed that a hash value (HN) is also calculated as an integer value from 1 to 10 so as to correspond one-to-one to the output port.

If the input port number IN is an integer between 1 and 10 and the hash value HN is also an integer between 1 and 10, then the combination of the input port number IN and the hash value HN is (1,1 ), (1,2), ..., (10, 10) can be combined into 100 combinations (Table 3). In order to uniformly match a packet corresponding to each combination to 10 VNFs, various settings are possible. In this specification, a method of selecting a final output port by using the sum of an input port number (IN) and a hash value (HN) Explain.

IN
HN One 2 3 4 5 6 7 8 9 10 One 2 3 4 5 6 7 8 9 10 11 2 3 4 5 6 7 8 9 10 11 12 3 4 5 6 7 8 9 10 11 12 13 4 5 6 7 8 9 10 11 12 13 14 5 6 7 8 9 10 11 12 13 14 15 6 7 8 9 10 11 12 13 14 15 16 7 8 9 10 11 12 13 14 15 16 17 8 9 10 11 12 13 14 15 16 17 18 9 10 11 12 13 14 15 16 17 18 19 10 11 12 13 14 15 16 17 18 19 20

The sum of the input port number (IN) and the hash value (HN) is shown in Table 3, and the number of each result value is counted as shown in Table 4 below.

synthesis Count 2 20 One 3 19 2 4 18 3 5 17 4 6 16 5 7 15 6 8 14 7 9 13 8 10 12 9 11 10

The number of each result value means the frequency at which the corresponding result value can be derived. That is, when the sum of the input port number (IN) and the hash value (HN) is 2 or 20, the input port number (IN) and the hash value (HN) Will appear.

Therefore, if any one of the combinations of the input port number (IN) and the hash value (HN) is 2 and 20 and the combination of 10 and 12 is matched to one output port, The number of packets output to the output port is constant. This means that the number of incoming packets to each extended VNF is equal, which means that the traffic can be effectively distributed to the inline VNF that is automatically extended by the present invention.

Although not shown in the figure, the SDN switch 100 includes a communication unit for communicating with a controller. Upon receiving a packet from an arbitrary node, the SDN switch 100 determines whether the packet is a request packet or a response packet, And a control unit for processing the packet according to the flow rule defined to acquire the hash value and to transmit the packet to the VNF connected to the output port through the output port corresponding to the hash value.

The control unit performs each function performed by the SDN switch 100 in the description of the traffic distribution method described above, and can process a packet using a hash function and a group table supported by the open flow protocol.

The methods described herein may be implemented by one or more computer programs executed by one or more processors. Computer programs include processor-executable instructions stored on a non-transitory type computer readable medium. The computer programs may also include stored data. Non-limiting examples of non-transitory tangible computer readable media are non-volatile memory systems, magnetic storage, and optical storage.

Certain embodiments of the techniques described above include processing steps and instructions described herein in an algorithmic form. The processing steps and instructions described above may be implemented in software, firmware, or hardware, and when implemented in software, may be downloaded to reside on other platforms used in real-time network operating systems And it can be operated from there.

The present invention also relates to an apparatus for performing the operations herein. Such a device may be specially constructed for a desired purpose or may comprise a general purpose computer selectively activated or reconfigured by a computer program stored on a computer readable medium that can be accessed by a computer. Such a computer program may be stored on a computer-readable storage medium of a type, such as, for example, floppy disks, optical disks, CD-ROMs, magneto-optical disks (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits ASICs), or any type of medium suitable for storing electronic instructions and each coupled to a computer system bus, but are not so limited. Moreover, the computers referred to herein may include a single processor, or may be architectures that use multiple processor designs to enhance computing capabilities.

The algorithms and operations presented herein are not inherently related to any particular computer or other devices. Various general purpose systems may also be used with the programs according to the teachings herein or it may prove convenient to construct devices that are more specifically designed to perform the steps of the desired method. The structure required for a variety of these systems, along with their equivalent variants, will be apparent to those skilled in the art. Additionally, the present disclosure is not described in connection with any particular programming language. It should be understood that various programming languages may be used to implement the teachings of the present disclosure as described herein, and that any reference to a particular language is intended to be illustrative of the embodiments and best mode of the present invention.

Some embodiments omitted in this specification are equally applicable if their implementation subject is the same. It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to be exemplary and explanatory only and are not restrictive of the invention, The present invention is not limited to the drawings.

50: Controller
100: Network equipment (SDN switch)
200: Virtual network function (VNF)

Claims (11)

CLAIMS 1. A method for distributing traffic in a software defined networking environment to an in-line VNF (Virtual Network Function) having an auto-
Receiving a packet from an arbitrary node;
Identifying whether the packet is a request packet or a response packet, hashing the source information of the packet if the packet is a request packet, and hashing the destination information of the packet if the packet is a response packet;
And transmitting the packet to a VNF connected to the output port through an output port corresponding to the hash value.
delete The method according to claim 1,
If the input port on which the packet is received is different depending on whether the packet is a request packet or a response packet,
The hash value acquiring step includes:
Identifying an input port from which the packet was received;
And hashing the source information or the destination information of the packet according to the identified input port.
The method of claim 3,
Wherein the hashing comprises:
Hashing the source information of the packet if the identified input port is an input port corresponding to a request packet and hashing the destination information of the packet if the identified input port is an input port corresponding to a response packet, Distribution method.
The method according to claim 1,
The hash value acquiring step includes:
Hashing the source information of the packet if the source network address of the packet corresponds to a predetermined first network address;
And hashing the destination information of the packet if the source network address of the packet corresponds to a predetermined second network address.
The method according to claim 1,
Wherein the hash value acquiring step includes hashing the source information and the destination address of the packet using a symmetric hash function.
CLAIMS 1. A method for distributing traffic in a software defined networking environment to an in-line VNF (Virtual Network Function) having an auto-
The first network equipment receiving a packet from any node;
The first network equipment hashes the source information of the packet to obtain a first hash value and transmits the packet to the second network equipment through an output port corresponding to the first hash value;
The second network equipment receiving the packet via an input port corresponding to the output port;
The second network device hashes the destination information of the packet to obtain a second hash value and executes a first action corresponding to the second hash value among the action buckets included in the group action corresponding to the input port Determining a final output port;
And the second network equipment sending the packet via the final output port to the VNF associated with the final output port.
8. The method of claim 7,
The first action defining a packet output to the final output port,
Wherein the port number of the final output port is set according to a combination of a port number of the input port and the second hash value.
8. The method of claim 7,
If the number of VNFs is N,
K = M and k = NM (1? M? N / 2, k) when the sum of the input port number IN and the second hash value HN is N + 1-k or N + Where 0? K < N, M, k is an integer), the final output port is set to be the same.
A switch for processing packets in a software defined networking environment,
A communication unit for communicating with the controller;
The method includes the steps of: receiving a packet from an arbitrary node, identifying whether the packet is a request packet or a response packet, hashing the source information of the packet when the packet is a request packet, hashing the destination information of the packet if the packet is a response packet, And processing the packet according to a flow rule defined to transmit the packet to a VNF connected to the output port through an output port corresponding to the hash value.
12. A traffic distribution application stored on a computer readable medium for carrying out a method of any one of claims 1 and 3 to 9.

Images