KR102288605B1 - Automatic Route Learning Method for Proxy Equipment with IP Network Transparency in Inline Network Topology and System Therefore - Google Patents

Abstract

Disclosed are an automatic route learning method for a proxy device having IP network transparency in an inline network topology, and a system thereof. In accordance with an embodiment of the present invention, the automatic route learning method comprises the steps of: receiving a first packet through an external interface; determining whether route information on the first packet exists in a forwarding information base (FIB) if the first packet is an IP packet; and automatically learning the FIB using the route information when the route information does not exist in the FIB, and updating time-to-live (TTL) of the first packet. Accordingly, network security can be improved.

Description

Automatic Route Learning Method for Proxy Equipment with IP Network Transparency in Inline Network Topology and System Therefore

The present invention relates to an automatic path learning technique for a proxy device having IP network transparency in an inline network topology, and more particularly, to a proxy device having IP network transparency in an inline network topology. It relates to an automatic path learning method and system capable of automatically learning a path for a packet (or traffic).

Some proxy devices have IP network transparency and monitor user traffic and apply policies to increase security and efficiency of internal resources such as blocking, logging, and caching set by the network administrator. In order to transparently process the traffic, path selection on the network is very important, and the more complex the network, the more diverse paths exist.

If these paths are not properly controlled and managed, the cost of installation, maintenance and repair will be in proportion to the network complexity when deploying equipment with transparency.

Embodiments of the present invention provide an automatic path learning method and system capable of automatically learning a path for an input or received packet (or traffic) for a proxy device having IP network transparency in an inline network topology.

An automatic path learning method according to an embodiment of the present invention is an automatic path learning method for a proxy device having IP network transparency, the method comprising: receiving a first packet through an external interface; determining whether path information of the first packet exists in a Forwarding Information Base (FIB) if the first packet is an IP packet; and automatically learning the information delivery base using the route information when the route information does not exist in the information delivery base, and updating Time to Live (TTL) of the first packet. include

Furthermore, the automatic path learning method according to an embodiment of the present invention may further include outputting the time-to-live updated first packet to a transparent proxy through an internal interface.

In the updating of the time-to-live, when the route information does not exist in the information delivery base and the information delivery base is empty, the information delivery base may be automatically learned by using the route information.

Furthermore, an automatic path learning method according to an embodiment of the present invention includes: receiving a second packet through an internal interface; determining whether the path information of the second packet exists in the automatically learned information transfer base; and updating the time-to-live of the second packet when the path information of the second packet exists in the automatically learned information transfer base.

Furthermore, the automatic path learning method according to an embodiment of the present invention may further include outputting the second packet having the time-to-live updated to one of the external interfaces.

Furthermore, the automatic path learning method according to an embodiment of the present invention may further include discarding the second packet when the path information of the second packet does not exist in the information delivery base.

An automatic route learning system according to an embodiment of the present invention is an automatic route learning system for a proxy device having IP network transparency, the automatic route learning system comprising: a receiver configured to receive a first packet through an external interface; a determination unit for determining whether path information of the first packet exists in a Forwarding Information Base (FIB) if the first packet is an IP packet; and a controller configured to automatically learn the information delivery base using the route information when the route information does not exist in the information delivery base, and to update Time to Live (TTL) of the first packet. include

The controller may output the time-to-live updated first packet to a transparent proxy through an internal interface.

When the route information does not exist in the information delivery base and the information delivery base is empty, the controller may automatically learn the information delivery base using the route information.

When the second packet is received through the internal interface, the determination unit determines whether the path information of the second packet exists in the automatically learned information transfer base, and the control unit determines whether the path information of the second packet is automatically If it exists in the learned information transfer base, the time-to-live of the second packet may be updated.

The control unit may output the second packet of which the time-to-live is updated to one of the external interfaces.

The controller may discard the second packet when the path information of the second packet does not exist in the information transfer base.

According to embodiments of the present invention, network security can be improved by automatically learning a path for an input or received packet (or traffic) for a proxy device having IP network transparency in an inline network topology.

This invention can be used for network security.

1 shows an exemplary diagram for explaining a one-arm mode connection method among connection methods for inputting and outputting traffic in a network.
2 is a diagram illustrating an example for explaining a two-arm mode connection method among connection methods for inputting and outputting traffic in a network.
3 is a flowchart illustrating an automatic path learning method according to an embodiment of the present invention.
4 is a flowchart illustrating an automatic path learning method according to another embodiment of the present invention.
5 shows an exemplary diagram for automatic path learning of the present invention.
6 shows the configuration of an automatic path learning system according to an embodiment of the present invention.

Advantages and features of the present invention and methods of achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in various different forms, and only these embodiments allow the disclosure of the present invention to be complete, and common knowledge in the art to which the present invention pertains It is provided to fully inform those who have the scope of the invention, and the present invention is only defined by the scope of the claims.

The terminology used herein is for the purpose of describing the embodiments, and is not intended to limit the present invention. As used herein, the singular also includes the plural unless specifically stated otherwise in the phrase. As used herein, "comprises" and/or "comprising" refers to the presence of one or more other components, steps, operations and/or elements mentioned. or addition is not excluded.

Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used with the meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless specifically defined explicitly.

Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the accompanying drawings. The same reference numerals are used for the same components in the drawings, and repeated descriptions of the same components are omitted.

Embodiments of the present invention are directed to improving network security by automatically learning a path for an input or received packet (or traffic) for a proxy device having IP network transparency in an inline network topology. .

That is, the present invention automatically learns a Forwarding Information Base (FIB), and packets receiving a transparent proxy service based on the learned FIB are output to the outside, thereby maintaining network security. .

In the inline network topology of the present invention, automatic path learning, that is, automatic learning of FIB, is a network infrastructure of a transparent proxy service that maintains security, and the present invention automatically learns a path, thereby providing a device with transparency For example, it is easier to deploy equipment such as transparent proxies.

Transparency of an IP network means that an intermediate proxy device IP spoofs newly created traffic for a specific purpose with the addresses of the source and destination as if the traffic was originally generated from the source. If this is absent, network devices in the subsequent path cannot fully identify the original source or destination of the newly generated traffic, and thus the policies of the devices cannot be applied correctly. For example, traffic is generated from A to B, and an intermediate proxy device logs the traffic and responds to A instead of B. And for security, the device creates new traffic with slightly changed content and sends it to B-direction without IP spoofing. At this time, the source address of the generated traffic is changed to the address A" of the device instead of the original address A, and is identified as traffic generated from A" to B in the network devices or the destination server of the subsequent path. Therefore, the devices cannot properly apply the policies originally set for the traffic, thereby creating a security hole. For this reason, a proxy device with transparency is necessary for security.

A proxy device with IP network transparency must input traffic from the outside, and the proxy device must select and output the correct route for newly created or input traffic. For this, there are two connection methods for inputting and outputting traffic from the network, for example, One-Arm Mode and Two-Arm Mode. Among them, Two-Arm Mode (In-line Mode) is mainly used for connection compatibility with the existing network environment.

1 shows an exemplary diagram for explaining a one-arm mode connection method among connection methods for inputting and outputting traffic in a network. As shown in FIG. 1, in One-Arm Mode, a proxy device and a router are directly connected. . In this method, not the proxy but the directly connected neighboring router handles the routing of the traffic, and the proxy and the router are directly connected to one interface each, so it looks as if only one arm is open. After that, routes are set so that the desired traffic can be output to the proxy through Policy Based Routing (PBR) in the router or input (or received) received from the device can be delivered to the destination. Because of this, when a route is newly created or lost, a maintenance issue arises that the network administrator must manually reflect this information to the router every time. In this way, if a device fails, the router needs to re-route the traffic, and adjacent network resources need to recognize and reconfigure the newly installed proxy device. It can be effectively used in a small network environment due to network connection compatibility, but it is difficult to apply in a medium/large scale due to difficulties in maintenance/maintenance.

FIG. 2 shows an exemplary diagram for explaining a two-arm mode connection method among connection methods for inputting and outputting traffic from a network. There is no need to recognize the device, and the proxy automatically learns the route of the traffic and determines the route based on it. At this time, the proxy is connected between both routers in the form of open arms. The proxy basically operates like an L2 switch and operates the proxy function only for traffic required for processing. In this way, you have to come up with an alternative to bypass the traffic when the equipment fails. Since network connection compatibility is relatively high, it is a structure that can handle all traffic by installing it on the road where traffic is concentrated at any site if only the traffic throughput is supported. Therefore, in order to use this method, the proxy must be able to automatically learn the route, or it must be a router directly. Since the latter method is no different from the One-Arm Mode, the automatic path learning of the present invention must be used.

3 is a flowchart illustrating an automatic path learning method according to an embodiment of the present invention, and shows a process of automatically learning a path based on an external packet input (or received) through an external interface.

Referring to FIG. 3 , in the method according to an embodiment of the present invention, when a first packet is input (or received) through one of the external interfaces, it is determined whether the inputted first packet is an IP packet, and the IP When it is not a packet, for example, when traffic of an unknown protocol is input, the other interface (eg, the second external interface) of the input interface (eg, the first external interface) is selected and output to the other interface By doing so, there is no interference with communication (S310, S320).

A route is expressed as an IP Routing Entry, and this route information is managed in the FIB. FIB is a table that manages four fields of L2 MAC, L3 IP, Output Interface, and Time to live (TTL) as one record.

On the other hand, if it is determined in step S320 that the first packet is an IP packet, it is determined whether the path information of the first packet exists in the FIB, and if it is determined that the path information of the first packet exists in the FIB, the After updating Time to Live (TTL), the first packet is output through the internal interface (S330, S360, and S370).

In this case, the first packet may be output to a transparent proxy through the internal interface.

As a result of the determination in step S330, if the path information of the first packet does not exist in the FIB, it is checked whether the FIB is full, and if the FIB is not full, the FIB is automatically learned by storing it in the FIB, and the TTL of the first packet is updated. Then, the first packet is output to the transparent proxy through the internal interface (S340 to S370).

On the other hand, when it is determined in step S340 that the FIB is full, by selecting the opposite interface (eg, the second external interface) of the input interface (eg, the first external interface) and outputting it to the other interface, communication is disturbed take care not to

4 is a flowchart illustrating an automatic path learning method according to another embodiment of the present invention, and shows a process of outputting a packet input (or received) through an internal interface based on the learned FIB.

Referring to FIG. 4 , in the method of the present invention, when the second packet is received through the internal interface, that is, when the second packet is received through the transparent proxy, it is determined whether the path information of the second packet exists in the learned FIB (S410). , S420).

As a result of the determination in step S420, if the path information of the second packet exists in the learned FIB, after updating the TTL of the second packet, any one of the external interfaces is selected based on the path information and the TTL is updated. 2 packets are output through the selected external interface (S430, S440).

On the other hand, if it is determined in step S420 that the path information of the second packet does not exist in the learned FIB, the second packet is discarded (S450).

FIG. 4 relates to traffic input through the internal interface, and traffic starting from inside the transparent proxy only needs to be output based on the learned FIB path. At this time, since Default Routing is not performed, all traffic of routes not in the FIB can be discarded.

As described above, the automatic path learning method of the present invention only needs to be performed on an external interface, that is, an interface connected to an external network. A transparent proxy exists for the purpose of maintaining the security of a managed network, and the present invention is a technology that can help configure such a system. The operation of FIGS. 3 and 4 will be described a little more with reference to FIG. 5 as follows.

5 shows an exemplary diagram for automatic path learning of the present invention, as shown in FIG. 5, the IP packet of A1 through the external interface, for example, the first external interface in A1, for example, the first When a packet is input and the FIB is not full and the path information of the first packet does not exist in the FIB, the FIB is automatically learned by storing the path information of the packet in the FIB, and then TTL is updated to update the internal interface ( internal interface) through the transparent proxy, for example, the first transparent proxy (Transparent Proxy #1).

Then, if the IP packet generated by the first transparent proxy, for example, the second packet is input through the internal interface, and the path information of the second packet exists in the learned FIB, after updating the TTL of the second packet, the second packet The second packet is transferred to B1 by selecting and outputting the external interface to which the packet is to be output, for example, the second external interface.

On the other hand, in the case of B3, the source path had a space in the FIB, so it was learned well, but when trying to learn the destination path, it was flooded due to lack of FIB space. It can be seen that heading towards This is a problem that occurs because both directions (forward/reverse or original/reply) in one traffic need to be automatically learned. Therefore, in the case of not an IP packet or when there is no FIB space, flooding is performed to bypass the packet for the purpose of correct communication.

As described above, the method according to an embodiment of the present invention automatically learns the FIB using a path for a packet (or traffic) input through an external interface for a proxy device having IP network transparency in an inline network topology, It is possible to configure a system including a transparent proxy that exists for the purpose of improving security and maintaining network security through this.

6 shows a configuration of an automatic path learning system according to an embodiment of the present invention, and shows a conceptual configuration of a system for performing the method of FIGS. 1 to 5 .

Referring to FIG. 6 , the automatic path learning system 600 according to an embodiment of the present invention includes a receiving unit 610 , a determining unit 620 , a control unit 630 , and a storage unit 640 .

The storage unit 640 is a means for storing all data related to the present invention, and may store an FIB for storing path information, as well as all data required for automatic path learning and an algorithm for the method of the present invention. can also be saved.

The receiver 610 receives traffic (or packets) input through an external interface.

In this case, the receiver 610 may receive traffic transmitted from the transparent proxy through the internal interface.

When the packet received through the external interface is an IP packet, the determination unit 620 determines whether path information of the IP packet exists in the FIB.

At this time, if it is determined that the path information of the IP packet does not exist in the FIB, the determination unit 620 may determine whether the FIB is full.

Furthermore, the determination unit 620 may determine whether path information of an IP packet input through the internal interface exists in the FIB.

When the path information of the IP packet input through the external interface does not exist in the FIB and the FIB is not full, the control unit 630 automatically learns the FIB using the path information of the corresponding IP packet, and the TTL of the corresponding IP packet. After updating , output as a transparent proxy through the internal interface.

At this time, if the packet input through the external interface is not an IP packet or an IP packet and the path information of the IP packet does not exist in the FIB but the FIB is full, the controller 630 outputs the corresponding packet through another external interface. By doing so, it is possible to process so as not to interfere with communication.

Furthermore, when the path information of the IP packet input through the internal interface does not exist in the FIB, the controller 630 may discard the corresponding IP packet.

Although the description is omitted from the system of FIG. 6 , each component constituting FIG. 6 may include all the contents described in FIGS. 1 to 5 , which is apparent to those skilled in the art.

The device described above may be implemented as a hardware component, a software component, and/or a combination of the hardware component and the software component. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA), It may be implemented using one or more general purpose or special purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that can include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

The software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. may be embodied in The software may be distributed over networked computer systems, and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and carry out program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible from the above description by those skilled in the art. For example, the described techniques are performed in a different order than the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (12)

In the automatic path learning method for a proxy device having IP network transparency,
receiving a first packet through an external interface;
determining whether path information of the first packet exists in a Forwarding Information Base (FIB) if the first packet is an IP packet; and
automatically learning the information delivery base using the route information when the route information does not exist in the information delivery base, and updating Time to Live (TTL) of the first packet;
including,
Outputting the time-to-live updated first packet to a transparent proxy having IP network transparency through an internal interface
further comprising,
The step of updating the time-to-live is
When the route information does not exist in the information delivery base and the information delivery base is empty, by storing the route information in the information delivery base, the information delivery base is automatically learned using the route information, Automatic updating the time-to-live of one packet and performing flooding to bypass the first packet when the path information does not exist in the information transfer base and the information transfer base is full How to learn a path.
delete delete According to claim 1,
receiving a second packet through the internal interface;
determining whether the path information of the second packet exists in the automatically learned information transfer base; and
updating the time-to-live of the second packet when the path information of the second packet exists in the automatically learned information transfer base
Automatic path learning method, characterized in that it further comprises.
5. The method of claim 4,
outputting the second packet with the updated time-to-live to one of the external interfaces
Automatic path learning method, characterized in that it further comprises.
5. The method of claim 4,
Discarding the second packet when the path information of the second packet does not exist in the information delivery base
Automatic path learning method, characterized in that it further comprises.
In the automatic path learning system for a proxy device having IP network transparency,
a receiver for receiving the first packet through an external interface;
a determination unit for determining whether path information of the first packet exists in a Forwarding Information Base (FIB) if the first packet is an IP packet; and
When the route information does not exist in the information delivery base, the controller automatically learns the information delivery base by using the route information and updates Time to Live (TTL) of the first packet.
including,
the control unit
Outputs the first packet with updated time-to-live to a transparent proxy having IP network transparency through an internal interface,
the control unit
When the route information does not exist in the information delivery base and the information delivery base is empty, by storing the route information in the information delivery base, the information delivery base is automatically learned using the route information, Automatic updating the time-to-live of one packet and performing flooding to bypass the first packet when the path information does not exist in the information transfer base and the information transfer base is full path learning system.
delete delete 8. The method of claim 7,
the judging unit
When a second packet is received through the internal interface, it is determined whether the path information of the second packet exists in the automatically learned information transfer base;
the control unit
and updating the time-to-live of the second packet when the path information of the second packet exists in the automatically learned information transfer base.
11. The method of claim 10,
the control unit
The automatic path learning system, characterized in that the time-to-live updated second packet is outputted to one of the external interfaces.
11. The method of claim 10,
the control unit
The automatic path learning system, characterized in that the second packet is discarded when the path information of the second packet does not exist in the information delivery base.

Images