KR102554413B1 - Node device, method for processing packet of the node device, and network system which comprises node device and control device for managing control information associated with the packet-processing - Google Patents

Abstract

According to the present embodiment, a node device including one or more virtual machines to which different physical addresses are assigned includes: a packet receiver configured to receive a first packet from a first node device connected to a first network; a control information requesting unit transmitting a signal requesting control information related to processing of the first packet to a control device connected to the first network; a control information receiver configured to receive a response of the signal from the control device and determine whether to receive the packet according to control information included in the response signal of the signal; Discloses a node device comprising a; packet processing unit for receiving the packet according to whether or not the packet is received, and transmitting the packet to a virtual machine to which a destination address is assigned.

Description

A network system comprising a node device, a method for processing packets of the node device, and a control device for managing control information related to packet processing of the node device COMPRISES NODE DEVICE AND CONTROL DEVICE FOR MANAGING CONTROL INFORMATION ASSOCIATED WITH THE PACKET-PROCESSING}

The present invention relates to a network system including a node device, a method for processing a packet of the node device, and a control device for managing control information related to packet processing of the node device.

In telecommunications, a switch is a network device that selects a path or circuit to send a unit of data to its next destination. A switch may also include a route, or more specifically, a router function, which is a device that can determine which of the adjacent network points data should be sent to. Switches are much simpler and faster-acting devices than routers, which generally require knowledge about the network and how to determine routes. Switches are usually associated with layer 2, the data link layer, in the OSI reference model. However, some newer switches also perform routing functions at layer 3, the network layer. As the number of devices connected to the switch increases, broadcast traffic also increases, which may cause network performance degradation.

In addition, in providing cloud services, as one physically separated node device used to provide cloud services is added, it is necessary to set a switch for managing network information of the added node device. also,

The foregoing background art is technical information that the inventor possessed for derivation of the present invention or acquired during the derivation process of the present invention, and cannot necessarily be said to be known art disclosed to the general public prior to filing the present invention.

Embodiments of the present invention provide a node device that determines whether to receive a packet by receiving control information related to transmitting and receiving a packet between one or more node devices including a plurality of virtual machines from a control device.

In addition, embodiments of the present invention provide a network system that determines whether to block a packet by receiving firewall information related to blocking a packet received from a terminal device not connected to a network from a control device.

In addition, the embodiments of the present invention are a network that does not require the addition of a network device (switch, etc.) for managing even the installed node devices through one network when it is necessary to additionally install node devices as the number of users increases. provide the system.

In addition, embodiments of the present invention dynamically allocate virtual machines to users in order to share packets among virtual machines allocated to the same user, and transfer the virtual machines allocated to the first user to other users only by changing control information. Provides a network system that allocates to

A node device including one or more virtual machines to which different physical addresses are assigned according to an embodiment of the present invention includes: a packet receiver configured to receive a first packet from a first node device connected to a first network; a control information requesting unit transmitting a signal requesting control information related to processing of the first packet to a control device connected to the first network; a control information receiver configured to receive a response to the signal from the control device and to determine whether to receive the packet according to control information included in the response to the signal; It may include; a packet processing unit which receives the packet according to whether the packet is received and transmits the packet to a virtual machine to which a destination address is assigned.

A node device including one or more virtual machines to which different physical addresses are assigned according to an embodiment of the present invention may further include a backup unit for backing up the control information. At this time, when the packet processing unit continuously receives the first packet and the second packet from the first node device by the packet receiving unit, it does not request control information related to packet processing to the control device, and the backup unit According to the stored control information, the second packet may be transmitted to a virtual machine to which a destination address is assigned.

When the control information requesting unit receives a third packet from a terminal device connected to a second network different from the first network by the packet receiving unit, it transmits a signal requesting firewall information related to the processing of the third packet to the control device. The control information receiving unit receives a response of the signal from the control device, determines whether or not to block the packet according to firewall information included in the response signal of the signal, and the packet processing unit determines whether or not the packet is blocked. According to the above, the packet may be received and the packet may be transmitted to a virtual machine to which a destination address is assigned.

A network system according to an embodiment of the present invention includes a plurality of virtual machines to which different physical addresses are assigned, and includes a packet receiver configured to receive a first packet from a first node device connected to a first network; a control information requesting unit transmitting a signal requesting control information related to processing of the first packet to a control device connected to the first network; a control information receiver configured to receive a response to the signal from the control device and to determine whether to receive the packet according to control information included in the response to the signal; A first node device including a packet processing unit for receiving the packet according to whether the packet is received and transmitting the packet to a virtual machine to which a destination address is assigned, and a physical address of one or more virtual machines connected to the first network. and a control information processing unit that generates and stores control information related to packet processing based on the relationship between the packets.

When the first virtual machine and the second virtual machine connected to the first network are allocated to the first user, the control information processing unit determines the number of packets between the physical address of the first virtual machine and the physical address of the second virtual machine. Control information set to enable transmission and reception may be generated.

The control device includes a firewall information processing unit for generating and storing firewall information arranged in order of size of IP addresses or subnet masks included in network information to be blocked, in order to process packets received from networks other than the first network; can include

The control information processing unit of the control device allocates a physical address of a second virtual machine included in the second node device, and the physical address of the second virtual machine and the physical address of one or more virtual machines allocated to the first user. Control information according to the relationship between addresses may be generated.

A packet processing method of a node device including one or more virtual machines to which different physical addresses are assigned according to an embodiment of the present invention includes receiving a first packet from another node device connected to the node device through a first network. ; transmitting, by the node device, a signal requesting control information related to processing of the first packet to a control device connected to the first network; Receiving, by the node device, a response to the signal from the control device, and determining whether to receive the packet according to control information included in the response to the signal; receiving, by the node device, the packet according to whether the packet is received, and transmitting the packet to a virtual machine to which a destination address is assigned; It may include; generating and storing, by the control device, control information pairwise connecting the source address and the destination address of the packet received by the node device.

A packet processing method of a node device including one or more virtual machines to which different physical addresses are assigned according to an embodiment of the present invention further includes, by the node device, backing up the control information, and the node device When a second packet is received from the first node device as a follow-up to the first packet, the control device does not request control information related to packet processing to the control device, and the second packet according to the control information stored in the backup unit. The method may further include transmitting the packet to a virtual machine to which the destination address is assigned.

The requesting of the control information may include, when the node device receives a third packet from a terminal device connected to a second network different from the first network, requesting firewall information related to processing of the third packet to the control device. Transmitting the signal and receiving the control information may include receiving a response of the signal from the control device, determining whether or not to block the packet according to firewall information included in the response signal of the signal, and transmitting the signal to the virtual machine. In the transmitting step, the packet may be received according to whether the packet is blocked or not, and the packet may be transmitted to a virtual machine to which a destination address is assigned.

A computer program according to an embodiment of the present invention may be stored in a medium in order to execute any one of methods of processing packets according to an embodiment of the present invention using a computer.

In addition to this, another method for implementing the present invention, another system, and a computer readable recording medium recording a computer program for executing the method are further provided.

Other aspects, features and advantages other than those described above will become apparent from the following drawings, claims and detailed description of the invention.

According to the present invention, by receiving control information related to transmission and reception of packets between one or more node devices including a plurality of virtual machines from a control device, it is possible to determine whether to receive the packet.

Also, according to the present invention, it is possible to determine whether to block a packet by receiving firewall information related to blocking a packet received from a terminal device not connected to a network from a control device.

In addition, in the present invention, when it is necessary to additionally install node devices as the number of users increases, it may not be necessary to add a network device (switch, etc.) for managing even the installed node devices through one network.

In addition, the present invention dynamically allocates virtual machines to users in order to share packets among virtual machines assigned to the same user, and allocates a virtual machine assigned to a first user to another user only by changing control information. can

1 is a diagram showing an overall system including a network system and a terminal device according to embodiments of the present invention.
2 is a block diagram showing the structure of a control device and a node device.
3 is a block diagram showing the structure of the storage medium of the control device.
4 is a block diagram showing the structure of a storage medium of a node device.
5 is a block diagram showing the structure of a packet control unit.
6 to 7 are diagrams illustrating a method of processing a packet in a node device.
8 is a diagram illustrating an example of control information generated by a control device according to embodiments of the present invention.

Since the present invention can apply various transformations and have various embodiments, specific embodiments will be illustrated in the drawings and described in detail in the detailed description. Effects and features of the present invention, and methods for achieving them will become clear with reference to the embodiments described later in detail together with the drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various forms.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, and when describing with reference to the drawings, the same or corresponding components are assigned the same reference numerals, and overlapping descriptions thereof will be omitted. .

In the following embodiments, terms such as first and second are used for the purpose of distinguishing one component from another component without limiting meaning.

In the following examples, expressions in the singular number include plural expressions unless the context clearly dictates otherwise.

In the following embodiments, terms such as include or have mean that features or elements described in the specification exist, and do not preclude the possibility that one or more other features or elements may be added.

When an embodiment is otherwise implementable, a specific process sequence may be performed differently from the described sequence. For example, two processes described in succession may be performed substantially simultaneously, or may be performed in an order reverse to the order described.

In the following embodiments, “circuit” refers to, for example, hardwired circuitry, programmable circuitry, state machine circuitry, and/or firmware that store instructions executed by the programmable circuitry, alone or in any combination. can include An application may be implemented as code or instructions executable on programmable circuitry, such as a host processor or other programmable circuitry. As used in any of the embodiments herein, a module may be implemented as a circuit. The circuit may be implemented as an integrated circuit such as an integrated circuit chip.

In the following embodiments, when a part "includes" a certain component, it means that it may further include other components, not excluding other components unless otherwise stated. In addition, terms such as “… unit”, “… unit”, and “module” described in the specification mean a unit that processes at least one function or operation, which may be implemented as hardware or software or a combination of hardware and software. there is.

1 is a diagram showing a network system 10 according to embodiments of the present invention.

Referring to FIG. 1 , a network system 10 according to embodiments of the present invention includes a control device 100 and a plurality of node devices 201 and 202 (hereinafter referred to as 200) connected through a first network. The network system 10 may be connected to a plurality of terminal devices 401, 402, 400 and a second network 300 different from the first network.

The network system 10 is a server that is connected to a first network and provides one cloud service, and can provide storage space to a plurality of users. At this time, as the space used by the users increases, the virtual machines of the physically separated node devices 200 may be set to be allocated to one user, and the different physical machines existing in the physically separated node devices 200 You can also set the user's storage area to be shared. In order to perform such a function, conventionally, a switch device in charge of processing and controlling packets received by the node devices 200 was included, and the node devices 200 managed through limited resources of the switch device, virtual The number of machines and the number of users were limited. However, the network system 10 according to embodiments of the present invention processes and controls packets through the control device 100 implemented in software without physically adding a switch device in charge of processing and controlling packets. can be in charge of In addition, generation and change of control information may be possible through software setting and storage without changing the setting of the switch device.

In addition, when a plurality of virtual machines are assigned to one user due to an increase in storage area due to already set virtual machines, overlapping control information for the plurality of virtual machines is required. However, the network system 10 according to embodiments of the present invention may dynamically create a virtual machine in consideration of the size of an area provided to a user, without setting the virtual machine in advance. In addition, control information of a conventional network system can be created by an administrator, whereas control information and/or firewall information of the network system 10 according to embodiments of the present invention are created and changed by a user using a service. It can be.

The control device 100 and the plurality of node devices 200 may include a plurality of virtual machines allocated to a plurality of users. The control device 100 stores and manages control information for operating as one cloud server. Each of the node devices 200 creates one or more virtual machines and allocates the virtual machines to users. Here, the virtual machines are physically included in one device, but refer to logically independent devices. A virtual machine may be created by an application or program that creates a virtual machine (drive, etc.). In order to distinguish each virtual machine, the control device 100 assigns a distinct physical address to each virtual machine. One or more virtual machines assigned to the first user may be included in the physically separated node devices 200. In this case, for smooth data sharing, the control device 100 may include the first virtual machine and the second virtual machine. Controls the node devices 200 to transmit and receive packets between virtual machines.

Conventionally, the number of virtual machines included in each node device connected to the first network is fixed, and one virtual machine has to be allocated to one user. However, the node devices 200 according to embodiments of the present invention are not fixed, and include variously divided virtual machines, and each node device 200 is a virtual machine that can be assigned to various numbers of users. will include That is, each node device 200 may include virtual machines of various capacities set by the user. In addition, as the virtual machines included in the node device 200 are allocated to users, a statically managed control information area is included. In addition, as the control device 100 generates control information allowing communication between virtual machines not assigned to the same user according to a user's request, communication between virtual machines not assigned to the same user is possible. let it

The control device 100 controls packet processing between a plurality of node devices 200 connected to a first network. To this end, the control device 100 may generate control information for determining whether to receive the packet. Each node device 200 may include one or more virtual machines, and the control device 100 generates a relationship between a first virtual machine and a second virtual machine included in different node devices 200 as control information. can do. The control device 100 may generate control information for connecting physical addresses allocated to the first virtual machine and the second virtual machine that are allocated to the same user and need to share packets. Here, the method of connecting the physical addresses may be set so that parts of the physical addresses of the first virtual machine and the physical addresses of the second virtual machine match, and the connection relationship, the ownership relationship between the first virtual machine and the second virtual machine may be set. Physical addresses can also be created and stored as one record. The control device 100 may retrieve and transmit control information related to the address of each node device 200 according to a request from each node device 200 .

The control device 100 controls processing of external packets received by the node device 200 from the external terminal device 400 . To this end, the control device 100 may generate firewall information for determining whether or not to block the external packet. The control device 100 controls a packet from an external terminal device 400 to be received by the node device 200 . The control device 100 and the node device 200 are connected to a closed network that is not connected to an external network. The control device 100 may specifically refer to a control device to which openflow technology is applied, and may include a device for storing a flow table and a device for controlling openflow packets.

The control device 100 may generate or change control information and/or firewall information through packets for setting control information and/or firewall information. The control device 100 may generate or change control information and/or firewall information through a packet received from the user's terminal device 400 .

Here, the first network serves to connect the control device 100 and the node device 200. That is, the first network refers to a communication network that provides an access path so that the plurality of node devices 200 can transmit and receive data after accessing the control device 100 . The first network is, for example, a wired network such as LANs (Local Area Networks), WANs (Wide Area Networks), MANs (Metropolitan Area Networks), ISDNs (Integrated Service Digital Networks), wireless LANs, CDMA, Bluetooth, satellite communication, etc. It may cover a wireless network, but the scope of the present invention is not limited thereto.

The plurality of node devices 200 may include a computer (eg, desktop, laptop, tablet, etc.), a media computing platform (eg, cable, satellite set-top box, digital video recorder), a handheld computing device (eg, , PDA, e-mail client, etc.), any type of cell phone, or any type of other kind of computing or communication platform, but the invention is not limited thereto.

The second network 300 serves to connect the plurality of terminal devices 400 and the node device 200. That is, the second network 300 means a communication network that provides an access path so that the plurality of terminal devices 400 can transmit and receive data after accessing the plurality of terminal devices 400 . The second network 300 may be, for example, a wired network such as LANs (Local Area Networks), WANs (Wide Area Networks), MANs (Metropolitan Area Networks), ISDNs (Integrated Service Digital Networks), wireless LANs, CDMA, Bluetooth, satellite It may cover a wireless network such as communication, but the scope of the present invention is not limited thereto.

The plurality of terminal devices 400 refer to communication terminals capable of using web services in a wired/wireless communication environment. Here, the plurality of terminal devices 400 may be a user's personal computer or a user's portable terminal.

Describing this in more detail, the plurality of terminal devices 400 include a computer (eg, desktop, laptop, tablet, etc.), a media computing platform (eg, cable, satellite set-top box, digital video recorder), handheld It may include any form of computing device (eg, PDA, email client, etc.), cell phone, or other kind of computing or communication platform, but the invention is not limited thereto.

2 is a block diagram showing the structure of a control device 100 according to embodiments of the present invention.

Referring to FIG. 2 , a control device 100 according to embodiments of the present invention may include a communication interface 110 , a processor 120 , and a storage medium 130 .

The communication interface unit 110 may be a device including hardware and software necessary for transmitting and receiving a signal such as a control signal or a data signal with a plurality of node devices 200 connected to the first network. The communication interface unit 110 may control not to transmit/receive data through the second network other than the first network.

The processor 120 typically controls the overall operation of the control device 100 . For example, the processor 120 may control the control software loaded in the storage medium 130 as well as the control information processing unit 131 and the firewall information processing unit 132 to be executed.

The processor 120 may refer to a data processing device embedded in hardware having a physically structured circuit to perform functions expressed by codes or instructions included in a program, for example. As an example of such a data processing device built into hardware, a microprocessor, a central processing unit (CPU), a processor core, a multiprocessor, an application-specific integrated (ASIC) circuit), field programmable gate array (FPGA), etc., but the scope of the present invention is not limited thereto.

The storage medium 130 refers to a storage device included in the control device 100 or electrically connected to the control device 100 . The storage medium 130 may store a plurality of modules for the operation of the control device 100 .

The storage medium 130 is a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (eg SD or XD memory, etc.), RAM (RAM, Random Access Memory) SRAM (Static Random Access Memory), ROM (ROM, Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, magnetic It may include at least one type of storage medium among a disk and an optical disk.

3 is a block diagram showing the structure of the control device 100.

Referring to FIG. 3 , the control device 100 may include a control information processing unit 131 and a firewall information processing unit 132 .

The control information processing unit 131 performs a function of generating and changing control information for processing packet transmission and reception between the node devices 200 connected to the first network. The control information is information for establishing a relationship between one or more virtual machines included in the first network, and may be generated using a physical address assigned to the same user to identify the virtual machine. For example, the control information may be generated by connecting two or more physical addresses of virtual machines assigned to the first user.

The control information processing unit 131 may store and manage MAC/IP information of virtual machines in order to block packets that are targets of attacks such as malicious codes and viruses by the node devices 200 . The control information processing unit 131 may drop a packet whose network address corresponding to the destination is modulated by using the MAC/IP addresses of the stored virtual machines. The control information processing unit 131 automatically requests control information for processing when a packet whose netword address is modulated is introduced, and compares information related to modulated packets registered in advance to check whether communication is possible. Information related to the modulated packet may include MAC/IP address information. The control information processing unit 131 may generate and store control information (drop rule) for packets in which network information is modulated.

The firewall information processing unit 132 performs a function of generating and changing firewall information for processing packet transmission and reception from the second network 300 received by the node devices 200 . The firewall information is network information of a packet to be blocked, and may include information related to a packet for which network information has been tampered with. Since packets in which network information has been altered are highly likely to contain malicious codes and/or viruses, it is possible to determine whether or not to block based on whether or not the packets have been tampered with. In addition, the firewall information may include IP information corresponding to the destination of a packet to be blocked, a subnet mask, and the like. The control device 100 may control the information to be sorted according to each type of information so as to more quickly search whether or not the received packet is blocked.

The control device 100 according to embodiments of the present invention transmits control information and firewall information related to packet processing to the node device 200 according to a request from the node devices 200 connected to the first network. do. Through this, the control device 100 according to embodiments of the present invention may manage packet transmission and reception between node devices 200 connected to a closed network.

4 is a block diagram showing the structure of the node device 200.

Referring to FIG. 4, the node device 200 includes a packet control unit 231 that performs functions such as receiving or blocking packets received through the communication interface unit 210, one or more virtual machines 232a, 232b or less, 232) may be included.

The packet control unit 231 may perform functions such as receiving or blocking packets received through the communication interface unit 210, and may also perform an error control function of detecting errors in packets or recovering detected errors. there is. In addition, the packet control unit 231 may perform a function of controlling a flow in order to solve a speed difference between a sending device and a receiving device, and may perform a function of synchronizing packets and frames. In addition, the packet control unit 231 may perform a function of enabling packets to be successfully transmitted from the first node device 200 as a source to the second node device 200 as a destination. A detailed description of the packet controller 231 will be given in the description of FIG. 5 .

The node device 200 may include one or more virtual machines 232 that are physically one computing device but are logically separated. The virtual machine 232 may be created by a manager through a predetermined program or application. Even if the virtual machine 232 is included in one node device 200, the one or more virtual machines 232 may be assigned to each distinct physical address.

The network system 10 including the control device 100 and the node devices 200 according to embodiments of the present invention may require a wider storage space while providing a cloud service. In this case, the node device and go through the process of configuring one or more virtual machines on the node device. A provider providing a cloud service creates virtual machines allocated to each user in order to provide storage space for users using the cloud service. In addition, a provider providing a cloud service may allocate a plurality of virtual machines allocated to different node devices to one user. 5 is a block diagram showing the structure of the packet control unit 231.

Referring to FIG. 5 , a process of requesting and receiving control information by the packet control unit 231 of the node device 200 according to embodiments of the present invention will be described. The packet control unit 231 may include a reception control unit 2311, a control information request unit 2312, a control information reception unit 2313, a packet processing unit 2314, and a backup unit 2315.

When the node device 200 according to embodiments of the present invention receives a packet, it does not process itself in relation to the processing of the packet, but requests information related to control from the control device 100 connected to the first network. and determines whether to receive or block the packet according to the information received as a response to the request. In the case of conventional node devices providing cloud services, network information included in a predetermined range, such as a physical address and a subnet mask, is allocated to virtual machines assigned to the same user that share packets from the time of creation. , The node device 200 according to embodiments of the present invention receives and processes control information individually from the control device 100 so that packets can be shared with each other. Through this, the node device 200 may dynamically allocate virtual machines to users. More specifically, the control device 100 may allocate a virtual machine allocated to the first user to a user other than the first user by changing only control information on the virtual machine.

The reception control unit 2311 considers the source IP address included in the packet received through the communication interface unit 210, and determines whether the originating device of the packet is connected to the first network or to a network other than the first network. You can determine whether or not they are connected.

When the received packet is received from the node device 200 connected to the first network, the information request unit 2312 generates a first signal requesting control information and transmits the first signal to the control device 100. do.

When the received packet is received from the terminal device 400 not connected to the first network, the information requesting unit 2312 generates a second signal requesting firewall information and transmits the second signal to the control device. .

The information receiver 2313 receives control information or firewall information related to the received packet from the control device 100 .

The packet processing unit 2314 determines whether or not the received packet is received according to the control information received through the information receiving unit 2313, and receives the packet according to whether or not the received packet has been received. Also, the packet processing unit 2314 blocks the received packet according to the firewall information received through the information receiving unit 2313.

The backup unit 2315 performs a function of backing up and storing control information or firewall information for packets received through the information receiving unit 2313 . Through the backup unit 2315, the node device 200 according to embodiments of the present invention transmits a signal requesting control information or firewall information in order to process packets received from the same source device as previously received packets. There is no need to send duplicates. The node device 200 according to embodiments of the present invention receives or blocks the current packet in the same way as the previously received packet.

6 and 7 are flowcharts of a packet processing method according to embodiments of the present invention.

The flowchart of FIG. 6 relates to a method for processing packets between node devices connected to a first network. When the first node device 201 transmits the first packet to the second node device 202 (S601), that is, the packet from the first node device 201 connected to the first network to the second node device 202 When transmission/reception occurs, the destination second node device 202 transmits a signal requesting control information to the control device 100 in order to process the first packet (S602). The control device 100 searches for control information based on the source address and destination address included in the signal requesting control information for the first packet, and if there is the searched control information, the control information is transmitted to the second node device. It is transmitted to (202) (S603). The second node device 202 receives the first packet according to the control information. More specifically, the second node device 202 receives the first packet according to the presence or absence of control information for the first packet, that is, if the control information exists, and does not receive the first packet if the control information does not exist. may not be Alternatively, the second node device 202 analyzes the physical addresses included in the control information for the first packet to determine whether the virtual machines 232 corresponding to the source address and destination address of the first packet are allocated to the same user. Based on whether or not the first packet is received, it may be determined (S604). That is, the second node device 202 analyzes the physical addresses included in the control information for the first packet, and the virtual machines 232 corresponding to the source address and destination address of the first packet are the same user or shared Control to receive the first packet when it is allocated to a user having a space Alternatively, the control information may include whether or not the first packet is modulated. Node devices 200 may determine whether to modulate based on the network information of the first packet. By acquiring network information on which modulated packets are generated from the control device 100, the node devices 200 can determine whether to drop the packet. Following step S604, the control device 100 generates or changes control information related to the processing of the first packet and stores it. That is, the control device 100 generates and stores control information in which the source address and the destination address of the first packet are connected in pairs.

The flowchart of FIG. 7 relates to a method in which the node device 200 processes packets received from the terminal device 400 connected to a network other than the first network.

When the terminal device 400 transmits the second packet to the node device 200 (S701), the received node device 200 generates a signal for querying firewall information for the second packet to control the control device 100 ) is transmitted (S702). The control device 100 searches for firewall information based on network information corresponding to the terminal device 400, which is the originating device of the second packet, and network information of the terminal device 400, for example, an IP address and a subnet. If there is firewall information corresponding to at least one network information of a mask and a physical address, the firewall information is transmitted to the node device 200 (S703). The node device 200 blocks the second packet according to the received firewall information (S704). Following step S704, the control device 100 creates or changes firewall information related to the processing of the second packet and stores it. That is, the control device 100 may generate and store the network information of the second packet as firewall information. 8 is a diagram for explaining dynamic allocation of virtual machines of a network system according to embodiments of the present invention.

As shown in Figure 8, including a control device 100, a first node device 201, a second node device 202, a third node device 203, the cloud to the first user to the third user Assume that there is a network system 10 providing a service. Here, the first node device 201 includes a first virtual machine (VM1), a second virtual machine (VM2), and a third virtual machine (VM3), and the second node device 202 is a fourth virtual machine ( VM4), and the third node device 203 includes a fifth virtual machine (VM5) and a sixth virtual machine (VM6). Like C1, the first virtual machine (VM1) and the fourth virtual machine (VM4) are initially allocated to the first user, the second virtual machine (VM2) to the second user, and the third virtual machine (VM3) to the third user. ) is allocated, the control device 100 generates control information (FC1) connecting the physical address (VM1_phy_addr) of the first virtual machine and the physical address (VM4_phy_addr) of the fourth virtual machine allocated to the first user. save and manage In this way, the node devices 200 included in the network system 10 may have different numbers of assigned virtual machines. While the node devices included in the conventional network system have a fixed number of virtual machines, the network system 10 according to the embodiments of the present invention additionally exists in the unallocated area present in each node device 200. You can create virtual machines without restrictions.

Since the network system 10 according to the embodiments of the present invention can add a virtual machine or allocate it to another user by changing or newly adding only the control information of the control device 100, time elapses like C2. Later, the fifth virtual machine VM5 may be assigned to the first user, and the sixth virtual machine VM6 may be assigned to the third user. When a situation such as C2 is reached, the control device 100 is configured to connect the first virtual machine VM1 and the fourth virtual machine VM4 with the fifth virtual machine VM5 newly assigned to the first user. Control information linking physical addresses between the 1st virtual machine (VM1) and the fifth virtual machine (VM5) and control information (FC2) linking the physical addresses between the fourth virtual machine (VM4) and the fifth virtual machine (VM5). ) can be created. In addition, the control device 100 connects the third virtual machine VM3 with the sixth virtual machine VM6 newly assigned to the third user, so that the third virtual machine VM3 and the sixth virtual machine VM6 are connected. It is possible to generate control information (FC3) connecting the physical address of .

Embodiments according to the present invention described above may be implemented in the form of a computer program that can be executed on a computer through various components, and such a computer program may be recorded on a computer-readable medium. At this time, the medium is a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical recording medium such as a CD-ROM and a DVD, a magneto-optical medium such as a floptical disk, and a ROM hardware devices specially configured to store and execute program instructions, such as RAM, flash memory, and the like. Furthermore, the medium may include an intangible medium implemented in a form transmittable on a network, and may be, for example, a medium implemented in the form of software or an application and capable of transmission and distribution through a network.

Meanwhile, the computer program may be specially designed and configured for the present invention, or may be known and usable to those skilled in the art of computer software. An example of a computer program may include not only machine language code generated by a compiler but also high-level language code that can be executed by a computer using an interpreter or the like.

Specific implementations described in the present invention are examples and do not limit the scope of the present invention in any way. For brevity of the specification, description of conventional electronic components, control systems, software, and other functional aspects of the systems may be omitted. In addition, the connection of lines or connecting members between the components shown in the drawings are examples of functional connections and / or physical or circuit connections, which can be replaced in actual devices or additional various functional connections, physical connection, or circuit connections. In addition, if there is no specific reference such as "essential" or "important", it may not necessarily be a component necessary for the application of the present invention.

In the specification of the present invention (particularly in the claims), the use of the term "above" and similar indicating terms may correspond to both singular and plural. In addition, when a range is described in the present invention, it includes an invention in which individual values belonging to the range are applied (unless there is a description to the contrary), and each individual value constituting the range is described in the detailed description of the invention Same as Finally, unless an order is explicitly stated or stated to the contrary for the steps constituting the method according to the present invention, the steps may be performed in any suitable order. The present invention is not necessarily limited according to the order of description of the steps. The use of all examples or exemplary terms (eg, etc.) in the present invention is simply to explain the present invention in detail, and the scope of the present invention is limited due to the examples or exemplary terms unless limited by the claims. it is not going to be In addition, those skilled in the art can appreciate that various modifications, combinations and changes can be made according to design conditions and factors within the scope of the appended claims or equivalents thereof.

10: network system
100: control device
200: node device
300: second network
400: terminal device

Claims (11)

In the node device including one or more virtual machines to which different physical addresses are assigned,
A packet receiving unit for receiving a first packet from a first node device connected to the first network;
a control information requesting unit transmitting a signal requesting control information related to processing of the first packet to a control device connected to the first network;
a control information receiver configured to receive a response to the signal from the control device and to determine whether to receive the packet according to control information included in the response to the signal;
A packet processing unit that receives the packet according to whether or not the packet is received and transmits the packet to a virtual machine to which a destination address is assigned; including a node device.
According to claim 1,
Further comprising a backup unit for backing up the control information;
The packet processing unit
When a second packet is successively received with the first packet from the first node device by the packet reception unit, control information related to packet processing is not requested from the control device, and according to the control information stored in the backup unit Transmitting the second packet to the virtual machine to which the destination address is assigned, the node device.
According to claim 1,
The control information request unit
When a third packet is received from a terminal device connected to a second network different from the first network by the packet receiving unit, a signal requesting firewall information related to processing of the third packet is transmitted to the control device;
The control information receiver
Receiving a response of the signal from the control device, determining whether to block the packet according to firewall information included in the response signal of the signal;
The packet processing unit
A node device that receives the packet according to whether the packet is blocked and transmits the packet to a virtual machine to which a destination address is assigned.
A packet receiving unit including a plurality of virtual machines to which different physical addresses are assigned and receiving a first packet from a first node device connected to a first network;
a control information requesting unit transmitting a signal requesting control information related to processing of the first packet to a control device connected to the first network;
a control information receiver configured to receive a response to the signal from the control device and to determine whether to receive the packet according to control information included in the response to the signal;
A second node device including a packet processing unit receiving the packet according to whether the packet is received and transmitting the packet to a virtual machine to which a destination address is assigned; and
and a control information processing unit configured to generate and store control information related to packet processing based on a relationship between physical addresses of one or more virtual machines connected to the first network.
According to claim 4,
The control information processing unit
When the first virtual machine and the second virtual machine connected to the first network are allocated to the first user, packet transmission and reception between the physical address of the first virtual machine and the physical address of the second virtual machine is enabled. A network system that generates control information to be used.
According to claim 4,
The control device
In order to process packets received from networks other than the first network, a firewall information processing unit that generates and stores firewall information arranged in the order of the size of the IP address or subnet mask included in the network information to be blocked; network system.
According to claim 5,
The control information processing unit of the control device
Allocating a physical address of a second virtual machine included in the second node device, and controlling information according to a relationship between the physical address of the second virtual machine and the physical address of one or more virtual machines assigned to the first user. creating a network system.
A packet processing method of a node device including one or more virtual machines to which different physical addresses are assigned,
Receiving, by the node device, a first packet from another node device connected to a first network;
transmitting, by the node device, a signal requesting control information related to processing of the first packet to a control device connected to the first network;
Receiving, by the node device, a response to the signal from the control device, and determining whether to receive the packet according to control information included in the response to the signal;
receiving, by the node device, the packet according to whether the packet is received, and transmitting the packet to a virtual machine to which a destination address is assigned;
Generating and storing, by the control device, control information pairwise connecting the source address and the destination address of the packet received by the node device;
Including, packet processing method.
According to claim 8,
Further comprising; backing up the control information by the node device;
When the node device receives a second packet from the other node device as a follow-up to the first packet, the control device does not request control information related to packet processing from the control device, and according to the backed-up control information, the second packet The packet processing method further comprising transmitting the packet to a virtual machine to which the destination address is assigned.
According to claim 8,
The step of requesting the control information is
When the node device receives a third packet from a terminal device connected to a second network different from the first network, transmits a signal requesting firewall information related to processing of the third packet to the control device,
The step of receiving the control information is
Receiving a response of the signal from the control device, determining whether to block the packet according to firewall information included in the response signal of the signal;
The step of transmitting to the virtual machine is
Receiving the packet according to whether the packet is blocked, and transmitting the packet to a virtual machine to which a destination address is assigned.
A computer program stored in a recording medium to execute the method of any one of claims 8 to 10 using a computer.

Images