KR20170001655A - Method for user authentication, and method for controlling service function chain by using the same - Google Patents

Abstract

Disclosed are a user authentication method based on virtual local area network information (VLAN) in an L2 network and a service function chain control method using the same. According to the present invention, the user authentication method comprises the following steps of: identifying a first network device connected to a terminal and a second network device connected to the first network device based on location information of a user terminal; allocating a first VLAN identification (ID) to the first network device and allocating a second VLAN ID to the second network device; informing the terminal of information for appointing a port of the first network device to be connected to the terminal; receiving an authentication request including the first and the second VLAN ID, from a third network device receiving a packet tagging the first and the second VLAN ID to a PC receiving from the terminal through the appointed port of the first network device to identify a user by a combination of the first and the second VLAN ID; and transmitting the authentication request with respect to the terminal and receiving a result with respect to the authentication request.

Description

Technical Field [0001] The present invention relates to a method for authenticating a user in an L2 network and a method for controlling the same,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to network function virtualization (NFV) and service function chaining (SFC) technology, and more particularly, And to a method for creating and controlling a virtualized service function and a service function path.

In a wired / wireless network, a network address translation (NAT), a firewall, a Dynamic Host Configuration Protocol (DHCP), a Broadband (BRAS) Remote Access Server) are required.

Internet users want to get different network services. To do this, they have to perform user authentication and network access authorization. The user's network traffic is controlled according to the user authentication result.

In the wired and wireless network, user authentication technologies such as Point-to-Point Protocol Over Ethernet (PPPoE), IEEE 802.1x, and IPoE (IP over Ethernet) are used to confirm a user's access right to a network.

The PPPoE-based user authentication technology is a technique for performing user authentication by transmitting a user ID and a password to an authentication server such as a Radius server before receiving an IP address in the L2 network. A dedicated program that provides PPPoE technology must be installed in the user terminal, and user ID and password can be input through the PPPoE technology. If user authentication is successful, the user terminal is assigned an IP address through Internet Protocol Control Protocol (IPCP) or the like.

The user authentication technology based on IEEE 802.1x (EAP, Extensible Authentication Protocol) is a logical port-based authentication technique, such as PPPoE technology, which can be performed in an L2 network without being assigned an IP address. AP (Access Point) manages virtual logical ports for determining whether or not the lower access terminal is allowed to access / block, and encapsulates the EAP protocol into a Radius protocol.

Meanwhile, unlike authentication technologies such as PPPoE and IEEE 802.1x, IPoE-based user authentication technology operates in the L3 network. That is, the user terminal is first allocated an IP address through DHCP or the like, and performs user authentication through HTTP authentication or the like. HTTP authentication, like user authentication technology based on L2 network, receives user ID and password, and performs authentication procedure through it.

On the other hand, there is a traffic path asymmetry in the L3 network. Therefore, a technology capable of performing user authentication without inputting a user ID and a password in order to confirm a network access right in the L2 network is needed. Also, in order to provide various network services to the user, frequent replacement of user terminals such as customer premises equipment (CPE) may be required, and new network service servers may need to be added.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a terminal authentication method on an L2 network.

It is a second object of the present invention to provide an SFC control method for an authenticated terminal on an L2 network.

According to an aspect of the present invention, there is provided a method for authenticating a terminal on an L2 network, the method comprising: receiving a network control server (NCS) Identifying a first network device to which the terminal is connected and a second network device connected to the first network device; Assigning a first VLAN ID to the first network device and a second VLAN ID to the second network device; (UMS) informing a user of the terminal of information specifying a port of the first network device to which the terminal should connect; From a third network device that receives a packet tagged with the first VLAN ID and the second VLAN ID in a packet received from the terminal through a designated port of the first network device, Receiving an authentication request including a VLAN ID and the second VLAN ID, identifying the user by a combination of the first VLAN ID and the second VLAN ID; And transmitting the authentication request to the UMS by the NCS and receiving a result of the authentication request from the UMS.

Here, the location information of the user terminal may be included in the information on the user provided by the UMS, and the information on the user may further include an identifier of the user.

Here, the NCS may identify the first network device and the second network device based on network topology information managed by the NCS.

Wherein the first VLAN ID is a unique identifier in the first network device and is assigned to a specific port of the first network device, the second VLAN ID is a unique identifier in the second network device, And may be assigned to a port of the second network device directly connected to the network device.

Here, the NCS may notify the UMS of the allocation result of the first VLAN ID and the allocation result of the second VLAN ID, respectively.

Here, the packet tagged with the first VLAN ID and the second VLAN ID may follow the Q-in-Q format defined in the IEEE802.1ad standard.

Here, the third network device may be a network device that terminates the L2 network.

Here, the authentication request for the terminal may include the identifier of the user.

Here, the result of the authentication request includes information for specifying a service to be provided to the user, and the NCS can determine a service function path (SFP) for providing the service.

At this time, the SFP may include information on at least one service function (SF) for providing the service.

According to an aspect of the present invention, there is provided an operation method of an SFC controller for controlling a service function chain (SFC) for an authenticated terminal on an L2 network, The controller informs the SFC classifier about the first VLAN ID, the second VLAN ID, and information on the service function path (SFP) allocated to the terminal for L2 network authentication for the terminal Passing a mapping table; And the SFC controller sends to the at least one service function forwarder (SFF) present on the service function path forwarding information including information about at least one service function (SF) on the SFP and the SFP wherein the mapping table refers to the SFC classifier that has received the tagged packet with the first VLAN ID and the second VLAN ID and transmits the received packet to the SFF on the SFP, And the forwarding table may be referenced to the SFF on the SFP and configured to forward the received packet to the at least one SF on the SFP.

Here, the packet tagged with the first VLAN ID and the second VLAN ID may follow the Q-in-Q format defined in the IEEE802.1ad standard.

Here, the authentication on the L2 network with respect to the terminal may be performed by a network control server (NCS), based on the location information of the terminal, with the first network device to which the terminal is connected and the first network device Identifying a connected second network device; Assigning the first VLAN ID to the first network device and the second VLAN ID to the second network device; (UMS) informing a user of the terminal of information specifying a port of the first network device to which the terminal should connect; From a third network device that receives a packet tagged with the first VLAN ID and the second VLAN ID in a packet received from the terminal through a designated port of the first network device, Receiving an authentication request including a VLAN ID and the second VLAN ID, identifying the user by a combination of the first VLAN ID and the second VLAN ID; And transmitting the authentication request to the UMS by the NCS and performing the authentication of the UMS by the UMS.

Here, the location information of the user terminal may be included in the information on the user provided by the UMS, and the information on the user may further include an identifier of the user.

Here, the NCS may identify the first network device and the second network device based on network topology information managed by the NCS.

Wherein the first VLAN ID is a unique identifier in the first network device and is assigned to a specific port of the first network device, the second VLAN ID is a unique identifier in the second network device, And may be assigned to a port of the second network device directly connected to the network device.

Here, the third network device may be a network device that terminates the L2 network.

Here, the SFP may be configured to provide the service based on information for specifying a service to be provided to the user included in the result of the authentication request.

According to another aspect of the present invention, there is provided a method of operating an SFC classifier for controlling a service function chain (SFC) for a terminal authenticated on an L2 network, The SFC classifier performs a mapping including information on a first VLAN ID, a second VLAN ID, and information on a service function path (SFP) allocated to the terminal for L2 network authentication for the terminal Receiving a table from an SFC controller; And the SFC classifier receives a packet in which the first VLAN ID and the second VLAN ID are tagged and transmits the received packet to a service function forwarder (SFF) on the SFP by referring to the mapping table And transmitting the information.

Here, the packet tagged with the first VLAN ID and the second VLAN ID may follow the Q-in-Q format defined in the IEEE802.1ad standard.

Here, the authentication on the L2 network with respect to the terminal may be performed by a network control server (NCS), based on the location information of the terminal, with the first network device to which the terminal is connected and the first network device Identifying a connected second network device; Assigning the first VLAN ID to the first network device and the second VLAN ID to the second network device; (UMS) informing a user of the terminal of information specifying a port of the first network device to which the terminal should connect; From a third network device that receives a packet tagged with the first VLAN ID and the second VLAN ID in a packet received from the terminal through a designated port of the first network device, Receiving an authentication request including a VLAN ID and the second VLAN ID, identifying the user by a combination of the first VLAN ID and the second VLAN ID; And the NCS transmits an authentication request for the terminal to the UMS, and the UMS performs AAA authentication for the terminal.

Here, the location information of the user terminal may be included in the information on the user provided by the UMS, and the information on the user may further include an identifier of the user.

Here, the NCS may identify the first network device and the second network device based on network topology information managed by the NCS.

Wherein the first VLAN ID is a unique identifier in the first network device and is assigned to a specific port of the first network device, the second VLAN ID is a unique identifier in the second network device, And may be assigned to a port of the second network device directly connected to the network device.

Here, the third network device may be a network device that terminates the L2 network.

Here, the SFP may be configured to provide the service based on information for specifying a service to be provided to the user including a result of the authentication request.

The virtual LAN (VLAN) information based user authentication method in the L2 network according to the present invention and the SFC control method using the same can provide the convenience of the authentication procedure to the Internet user, and the accuracy of the user authentication information Can be improved.

In addition, through this, it is possible to provide a base for quickly and conveniently providing a variety of new services meeting the needs of users.

In addition, network investment cost (CAPEX) and operating expense (OPEX) can be greatly reduced due to the launch of new services.

FIG. 1 is a block diagram for explaining an IETF SFC standard-based service function chaining system to which a user authentication method and a service function chain (SFC) control method according to the present invention are applied.
FIG. 2 is a diagram for explaining the concept of virtualization and service chaining of a CPE terminal network function to which a user authentication method and a service function chain (SFC) control method according to the present invention are applied.
3 is a system configuration diagram for performing a user authentication method in an L2 network according to an embodiment of the present invention.
4 is a flowchart illustrating a method for authenticating a user in an L2 network according to an embodiment of the present invention.
5 is a conceptual diagram illustrating a system configuration to which a user authentication method in an L2 network is applied according to an embodiment of the present invention.
6 is a conceptual diagram illustrating a packet format in which a first VLAN ID and a second VLAN ID are tagged for a user authentication method in an L2 network according to an embodiment of the present invention.
7 is a flowchart illustrating an SFC control method for a terminal authenticated on an L2 network according to an embodiment of the present invention.
8 is a conceptual diagram for explaining a part of an IETF SFC-based packet format used in an SFC control method for an authenticated terminal on an L2 network according to an embodiment of the present invention.
9 is a diagram illustrating a mapping table for explaining an SFC control method for a terminal authenticated on an L2 network according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

The terms first, second, A, B, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Do not.

Hereinafter, the main components of the service function chaining (SFC) will be described.

First, SFC classifier, SFC controller, Service Function Forwarder (SFF), and Service Function (SF) are the main components of the SFC. Is as follows.

SFC classifier - Performs the function of identifying the service of the input traffic according to the policy based on the information of the customer, the network, and the subscribed service. That is, a forwarding policy suitable for the input traffic flow, a user, and a network profile are identified. The SFC classifier node is a component that performs the functions of the SFC classifier. Typically, the SFC classifier may be a Broadband Network Gateway (BGN) device in a wired network or a Packet Data Network Gateway (PGW) device in a mobile network.

Service Function Forwarder (SFF): This is a component that delivers traffic received in the SFC domain to the SF or other SFFs connected to it based on the information of the NSH (Network Service Header) header. One SFF may be connected to one or more SFs. Typically, the SFF can be the Top Of Rack of the data center and the virtual switch (vSwitch) of the virtualization server.

Service Function (SF): This is a component that receives a traffic packet transmitted from the SFF and performs a specified process on the received traffic packet. SF can operate on various layers of the protocol stack. One function may operate on a physical device, and several logical functions may operate on one physical device. There may also be duplicate SF instances in the same SFC domain. Typically, the SF is a firewall, a network filter, a network address translation (NAT), a private branch exchange (IP-PBX), a network cache, a network storage, a deep packet inspection ), And the like.

SFC Encapsulation: SFC Encapsulation provides the minimum identification (SFPID) for the Service Function Path (SFP). It is used in SFC-aware components such as SFF and SFC aware SF and is not used for packet transmission in general network domain. In addition to the SFPID, data plane context information is transmitted as metadata.

Service Function Chain (SFC): Specifies the sequence of SFs and the set of abstract SFs. When packets pass through the SFC domain, the SFs specified in the SFC must be routed in the specified order.

Service Function Path (SFP): The SFC has an abstract form of SF, while the SFP defines which SF / SFF of the real network the SFC will go through.

SFC controller: manages the service topology and defines the forwarding settings for the SFF. The SFC controller may be present in the SFC control plane as described below. An SFC controller may be an entity within the control plane, but may exist as multiple entities. That is, the term SFC controller refers to an entity that serves as an SFC control plane. In the following description, 'SFC control plane' and 'SFC controller' can be used in combination.

SFC Proxy - Removes and inserts SFC Encapsulation information on behalf of SFs that do not recognize SFCs (ie, legacy SFs).

FIG. 1 is a block diagram for explaining an IETF SFC standard-based service function chaining system to which a user authentication method and a service function chain (SFC) control method according to the present invention are applied.

1, an SFC system includes an SFC controller 110, an SFC classifier 120, at least one SFF (SFF # 1 121, SFF # 2 122, SFF # 3 123) SF 131-1, ..., 131-N, a non-SFC SF (133), and an SFC proxy (132).

First, the SFC classifier 120 analyzes input traffic flows, determines which network services are required for a given traffic, and selects a single traffic path. The SFF is connected to one or more SFs, identifies the traffic path information encapsulated in the traffic flow, and delivers the traffic flow to the SFs. The SF performs network services such as deep packet inspection (DPI), firewall, and network address translation (NAT) for the incoming traffic flow.

That is, when the packet is transmitted to the SFC classifier 120, the SFC classifier 120 identifies the subscriber of the corresponding packet through the IP address, MAC address, and port number of the packet, And determines the ID of the service.

Next, the SFC classifier 120 transmits the determined service ID to the SFC controller 110, and the SFC controller 110 determines a service function path (SFP) for the flow of the packet of the corresponding subscriber This process is referred to as "SFC Encapsulation"

The SFP is identified by the SFPID (Service Function Path ID), and is transmitted from the SFC controller 110 to the SFC classifier 120 as metadata including the SF, SFF, and Encapsulation information used by the corresponding subscriber. The packet is then passed through the SFC-enabled domain according to this SFP.

In addition to the various SFs constituting the domain, the SFF is also necessary for forwarding traffic, and the traffic sent from the SFF to the specific SF is maintained in the order of returning to the corresponding SFF after processing in the SF. For example, the traffic transferred from SFF # 1 to SF1 is processed in SF1 and then transferred to SFF # 1.

FIG. 2 is a diagram for explaining the concept of virtualization and service chaining of a CPE terminal network function to which a user authentication method and a service function chain (SFC) control method according to the present invention are applied.

2, a customer premises equipment (CPE) is an in-house device directly connected to a network of a communication service provider, and may be provided by a communication service provider or installed by a user. For example, the CPE 210 may be a variety of terminals such as a wireless router, a home gateway, and a femto cell.

The network service virtualization of the CPE terminal according to the embodiment of the present invention does not perform the network service in the in-house CPE device but performs the network services of the CPE in the server such as the data center and the server of the communication service provider server. That is, the virtualized CPE (vCPE) is a set of virtualized servers of network services of the CPE and is composed of vNAT 211, vDHCP 212, vVPN 213, vFW 214, and the like.

For example, if the network service element of the conventional CPE 210 is configured as NAT, DHCP, BRAS, firewall, etc., then these network service elements may be referred to as virtualized service functions vNAT 211, vDHCP v212, vVPN 213, vFW 214 -.

First, the vNAT 211 converts a private IP address and a port into a public IP address and a port to enable communication between the private IP network and the public IP network. In this way, the user internal network can be protected from the external network constituted by the public IP network by configuring it as a private IP network.

The vDHCP 212 performs a role of assigning a private IP address to the lower-level terminals or network devices connected to the CPE. A specific terminal can be assigned a public IP address through a DHCP server of the communication company without being assigned a private IP address through the DHCP function of the CPE.

The vFW 214 functions as a firewall function to block and control aggressive traffic and harmful traffic from the external network. The vVPN 213 performs a function of configuring a virtual private network with an external host through a public network, which is an external network.

Finally, in the case of CPE virtualization, the CPE 210 is configured to have only a few basic network functions, such as L2 switching. The controller 220 functions to set and manage a corresponding policy according to which network function of a vCPE is used by a specific user. In addition, the CPE 210 communicates with the vCPE through a transport network.

3 is a system configuration diagram for performing a user authentication method in an L2 network according to an embodiment of the present invention.

Referring to FIG. 3, a system for performing a method for authenticating a user on an L2 network according to an embodiment of the present invention includes authentication target terminals 300 and 301, a data plane 310, and a control plane 320 .

First, the data plane 310 includes network devices 311-1, ..., 311-n, at least one heterogeneous network device 312, service virtualization servers 313-1, ..., 313- n, and at least one heterogeneous service virtualization server 314.

The control plane 320 includes a user management server (UMS) 321, a network control server (NCS) 322, a service management server 323, a heterogeneous network control server 324, A service management server 325, and the like.

Network control, and service control for the authentication target terminal 300 or 301 by interlocking the data plane 310 and the control plane 320 described above.

FIG. 4 is a flowchart illustrating a method for authenticating a user in an L2 network according to an embodiment of the present invention. FIG. 5 illustrates a system configuration in which a user authentication method in an L2 network is applied according to an embodiment of the present invention FIG.

Referring to FIG. 4, a procedure for a user management server (UMS) 321 and a network control server (NCS) 322 to perform authentication for an authentication target terminal 300 on an L2 network will be described.

First, the UMS 321 transmits the user UA information of the authentication target terminal 300 to the NCS 322 (S410). At this time, the user information transmitted to the NCS 322 by the UMS 321 may include information such as an identifier (i.e., a user ID) of the user UA and a user location.

Next, the NCS 322 confirms the location of the user UA based on the user information received from the UMS 321, and determines the network topology required for the terminal 300 of the user UA to receive the network service (topology) information. That is, the NCS 322 can grasp the network connection information of the terminal 300 through the network topology information collected / managed by the NCS 322.

In the embodiment of FIG. 4, the terminal 300 sequentially passes through the first network device 311-1, the second network device 311-2, and the third network device 311-3. Through the network topology information thus confirmed, the NCS 322 sets a first VLAN ID (i.e., a Customer VLAN (C-VLAN) ID) for the first network device 311-1 (S411). At this time, one C-VLAN value is assigned to a specific port (e.g., port 1) of the first network device 311-1. The value of the first VLAN ID (C-VLAN) may be a unique identifier within the first network device. In the embodiment of FIG. 4, it can be seen that 100 is set as the first VLAN ID.

Next, the NCS 322 confirms that the first VLAN ID (C-VLAN) is normally set up, and then transmits the setting result of the first VLAN to the UMS 321 (S420). The setting result information of the first VLAN may include port information (i.e., port 1) of the first network device 311-1 to which the user terminal 300 should connect, and the like.

After the above-described steps S411 and S420 are completed, the NCS 322 transmits the network topology information to the second network device 311-2, which is the upper network device of the first network device 311-1, . Accordingly, the NCS 322 sets the second VLAN ID (i.e., the Service VLAN (S-VLAN) ID) to the second network device 311-2 (S430). At this time, a second VLAN ID is allocated to a port of a second network device directly connected to the first network device. The value of the second VLAN ID (S-VLAN) may be a unique identifier in the second network device.

Next, the NCS 322 confirms that the setting of the second VLAN ID (S-VLAN) is normally completed, and then transmits the setting result of the second VLAN to the UMS 321 (S440). The configuration result information of the second VLAN may include port information of the second network device 311-2 to which the user terminal should pass.

The UMS 321 confirms that the setting of the first VLAN ID and the second VLAN ID is completed through the NCS 322 and then informs the user UA of the connection position of the terminal 300 (I.e., the port of the first network device 311-1) (S450). In this embodiment, the terminal 300 of the user can access the terminal using the port 1 of the first network device 311-1. The user can access the terminal 300 from the first port 311-1 of the first network device 311-1.

When a packet is generated in the user terminal 300 (S460), the packet is tagged additionally to the original packet via the first network device 311-1 (S461). Then, the second VLAN ID is additionally tagged via the second network device 311-2 to the packet (S462). The packets finally entering the third network device 311-3 include both the first VLAN ID and the second VLAN ID. At this time, the packet structure including both the first VLAN ID and the second VLAN ID may conform to the standard defined in the IEEE 802.1ad standard.

The third network device 311-3 is a network device that terminates an L2 network constituted by the first network device 311-1 and the second network device 311-2, ) As an authenticator.

Upon receiving the user packet, the third network device 311-3 requests the AAA authentication request to the NCS 322 (S470). The identification information for the user UA includes VLAN information included in the user packet do. That is, the first VLAN ID (C-VLAN) and the second VLAN ID (S-VLAN) are identification information for the user (UA). That is, one user can be identified by a combination of one first VLAN ID and a second VLAN ID. Accordingly, when the NCS 322 receives the authentication request from the third network device 311-3, the NCS 322 identifies the first VLAN ID / second VLAN ID information and identifies the user as a UA.

Next, the NCS 322 requests the UMS 321 to authenticate the user UA (S471). The authentication request information includes a user ID and the like for the user (UA).

The UMS 321 performs AAA authentication on the authentication request received from the NCS 322 and may transmit the authentication result to the NCS 322 (S480). The authentication result information includes information for specifying a service to be provided to the user (UA). In this embodiment, the service name to be provided to the corresponding user is SA, and one service name may be composed of a plurality of network services (i.e., service functions). For example, a service (SA) includes network services such as NAT, FW, DHCP, and VPN.

The NCS 322 determines a corresponding service path PA for the service SA received from the UMS 321. The NCS 322 transmits the determined service path information to the third network device 311-3 (S481). 1, the service path determined by the NCS 322 may be a service function path (SFP) including information on SFs.

The above-described procedures of Fig. 4 can be more clearly described with reference to Fig.

5, the UMS 321 manages information on the user UA, and the NCS 322 receives a first VLAN ID (i.e., a C-VLAN) corresponding to the user UA and a second VLAN ID (I.e., S-VLAN).

The network devices 311-1 and 311-2 respectively tag the first VLAN ID (e.g., 100) and the second VLAN ID (e.g., 100) received from the NCS 322 to the packet received from the terminal, The third network device 311-3 receiving the first VLAN ID and the second VLAN ID tagged packet performs the authentication procedure for the user UA in cooperation with the NCS 322 and the UMS 321, From the NCS 322, a service path (PA) for a service (SA) for the user equipment (UA).

6 is a conceptual diagram illustrating a packet format in which a first VLAN ID and a second VLAN ID are tagged for a user authentication method in an L2 network according to an embodiment of the present invention.

Referring to FIG. 6, the packet format 610 in which the first VLAN ID 611 is tagged may conform to the IEEE 802.1Q standard. That is, the packet format 610 is a format of a data packet transmitted from the first network device 311-1 to the second network device 311-2 in FIG. 4 and FIG. In this packet format, the first VLAN ID (C-VLAN) is included in the 802.1 q Tag information 611.

The packet format 620 in which both the first VLAN ID 622 and the second VLAN ID 621 are tagged may be a Q-in-Q (Q-in-Q) format conforming to the IEEE 802.1ad standard. That is, the packet format 620 is a format of a data packet transmitted from the second network device 311-2 to the third network device 311-3 in FIG. 4 and FIG. In this traffic format, a second VLAN ID (S-VLAN) is included in 802.1q Tag (Outer) information 621 and a first VLAN ID (C-VLAN) is included in 802.1q Tag (Inner) .

7 is a flowchart illustrating an SFC control method for a terminal authenticated on an L2 network according to an embodiment of the present invention.

7, the SFC classifier 120 may be a device such as a BNG (Broadband Network Gateway) in a wired network, a PGW (Packet Data Network GateWay) in a mobile network, and the SFFs 121 to 123 Data center Top of Rack, virtual server vSwitch, and so on. The SFs 131 may be network service servers such as FW, NAT, DHCP, and VPN.

7, the SFC controller 110 transmits service function paths sequentially in the order of SFP # 1, SFP # 2, and SFP # 3 to terminals that have been authenticated using the first VLAN ID and the second VLAN ID To provide an SFC control method.

First, the SFC controller 110 notifies the SFC classifier 120 of a mapping table including information on the first VLAN ID, the second VLAN ID, and the SFP allocated in the L2 network authentication process for the service target terminal table (S710). In step S710, if the first VLAN ID and the second VLAN ID are 100/100, a mapping table is provided so that the service is controlled by the SFP # 1 (i.e., part 910 of FIG. 9). The SFC classifier 120 can classify the user packets using the mapping table.

The SFC controller 110 transmits a forwarding table including SFP # 1, SF, etc. to the SFF (S711). In the present embodiment, the SFP # 1 is an SFP for forwarding a packet to a SF that performs a virtualized Broadband Remote Access Server (vBRAS) function. SFF can forward user packets using the forwarding table.

The SFC controller 110 may be informed of the result of the SF execution (S712). In FIG. 7, it is illustrated that the SFC controller 110 directly receives the result of performing the SF from the SF. However, the execution result of the SF may be notified from the SFF connected to the corresponding SF. For example, the user authentication result can be notified from the SF performing the vBRAS function.

In accordance with the SFP # 1, the SFC controller 110 receiving the user authentication result from the SF responsible for the vBRAS function confirms that the service execution according to the SFP # 1 is completed, and sends the changed mapping table to the SFC classifier 120 (S720). In step S720, the mapping table illustrated in FIG. 9 (i.e., part 920 of FIG. 9) may be provided. That is, when the first VLAN ID and the second VLAN ID are 100/100, the mapping table is provided so that the service is controlled by the SFP # 2. The SFP # 2 is an SFP that can perform service chaining of the SF # 1 performing the vNAT function and the SF # 2 performing the vDPI function in order.

The SFC controller 110 transmits a forwarding table including SFP # 2, SF, etc. to the SFF (S721). The SFC controller 110 is informed of the execution result from the SF # 2 performing the vDPI function (S722). At this time, if the specific packet flow is the aggressive packet, it is confirmed that the SF # 3 performing the additional FW function is needed .

Finally, the SFC controller 110 confirms that the service execution according to the SFP # 2 is completed and the service execution according to the SFP # 3 is required, and provides the SFC classifier 120 with the changed mapping table ( S730). In step S730, the mapping table 930 illustrated in FIG. 9 may be provided. That is, when the first VLAN ID and the second VLAN ID are 100/100, the mapping table is provided so that the service is controlled by the SFP # 3. The SFP # 3 is an SFP that enables the SF # 1 performing the vNAT function and the SF # 3 performing the vFW function to be executed in order by service chaining.

The SFC controller 110 delivers the forwarding table including the SFP # 3, SF, etc. to the SFF (S731). The SFC controller 110 is informed of the execution result from the SF # 3 performing the vFW function (S732), and confirms that the user packet is protected from the aggressive packet.

8 is a conceptual diagram for explaining a part of an IETF SFC-based packet format used in an SFC control method for an authenticated terminal on an L2 network according to an embodiment of the present invention.

The format illustrated in FIG. 8 corresponds to the format of an NSH (Network Service Header) of an IETF SFC-based packet. The NSH format basically includes a base header 810, a service path header 820, and a context header 830.

First, the base header 810 includes a multi-flag field including version information, Operation / Administration / Management (OAM) information, critical TLV information, a length field 812, an MD field 813, A next protocol field 814, and the like. Detailed description of each field is omitted.

Next, the service path header 820 may be configured to include a service path ID (SPI) 821 and a service index (SI) 822. Here, the SPI 821 is an identifier that uniquely identifies the SFP, and SI is reduced index information one by one when service functions are sequentially performed by service chaining.

9 is a diagram illustrating a mapping table for explaining an SFC control method for a terminal authenticated on an L2 network according to an embodiment of the present invention.

Referring to FIG. 9, the mapping table for SFC control may include a sequence, a first VLAN ID (C-VLAN), a second VLAN ID (S-VLAN), SPI, SI, have. That is, the mapping table can be used for specifying the SFP to be performed based on the first VLAN ID and the second VLAN ID of the packet received from the SFC classifier.

First, the first part 910 of the mapping table corresponds to the mapping table transferred from the SFC controller 110 to the SFC classifier 120 by the step S710 described above with reference to FIG. According to the first part 910 of the mapping table, the service according to the SFP # 1 is performed on packets corresponding to the combination of the first VLAN ID and the second VLAN ID. In SFP # 1, if SF is 1, SF is vBRAS, and SF (next hop) to be performed next to vBRAS SF is an end of path of SFP # 1 path.

Next, the second portion 920 of the mapping table is transferred from the SFC controller 110 to the SFC classifier 120 by the step S720 described above with reference to FIG. 7, so that the SFC classifier 120 This is the part for changing the mapping table to manage. According to the second portion 920 of the mapping table, a service according to the SFP # 2 is performed on a packet corresponding to the combination of the first VLAN ID and the second VLAN ID. In SFP # 2, the SF performed when SI is 2 is vNAT, and the SF to be performed after vNAT SF (SF performed when SI is 1) is vDPI. Also, it can be seen that SF (next hop) to be performed next to the vDPI SF is an end of path of the SFP # 2 path.

Finally, the third portion 930 of the mapping table is passed from the SFC controller 110 to the SFC classifier 120 by the step S730 described above in FIG. 7, so that the SFC classifier 120 This is the part for changing the mapping table to manage. According to the third part 930 of the mapping table, the service according to the SFP # 3 is performed on packets corresponding to the combination of the first VLAN ID and the second VLAN ID. In SFP # 3, the SF performed when SI is 3 is vNAT, and the SF to be performed after vNAT SF (SF performed when SI is 1) is vFW. Also, it can be seen that SF (next hop) to be performed next to the vFW SF is an end of path of the SFP # 3 path.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the following claims It can be understood that

300, 301: user terminal
310: Data plane
311-1, 311-2, 311-n, 312: Network device
313-1, 313-2, 313-n, 314: a service virtualization server
320: control plane
321: User Management Server
322: Network control server
323: Service Management Server
324: Heterogeneous network control server
325: heterogeneous service management server

Claims (26)

A terminal authentication method on an L2 network,
A network control server (NCS) identifying a first network device to which the terminal is connected and a second network device connected to the first network device, based on the location information of the user terminal;
Assigning a first VLAN ID to the first network device and a second VLAN ID to the second network device;
(UMS) informing a user of the terminal of information specifying a port of the first network device to which the terminal should connect;
From a third network device that receives a packet tagged with the first VLAN ID and the second VLAN ID in a packet received from the terminal through a designated port of the first network device, Receiving an authentication request including a VLAN ID and the second VLAN ID, identifying the user by a combination of the first VLAN ID and the second VLAN ID; And
Wherein the NCS transmits an authentication request for the terminal to the UMS and receives a result of the authentication request from the UMS. The method according to claim 1,
Wherein the location information of the user terminal is included in the information on the user provided by the UMS and the information on the user further includes an identifier of the user. A terminal authentication method on a network. The method according to claim 1,
Wherein the NCS identifies the first network device and the second network device based on network topology information managed by the NCS. The method according to claim 1,
Wherein the first VLAN ID is a unique identifier in the first network device and is assigned to a specific port of the first network device and the second VLAN ID is a unique identifier in the second network device, Wherein the second network device is assigned to a port of the second network device directly connected to the second network device. The method according to claim 1,
Wherein the NCS notifies the UMS of the allocation result of the first VLAN ID and the allocation result of the second VLAN ID, respectively. The method according to claim 1,
Wherein a packet tagged with the first VLAN ID and the second VLAN ID conforms to a Q-in-Q format defined in the IEEE 802.1ad standard. The method according to claim 1,
Wherein the third network device is a network device that terminates the L2 network. The method of claim 2,
Wherein the authentication request for the terminal includes an identifier of the user. The method according to claim 1,
Wherein the result of the authentication request includes information for specifying a service to be provided to the user, and the NCS determines a service function path (SFP) for providing the service. The terminal authentication method on the L2 network. The method of claim 9,
Wherein the SFP includes information on at least one service function (SF) for providing the service. A method of operating an SFC controller for controlling a service function chain (SFC) for terminals authenticated on an L2 network,
The SFC controller informs the SFC classifier of the information about the first VLAN ID and the second VLAN ID and the service function path (SFP) allocated to the terminal for L2 network authentication for the terminal Transmitting a mapping table containing the mapping table; And
Wherein the SFC controller sends at least one service function forwarder (SFF) on the service function path forwarding (SFP) information including information on at least one service function (SF) on the SFP forwarding < / RTI > table,
The mapping table refers to the SFC classifier that has received the tag with the first VLAN ID and the second VLAN ID and transmits the received packet to the SFF on the SFP, SFF to forward the received packet to the at least one SF on the SFP. The method of claim 11,
Wherein the packet tagged with the first VLAN ID and the second VLAN ID conforms to a Q-in-Q format defined in the IEEE 802.1ad standard. The method of claim 11,
The authentication on the L2 network for the terminal,
A network control server (NCS) identifying a first network device to which the terminal is connected and a second network device connected to the first network device based on the location information of the terminal;
Assigning the first VLAN ID to the first network device and the second VLAN ID to the second network device;
(UMS) informing a user of the terminal of information specifying a port of the first network device to which the terminal should connect;
From a third network device that receives a packet tagged with the first VLAN ID and the second VLAN ID in a packet received from the terminal through a designated port of the first network device, Receiving an authentication request including a VLAN ID and the second VLAN ID, identifying the user by a combination of the first VLAN ID and the second VLAN ID; And
Wherein the NCS transmits an authentication request for the terminal to the UMS, and the UMS performs authentication for the terminal. 14. The method of claim 13,
Wherein the location information of the user terminal is included in the information on the user provided by the UMS and the information on the user further includes an identifier of the user. How the controller works. 14. The method of claim 13,
Wherein the NCS identifies the first network device and the second network device based on network topology information managed by the NCS. 14. The method of claim 13,
Wherein the first VLAN ID is a unique identifier in the first network device and is assigned to a specific port of the first network device and the second VLAN ID is a unique identifier in the second network device, And the second network device is directly connected to the port of the second network device. 14. The method of claim 13,
Wherein the third network device is a network device that terminates the L2 network. 14. The method of claim 13,
Wherein the SFP is configured to provide the service based on information for specifying a service to be provided to the user included in the result of the authentication request. A method of operating an SFC classifier for controlling a service function chain (SFC) for a terminal authenticated on an L2 network,
The SFC classifier performs a mapping including information on a first VLAN ID, a second VLAN ID, and information on a service function path (SFP) allocated to the terminal for L2 network authentication for the terminal Receiving a table from an SFC controller; And
The SFC classifier receives a packet in which the first VLAN ID and the second VLAN ID are tagged, and transmits the received packet to a service function forwarder (SFF) on the SFP by referring to the mapping table The method comprising the steps of: The method of claim 19,
Wherein a packet tagged with the first VLAN ID and the second VLAN ID conforms to a Q-in-Q format defined in the IEEE 802.1ad standard. The method of claim 19,
The authentication on the L2 network for the terminal,
A network control server (NCS) identifying a first network device to which the terminal is connected and a second network device connected to the first network device based on the location information of the terminal;
Assigning the first VLAN ID to the first network device and the second VLAN ID to the second network device;
(UMS) informing a user of the terminal of information specifying a port of the first network device to which the terminal should connect;
From a third network device that receives a packet tagged with the first VLAN ID and the second VLAN ID in a packet received from the terminal through a designated port of the first network device, Receiving an authentication request including a VLAN ID and the second VLAN ID, identifying the user by a combination of the first VLAN ID and the second VLAN ID; And
Wherein the NCS transmits an authentication request for the terminal to the UMS, and the UMS performs AAA authentication for the terminal. 23. The method of claim 21,
Wherein the location information of the user terminal is included in the information on the user provided by the UMS and the information on the user further includes an identifier of the user. How the classifier works. 23. The method of claim 21,
Wherein the NCS identifies the first network device and the second network device based on network topology information managed by the NCS. 23. The method of claim 21,
Wherein the first VLAN ID is a unique identifier in the first network device and is assigned to a specific port of the first network device and the second VLAN ID is a unique identifier in the second network device, Wherein the second network device is assigned to a port of the second network device that is directly connected to the second network device. 23. The method of claim 21,
Wherein the third network device is a network device that terminates the L2 network. 23. The method of claim 21,
Wherein the SFP is configured to provide the service based on information for specifying a service to be provided to the user including a result of the authentication request.

Images