US20150124595A1 - Communication system, access control apparatus, switch, network control method, and program - Google Patents


Info

Publication number: US20150124595A1
Authority: US (United States)
Prior art keywords: control information, packets, control apparatus, forwarding node, forwarding
Legal status: Abandoned
Application number: US14/397,524
Other languages: English (en)
Inventors: Masaya Yamagata, Yoichiro Morita, Takayuki Sasaki, Masayuki Nakae, Kentaro Sonoda, Yoichi Hatano, Hideyuki Shimonishi
Current Assignee: NEC Corp
Original Assignee: NEC Corp
Events: application filed by NEC Corp; assigned to NEC Corporation (assignors: Hatano, Yoichi; Morita, Yoichiro; Nakae, Masayuki; Sasaki, Takayuki; Shimonishi, Hideyuki; Sonoda, Kentaro; Yamagata, Masaya); publication of US20150124595A1; legal status: Abandoned

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service
    • H04W: Wireless communication networks
    • H04W 24/00: Supervisory, monitoring or testing arrangements
    • H04W 24/02: Arrangements for optimising operational condition
    • H04W 40/00: Communication routing or communication path finding
    • H04W 40/02: Communication route or path selection, e.g. power-based or shortest path routing
    • H04W 40/12: Communication route or path selection based on transmission quality or channel quality
    • H04W 72/00: Local resource management
    • H04W 72/02: Selection of wireless resources by user or terminal
    • H04W 72/04: Wireless resource allocation
    • H04W 72/0486
    • H04W 72/50: Allocation or scheduling criteria for wireless resources
    • H04W 72/52: Allocation or scheduling criteria for wireless resources based on load

Definitions

  • The present invention relates to a communication system, an access control apparatus, a switch, a network control method, and a program.
  • A communication system including a controller that controls switches in a centralized manner; an access control apparatus; a switch; a network control method; and a program.
  • OpenFlow adopts a centralized-control-type network architecture in which a control apparatus called an OpenFlow controller controls the behavior of switches called OpenFlow switches. More specifically, the OpenFlow controller can perform fine-grained path control by setting flow entries that define matching conditions specifying ingress ports and headers in layers 2 to 4 and that define processing contents in the OpenFlow switches.
  • NMS: network management system
  • Patent Literature 1 discloses a management method used for a network managed in a centralized manner by a network manager.
  • Paragraphs 0031 to 0032 in Patent Literature 1 describe that switches in the network operate in the same way as the above OpenFlow switches.
  • The end of paragraph 0031 describes that a packet matching multiple flow header entries is assigned to the highest-priority flow entry. Namely, the end of paragraph 0031 describes that a rule such as longest match can be used.
  • The control apparatus may not be able to provide the intended performance.
  • TLS/SSL: Transport Layer Security/Secure Sockets Layer
  • The above tendency becomes more significant, which could result in packet delay, for example.
  • An object of the present invention is to provide a communication system, an access control apparatus, a forwarding node, a network control method, and a program capable of suppressing an increase in the load on a control apparatus and a switch and allowing the control apparatus and the switch to provide the intended performance even if a large amount of packet communication or fine-grained access control is performed.
  • A communication system comprising: a control apparatus setting control information in a forwarding node(s); a forwarding node(s) forwarding packets by using first control information set by the control apparatus and second control information for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node(s); and an access control apparatus comprising a determination unit determining whether to generate control information for the packets forwarded from the predetermined port of the forwarding node(s) and requesting the control apparatus to generate control information.
  • An access control apparatus arranged in a communication system comprising: a control apparatus setting control information in a forwarding node(s); and a forwarding node(s) forwarding packets by using first control information set by the control apparatus and second control information for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node(s); the access control apparatus comprising a determination unit determining whether to generate control information for the packets forwarded from the predetermined port of the forwarding node(s) and requesting the control apparatus to generate control information.
  • A forwarding node connected to a control apparatus setting control information in the forwarding node, wherein first control information set by the control apparatus and second control information are set, the second control information being for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node; and wherein the forwarding node forwards, when receiving packets that match a matching condition(s) in the second control information, the packets after adding a predetermined header to each of the packets.
  • A network control method comprising: determining whether to generate control information for packets forwarded in accordance with second control information from a forwarding node(s) that forwards packets by using first control information set by a control apparatus and the second control information for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node(s); and requesting the control apparatus to generate control information based on a result of the determination.
  • This method is associated with a certain machine, namely, with a computer that receives packets from the forwarding node(s) and determines whether to generate control information.
  • A program causing a computer, which is arranged in a communication system comprising a control apparatus setting control information in a forwarding node(s) and a forwarding node(s) forwarding packets by using first control information set by the control apparatus and second control information for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node(s), to perform processing for: determining whether to generate control information for the packets forwarded from the predetermined port of the forwarding node(s); and requesting the control apparatus to generate control information based on a result of the determination.
  • This program can be recorded in a computer-readable (non-transient) storage medium.
  • The present invention can be embodied as a computer program product.
  • FIG. 1 illustrates a configuration according to an exemplary embodiment of the present disclosure.
  • FIG. 2 illustrates a configuration of a communication system according to a first exemplary embodiment of the present disclosure.
  • FIG. 3 illustrates a configuration of a switch according to the first exemplary embodiment of the present disclosure.
  • FIG. 4 illustrates a flow entry (second control information) set in the switch according to the first exemplary embodiment of the present disclosure.
  • FIG. 5 illustrates access policies stored in a controller according to the first exemplary embodiment of the present disclosure.
  • FIG. 6 is a sequence diagram illustrating an operation according to the first exemplary embodiment of the present disclosure.
  • FIG. 7 illustrates a flow entry set in the switch according to the first exemplary embodiment of the present disclosure in step S08 in FIG. 6.
  • FIG. 8 is a diagram in which packet forwarding paths are added to FIG. 2.
  • FIG. 9 illustrates a configuration of a communication system according to a second exemplary embodiment of the present disclosure.
  • FIG. 10 illustrates flow entries (second control information) set in a switch according to the second exemplary embodiment of the present disclosure.
  • FIG. 11 illustrates a configuration of a communication system according to a third exemplary embodiment of the present disclosure.
  • FIG. 12 illustrates a configuration of a switch according to the third exemplary embodiment of the present disclosure.
  • FIG. 13 illustrates a configuration of a communication system according to a fourth exemplary embodiment of the present disclosure.
  • An exemplary embodiment of the present disclosure can be realized by a configuration that includes a control apparatus 30 setting control information in a forwarding node(s) 10, one or a plurality of forwarding nodes 10 forwarding packets by using control information set by the control apparatus 30, and an access control apparatus 20.
  • The control apparatus 30 sets first control information for forwarding packets between predetermined external nodes (for example, between a client and a server in FIG. 1) and second control information for forwarding packets that do not match a matching condition(s) in the first control information from a predetermined port in the forwarding node(s) 10.
  • The forwarding node(s) 10 forwards received packets by using the first and second control information.
  • The access control apparatus 20 includes a determination unit 22 that determines whether to generate control information for packets received from the predetermined port of the forwarding node(s) 10 (packets forwarded in accordance with the second control information). If necessary, the determination unit 22 requests the control apparatus to generate control information. Packets for which a control information generation request is not transmitted are dropped by the determination unit 22.
  • The packets are forwarded to the access control apparatus 20 (see the thick arrow in FIG. 1).
  • The determination unit 22 of the access control apparatus 20 drops packets for which a control information generation request is not transmitted.
  • The control apparatus 30 generates only the control information needed and sets the generated control information in the forwarding node(s) 10.
  • FIG. 2 illustrates a configuration of a communication system according to the first exemplary embodiment of the present disclosure.
  • The communication system includes a plurality of switches 11 arranged in a network, a controller 60 controlling these switches 11, and clients 41 and 42 and a server 50 connected to the network in which the switches 11 are arranged.
  • The switches 11 process packets in accordance with flow entries set by the controller 60.
  • FIG. 3 illustrates a configuration of one of the switches according to the first exemplary embodiment of the present disclosure.
  • Each of the switches 11 according to the present exemplary embodiment includes a control message processing unit 111, a packet processing unit 112, and a flow table 113.
  • Ports P1 to Px in FIG. 3 are connected to other switches and the server 50.
  • A port PP is connected to a control target packet extraction unit 61 of the controller 60.
  • The flow table 113 stores flow entries set by the controller 60.
  • Matching conditions (Match Fields) that are matched against received packets are associated with a processing content (Instructions).
  • When receiving a packet, the packet processing unit 112 searches the flow table 113 for a flow entry having a matching condition(s) that matches the received packet. If, as a result of the search, the packet processing unit 112 finds such a flow entry, it performs the processing content (Instructions) set in that flow entry.
  • The control message processing unit 111 exchanges control messages with the controller 60.
  • The control message processing unit 111 performs addition, modification, and deletion of flow entries in the flow table 113 in accordance with control messages from the controller 60.
  • FIG. 4 illustrates a flow entry (second control information) set by default in a switch 11.
  • In FIG. 4, ANY is a wildcard, Src IP is the source IP address, Dst IP is the destination IP address, and TCP/UDP stands for Transmission Control Protocol/User Datagram Protocol.
  • A processing content (Instructions) for forwarding packets to the control target packet extraction unit 61 of the controller 60 is set.
  • A statistical information (Counters) field is included in the flow entry in FIG. 4 so that statistical information can be recorded per flow entry.
  • The statistical information can be provided to the controller 60 via the control message processing unit 111.
  • The statistical information can be used for determining abnormal traffic.
  • The flow entry illustrated in FIG. 4 may be preset in the switch 11 or may be set by the controller 60 when the switch 11 is connected to the network.
  • An OpenFlow switch in Non-Patent Literatures 1 and 2 can be used.
  • The above packet processing unit 112 and the flow table can have a hardware configuration by using an ASIC (Application Specific Integrated Circuit) so that flow entry search and various processing can be performed at high speed.
  • The clients 41 and 42 communicate with the server 50.
  • Other communication devices may additionally be included.
  • Devices used as the clients 41 and 42 may include functions equivalent to those of the above switches 11. In such cases, when packets are output from applications in these devices, the equivalent functions are allowed to operate to process the packets in the same way as the switches 11.
  • The controller 60 includes the control target packet extraction unit 61, a determination unit 62, a flow entry generation unit 63, and a switch control unit 64.
  • The control target packet extraction unit 61 operates in the same way as the promiscuous mode of a network card and receives all packets forwarded from the switches 11 on the basis of the default flow entry (second control information) described above.
  • The control target packet extraction unit 61 refers to header information of the received packets, extracts control target packets, and outputs the extracted control target packets to the determination unit 62.
  • Selection criteria for control target packets are defined on the basis of the assumed traffic contents and the capabilities of the controller 60. For example, only packets whose VLAN ID value is within a predetermined range may be forwarded to the determination unit 62. Alternatively, all packets may be forwarded to the determination unit 62 except those having a feature(s) that may cause abnormal traffic or unauthorized access.
  • The determination unit 62 determines whether to generate a flow entry for a packet forwarded from the control target packet extraction unit 61. If the determination unit 62 determines that a flow entry needs to be generated, it transmits the received packet or information extracted from the received packet to the flow entry generation unit 63 and requests the flow entry generation unit 63 to generate a flow entry. In contrast, if the determination unit 62 determines that a flow entry does not need to be generated, it drops the received packet.
  • FIG. 5 illustrates access policies to which the determination unit 62 refers to determine whether to generate a flow entry.
  • Since the access authority is “allow” for packets whose source IP address is 192.168.100.1 and whose destination IP address is 192.168.0.1, the determination unit 62 determines that a flow entry needs to be generated for these packets. In contrast, since the access authority is “deny” for packets whose source IP address is 192.168.100.2 and whose destination IP address is 192.168.0.1, the determination unit 62 determines that a flow entry does not need to be generated for these packets. In the example in FIG. 5, only the IP addresses are used for the determination. However, header information or protocol information in layer 2 or 4, for example, may also be used for the determination.
  • When receiving a flow entry generation request from the determination unit 62, the flow entry generation unit 63 refers to the network topology formed by the switches 11, calculates a path for forwarding the received packet from its source address to its destination address, and generates flow entries that cause the relevant switches 11 to forward the received packet on the calculated path. For example, when receiving a flow entry generation request for a packet from the client 42 in FIG. 1 addressed to the server 50, the flow entry generation unit 63 generates flow entries that cause the relevant switches 11 to forward the packet addressed to the server 50 from the client 42 to the next hop on the forwarding path.
  • The switch control unit 64 sets the flow entries generated by the flow entry generation unit 63 in the respective switches 11.
  • The switch control unit 64 may be configured to store a flow entry database or the like that manages the flow entries set in each of the switches 11 and to determine whether to set flow entries generated by the flow entry generation unit 63 in the respective switches 11.
  • The above controller 60 can be realized by adding functions equivalent to those of the control target packet extraction unit 61 and the determination unit 62 to the OpenFlow controller in Non-Patent Literatures 1 and 2.
  • Each unit (processing means) in the access control apparatus, the controller, and the switches illustrated in FIGS. 1 to 3 can be realized by a computer program that causes a computer mounted in these components to use the hardware of the computer and to perform each of the above processes.
  • FIG. 6 is a sequence diagram illustrating an operation according to the first exemplary embodiment of the present disclosure.
  • The client 42 transmits packets to the server 50.
  • The client 42 transmits a packet addressed to the server 50 (step S01).
  • A switch 11 refers to its own flow table 113 and processes the packet in accordance with a flow entry that matches the received packet (step S02).
  • The flow entry (second control information) illustrated in FIG. 4 matches the received packet.
  • The switch 11 forwards the packet to the control target packet extraction unit 61 of the controller 60 in accordance with the content of the flow entry (second control information).
  • The control target packet extraction unit 61 of the controller 60 determines whether the packet is a control target packet (step S03).
  • The following description assumes that the control target packet extraction unit 61 determines that the packet addressed to the server 50 from the client 42 is a control target packet.
  • The packet addressed to the server 50 from the client 42 is transmitted to the determination unit 62 (Yes in step S03). If the control target packet extraction unit 61 determines in step S03 that the packet is not a control target packet (No in step S03), the control target packet extraction unit 61 drops this packet (step S04).
  • The determination unit 62 of the controller 60 determines whether to generate a flow entry (step S05).
  • The following description assumes that the determination unit 62 determines, in accordance with the access policies in FIG. 5, that a flow entry needs to be generated for the packet addressed to the server 50 from the client 42.
  • The determination unit 62 of the controller 60 requests the flow entry generation unit 63 to generate a flow entry (Yes in step S05). If the determination unit 62 determines in step S05 that a flow entry does not need to be generated (No in step S05), the determination unit 62 drops this packet (step S06).
  • The flow entry generation unit 63 of the controller 60 calculates a forwarding path for the packet, generates a flow entry to be set in each of the switches on the forwarding path, including the switch 11, and transmits the flow entries to the switch control unit 64 (step S07).
  • The switch control unit 64 of the controller 60 sets the generated flow entries in the respective switches on the forwarding path (step S08).
  • The switch control unit 64 instructs the switch 11 to transmit the received packet to the next hop or to search the flow table again. In this way, the packet received in step S01 is forwarded to the next hop.
  • FIG. 7 illustrates a flow entry (first control information) set in the above step S08.
  • The switch 11 searches the flow table 113 sequentially from the top entry. If the switch 11 finds a flow entry having a matching condition(s) that matches a received packet, the switch 11 selects that flow entry.
  • A flow entry in a higher position has a higher priority.
  • Alternatively, a priority information field may be set in each flow entry. In this way, the priorities of the flow entries having a matching condition(s) that matches a received packet are compared with each other, and the flow entry having the highest priority is selected.
  • When the client 42 transmits subsequent packets to the switch 11 (step S11), the switch 11 forwards these packets in accordance with the flow entry set in step S08 (first control information).
  • The subsequent forwarding operation is performed at high speed without requiring the access control apparatus 20 or the controller 60.
  • A flow entry for allowing communication of reply packets from the server 50 to the client 42 is set in accordance with a procedure similar to the above procedure.
  • The switch 11 forwards the packet to the access control apparatus 20 as in the above flow.
  • The access control apparatus 20 causes the control target packet extraction unit 61 or the determination unit 62 to drop the packet (namely, the control target packet extraction unit 61 determines that the packet is not a control target packet, or the determination unit 62 determines that a flow entry does not need to be generated).
  • FIG. 8 illustrates the packet forwarding paths realized by the above flow entry setting procedure. Packets between the client 42 and the server 50 are forwarded on the path indicated by the thick arrow in FIG. 8 in accordance with the flow entry (first control information; the flow entry for packet forwarding from the server 50 to the client 42 is omitted) illustrated in FIG. 7. In contrast, packets from the client 41 are forwarded to the control target packet extraction unit 61 or the determination unit 62, as indicated by the thin arrow in FIG. 8, and are dropped in accordance with the flow entry (second control information) illustrated in FIG. 4 and in the lower section of FIG. 7.
  • The controller 60 includes the control target packet extraction unit 61 and the determination unit 62.
  • The control target packet extraction unit 61 and the determination unit 62 may be arranged in a different information processing apparatus (an access control apparatus), which is arranged separately from the controller (the control apparatus). In this way, load balancing can be achieved by increasing the number of information processing apparatuses (access control apparatuses).
  • A second exemplary embodiment will be described.
  • FIG. 9 illustrates a configuration of a communication system according to the second exemplary embodiment of the present disclosure.
  • The second exemplary embodiment differs from the exemplary embodiments illustrated in FIGS. 1 and 2 in that a plurality of access control apparatuses 20A to 20C are arranged, each of which includes the control target packet extraction unit 61 and the determination unit 62 and receives packets from the switches 11. Since the operation of each of the access control apparatuses 20A to 20C is the same as that of the control target packet extraction unit 61 and the determination unit 62 of the controller 60 in the first exemplary embodiment, description thereof will be omitted.
  • FIG. 10 illustrates flow entries (second control information) set in a switch 11 according to the present exemplary embodiment. These flow entries differ from the flow entry (second control information) illustrated in FIG. 4 in that a plurality of flow entries (second control information) are set for switching, in accordance with a feature(s) of a received packet, the access control apparatus to which the packet is transmitted.
  • The packets are forwarded to the access control apparatus 20A.
  • Packets transmitted from other clients (packets that do not match any first control information) match a flow entry (second control information) that instructs packet forwarding to an access control apparatus.
  • The packets are forwarded to the access control apparatus 20B.
  • The load required for processing the large number of packets forwarded from the switches 11 can be distributed to and shared by the plurality of access control apparatuses 20A to 20C.
  • Each switch 11 is connected to each of the access control apparatuses 20A to 20C by a single link.
  • Each switch 11 and the access control apparatuses 20A to 20C can also be connected by ring aggregation integrating a plurality of links.
  • High-performance access control apparatuses connected by ring aggregation may be configured to process flows that are predicted to require large amounts of packet processing.
  • Switches 11 and an access control apparatus are connected to each other via another network. Even in this configuration, packets (packets that do not match any first control information) can be forwarded to the access control apparatus.
  • FIG. 11 illustrates a configuration of a communication system according to the third exemplary embodiment of the present disclosure.
  • switches 11 A and an access control apparatus 20 D are arranged away from each other, for example, a mechanism for forwarding packets (packets that do no match any first control information) addressed to the server 50 to the access control apparatus is needed.
  • a modification has been made to each of the switches.
  • FIG. 12 illustrates a configuration of a switch 11 A according to the third exemplary embodiment of the present disclosure.
  • Each switch 11 A differs from each switch 11 according to the first exemplary embodiment illustrated in FIG. 3 in that the switch 11 A includes a header addition processing unit 114 for adding an additional header to each packet that is transmitted to the access control apparatus 20 D.
  • the header addition processing unit 114 adds a header including a data path ID (DPID; an identifier of the switch 11 A) and information about an address of the access control apparatus 20 D to each packet forwarded from the packet processing unit 112 and outputs the packet to the port PP.
  • DPID data path ID
  • the header addition processing unit 114 adds a header including a data path ID (DPID; an identifier of the switch 11 A) and information about an address of the access control apparatus 20 D to each packet forwarded from the packet processing unit 112 and outputs the packet to the port PP.
  • packet packets that do no match first control information
  • the access control apparatus 20 D can identify the switch that has transmitted the packets (packets that do no match first control information).
  • control target packet extraction unit is included in the access control apparatus 20 or the controller.
  • a control target packet extraction unit may be configured by a forwarding node (a second forwarding node) 12 such as an OpenFlow switch in Non-Patent Literatures 1 and 2 (a fourth exemplary embodiment).
  • a control apparatus or a controller sets control information (a flow entry) for extracting the control target packets in the forwarding node (the second forwarding node) so that the forwarding node (the second forwarding node) 12 can serve as the control target packet extraction unit.
  • each switch may use a single channel to transmit packets (packets that do not match any first control information) and control messages between the switch and the controller.
  • a secure channel arranged between an OpenFlow switch and the OpenFlow controller in Non-Patent Literatures 1 and 2 may also be used.
  • the determination unit 62 determines whether to generate a flow entry in accordance with an access policy.
  • a packet analysis function may be added to the determination unit 62 .
  • the packet analysis function analyzes packets forwarded from the control target packet extraction unit 61 . If the number of forwarded packets having the same source IP address reaches a predetermined threshold (N) or more in a predetermined period, the determination unit 62 determines that these packets are unauthorized packets transmitted by a DDoS attack (Distributed Denial of Service attack).
  • the determination unit 62 transmits the received packet or information extracted from the received packet to the flow entry generation unit 63 and requests the flow entry generation unit 63 to generate a flow entry for dropping the packets having the same source IP address. In this way, the number of packets to be forwarded to the control target packet extraction unit 61 can be reduced.
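The two mechanisms described above (the switch prepending a DPID header so the access control apparatus can tell which switch forwarded a packet, and the determination unit counting packets per source IP against a threshold N within a period and requesting a drop flow entry) are modelled together in the following example. This is an added illustration, not code from the patent or from NEC; the 12-byte header layout, the IPv4-only parsing, the threshold and period values, and all traffic are constructed assumptions.

```python
import socket
import struct
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed wire format for the switch -> access control apparatus channel
# (the patent does not fix one): 64-bit DPID, then the 4-byte IPv4 address
# of the access control apparatus, then the original packet.
HDR_FMT = "!Q4s"
HDR_LEN = struct.calcsize(HDR_FMT)  # 12 bytes


def add_header(dpid: int, aca_ip: str, packet: bytes) -> bytes:
    """Switch side: prepend the DPID/address header before sending to port PP."""
    return struct.pack(HDR_FMT, dpid, socket.inet_aton(aca_ip)) + packet


def strip_header(frame: bytes):
    """Access control apparatus side: recover DPID, apparatus address and payload."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame shorter than the added header")
    dpid, aca_raw = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    return dpid, socket.inet_ntoa(aca_raw), frame[HDR_LEN:]


def src_ip_of(packet: bytes) -> str:
    """Minimal IPv4 parse: source address sits at bytes 12..16 of the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return socket.inet_ntoa(packet[12:16])


def drop_flow_entry(dpid: int, src_ip: str) -> dict:
    """Flow entry requested from the control apparatus: an empty action list
    means drop in OpenFlow. Scoped to the DPID that forwarded the packets."""
    return {"dpid": dpid,
            "match": {"eth_type": 0x0800, "ipv4_src": src_ip},
            "actions": []}


@dataclass
class FloodDetector:
    """Determination unit with the packet analysis function: count packets per
    source IP in a sliding window of `period` seconds; at `threshold` (N) or
    more, emit a drop entry once for that source."""
    threshold: int
    period: float
    seen: dict = field(default_factory=lambda: defaultdict(deque))
    flagged: set = field(default_factory=set)

    def observe(self, dpid: int, src_ip: str, now: float):
        window = self.seen[src_ip]
        window.append(now)
        while window and now - window[0] > self.period:
            window.popleft()
        if len(window) >= self.threshold and src_ip not in self.flagged:
            self.flagged.add(src_ip)
            return drop_flow_entry(dpid, src_ip)
        return None


def make_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed 20-byte IPv4 header (UDP protocol number, no checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, 17, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload


def simulate() -> list:
    """Constructed traffic: 50 packets from one host via switch DPID 1 inside
    half a second, and 3 packets from another host via DPID 2."""
    det = FloodDetector(threshold=10, period=1.0)
    aca_ip = "192.0.2.10"
    generated, t = [], 0.0
    stream = [(1, "10.0.0.7")] * 50 + [(2, "10.0.0.8")] * 3
    for dpid, src in stream:
        frame = add_header(dpid, aca_ip, make_ipv4(src, "10.0.0.1"))
        seen_dpid, _, pkt = strip_header(frame)
        entry = det.observe(seen_dpid, src_ip_of(pkt), t)
        if entry:
            generated.append(entry)
        t += 0.01
    return generated


if __name__ == "__main__":
    for e in simulate():
        print(e)
```

Once the drop entry is installed on the switch identified by the DPID, the flooding source's packets no longer reach the control target packet extraction unit, which is the load reduction the passage describes; the `flagged` set only prevents duplicate requests while that entry is being set up.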
  • the access control apparatus further comprises a control target packet extraction unit extracting control target packets that are transmitted to the determination unit from the packets forwarded from the predetermined port of the forwarding node(s).
  • the forwarding node(s) further comprises a header addition processing unit adding a header for forwarding to the access control apparatus to each of the packets to be forwarded from the predetermined port.
  • the communication system comprising: a plurality of access control apparatuses each of which corresponds to the access control apparatus; wherein a plurality of items of control information for sorting packets into the plurality of access control apparatuses are set as the second control information.
  • the determination unit determines whether to generate control information on the basis of a predetermined access policy.
  • the determination unit requests the control apparatus to generate control information for causing the forwarding node(s) to drop the packets having the feature(s).
  • control target packet extraction unit is configured by a second forwarding node controlled by the control apparatus.
  • Constituent elements or steps of the access control apparatus, forwarding node, network control method and the computer program can be similarly extended to modes 2 to 7, as in the communication system according to mode 1.
  • Patent Literature and Non-Patent Literatures are incorporated herein by reference thereto. Modifications and adjustments of the exemplary embodiments and examples are possible within the scope of the overall disclosure (including the claims) of the present invention and based on the basic technical concept of the present invention. Various combinations and selections of various disclosed elements (including the elements in each of the claims, exemplary embodiments or examples, drawings, etc.) are possible within the scope of the claims of the present invention. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure including the claims and the technical concept.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2012-104664 2012-05-01
JP2012104664 2012-05-01
PCT/JP2013/062462 WO2013164988A1 (ja) 2012-05-01 2013-04-26 Communication system, access control apparatus, switch, network control method, and program

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/062462 A-371-Of-International WO2013164988A1 (ja) 2012-05-01 2013-04-26 Communication system, access control apparatus, switch, network control method, and program

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/131,464 Continuation US10244537B2 (en) 2012-05-01 2016-04-18 Communication system, access control apparatus, switch, network control method, and program

Publications (1)

Publication Number Publication Date
US20150124595A1 true US20150124595A1 (en) 2015-05-07

Family

ID=49514387

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/397,524 Abandoned US20150124595A1 (en) 2012-05-01 2013-04-26 Communication system, access control apparatus, switch, network control method, and program
US15/131,464 Active US10244537B2 (en) 2012-05-01 2016-04-18 Communication system, access control apparatus, switch, network control method, and program

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/131,464 Active US10244537B2 (en) 2012-05-01 2016-04-18 Communication system, access control apparatus, switch, network control method, and program

Country Status (4)

Country Link
US (2) US20150124595A1 (zh)
JP (1) JP6248929B2 (zh)
CN (1) CN104272676A (zh)
WO (1) WO2013164988A1 (zh)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667853B (zh) 2013-11-22 2021-06-01 华为技术有限公司 Malicious attack detection method and device
JP6364255B2 (ja) * 2014-06-17 2018-07-25 株式会社エヌ・ティ・ティ・データ Communication control device, attack defense system, attack defense method, and program
JP6435695B2 (ja) * 2014-08-04 2018-12-12 富士通株式会社 Controller and attacker detection method thereof
CN105306390B (zh) * 2015-09-30 2019-10-25 上海斐讯数据通信技术有限公司 Data packet forwarding control method and system
JP6993580B2 (ja) * 2018-08-03 2022-01-13 日本電信電話株式会社 Control system and control method
JP2020072427A (ja) * 2018-11-01 2020-05-07 日本電気株式会社 Control device, control method, system, and program for preventing the spread of a threat infection in a network

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007104160A (ja) * 2005-10-03 2007-04-19 Sony Corp Communication system, communication device and method, and program
US20080189769A1 (en) * 2007-02-01 2008-08-07 Martin Casado Secure network switching infrastructure
EP2193630B1 (en) 2007-09-26 2015-08-26 Nicira, Inc. Network operating system for managing and securing networks
AU2008343847B2 (en) * 2008-01-02 2015-01-22 Nestec S.A. Edible compositions
JP5648639B2 (ja) 2009-09-10 2015-01-07 日本電気株式会社 Relay control device, relay control system, relay control method, and relay control program
EP3720062A1 (en) 2009-10-07 2020-10-07 NEC Corporation Information system, control server, virtual network management method, and program
WO2011081104A1 (ja) * 2010-01-04 2011-07-07 日本電気株式会社 Communication system, authentication device, control server, communication method, and program
US8893300B2 (en) * 2010-09-20 2014-11-18 Georgia Tech Research Corporation Security systems and methods to reduce data leaks in enterprise networks
JP5557066B2 (ja) 2010-10-15 2014-07-23 日本電気株式会社 Switch system and centralized monitoring management method
KR101634745B1 (ko) * 2011-12-30 2016-06-30 삼성전자 주식회사 Electronic device, user input device capable of controlling the same, and control method thereof

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150181499A1 (en) * 2013-12-20 2015-06-25 Ricoh Company, Ltd. Communication apparatus, communication method, and communication system
US9661550B2 (en) * 2013-12-20 2017-05-23 Ricoh Company, Ltd. Communication apparatus, communication method, and communication system
US20170034005A1 (en) * 2014-04-16 2017-02-02 Huawei Technologies Co., Ltd. Flow Entry Management Method and Device
US10693731B2 (en) * 2014-04-16 2020-06-23 Huawei Technologies Co., Ltd. Flow entry management method and device
US20160294871A1 (en) * 2015-03-31 2016-10-06 Arbor Networks, Inc. System and method for mitigating against denial of service attacks
US20160294874A1 (en) * 2015-04-06 2016-10-06 Nicira, Inc. Distributed network security system
US9930010B2 (en) * 2015-04-06 2018-03-27 Nicira, Inc. Security agent for distributed network security system
US10142287B2 (en) 2015-04-06 2018-11-27 Nicira, Inc. Distributed network security controller cluster for performing security operations
US11570147B2 (en) 2015-04-06 2023-01-31 Nicira, Inc. Security cluster for performing security check
US20180167325A1 (en) * 2015-08-10 2018-06-14 Huawei Technologies Co., Ltd. Flow table processing method and apparatus
US10728154B2 (en) * 2015-08-10 2020-07-28 Huawei Technologies Co., Ltd. Flow table processing method and apparatus
US11102226B2 (en) * 2017-05-26 2021-08-24 Shenyang Institute Of Automation, Chinese Academy Of Sciences Dynamic security method and system based on multi-fusion linkage response

Also Published As

Publication number Publication date
WO2013164988A1 (ja) 2013-11-07
JPWO2013164988A1 (ja) 2015-12-24
US10244537B2 (en) 2019-03-26
JP6248929B2 (ja) 2017-12-20
CN104272676A (zh) 2015-01-07
US20160234848A1 (en) 2016-08-11

Similar Documents

Publication Publication Date Title
US10244537B2 (en) Communication system, access control apparatus, switch, network control method, and program
US9276852B2 (en) Communication system, forwarding node, received packet process method, and program
US9419910B2 (en) Communication system, control apparatus, and communication method
US9363182B2 (en) Communication system, control device, policy management device, communication method, and program
US20150372916A1 (en) Routing via multiple paths with efficient traffic distribution
EP2947826A1 (en) Control apparatus, communication apparatus, communication system, switch control method and program
US20160380899A1 (en) Method and apparatus for dynamic traffic control in sdn environment
EP2830265A1 (en) Control device, communication device, communication system, communication method, and program
JP2014516215A (ja) Communication system, control device, processing rule setting method, and program
EP2698953A1 (en) Network, data transfer node, communication method, and program
US9461831B2 (en) Packet forwarding system, control apparatus, packet forwarding method, and program
US20150229574A1 (en) Communication system, communication method, information processing apparatus, communication control method, and program
EP2922250B1 (en) Control apparatus, communication system, control information creating method and program
KR101500251B1 (ko) Communication system, node, packet transfer method, and computer-readable recording medium recording a program
EP2830267A1 (en) Control apparatus, communication system, node control method and program
US20160112248A1 (en) Communication node, communication system, packet processing method, and program
US20150381775A1 (en) Communication system, communication method, control apparatus, control apparatus control method, and program
US20150085666A1 (en) Communication Apparatus, Control Apparatus, Communication System, Communication Method, Method for Controlling Communication Apparatus, and Program
US8948171B1 (en) System and method for IP multicast
US20150236953A1 (en) Control device, communication system, communication method and storage medium
US20150172176A1 (en) Control device, communication system, communication method and program
US10686712B2 (en) Communication apparatus, control apparatus, communication system, received packet processing method, communication apparatus control method, and program
JP6802763B2 (ja) Relay device and bandwidth control method
WO2014020902A1 (en) Communication system, control apparatus, communication method, and program

Legal Events

Date Code Title Description
AS Assignment

Owner name: NEC CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YAMAGATA, MASAYA;MORITA, YOICHIRO;SASAKI, TAKAYUKI;AND OTHERS;REEL/FRAME:034048/0765

Effective date: 20141007

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION