WO2011157704A2 - System and method for managing secure flows between several remote sites - Google Patents
- Publication number: WO2011157704A2 (PCT application PCT/EP2011/059834)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- function
- wan
- flows
- module
- network
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present invention relates to a system and method for managing secure flows between several remote sites, i.e. local or metropolitan networks.
- the invention relates to the field of telecommunication architectures of networks and in particular networks with strong constraints in terms of security.
- Such architectures may include both private sensitive networks interconnected with non-sensitive public networks.
- Sensitive networks have strong resilience capabilities for the delivery of sensitive flows for the benefit of users.
- Non-sensitive public networks ensure the flow of non-sensitive flows to other users.
- Sensitive flows are understood to mean flows with confidentiality requirements as well as routing or operational constraints. The confidentiality protection of the flows is ensured by the applications or by other means implemented in the service networks (campuses), which do not directly affect the architecture of the system.
- the transport of sensitive and non-sensitive flows within the services (that is to say the LAN, Local Area Network, for local networks and/or the MAN, Metropolitan Area Network, for metropolitan networks) is characterized by the fact that all flows are carried on a single non-sensitive MAN network (non-sensitive flows are inherently larger in volume and concern a larger number of users).
- WAN: wide area network
- IPsec: Internet Protocol Security
- Means with high resilience capabilities are terrestrial infrastructure means with high resource capacity, or satellite infrastructure means with lower resource capacity and quality of service constraints (also referred to as QoS, Quality of Service), for example in terms of latency, transit time and packet loss.
- QoS: Quality of Service
- the communication between the users located in the services is constrained by the use of IPsec encryptors and obeys communication rules that are generally established statically; these rules define the parties entitled to communicate (generally sub-networks) and the remote sites (IPsec security equipment) that these entitled parties can reach.
- This information is contained in a database called the SPD ("Security Policy Database").
- the SPD database is not dynamically modifiable and requires manual configuration operations by an operator.
- the set of rules registered in the SPD database is called the "flow security policy".
- the flows flowing between two remote local networks are of different natures; they are identified by a traffic class, for example using the DiffServ classification mechanism, the DiffServ field being a field of the header of an IP packet.
- Network edge devices do not perform flow processing based on traffic class, but on a class of service, a class of service being a grouping of a set of traffic classes. This principle allows uniform treatment of flows with identical technical constraints, such as transit time for example.
- a known technique is to use two WAN wide area networks in a "backup" arrangement, that is to say that the second WAN network is used only if the first has lost connectivity. In the other cases, and in particular when the WAN network is saturated, the flows continue to take the saturated WAN network.
- this solution uses tunneling of the flows by means of GRE tunnels, which can restore connectivity between red routers and build the red routing plan using an IGP link state protocol (OSPF for example).
- a flow management policy is very limited simply because visibility is limited to the content of the packets (the DSCP field) and does not extend to the origin and destination of the flows. This requires making routing decisions upstream (in the red plane).
- the offset generated by the IPsec tunnels does not ensure a coherent SLA between the MAN (users) and WAN (transit) networks, which is why a router (in some cases called a QoS router) is needed between the WANs and the encryptors, whose main objective is to ensure coherence between the flows coming from the WAN towards the MANs and vice versa.
- the variable increase in packet size (overhead) introduced by the encryptor does not allow consistent QoS.
- the flow management policy is not carried out according to the type of operational flow.
- FIG. 1 shows an architecture of interconnected networks.
- An objective of such an architecture is to ensure the secure establishment of one or more communication links between a first local network S1, also called network enclave, and a second local network S2.
- These two remote network enclaves are interconnected by means of one or more public (WAN_C) or private (WAN_M) wired or satellite wide area networks.
- the streams transmitted between the two local networks S1, S2 are encrypted, respectively decrypted, by an encryption device Z_S1, Z_S2 arranged between each local network and the one or more extended networks.
- One or more red routers R1_S1, R1_S2 direct the flows to and from the network enclaves S1, S2.
- One or more black routers R2_S1, R2_S2 direct the encrypted streams through the at least one extended network to the remote network enclave.
- a first problem related to this type of architecture concerns the partitioning between the WAN wide area networks on the one hand and the local networks on the other hand because of the encryption of the data streams.
- Only data streams from one network enclave can reach another network enclave, in accordance with the contents of the SPD database. In other words, no data flow can pass between a network enclave S1, S2 and a WAN wide area network.
- the authorized communications are necessarily between two pieces of encryption equipment.
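As an added illustration (not code from the patent), the following Python models the static SPD described above, the flow security policy, and the consequence just stated: an ordered table of (source, destination) selectors with a protect-or-discard action and, for protected flows, the black address of the peer encryptor, with an implicit discard for anything not matching, which is why a flow from an enclave toward a WAN address never leaves the encryptor. All addresses and the rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (documentation ranges), not taken from the patent:
#   10.1.0.0/16  red subscribers of enclave S1     10.2.0.0/16  red subscribers of enclave S2
#   192.0.2.1    black address of encryptor Z_S1   192.0.2.2    black address of encryptor Z_S2
#   198.51.100.0/24  a WAN-side subnet with no encryptor behind it


@dataclass(frozen=True)
class SpdEntry:
    """One static rule of the flow security policy held by an encryptor."""
    src: ipaddress.IPv4Network       # red source selector
    dst: ipaddress.IPv4Network       # red destination selector
    action: str                      # "PROTECT" (tunnel to peer) or "DISCARD"
    peer: Optional[str] = None       # black address of the remote encryptor, PROTECT only


def spd_lookup(spd: List[SpdEntry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """First-match lookup in the SPD, the way a static policy table behaves.

    Anything not covered by an entry is discarded: an encryptor never lets a
    flow out toward a destination that is not behind another encryptor.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in spd:
        if src in entry.src and dst in entry.dst:
            return entry.action, entry.peer
    return "DISCARD", None


def describe(spd: List[SpdEntry], src_ip: str, dst_ip: str) -> str:
    """Human-readable verdict for one flow."""
    action, peer = spd_lookup(spd, src_ip, dst_ip)
    if action == "PROTECT":
        return f"{src_ip} -> {dst_ip}: protect, tunnel to encryptor {peer}"
    return f"{src_ip} -> {dst_ip}: discard (no entitled-party entry)"


# SPD of Z_S1: ordered, first match wins, implicit discard at the end.
SPD_Z_S1 = [
    # an explicit exception placed first: a quarantined subnet of S1 may not reach S2 at all
    SpdEntry(ipaddress.ip_network("10.1.99.0/24"), ipaddress.ip_network("10.2.0.0/16"), "DISCARD"),
    SpdEntry(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"), "PROTECT", "192.0.2.2"),
]

if __name__ == "__main__":
    for s, d in [("10.1.5.5", "10.2.7.7"), ("10.1.99.4", "10.2.7.7"), ("10.1.5.5", "198.51.100.5")]:
        print(describe(SPD_Z_S1, s, d))
```

The third case is the point of the passage: the WAN-side address matches no entry, so the encryptor drops the flow rather than forwarding it, which is exactly what prevents an enclave from talking to a WAN directly.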
- This lack of possible direct communication between a local area network and a wide area network poses a problem when it is desired to determine the type of wide area network to be used to establish a communication link according to the intrinsic characteristics of a data stream from a network enclave.
- the transmitted streams can be classified according to a quality of service which is attributed to them for example in relation to their priority level (vital or non-vital flows), their bandwidth and throughput requirements or the constraints of delay, jitter and / or packet loss that they can support.
- to select, among the available WAN wide area networks, the communication channel most suitable for the data streams to be transmitted, it is therefore necessary to establish communication between the network enclave and the wide area networks in order to communicate the identified needs. This type of communication is not possible with known architectures because of the presence of encryption equipment.
- a second problem related to known secure architectures relates to the routing of data flows across different wide area networks.
- the current routing protocols, for example the OSPF protocol, make it possible to route the flows according to the cost of the links.
- to implement a link state routing protocol between the remote local networks S1, S2, it is necessary to establish direct links between these networks that bypass the encryption equipment.
- Such a direct link is, for example, implemented using the GRE (Generic Routing Encapsulation) protocol.
- GRE: Generic Routing Encapsulation
- the incidents that occur in the various WAN networks will be taken into account at the R1_S1, R1_S2 routers only on detection by the link state protocol of a malfunction.
- the malfunction observed by the router that causes it to change the routing is a break in the link, i.e. a rupture of the GRE tunnel.
- the link state protocol may route the streams to another WAN network. Load sharing between different WANs can be done provided that the link costs are the same.
- This type of operation does not route the flows intelligently, taking criteria on both WAN wide area networks into account. Nor does it allow the transit capacity of the WAN networks to be optimized. This amounts either to using the WANs below their transit capacity or to over-provisioning the resource on one or the other of the WAN networks.
- a third problem of known secure architectures relates to the steering of flows to the different available WAN networks according to the sensitivity of their content.
- sensitive flows must be directed to a secure private wide area network, while non-sensitive flows can be directed to a public wide area network.
- To achieve this steering it is necessary to analyze the applications above the IP layer or to resort to a precise identification of the source and destination of the flows.
- Sites host users with administrative or operational functions; these users are considered either vital users (in limited numbers) or non-vital users, and they generate sensitive and non-sensitive flows. There is no correlation between vital users and sensitive flows: a non-vital user can generate sensitive flows.
- Streams from the LAN and/or MAN local area networks are encrypted because of the security level of these flows.
- the packet analysis can only be performed on the DSCP field ("Differentiated Services Code Point") of the IP packet, which the encryption equipment copies completely and without alteration.
- the steering of flows to one or the other of the WAN networks can therefore be realized only from this DSCP field, which is too limiting to achieve an accurate analysis of the sensitivity of the flows.
- the three aforementioned problems are directly or indirectly related to the technical constraints introduced by the presence of encryption equipment, which limit the possible exchanges between the red part (local networks) and the black part (wide area networks) of the network.
- FIG. 2 illustrates a topology, similar to that of FIG. 1, of a secure network architecture according to the state of the art.
- Such an architecture includes users of the service of a first local network S1, who are respectively subscribers A1_S1 and subscribers A2_S1. These users have different IP addresses, identifiable by their prefix.
- the users of the site S2 also have different addresses between subscribers B1_S2 and B2_S2 and with respect to the local network S1.
- the flows between the users of the local area networks S1 and S2 are routed to the output routers R1_S1, R1_S2, or red routers, of each local network.
- Routers R1_S1 and R1_S2 are optional. They allow, for example, the subscribers of the network enclaves to be managed as several communities with different attributes. They also manage the available theoretical bandwidth by assigning priorities to subscribers.
- the system of Figure 2 also includes encryptors Z_S1, Z_S2.
- the encryptor Z_S1 provides protection for the streams coming from the router R1_S1 to the router R2_S1.
- the protection is for example implemented using the IPSec protocol in tunnel mode.
- the security policy assigned to each encryptor makes it possible to partition the streams coming from the local network S1 and going to the users of the local network S2.
- the IPsec encapsulation makes it possible to hide the addresses of the local networks S1 and S2 from the WAN_C and WAN_M extended networks.
- the encryptor Z_S2 provides a role equivalent to the encryptor Z_S1 for the local network S2.
- the IP addresses on the black interface of the encryptors are the only addresses visible to WAN_M and WAN_C. These are the addresses that these WAN networks use to route the flows to and from routers R2_S1 and R2_S2.
- the black routers R2_S1, R2_S2 are located between the encryption devices Z_S1, Z_S2 and the extended networks. They allow the routing of flows to the extended networks according to their flow processing policy. Such a policy consists, for example, in routing sensitive flows to the private network WAN_M and non-sensitive flows to the public network WAN_C.
- the black routers R2_S1, R2_S2 adjust the value of the DSCP field of the packets according to the service classes offered by the WAN wide area networks. They also ensure the formatting of the packets to compensate for the redundancy introduced by the encryptors.
- the WAN_M private wide area network transports the flows between the local networks S1 and S2 according to a routing of its own.
- the WAN_C public wide area network performs the same routing functions according to its own parameters (topology, routing protocols, QoS, etc.).
- in this example the system comprises only two extended networks, WAN_M and WAN_C, but it could also apply to a larger number of wide area networks.
- WAN_M and WAN_C WANs are transport service providers that have the following features:
- Pre-emption and priority management: in the vast majority of cases, internal problems at the WAN level result in a reduction of the equivalent bandwidth and very rarely in a complete cut of the transmission. The remaining bandwidth must therefore be managed as well as possible. This feature allows strict priority management, at the stream level and not at the packet level, and provides pre-emption mechanisms to allocate the remaining bandwidth to the most vital stream.
- P&R: Protection and Restoration
- Some applications require that there be no interruption in the transport of streams, or more exactly that interruptions remain below 50 ms. Moreover, this requirement is totally independent of the criticality of the application (vital or non-vital).
- P&R makes it possible to express to WAN_C or WAN_M a request for a backup path of the 1-for-1, 1-for-N or even P-for-N type. It is also possible to implement this type of mechanism at the overlay level. In other words, the nominal paths can be established on one WAN and the backup paths on the other WAN.
- the network architectures according to FIG. 2 make it possible to partially solve the third problem described above, concerning the steering of encrypted streams. Indeed, it is possible to set up a routing policy based on the pair (destination IP address, value of the DSCP field).
- the encryptor hides the source and destination IP addresses of the subscribers but, for obvious routing reasons, adds in clear the source and destination IP addresses of the sending and receiving encryptors. In other words, it creates a new network-layer header. In this new header, the value of the DSCP field is the one presented at the input.
- steering policies can therefore only apply to all of the traffic from one encryptor to another; there is no longer any visibility on subscribers or groups of subscribers.
- FIG. 3 illustrates the routing of the flows in a network of the type of that of FIG. 2.
- Each autonomous system implements routing protocols:
- IGP: Interior Gateway Protocol
- EGP: Exterior Gateway Protocol
- BGP: Border Gateway Protocol
- OSPF: Open Shortest Path First
- the autonomous systems representing the enclaves S1, S2, S3, S4 implement the OSPF protocol in a routing domain which comprises the red routers R1_S1, R1_S2, R1_S3, R1_S4 but excludes the encryptors Z_S1, Z_S2, Z_S3, Z_S4. Encryptors do not implement the OSPF protocol and are not able to establish a routing topology from the source (themselves) to the recipients.
- the routing of the streams in the encryptors is carried out according to the Security Policy (SP) and Security Association (SA) entries, information contained in the SPD database ("Security Policy Database").
- SP: Security Policy
- SA: Security Association
- the black routers R2_S1, R2_S2, R2_S3, R2_S4 implement the OSPF protocol in order to accommodate, in complex architectures, an entity that is administratively independent of the main site but uses the resources common to the various WANs.
- the QoS routers are managed (administration/supervision) by the entity of the main site.
- the set of QoS routers of the sites of the same organizational unit forms a transit federation with respect to the service sites they connect, and this for a given flow category (sensitive or non-sensitive).
- the BGP protocol is implemented between routers R2_S1, R2_S2, R2_S3, R2_S4 and the networks WAN_M and WAN_C. It makes it possible to communicate to the various WANs the prefixes of the sub networks present in the services.
- WAN networks implement a routing protocol (OSPF for example). It ensures the routing of flows between the different interconnected services. This protocol makes it possible to establish a routing topology by assigning costs to the paths taken. The chosen route is the one with the lowest cost.
- the prefixes indicated in the routing tables of the routers of the WAN networks are the prefixes of the black addresses of the encryptors, the addresses of the user plane being masked by the encryptors.
- the OSPF protocol is a link state protocol; to work, it requires that the routers using it be adjacent, which can be translated as "connected by a direct link", but the encryptors do not allow a direct link between an unprotected entity and a protected entity.
- GRE tunnels are implemented as an overlay on the IPsec layer (ESP protocol) and generate an overhead of 4 additional bytes. It then becomes possible to reconstruct an OSPF routing topology between the services through the GRE tunnels.
- ESP: Encapsulating Security Payload (IPsec)
- QoS management is implemented in routers R2_S1, R2_S2, R2_S3, R2_S4. In each router, it must comply with the quality of service policy of the WAN_M and WAN_C wide area networks as well as that of the R1_S1, R1_S2, R1_S3, R1_S4 routers installed on the site for the benefit of the administrative entities.
- the overall coherence of the quality of service for a collective user who must convey both sensitive and non-sensitive flows can only be achieved by configuration operations independent of the QoS routers, since each router has to process either sensitive or non-sensitive flows.
- An object of the invention is to solve at least one of the aforementioned problems.
- the proposed solution allows routing decisions to be made before encrypting the information and integrating into one product all the functions needed to interconnect MAN to WANs.
- the routing directives are set on the red side of the network and are applied on the black side.
- An advantage of the proposed solution is to be able to interconnect a MAN with WANs by providing operational resilience functions.
- the use of the router according to the invention for managing secure data flows notably comprises the following advantages:
- the invention particularly relates to a secure flow management system for flows transmitted between a first local area network (S1) and at least one second local area network (S2) interconnected via a plurality of wide area networks WAN (WAN_M, WAN_C), characterized in that said system comprises at least:
- an observation module (OB) receiving the data streams transmitted from said first local network (S1) and going to at least one of said second local networks (S2), said observation module being adapted to associate with each packet of said flows a marking ("tattooing") that uniquely identifies the data streams,
- an analysis module (AN) performing qualitative and quantitative analysis of the data streams sent from said first local network (S1), making it possible to classify the streams according to their degree of priority and/or security, this degree being determined at least from the source, the destination or the user type of the flow,
- an interface module (IN) performing, on the one hand, the establishment and maintenance of point-to-point or point-to-multipoint data links between said first local network (S1) and at least one of said remote local networks (S2), each link using the transmission means provided by one or more of said WAN wide area networks and providing communication characteristics within a predetermined operating range, and, on the other hand, the routing of the secure flows on these links according to rules consistent with the marking operations of said observation module (OB) and the encryption of said encryption module (CH),
- a decision module (DE) associating with each data stream, according to its degree of priority and/or security determined by the analysis module (AN), a predetermined data link among the data links established by said interface module (IN), as a function of the probability of correct routing of a stream using each data link established by said interface module (IN),
- said observation module (OB) performs the marking of the streams by modifying the value of the DSCP field of the IP packets contained in said streams.
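The marking step just stated, together with the earlier observation that the encryptor copies the DSCP field unaltered into the new outer header, as an added Python example that is not part of the patent: mark_dscp rewrites the DSCP bits of a red IPv4 packet (keeping the two ECN bits and recomputing the header checksum), and tunnel_encapsulate models only the header behaviour of an IPsec tunnel-mode encryptor (black encryptor addresses, protocol ESP, inner DSCP copied unchanged). No cryptography is performed, and the packet contents and addresses are constructed for the example.

```python
import socket
import struct

ESP_PROTOCOL = 50   # IP protocol number of IPsec ESP
DSCP_EF = 46        # Expedited Forwarding, used here as the "vital" marking


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 when verifying a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, dscp: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum; DSCP is the top 6 bits of byte 1."""
    tos = (dscp & 0x3F) << 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def get_dscp(packet: bytes) -> int:
    """DSCP of an IPv4 packet (the 6 high bits of the TOS/traffic-class byte)."""
    return packet[1] >> 2


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """The observation module's marking: rewrite DSCP of a red packet and fix the header checksum."""
    hdr = bytearray(packet[:20])
    hdr[1] = (hdr[1] & 0x03) | ((dscp & 0x3F) << 2)   # keep the 2 ECN bits untouched
    hdr[10:12] = b"\x00\x00"                          # checksum field is zero while computing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def tunnel_encapsulate(inner: bytes, encryptor_src: str, encryptor_dst: str) -> bytes:
    """Header behaviour of IPsec tunnel mode, modelled without cryptography: a new outer
    IPv4 header carries the black addresses of the two encryptors, protocol ESP, and the
    inner DSCP copied unchanged; the inner packet stands in for the ESP-protected payload."""
    outer = build_ipv4_header(encryptor_src, encryptor_dst, ESP_PROTOCOL, len(inner), dscp=get_dscp(inner))
    return outer + inner


def black_router_view(outer: bytes) -> dict:
    """What a black router can read from the outer header: encryptor addresses, protocol, DSCP."""
    return {
        "src": socket.inet_ntoa(outer[12:16]),
        "dst": socket.inet_ntoa(outer[16:20]),
        "proto": outer[9],
        "dscp": get_dscp(outer),
        "checksum_ok": ipv4_checksum(outer[:20]) == 0,
    }


def demo() -> dict:
    """Constructed red packet 10.1.5.5 -> 10.2.7.7 (UDP, 8 payload bytes), marked EF, then tunnelled
    between encryptors 192.0.2.1 (Z_S1) and 192.0.2.2 (Z_S2)."""
    red = build_ipv4_header("10.1.5.5", "10.2.7.7", 17, 8) + b"\x00" * 8
    marked = mark_dscp(red, DSCP_EF)
    outer = tunnel_encapsulate(marked, "192.0.2.1", "192.0.2.2")
    return black_router_view(outer)


if __name__ == "__main__":
    print(demo())
```

The view returned by black_router_view is all a router on the WAN side has to work with: the marking survives encapsulation, the subscriber addresses do not, which is exactly why the page says steering can only be done per encryptor pair plus DSCP.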
- said encryption module (CH) implements the IPSec protocol in tunnel mode.
- said streams are associated with a data link using a private wide area network (WAN_M) or a public wide area network (WAN_C) depending on the nature of their source.
- WAN_M: private wide area network
- WAN_C: public wide area network
- the streams with the highest priority are associated with data links having the highest available data rate.
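An added Python example (not the patent's own algorithm) of a decision rule that matches the statements above about the decision module: flows are handled most vital first, sensitive flows are restricted to private-WAN links, links below a minimum probability of correct routing are excluded, and among the remaining links the one with the highest available rate wins, with that rate reserved so that later flows see what is left. The links, flows, probabilities and threshold are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Link:
    """A data link established by the interface module over one WAN (constructed values)."""
    name: str
    private: bool       # True: private WAN (WAN_M-like), False: public WAN (WAN_C-like)
    rate_mbps: float    # available data rate when the decision is taken
    p_ok: float         # estimated probability of correct routing over this link


@dataclass(frozen=True)
class Flow:
    """A stream as classified by the analysis module (constructed values)."""
    name: str
    priority: int       # higher is more vital
    sensitive: bool     # sensitive content: private WAN only
    rate_mbps: float    # rate the stream needs


def eligible(flow: Flow, link: Link, remaining_mbps: float, min_p_ok: float) -> bool:
    """A link may carry a flow only if sensitivity, routing probability and spare rate all permit it."""
    if flow.sensitive and not link.private:
        return False                       # sensitive content never leaves on a public WAN
    if link.p_ok < min_p_ok:
        return False                       # link judged too unreliable for any flow
    return remaining_mbps >= flow.rate_mbps


def decide(flows: List[Flow], links: List[Link], min_p_ok: float = 0.9) -> Tuple[Dict[str, Optional[str]], Dict[str, float]]:
    """Most vital flow first; each takes the eligible link with the most spare rate
    (ties broken by probability of correct routing) and reserves its rate on it.
    Returns (assignment per flow, spare rate per link); None means no acceptable link."""
    remaining = {link.name: link.rate_mbps for link in links}
    assignment: Dict[str, Optional[str]] = {}
    # sorted() is stable, so flows of equal priority keep their list order
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        candidates = [l for l in links if eligible(flow, l, remaining[l.name], min_p_ok)]
        if not candidates:
            assignment[flow.name] = None   # held back rather than downgraded to an unsuitable link
            continue
        best = max(candidates, key=lambda l: (remaining[l.name], l.p_ok))
        assignment[flow.name] = best.name
        remaining[best.name] -= flow.rate_mbps
    return assignment, remaining


LINKS = [
    Link("WAN_M-link", private=True, rate_mbps=10.0, p_ok=0.95),
    Link("WAN_C-link", private=False, rate_mbps=50.0, p_ok=0.92),
    Link("WAN_C-sat", private=False, rate_mbps=20.0, p_ok=0.60),   # degraded satellite path
]
FLOWS = [
    Flow("command-voice", priority=3, sensitive=True, rate_mbps=2.0),
    Flow("bulk-transfer", priority=1, sensitive=False, rate_mbps=30.0),
    Flow("sensitive-video", priority=2, sensitive=True, rate_mbps=9.0),
    Flow("mail", priority=1, sensitive=False, rate_mbps=5.0),
]

if __name__ == "__main__":
    assignment, spare = decide(FLOWS, LINKS)
    for name, link in assignment.items():
        print(f"{name:16s} -> {link or 'held back (no eligible link)'}")
    print("spare rate:", spare)
```

The "sensitive-video" flow shows the failure mode worth noticing: once the vital voice flow has reserved part of the private link, the video no longer fits there, and the rule holds it back instead of spilling it onto the public WAN, because the sensitivity constraint is absolute while rate is negotiable.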
- the invention also relates to a secure flow management method for flows transmitted between a first local network (S1) and at least one second local network (S2) interconnected via a plurality of wide area networks WAN (WAN_M, WAN_C), said local area networks (S1, S2) comprising at least one input/output interface I1, said WAN extended networks comprising at least one input/output interface I2, I3, said method being characterized in that it comprises at least the following steps for each local network (S1, S2):
- F1 being decomposed into sub-functions F1.1 to F1.n, where n is the number of WAN extended networks,
- the function F2 ensures the establishment of a plurality of point-to-point links between said hardware platforms connected to the input/output interfaces of each local network (S1, S2); the function F3 provides the switching, according to their characteristics, of the streams coming from and going to the interface I1 of said local network (S1) by separating the flows in session mode from the other flows; the function F4 ensures the processing of the flows in session mode; the function F5 handles the exchanges between the function F1 and the function F4, in particular by indicating to the function F1 the beginnings, endings and session numbers included in said flows; the function F6 ensures the treatment of congestion,
- the function F7 ensures interworking with the WAN wide area networks, retrieving the traffic engineering (TE) information, synthesizing it and communicating it to the function F1; the functions F2, F3, F4 and F5 are network functions managed by the function F8,
- the function F9 provides the administration of security functions such as the function F1.
- FIG. 1: an example of an architecture of a system according to the prior art,
- FIG. 2: another illustration of the example architecture of FIG. 1,
- FIG. 3: an illustration of the routing of data flows in a network of the type of FIG. 1 or 2,
- FIG. 4: a block diagram of the general architecture of the system according to the invention in a first embodiment,
- FIG. 5: an example of implementation of a first function F1 of the method according to the invention in the first embodiment,
- FIG. 6: an example of implementation of a second function F2 of the method according to the invention in the first embodiment,
- FIG. 7: an example of implementation of a third function F3 of the method according to the invention in the first embodiment,
- FIG. 8: an example of implementation of a fourth function F4 of the method according to the invention in the first embodiment,
- FIG. 9: an example of implementation of a fifth function F5 of the method according to the invention in the first embodiment,
- FIG. 10: an example of implementation of a sixth function F6 of the method according to the invention in the first embodiment,
- FIG. 11: an example of implementation of a seventh function F7 of the method according to the invention in the first embodiment,
- FIG. 12: an example of implementation of an eighth function F8 and a ninth function F9 of the method according to the invention in the first embodiment,
- FIG. 13: a block diagram of the system architecture according to the invention in a second embodiment.
- FIG. 4 illustrates the architecture of the system according to the invention in a first embodiment.
- the architecture of the system according to the invention implements a set of functions in order to solve the limitations of the known network architectures as illustrated in FIGS. 1 and 2.
- the invention makes it possible to ensure a secure interconnection between one or more LANs and one or more public or private WANs.
- the system according to the invention is interfaced on the one hand with a first local network S1 via an interface I1 and on the other hand with the available WAN extended networks via a plurality of interfaces I2, I3, etc., for establishing a point-to-point connection between said first local area network S1 and one or more other local area networks S2.
- a function F1 provides secure protection, for example by means of the IPSec protocol, of the flows coming from the interface I1 and going to the interfaces I2 and I3.
- the function F1 is decomposed into sub-functions F1.1 to F1.n, n representing the number of WAN wide area networks interfaced with the method.
- An Ix interface is assigned to an F1.x subfunction.
- a function F2 ensures the establishment of a plurality of point-to-point links of predetermined transfer characteristics between the system according to the invention connected to the first local network S1 and the remote systems connected to the other local networks S2.
- a function F3 ensures the switching and recognition of flows to and from the interface I1.
- the flow switching separates the flows in session mode from the other flows.
- An F4 function handles the processing of flows in session mode.
- a function F5 handles the relations between the function F1 and the function F4. It allows in particular the function F1 to be informed of the beginnings and endings of sessions as well as of the session numbers.
- a function F6 handles the processing of congestion aspects and of aspects related to Traffic Engineering (TE), and controls the routing of the streams recognized by the function F3 on the links established by the function F2 as a function of the congestion states that it detects.
- TE: Traffic Engineering
- a function F7 provides interworking with the black WANs by conveying the flows through the function F1 so as to map the point-to-point links established by the function F2 onto paths managed by the WAN extended networks. It is also responsible for retrieving the TE information from the black WANs, synthesizing it and communicating it to the function F1.
- An F8 function provides the administration of the network functions.
- the functions F2, F3, F4 and F5 are network functions.
- An F9 function handles the processing of the security functions.
- the F1 function is a security function.
- Databases are associated with these functions; they make it possible to store information specific to the network functions, information specific to the security functions, or information common to both. These databases, called Management Information Base (MIB) databases, are as follows:
- a BD1 MIB database which is dedicated to administration and supervision operations of network functions, accessible for reading and writing by the F8 function.
- a BD2 MIB database which is dedicated to the administration and supervision of the security functions, accessible for reading and writing by the F9 function.
- FIG. 5 shows an exemplary implementation of the first function F1 of the method according to the invention.
- the local networks S1, S2 are each interconnected to the WAN_M, WAN_C extended networks via a system 501, 502 according to the invention which implements the aforementioned functions.
- the LAN/MAN streams entering and leaving on the interface I1 require protection. This protection is ensured by the implementation of the function F1.
- the function F1 is an IPsec function in tunnel mode. It is performed for each interface I2, I3 between the system 501, 502 according to the invention and the extended networks.
- two functions F1, respectively denoted F1.1 and F1.2, are carried out for the interfaces I2 and I3.
- Tunnels are dynamically established between the functions F1.1, F1.2 executed by the remote systems 501, 502.
- the function F1 implements a method of automatic discovery of remote processes. It provides authentication of the remote processes and maintains IPsec tunnel connectivity between the local and remote entities F1.1, F1.2.
- FIG. 6 shows an exemplary implementation of the second function F2 of the method according to the invention.
- the use of IPsec tunnels established over WAN networks makes it necessary to position other GRE tunnels in superposition, or overlay, on these IPsec tunnels; this principle does not scale to large network topologies.
- the proposed solution is to use an "underlay" function, that is, to work at a level lower than IPsec to establish the relationships between remote entities.
- This function, designated F2, makes it possible to establish a point-to-point connection between two remote units; the MPLS protocol ("Multi-Protocol Label Switching") is one of the protocols that can satisfy this function. Other techniques such as VLANs can also satisfy the function F2.
- the links between the functions F2 are established on the interfaces I2 and I3. The information transmitted or received by this function F2 passes through the interfaces I2 and I3.
- FIG. 7 shows an example of implementation of the third function F3 of the method according to the invention.
- the function F3 is in "full duplex" relation with the interface I1, that is to say in simultaneous bidirectional communication.
- the flows coming from the interface I1 are switched according to their characteristics to the function F4 or to the function F2.
- Session-mode flows, such as those of the Session Initiation Protocol (SIP), are routed to the function F4; the other flows are routed to the function F2.
- SIP: Session Initiation Protocol
- the function F3 also makes it possible to extend to the system according to the invention the partitioning characteristics between users, such as Virtual Local Area Network (VLAN) or Virtual Routing and Forwarding (VRF) tables. These characteristics can be conveyed by the local process to the remote processes.
- VLAN: Virtual Local Area Network
- VRF: Virtual Routing and Forwarding table
- FIG. 8 shows an example of implementation of the fourth function F4 of the method according to the invention.
- function F4 receives only session-mode streams from function F3 (e.g. SIP).
- the function F4 interprets the "session" protocol and identifies in the protocol the field which carries the MLPP information indicating the priority of the session; this information has been set in the field concerned (the RP field in the case of the SIP protocol) by functional entities of the LAN/MAN local area network.
- the F4 function implements an IGP ("Interior Gateway Protocol") type Internet routing protocol having the capacity to establish a link topology including bandwidth availability and other metrics.
- the OSPF-TE protocol is one of the protocols that may be suitable for this part of the function.
- a best-path calculation sub-function taking into account the metrics mentioned above makes it possible to define the best routes for joining the remote secure flow management systems.
- the C-SPF sub-function is one of the functions able to satisfy this calculation.
- the information from C-SPF is passed as a parameter in the RSVP-TE request.
- Function F4 generates RSVP or RSVP-TE requests only to WAN networks that accept these requests.
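The F3 referral and the F4 priority extraction described above, as an added example that is not part of the patent text. It assumes that a packet is a small dict with the transport 5-tuple and a payload, that the "RP field" of SIP is the Resource-Priority header of RFC 4412 (whose dsn namespace carries the five MLPP precedence levels), and that the numeric ranks and the sample traffic are constructed for this illustration. The point a defender cares about is that F3 does not trust the port alone and that F4 degrades any unparseable or unknown precedence to routine rather than letting a malformed header claim elevated priority.

```python
"""Added example (not from the patent): F3 referral of session-mode flows
and F4 extraction of MLPP precedence from SIP, over constructed packets.

Assumptions (ours, not stated in the patent text):
  - a "packet" is a dict with proto/sport/dport and a payload string;
  - the "RP field" is the SIP Resource-Priority header (RFC 4412); the
    dsn namespace levels are real, the numeric ranks are our choice.
"""
import re

# dsn namespace of RFC 4412 -> rank used by this example (higher = more urgent)
MLPP_RANK = {
    "routine": 0,
    "priority": 1,
    "immediate": 2,
    "flash": 3,
    "flash-override": 4,
}

SIP_PORTS = {5060, 5061}
_RP_HEADER = re.compile(r"^Resource-Priority:\s*([a-z0-9-]+)\.([a-z0-9-]+)\s*$",
                        re.IGNORECASE | re.MULTILINE)
_SIP_START = re.compile(r"^(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS|UPDATE|REFER|SIP/2\.0)\b")


def is_session_mode(pkt):
    """F3 test: a flow is 'session mode' when it carries SIP signalling.
    A port match alone is not trusted; the payload must start like SIP."""
    if pkt["proto"] not in ("udp", "tcp"):
        return False
    if pkt["dport"] not in SIP_PORTS and pkt["sport"] not in SIP_PORTS:
        return False
    return bool(_SIP_START.match(pkt["payload"]))


def f3_route(pkt):
    """F3 switch: session-mode flows go to F4, everything else to F2."""
    return "F4" if is_session_mode(pkt) else "F2"


def f4_mlpp_priority(sip_message):
    """F4: read the MLPP precedence from the SIP Resource-Priority header.
    Returns (namespace, level, rank).  Absent, unknown or foreign-namespace
    values get rank 0 so a bad header can never buy elevated precedence."""
    m = _RP_HEADER.search(sip_message)
    if not m:
        return ("none", "routine", 0)
    namespace, level = m.group(1).lower(), m.group(2).lower()
    if namespace != "dsn" or level not in MLPP_RANK:
        return (namespace, level, 0)
    return (namespace, level, MLPP_RANK[level])


# Constructed sample traffic.
SIP_INVITE = (
    "INVITE sip:ops@site2.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.0.5:5060\r\n"
    "Resource-Priority: dsn.flash\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_PACKETS = [
    {"proto": "udp", "sport": 5060, "dport": 5060, "payload": SIP_INVITE},
    {"proto": "udp", "sport": 40000, "dport": 5060, "payload": "not really sip"},
    {"proto": "tcp", "sport": 51000, "dport": 443, "payload": "\x16\x03\x01"},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["dport"], "->", f3_route(p))
    print(f4_mlpp_priority(SIP_INVITE))
```

Run as a script it prints one referral decision per sample packet and the parsed precedence of the constructed INVITE; the second packet shows why the payload check matters, since it sits on the SIP port without being SIP.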
- FIG. 9 shows an example of implementation of the fifth function F5 of the method according to the invention.
- the function F5 allows the dialogue between the function F4 and each function F1.1, F1.2.
- this function is a control function that transmits and/or receives messages to or from the functions F4 and F1.
- the messages are conveyed by the UDP protocol ("User Datagram Protocol").
- the main messages make it possible to send and receive information on the communication sessions to be opened or closed, or on the behaviour to be maintained with respect to the communications, based on parameters derived from the function F1 and in particular its "black interface" part.
- the function F5 makes it possible to link the session number (for example an LSP number) with an IPsec context (for example an SPI number, "Security Parameter Index"), this information being contained in the SDP.
- FIG. 10 shows an example of implementation of the sixth function F6 of the method according to the invention.
- Function F6 is related to functions F3, F4. It implements several means and mechanisms for managing congestion or influencing the processing of flows, the operations implemented by F4 and F6 functions being referred to as "flow processing policy".
- the F4 function has all the contexts of the sessions established and being established, as well as the priority levels of these sessions.
- the flows are routed to the WAN networks present in active-active mode, i.e. the routing chooses one of the WAN networks according to the types of flows to be routed and the constraints associated with these flows. This principle makes it possible to use all the capacities of the WAN networks at the same time, without operating in "active-backup" mode.
- when congestion is reported to the function F6, the main methods used to influence the processing of flows are the following (this list is not exhaustive):
- DiffServ mode: the routing of the flows is done according to the DSCP field and according to a number of classes of service;
- ECN bit mode: congestion is reported by the setting of the ECN bit on a session or on a class of service;
- SAA mode: the function implements tools to measure certain characteristics of the flows across the WAN networks. These tools make it possible to measure the jitter, the transit delay and the latency, on each of the WAN networks. The analysis of the results may cause a change in the routing path of the flows involved in the analysis of the metrics, if these metrics fall outside the limits specified in the Service Level Agreement (SLA).
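The three F6 methods above (DiffServ classes, ECN congestion signal, SAA-style measurement against an SLA) combined into one active-active placement decision, as an added example that is not part of the patent. The DSCP-to-class table, the SLA limits, the per-class WAN preference order and the measurement snapshot are all constructed for the illustration; the patent names none of these values. Every WAN carries some class, a WAN outside the SLA of a class loses that class's flows, and a flow for which no WAN qualifies is returned as unplaced rather than silently put on a failing path.

```python
"""Added example (not from the patent): an F6-style flow processing policy
in active-active mode.  Each flow is placed on one of several WAN networks
according to its DiffServ class and the measured delay/jitter/loss of each
WAN against the SLA of that class; a WAN signalling congestion through ECN
is skipped.

Assumptions (ours): the DSCP-to-class mapping, SLA limits, preference
order and the measurement snapshot below are constructed sample values.
"""
from dataclasses import dataclass

# Constructed class-of-service table keyed by DSCP (RFC 4594-style names).
CLASS_BY_DSCP = {
    46: "voice",      # EF
    26: "video",      # AF31
    10: "bulk",       # AF11
    0:  "default",    # BE
}
SLA = {  # max one-way delay ms, max jitter ms, max loss fraction
    "voice":   dict(delay=150.0, jitter=30.0, loss=0.01),
    "video":   dict(delay=250.0, jitter=50.0, loss=0.02),
    "bulk":    dict(delay=1000.0, jitter=500.0, loss=0.05),
    "default": dict(delay=2000.0, jitter=1000.0, loss=0.10),
}
# Preferred WAN order per class: every WAN is a first choice for some class.
PREFERENCE = {
    "voice":   ["wan1", "wan2", "wan3"],
    "video":   ["wan2", "wan1", "wan3"],
    "bulk":    ["wan3", "wan2", "wan1"],
    "default": ["wan3", "wan1", "wan2"],
}


@dataclass
class WanMeasure:
    """One SAA-style probe result for a WAN (constructed sample data)."""
    delay: float   # ms
    jitter: float  # ms
    loss: float    # fraction 0..1
    ecn_congested: bool = False  # ECN congestion seen on this WAN


def flow_class(dscp):
    """DiffServ mode: an unknown DSCP falls back to the default class
    instead of being honoured as a premium marking."""
    return CLASS_BY_DSCP.get(dscp, "default")


def within_sla(cls, m):
    lim = SLA[cls]
    return m.delay <= lim["delay"] and m.jitter <= lim["jitter"] and m.loss <= lim["loss"]


def choose_wan(dscp, measures):
    """First preferred WAN for the flow's class that is inside the class SLA
    and not congested.  None means no WAN qualifies; the caller decides
    whether to degrade or refuse the flow."""
    cls = flow_class(dscp)
    for wan in PREFERENCE[cls]:
        m = measures.get(wan)
        if m is None or m.ecn_congested:
            continue
        if within_sla(cls, m):
            return wan
    return None


# Constructed snapshot: wan1 has degraded jitter, wan3 reports ECN congestion.
SNAPSHOT = {
    "wan1": WanMeasure(delay=40.0, jitter=45.0, loss=0.001),
    "wan2": WanMeasure(delay=90.0, jitter=10.0, loss=0.002),
    "wan3": WanMeasure(delay=300.0, jitter=20.0, loss=0.000, ecn_congested=True),
}

if __name__ == "__main__":
    for dscp in (46, 26, 10, 0, 99):
        print(dscp, flow_class(dscp), choose_wan(dscp, SNAPSHOT))
```

With this snapshot voice leaves wan1 because its jitter is outside the voice SLA while video still uses it, and bulk moves off the congested wan3; that is the per-class rerouting the SAA description above implies.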
- FIG. 11 shows an example of implementation of the seventh function F7 of the method according to the invention.
- the incoming and outgoing flows to and from the WAN networks on the interfaces I2, I3 are conveyed to these interfaces by the function F7.
- the F7 function is duplicated into as many functions (F7.1 to F7.n) as there are WAN networks; this duplication makes the actions and processing on the WAN networks independent of one another.
- Function F7 provides several sub-functions including:
- the function F7 takes into account the overhead imposed by the IPsec encryption, implicitly, through a management command communicated by the function F6.
- the overhead is expressed as a number of additional bytes to be taken into account in the calculation of the quality of service.
- the F7 function expresses a user bandwidth need corresponding to the service level agreement (SLA) requested by the user; this expression of requirement is made per class of service.
- a calculation is performed by the function F7 to check the coherence between the physical bit rates of the LAN/MAN local area network interfaces and those of the WAN wide area networks, and the requests expressed by the user in the classes of service.
- FIG. 12 shows an exemplary implementation of the eighth function F8 and the ninth function F9 of the method according to the invention. All the functions F1, F2, F3, F4, F5, F6 and F7 are implemented on a common hardware and software basis.
- the NOC and SOC administration functions can cohabit more easily, which makes it possible to have MIB databases dedicated to an operating domain: a network MIB base and a security MIB database, as well as a common MIB database containing "network" information and "non-sensitive security" information.
- sensitive information such as cryptographic elements (keys) is contained in the MIB dedicated to security. As a result, the security information is always accessible and does not require any additional equipment for its accessibility.
- the system according to the invention groups all the functions. It is a single autonomous system (AS). Its administration is ensured by a WAN autonomous system or by a MAN autonomous system. To make it easier to track SLA service level agreements, information from the network and security administration MIB (common MIB database) can be read only by the autonomous system that is not responsible for the administration of the process, to provide a vision of the quality of service to the autonomous system that does not provide this administration.
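The two F7 sub-functions just listed, the IPsec overhead expressed as additional bytes and the coherence check between user class requests and the physical LAN/WAN rates, as an added example that is not part of the patent. It assumes ESP over IPv4 in tunnel mode with AES-CBC (16-byte IV and block) and a 16-byte ICV such as HMAC-SHA-256-128, no NAT-T UDP encapsulation, and constructed per-class requests and link rates; none of these figures come from the patent. The sample shows the practical point of the overhead: a set of requests that fits the WAN on the red side no longer fits once small voice packets are expanded by encapsulation.

```python
"""Added example (not from the patent): F7 accounting of IPsec overhead and
the coherence check of class-of-service requests against physical rates.

Assumptions (ours): ESP tunnel mode over IPv4 with AES-CBC (16-byte IV,
16-byte block) and a 16-byte ICV; no NAT-T; the class requests and link
rates below are constructed sample values.
"""

OUTER_IPV4_HDR = 20   # new IP header added by tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_IV = 16           # AES-CBC IV
ESP_TRAILER = 2       # pad length + next header
AES_BLOCK = 16


def esp_tunnel_overhead(inner_len, icv_len=16):
    """Bytes added to an inner IP packet of inner_len bytes by ESP tunnel
    mode.  Padding aligns (inner + trailer) to the cipher block size."""
    pad = (AES_BLOCK - (inner_len + ESP_TRAILER) % AES_BLOCK) % AES_BLOCK
    return OUTER_IPV4_HDR + ESP_HDR + ESP_IV + pad + ESP_TRAILER + icv_len


def encrypted_rate_bps(payload_bps, avg_pkt_len, icv_len=16):
    """Bit rate seen on the black side for a red-side stream of payload_bps
    made of packets averaging avg_pkt_len bytes."""
    factor = (avg_pkt_len + esp_tunnel_overhead(avg_pkt_len, icv_len)) / avg_pkt_len
    return payload_bps * factor


def coherence_check(class_requests, lan_rate_bps, wan_rate_bps, icv_len=16):
    """F7 coherence check.  class_requests maps class name -> (payload bps,
    average packet length).  Returns the red- and black-side totals and
    whether each fits the corresponding physical rate."""
    total_red = sum(bps for bps, _ in class_requests.values())
    total_black = sum(encrypted_rate_bps(bps, plen, icv_len)
                      for bps, plen in class_requests.values())
    return {
        "red_bps": total_red,
        "black_bps": total_black,
        "fits_lan": total_red <= lan_rate_bps,
        "fits_wan": total_black <= wan_rate_bps,
    }


# Constructed per-class user requests (payload bit/s, average packet bytes).
# Voice is small-packet traffic and therefore pays the most overhead.
REQUESTS = {
    "voice": (2_000_000, 100),
    "video": (6_000_000, 1200),
    "bulk":  (10_000_000, 1400),
}

if __name__ == "__main__":
    print("overhead for a 100-byte packet:", esp_tunnel_overhead(100), "bytes")
    print(coherence_check(REQUESTS, lan_rate_bps=100_000_000, wan_rate_bps=20_000_000))
```

A 100-byte inner packet gains 72 bytes under these assumptions (68 with a 12-byte ICV such as HMAC-SHA1-96), and the 18 Mbit/s of red-side requests become roughly 20.3 Mbit/s on the black side, which is why the check against a 20 Mbit/s WAN fails even though the LAN side is fine.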
- Function F8 is related to functions F2, F3, F4, F5 and F6 to perform the administration (configuration) and supervision of these functions.
- Function F9 is related to function F1 and F7 to perform the administration (configuration) and supervision of this function.
- the function F8 is related to the database BD1.
- Database BD1 is in read and write mode.
- the function F9 is in relation with the database BD2 and the database BD2 is in read and write mode.
- the database BD3 receives information from the databases BD1 and BD2, the database BD3 being in read-only mode.
- the switch to the F4 function concerns the flows in session mode;
- the distribution of functions F1 to F9 can also be performed with different hardware and software platforms.
- the communication protocol between these platforms is a layer 2 protocol.
- the referral of flows to the function F4 concerns all flows in session mode and all flows in non-session mode.
- the information from the function F7 concerning Traffic Engineering information (TE) is transmitted to the function F6 via the function F1.
- TE Traffic Engineering information
- the administration of the network and security information is consolidated in a single database.
- the system 100 implements the secure flow management method described above.
- the system 100 allows, in particular, secure interconnection of a first local network S1 with a plurality of other remote local networks through public or private WANs.
- the system 100 comprises an observation module OB which receives the streams coming from the local network S1 and transmits them to an encryption device CH which performs the function of securing said streams, for example using the IPSec protocol.
- the encrypted streams are then forwarded to an IN interface module which routes the streams to one or more WAN wide area networks based on predetermined criteria.
- the system 100 also comprises an analysis module AN, which receives a copy of each packet received by the observation module OB and which identifies flows and associates them with a degree of priority and/or security as well as requirements in terms of quality of service, and a decision module DE, which receives from the analysis module AN information concerning each of the identified flows, and information on the availability of point-to-point or point-to-multipoint links between the interface modules IN and on their predetermined characteristics, through a lexical and syntactic analysis module ALS.
- one of the aims of the system 100 according to the invention is to provide a referral of the streams transmitted from the local network S1 to one or more WANs, by providing a differentiation of services and a transmission of each stream to the most suitable WAN wide area network according to predetermined constraints and the state of these wide area networks.
- the difficulty of such an adaptation resides in the presence of the encryption device CH which imposes a partitioning between the red-side (local network) and black-side (wide-area network) flows and therefore an information-exchange prevention between the red routers R1_S1 and the black routers R2_S1.
- the observation module OB performs two functions.
- the first function consists in duplicating each packet received from the local network S1 and transmitting a copy of each packet to the analysis module AN.
- the second function consists in associating with each packet a specific tag, in the form of a field of the header of the packet or of the frame which transports this packet during the exchanges between modules, so as to identify the flows uniquely in the subsequent processing performed by the different modules.
- the identification of flows makes it possible to take into account the transmission constraints specific to each stream. Transmission constraint is understood to mean in particular the bit rate necessary for routing the stream to its destination, the constraints in terms of delay, jitter or packet loss rate that a stream can support while guaranteeing its routing, or the degree of security that needs to be applied.
- the transmission medium, in this case one of the links of the IN interface module, is selected among the available WAN wide area networks as the best suited to each stream, so as to guarantee its routing to its destination.
- the tagging of each packet is done, for example, by modifying the value of the Differentiated Services Code Point (DSCP) field of an IP packet or by setting the MAC addresses of the frame carrying the packet.
- the observation module OB also performs the function F3 previously described for the first embodiment of the invention.
- the encryption module CH ensures the security of data streams by encryption in tunnel mode.
- the tunnels are dynamically established between each encryption module of each system connected to a source or destination LAN.
- the packets transmitted by the observation module OB are encrypted in their entirety and encapsulated in a packet or frame where the identification of the stream will be at least locally readable, for example by means of the DSCP field of the encapsulating packet.
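The tagging of a packet through its DSCP field and the preservation of that identifier in the encapsulating packet, as an added example that is not part of the patent, written against raw IPv4 header bytes. It assumes IPv4 without options, uses a placeholder for the encryption step (the inner packet is carried opaquely behind an outer header with protocol 50, ESP, without any real cipher, since the point is the header handling), and uses constructed addresses and payload. The example also derives the link identifier the later text describes, from the outer header attributes alone (DSCP, source and destination), which is all the black side can read.

```python
"""Added example (not from the patent): DSCP tagging of an inner IPv4
packet by the observation module, copy of the DSCP into the outer header
built by the encryption module, and link identification from the outer
header only.

Assumptions (ours): IPv4 without options; encapsulate() is a placeholder
for ESP that carries the inner bytes opaquely and does not encrypt;
addresses and payload are constructed.
"""
import struct


def ipv4_checksum(header):
    """One's-complement checksum of a 20-byte header, checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def header_valid(packet):
    """True when the header checksum verifies (folded sum is all ones)."""
    total = sum(struct.unpack("!10H", packet[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4(src, dst, payload, dscp=0, proto=17, ttl=64):
    """Minimal IPv4 header (no options) followed by payload."""
    tos = (dscp & 0x3F) << 2  # DSCP is the top 6 bits of the TOS byte, ECN the low 2
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def get_dscp(packet):
    return packet[1] >> 2


def tag_dscp(packet, dscp):
    """OB tagging: rewrite the DSCP bits in place, keep the ECN bits, and
    recompute the header checksum so the packet stays valid."""
    tos = (packet[1] & 0x03) | ((dscp & 0x3F) << 2)
    hdr = packet[:1] + bytes([tos]) + packet[2:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def encapsulate(inner, outer_src, outer_dst):
    """CH step (placeholder for ESP, protocol 50): the outer header copies
    the inner DSCP so the flow identifier stays readable on the black side,
    while the inner packet itself is carried as an opaque payload."""
    return build_ipv4(outer_src, outer_dst, inner, dscp=get_dscp(inner), proto=50)


def link_key(outer):
    """IN-side link identification from encrypted-packet header attributes
    only: DSCP plus outer source and destination addresses."""
    src = ".".join(str(b) for b in outer[12:16])
    dst = ".".join(str(b) for b in outer[16:20])
    return (get_dscp(outer), src, dst)


# Constructed red-side packet from S1 toward a remote LAN.
RED_PKT = build_ipv4("10.1.0.5", "10.2.0.9", b"hello", dscp=0)

if __name__ == "__main__":
    tagged = tag_dscp(RED_PKT, 46)
    black = encapsulate(tagged, "198.51.100.1", "203.0.113.7")
    print(get_dscp(tagged), header_valid(tagged), link_key(black))
```

Note that tag_dscp leaves the two ECN bits untouched: the tag must not destroy the congestion signal the F6 description relies on.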
- the encryption module CH also performs the function F1 previously described for the first embodiment of the invention.
- the analysis module AN performs a qualitative and quantitative analysis of the flows flowing between the local network S1 and the remote LAN networks. This analysis makes it possible to anticipate the needs and to judge the adequacy between the needs and the means of interconnection in place. Each flow identified is associated with flow constraints to be respected. According to predefined categories, the analysis module AN associates the degree of priority of the flow with a minimum bandwidth requirement. The analysis of the degree of priority of a stream is performed, for example, by an interpretation of the "session" protocol, by identifying the field which carries the information indicating the priority of the session, which is determined by functional entities of the MAN network.
- the analysis module AN also executes the function F4 previously described for the first embodiment of the invention.
- the decision module DE establishes the policy of referral of the flows to the WAN wide area network according, on the one hand, to the flow constraints to be respected for each of the streams and the number of flows to be served, as determined by the analysis module AN, and, on the other hand, to the availability of the WAN wide area networks.
- the decision module DE thus determines the transport services that must be initiated, modified or canceled in accordance with the established referral rules. For this purpose, it generates adapted messages allowing a secure communication of choice of referral to the IN interface module.
- the messages generated by the decision module DE must guarantee the partitioning of the data flows between the black part and the red part of the network. In particular, the messages transmitted between the decision module DE and the interface module IN must not be correlated to the data flows that pass between the local network S1 and the wide area networks WAN.
- the decision module DE implements a set of controls, of the state machine type.
- the decision module DE also takes into account, in the allocation of flows to a WAN network, the overhead added by the encryption module CH. This overhead is especially taken into account for the calculation of the transmission rate required for the routing of a stream according to its degree of priority.
- the decision module DE also executes the functions F6 and F7 previously described for the first embodiment of the invention.
- the lexical and syntactic analysis module ALS of the messages exchanged between the decision module DE and the interface module IN makes it possible to partition the red and black parts of the network.
- the messages coming from the interface module IN are only accepted by the ALS module if they intervene in response to an explicit request formulated by the decision module DE.
- These messages contain, in particular, the encrypted packet header attributes that make it possible to identify the link used among the available WANs as well as the characteristics of this link.
- the lexical and syntactical analysis module ALS constitutes a secure gateway allowing on the one hand to inform the interface module IN of the referral decisions taken by the decision module DE and on the other hand to indicate to the decision module DE the state of the links established by WANs.
- the security established by the ALS module can withstand denial of service attacks from potential WANs. It also guarantees the absence of information leaks.
- the lexical and syntactical analysis module ALS also performs the function F5 previously described for the first embodiment of the invention.
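The ALS gate between the decision module DE and the interface module IN, as an added example that is not part of the patent. Messages toward IN are built from a fixed vocabulary; messages from IN are accepted only if they are within a length bound (lexical check), parse under a strict grammar (syntactic check) and answer an outstanding request identifier issued by DE (correlation check), with every rejection counted. The one-line message format, the field names, the request-id size and the time-to-live are all constructed for this example; the patent defines none of them. Rejecting everything unsolicited is what keeps a flood from the WAN side from reaching the red side and leaves no channel for black-to-red information to pass outside the fields DE asked for.

```python
"""Added example (not from the patent): a request/response gate in the
spirit of the ALS module.  Red -> black messages are referral requests from
DE; black -> red messages are accepted only when they parse under a strict
grammar and answer a pending request id.

Assumptions (ours): the wire format "REQ <id> <link>" / "RSP <id> <link>
<state> <delay_ms>", the 16-hex-digit request id, the 128-byte bound and
the default 5 s time-to-live are constructed for this example.
"""
import re
import secrets
import time

_LINK_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
_RSP = re.compile(r"^RSP ([0-9a-f]{16}) ([A-Za-z0-9_-]{1,32}) (UP|DOWN|DEGRADED) ([0-9]{1,5})$")
MAX_MSG_LEN = 128


class ALSGate:
    def __init__(self, request_ttl_s=5.0, now=time.monotonic):
        self._now = now
        self._ttl = request_ttl_s
        self._pending = {}   # req_id -> (link_id, issued_at)
        self.links = {}      # link_id -> (state, delay_ms) as last accepted
        self.dropped = {"unsolicited": 0, "malformed": 0, "oversize": 0, "expired": 0}

    # red -> black
    def issue_request(self, link_id):
        """DE asks IN about one link.  The random request id is the only
        thing a later response can be matched against."""
        if not _LINK_ID.fullmatch(link_id):
            raise ValueError("link_id outside the allowed vocabulary")
        req_id = secrets.token_hex(8)
        self._pending[req_id] = (link_id, self._now())
        return f"REQ {req_id} {link_id}"

    # black -> red
    def accept_response(self, raw):
        """Lexical bound, then grammar, then correlation to a pending
        request.  Each pending id is consumed on first use, so a repeated
        response is treated as unsolicited."""
        if len(raw) > MAX_MSG_LEN:
            self.dropped["oversize"] += 1
            return False
        m = _RSP.match(raw)
        if not m:
            self.dropped["malformed"] += 1
            return False
        req_id, link_id, state, delay = m.groups()
        pending = self._pending.pop(req_id, None)
        if pending is None or pending[0] != link_id:
            self.dropped["unsolicited"] += 1
            return False
        if self._now() - pending[1] > self._ttl:
            self.dropped["expired"] += 1
            return False
        self.links[link_id] = (state, int(delay))
        return True


def demo():
    """Constructed exchange: one legitimate answer, one answer nobody asked
    for, one message outside the grammar, and a repeat of the valid one."""
    gate = ALSGate()
    req = gate.issue_request("wan1-S1-S2")
    req_id = req.split()[1]
    ok = gate.accept_response(f"RSP {req_id} wan1-S1-S2 UP 42")
    unsolicited = gate.accept_response(f"RSP {'0' * 16} wan1-S1-S2 DOWN 0")
    malformed = gate.accept_response("RSP not-a-valid-response")
    repeated = gate.accept_response(f"RSP {req_id} wan1-S1-S2 UP 42")
    return gate, ok, unsolicited, malformed, repeated


if __name__ == "__main__":
    g, *results = demo()
    print(results, g.links, g.dropped)
```

The `now` parameter exists so the expiry rule can be tested with an injected clock; in service it stays on the monotonic clock so that wall-clock adjustments cannot revive stale requests.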
- the interface module IN performs the establishment of point-to-point or point-to-multipoint links between the local network S1 and at least one other remote network S2 through one or more WAN wide area networks. It ensures that each link operates in the predetermined operating range on which the decision module DE has established its referral policy. It provides the state of availability of the established links to the decision module DE, via the module ALS.
- point-to-point or point-to-multipoint links can be established using the Multiprotocol Label Switching (MPLS) data transport mechanism or by introducing VLANs.
- the interface module IN can apply the routing policy established, for each encrypted stream, according to its identification.
- a link is characterized on the one hand by the identifiers of the local networks S1, S2 that it connects and on the other hand by the data transfer parameters on this link. These parameters include the transfer delay, the average rate of packet losses, the level of security, the level of criticality, the maximum continuous rate and the maximum time of interruption of service.
- a link is identified by a combination of encrypted packet header attributes, including the DSCP field and the source and destination addresses of the stream.
- a link is maintained according to its predetermined characteristics. For example, in the event of a WAN network malfunction, the link may be maintained using other means of transmission, for example satellite transmission means.
- the IN interface module also implements an IGP link-state routing protocol having the ability to establish a link topology including available-bandwidth and occupied-bandwidth metrics.
- a routing protocol adapted for this purpose is the OSPF-TE protocol.
- associated with this protocol, a shortest-path calculation function is executed. It takes into account said metrics to define the best routes to reach the destination network.
- the interface module IN also executes the functions F2, F4 and F7 previously described for the first embodiment of the invention.
- the system 100 according to the invention and the modules of which it is composed are implemented on a common hardware and / or software basis.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2011267159A AU2011267159A1 (en) | 2010-06-14 | 2011-06-14 | System and method for managing secure flows between a plurality of remote sites |
SG2012092664A SG186374A1 (en) | 2010-06-14 | 2011-06-14 | System and method for managing secure flows between a plurality of remote sites |
ZA2012/09503A ZA201209503B (en) | 2010-06-14 | 2012-12-13 | System and method for managing secure flows between a plurality of remote sites |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1002522 | 2010-06-14 | ||
FR1002522A FR2961365A1 (fr) | 2010-06-14 | 2010-06-14 | Methode de gestion de flux securises entre plusieurs sites et routeur-chiffreur associe |
FR1005089 | 2010-12-23 | ||
FR1005089A FR2961367B1 (fr) | 2010-06-14 | 2010-12-23 | Systeme et methode de gestion de flux securises entre plusieurs sites distants |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2011157704A2 true WO2011157704A2 (fr) | 2011-12-22 |
WO2011157704A3 WO2011157704A3 (fr) | 2012-02-23 |
Family
ID=43725371
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2011/059834 WO2011157704A2 (fr) | 2010-06-14 | 2011-06-14 | Système et méthode de gestion de flux sécurisés entre plusieurs sites distants |
Country Status (5)
Country | Link |
---|---|
AU (1) | AU2011267159A1 (fr) |
FR (2) | FR2961365A1 (fr) |
SG (1) | SG186374A1 (fr) |
WO (1) | WO2011157704A2 (fr) |
ZA (1) | ZA201209503B (fr) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR3106710B1 (fr) * | 2020-01-28 | 2022-02-11 | Naval Group | Module de gestion d'echanges de flux de donnees dans une architecture d'echanges pour une formation d'engins mobiles |
FR3106709B1 (fr) * | 2020-01-28 | 2022-02-11 | Naval Group | Procede de construction et de maintien de conduits dans une architecture d'echanges de flux de donnees dans une formation d'engins mobiles et module central associe |
FR3106712B1 (fr) * | 2020-01-28 | 2022-02-11 | Naval Group | Architecture d'echanges de flux de donnees dans une formation d'engins mobiles |
FR3106711B1 (fr) * | 2020-01-28 | 2022-01-28 | Naval Group | Procede de construction de regles d'echanges dans une architecture d'echanges de flux de donnees dans une formation d'engins mobiles et module central associe |
2010
- 2010-06-14 FR FR1002522A patent/FR2961365A1/fr active Pending
- 2010-12-23 FR FR1005089A patent/FR2961367B1/fr active Active
2011
- 2011-06-14 SG SG2012092664A patent/SG186374A1/en unknown
- 2011-06-14 AU AU2011267159A patent/AU2011267159A1/en not_active Abandoned
- 2011-06-14 WO PCT/EP2011/059834 patent/WO2011157704A2/fr active Application Filing
2012
- 2012-12-13 ZA ZA2012/09503A patent/ZA201209503B/en unknown
Non-Patent Citations (1)
Title |
---|
None |
Also Published As
Publication number | Publication date |
---|---|
FR2961365A1 (fr) | 2011-12-16 |
SG186374A1 (en) | 2013-01-30 |
ZA201209503B (en) | 2013-08-28 |
AU2011267159A1 (en) | 2013-01-24 |
WO2011157704A3 (fr) | 2012-02-23 |
FR2961367B1 (fr) | 2012-08-17 |
FR2961367A1 (fr) | 2011-12-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11005818B2 (en) | Dynamic, user-configurable virtual private network | |
US9491144B2 (en) | Methods and apparatus for denial of service resistant policing of packets | |
US20180197156A1 (en) | Distributed micro transactions for software defined networking flows | |
US9887974B2 (en) | Method for network communication past encryption devices | |
US8238325B2 (en) | Packet communication network and packet communication method | |
US10079805B2 (en) | Bypassing a firewall for authorized flows using software defined networking | |
WO2011157704A2 (fr) | Système et méthode de gestion de flux sécurisés entre plusieurs sites distants | |
CN109417556B (zh) | 用于安全服务协作的系统和方法 | |
FR3072238A1 (fr) | Dispositif et procede de transmission de donnees | |
US8553539B2 (en) | Method and system for packet traffic congestion management | |
CN112583689B (zh) | 将服务映射到隧道以便使用网络装置转发分组 | |
CN113709091B (zh) | 用于基于策略的分组处理的方法、设备和系统 | |
US8971330B2 (en) | Quality of service and encryption over a plurality of MPLS networks | |
Wahanani et al. | Performance analysis of video on demand and video streaming on the network MPLS Traffic Engineering | |
Perez | IP, Ethernet and MPLS Networks: Resource and Fault Management | |
Carlberg et al. | Framework for supporting emergency telecommunications service (ETS) in IP telephony | |
EP1432210A1 (fr) | Dispositif de contrôle de traitements associés a des flux au sein d'un reseau de communications | |
EP2640004B1 (fr) | Procede de gestion des echanges de flux de donnees dans un reseau de telecommunication autonomique | |
EP2472783B1 (fr) | Procédé de selection de noeuds de bordure inter-domaines | |
EP1762051A1 (fr) | Procede de gestion d'une interconnexion entre reseaux de telecommunication et dispositif mettant en oeuvre ce procede | |
EP2476225B1 (fr) | Procede et systeme pour le controle de l'acheminement d'un flux de donnees d'une classe de service a travers un reseau maille et chiffre | |
Moser | Performance Analysis of an SD-WAN Infrastructure Implemented Using Cisco System Technologies | |
EP2759103B1 (fr) | Dispositif et procede d'acheminement de flux de communication securises entre sites distants | |
WO2024068725A1 (fr) | Procédé de gestion du trafic de données entre une entité source et une entité destinataire, entité et programme d'ordinateur correspondants | |
EP1878172B1 (fr) | Controle de la reservation de ressources partagees de chemins de connexion dans un reseau de communication a commutation d'etiquettes de type "non paquet" |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11725439; Country of ref document: EP; Kind code of ref document: A2 |
NENP | Non-entry into the national phase | Ref country code: DE |
ENP | Entry into the national phase | Ref document number: 2011267159; Country of ref document: AU; Date of ref document: 20110614; Kind code of ref document: A |
122 | Ep: pct application non-entry in european phase | Ref document number: 11725439; Country of ref document: EP; Kind code of ref document: A2 |