WO2012056010A1 - Method and system for controlling IP traffic in a service provider network - Google Patents

Method and system for controlling IP traffic in a service provider network

Info

Publication number
WO2012056010A1
Authority
WO
WIPO (PCT)
Prior art keywords
cgn
traffic
service provider
nat device
customer
Application number
PCT/EP2011/069015
Other languages
English (en)
Inventor
Rolf Winter
Joerg Wagner
Andreas Ripke
Armin Jahanpanah
Original Assignee
Nec Europe Ltd.
Priority date
2010-10-29
Filing date
2011-10-28
Publication date
2012-05-03
Application filed by Nec Europe Ltd.
Publication of WO2012056010A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2546 Arrangements for avoiding unnecessary translation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses

Definitions

  • the present invention relates to a method and a system for controlling IP traffic in a service provider network, wherein said service provider network includes one or more switches for connecting service provider's customers to the global Internet, and a Carrier Grade Network Address Translation (CGN NAT) device, which is configured to translate between private and public IP addresses, wherein the private side faces said service provider's customers.
  • CGN NAT Carrier Grade Network Address Translation
  • IPv4 Internet Service Providers
  • IPv6 Internet Service Providers
  • NATs are not installed at the customer-end of the network (e.g. enterprises, broadband home customers etc.) to connect customers to a service provider, but they are installed within the operator network with the private side of the NAT facing the service provider's customers.
  • such devices are called carrier-grade NATs, briefly CGN NAT, although sometimes in the literature one can also find the denotation "large-scale NAT".
  • while CGN NATs are an efficient mechanism for economizing the deployment of scarce public, globally unique IPv4 addresses, since they enable service providers to assign private IP addresses to their customers instead, there are on the other hand numerous problems with these devices. For instance, there is no control over which ports are being used and how they are used, which makes it difficult to e.g. host services at the customer-end or troubleshoot network connectivity problems. For home customers this might often not be a problem, but many other customer groups and technology-savvy users might not be satisfied with such a solution. Furthermore, some applications make use of IP addresses in the payload, and NAT complicates the operation of these protocols or even breaks them. The easy answer to the above problems would be to give a public IP address to these customers, but with the current rate of IPv4 address depletion this answer will soon not be viable any more.
  • Another problem is user diversity. Some heavy users consume a huge amount of ports whereas others only consume very little. Some cause a huge amount of traffic and others don't. An operator might want to restrict the usable port range, charge on excessive port consumption or distinguish between different tariffs. However, with today's way of using CGN NAT, no individual handling of different users is possible.
  • a more general problem is performance.
  • a carrier-grade NAT serving many customers at once needs to store a huge amount of mapping state and needs to operate on much higher bandwidth scales. These requirements will render the device slow, expensive or both.
  • Some delay in packet delivery might be acceptable for home users but if a service is hosted at an enterprise there should be no such delay.
  • the aforementioned object is accomplished by a method comprising the features of claim 1.
  • a method comprising the features of claim 1.
  • such a method is characterized in that said service provider's customers and/or said CGN NAT device are enabled to select IP traffic according to configurable criteria, wherein selected IP traffic is routed such that it bypasses said CGN NAT device.
  • a system comprising the features of claim 16.
  • said service provider's customers and/or said CGN NAT device are enabled to select IP traffic according to configurable criteria, wherein selected IP traffic is routed such that it bypasses said CGN NAT device.
  • the present invention proposes a selection mechanism that allows service provider's customers and/or the CGN NAT device itself to select certain traffic according to configurable criteria.
  • this will be some kind of "premium" traffic the customer considers to be of high priority, for instance because it pertains to a service hosted by the customer's enterprise, e.g. the traffic of a Web server operated by the customer.
  • selected traffic is routed such that it bypasses the CGN NAT device.
  • the customers are given native IP connectivity by bypassing the CGN NAT device for a particular selected service.
  • the switches process packets much faster than the CGN NAT device. Because of the pass-through no packet re-writing will be performed, which will eliminate the problems associated with NAT and will make connectivity troubleshooting easier.
  • the memory limitation of current switches will be no problem as there should be far less services that need pass-through entries compared to the NAT states. Handling traffic to the NAT device is handled on the switches by a single entry (default). Together this idea will decrease the delay and isolates the specific traffic from problems on the NAT.
  • the present invention provides a new method and system that allows to separate different kinds of traffic, e.g. low and high-priority traffic, for performance and isolation reasons by selectively and dynamically bypassing a CGN NAT device using appropriate switches to obtain native IP connectivity for services to customers that are otherwise behind the CGN NAT device.
  • with this innovation it is easy to provide customers with an interface to offer services which are automatically provisioned in the NAT system, with the added benefit that the traffic belonging to their service is treated in a special way that ensures native IP, isolated traffic, and high performance.
  • the service provider network includes a switch that connects the service provider's customers with the network.
  • this switch will be denoted “customer facing switch”, corresponding to its location within the service provider network and corresponding to its functions.
  • the service provider network includes a further switch that connects service provider's customers to the global Internet.
  • this switch will be denoted “Internet facing switch”.
  • the customer facing switch and the Internet facing switch could, in principle, even be the same switch being configured in a loop-back connection, depending on the switch design. Moreover, it would even be possible to deploy a high-power switch that is logically partitioned into two independent ones.
  • the CGN NAT device is located between the customer facing switch and the Internet facing switch. Based on this architectural design it is possible that all traffic that traverses the switches is directed to the CGN NAT device. For instance, this could be realized by setting the default switching entries of the switches accordingly, such that they pass - by default - all incoming IP traffic to the CGN NAT device.
  • the switches of the service provider network are programmable flow-based switches.
  • OpenFlow switches could be deployed.
  • the controller may be provided within the service provider network, where it is logically connected on the one hand to the involved switches of the service provider network and on the other hand to the CGN NAT device.
  • the controller may effectuate CGN NAT device bypassing for specific traffic.
  • CGN NAT device traffic bypassing may be realized in situations in which selected IP traffic belongs to a specific customer side service. For instance, such situations may occur when a service provider's customer wishes to isolate certain "premium" traffic, which e.g. pertains to services hosted on the customer side, from other less vital traffic.
  • the controller includes a web interface for customer login.
  • alternative means may be provided that allow a customer to login to the controller. After successful login, in a next step, it may be provided that the customer is enabled to request at the controller a public IP address and a port for the selected traffic.
  • CGN NAT device traffic bypassing may be realized in situations in which IP traffic is selected by the CGN NAT device itself with the objective to offload the selected IP traffic from the CGN NAT device, for instance because it is currently operating under high load. In this case it may be provided that the CGN NAT device sends a respective notification to the controller.
  • the controller upon receiving such notification/request, installs suitable flow entries within the involved switches. More specifically, the controller may prompt the Internet facing switch to install a respective flow entry for IP traffic belonging to the selected customer side service, such that all such traffic from the Internet is directed directly through the customer facing switch, thus bypassing the CGN NAT device. On the other end, the controller may prompt the customer facing switch to install a flow entry that directs the selected traffic directly through the Internet facing switch, thus also bypassing the CGN NAT device.
  • the controller, before performing any flow entry installations, may check with an AAA server whether the requesting customer is authorized to do so. For instance, in this context it could be checked whether the customer's actual tariff includes the authorization to execute such actions or, if not, whether the customer is willing to pay more for premium traffic isolation as described above.
  • the service provider offers value-added managed services with respect to the traffic of a selected customer side service that circumnavigates the CGN NAT device. For instance, with respect to a service a customer wishes to host at his premises, the service provider could program the switches, in particular the customer facing switch and the Internet facing switch, in such a way that they first redirect traffic/flows of the selected service through a firewall and/or intrusion detection system. As a result, such a firewall and/or intrusion detection system would then not need to be hosted by the customer himself. Instead, the customer could therefore easily outsource the services to the service provider.
  • Fig. schematically illustrates a carrier-grade NAT architecture in accordance with an embodiment of the present invention.
  • Carrier-grade NAT technology is currently being standardized within the IETF. At the moment the NAT “flavor” is the main focus. “Flavor” here refers to aspects such as address ranges used in certain parts of the network and related issues.
  • Today carrier-grade NAT is already in use in countries or areas that face a high mismatch ratio between a provider's public IP range and the number of (potential) customers, e.g. India and China, but also some ISPs in highly developed countries start offering Internet connectivity behind NAT devices.
  • the present invention avoids these problems by allowing certain selected traffic to bypass the CGN NAT device.
  • the present invention relates to a technology and connection design as depicted in the Fig., which allows traffic bypassing and/or traffic offloading from a CGN NAT device 1 in a service provider network 2.
  • the Fig. depicts a service provider network 2, e.g. the network of an Internet service provider.
  • it is beneficial to bypass the CGN NAT device 1 for selected services, e.g. services that are hosted by customers 3 (for instance a web server), and have other traffic from customers 3 still passing the CGN NAT device 1 (e.g. from desktop computers).
  • these issues can be handled in a configurable and dynamic way, as will be explained in detail below.
  • customers 3 are connected to a programmable flow-based switch (such as an OpenFlow switch), which hereinafter is denoted customer facing switch 4a.
  • the default switching entry in the customer facing switch 4a is to pass all traffic to the CGN NAT device 1.
  • Behind the CGN NAT device 1 is another flow-based switch, Internet facing switch 4b, which connects the customers 3 to the global Internet 5. In principle this could even be the same switch as switch 4a in a loop-back connection, depending on the switch design.
  • the Internet facing switch 4b will also per default direct all traffic coming in from the Internet 5 to the CGN NAT device 1, thereby establishing connectivity for all customers 3.
  • the service provider network 2 includes a controller 6 that is logically connected to both the CGN NAT device 1 and the customer and Internet facing switches 4a, 4b, respectively.
  • the customer 3 can login to the controller 6 (e.g. through a web interface) and request a public IP address and port for the service to be hosted. If the customer's 3 tariff allows it, or if he is willing to pay more, which can be checked, for instance, with an AAA (Authentication, Authorization, Accounting) server 7, the respective flow entries are set inside the flow-based switch(es) 4a and 4b.
  • AAA Authentication, Authorization, Accounting
  • the Internet-facing switch 4b will install an entry to direct all traffic from the Internet 5 to the new server (identified by IP address, port and protocol number) directly through the customer-facing switch 4a, thus bypassing the CGN NAT device 1.
  • the customer-facing switch 4a will install an entry that directs all traffic from the new server directly through to the Internet-facing switch 4b, thus also bypassing the CGN NAT device 1.
  • This also includes visibility of the NAT state and potentially setting permanent NAT table entries if the respective customer's tariff allows. For instance, if a business customer wanted to add a new server to his network, which should be reachable over the Internet, a fixed NAT table entry usually needs to be added.
  • the CGN NAT device 1 could signal having high load to the controller 6 which installs respective entries in the flow-based switches 4a, 4b to off-load the CGN NAT device 1 for selected and specific flows. Care needs to be taken of course in case of DoS attacks, but this could be a configuration issue.
  • the flow switches 4a, 4b need to provide packet re-writing capabilities for this, which is available for example in OpenFlow based switches. In any event, relieving the CGN NAT device 1 from traffic in cases of high load conditions makes it more stable.
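As an added example (not code from the patent or from NEC), the following Python simulation models the bypass procedure described above together with the offload case signalled by the CGN NAT device: two programmable flow switches whose default entry sends everything to the CGN, and a controller that, after an AAA tariff check, installs the inbound entry on the Internet facing switch 4b and the outbound entry on the customer facing switch 4a for one customer hosted service identified by IP address, port and protocol number. The offload path installs entries with a rewrite action, since the text notes that the switches need packet re-writing capabilities for that case. The per-customer cap on bypass entries is a constructed configuration choice that bounds flow-table consumption, one way of handling the switch-memory and DoS concerns the text raises. All names, addresses, tariffs and the controller API are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Port/role names of the simulated topology (constructed for this example).
CGN, SW_CUSTOMER, SW_INTERNET = "cgn", "switch-4a", "switch-4b"
INTERNET, CUSTOMER = "internet", "customer"
TCP = 6


@dataclass(frozen=True)
class Match:
    """Flow match fields; None acts as a wildcard, as in an OpenFlow match."""
    proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def hits(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())


@dataclass
class FlowEntry:
    match: Match
    out_port: str
    priority: int = 100
    rewrite: Optional[dict] = None  # header fields to set; needs a rewriting-capable switch


class FlowSwitch:
    """Programmable flow switch: the highest-priority matching entry decides the output."""

    def __init__(self, name: str, capacity: int = 8):
        self.name = name
        self.capacity = capacity  # flow-table memory is limited on real switches
        self.table = [FlowEntry(Match(), CGN, priority=0)]  # default entry: everything to the CGN

    def install(self, entry: FlowEntry) -> None:
        if len(self.table) - 1 >= self.capacity:
            raise RuntimeError(f"{self.name}: flow table full")
        self.table.append(entry)

    def process(self, pkt: dict) -> tuple[str, dict]:
        """Return (output port, packet after any rewrite action)."""
        entry = max((e for e in self.table if e.match.hits(pkt)), key=lambda e: e.priority)
        return entry.out_port, {**pkt, **(entry.rewrite or {})}


class Controller:
    """Controller logically connected to both switches and to the CGN (hypothetical API)."""

    def __init__(self, sw_a: FlowSwitch, sw_b: FlowSwitch, aaa: dict, max_services: int = 2):
        self.sw_a, self.sw_b, self.aaa = sw_a, sw_b, aaa
        self.max_services = max_services  # per-customer cap: bounds flow-table use and abuse
        self.services: dict[tuple, str] = {}  # (public ip, port, proto) -> customer

    def request_bypass(self, customer: str, ip: str, port: int, proto: int) -> bool:
        """A logged-in customer asks for native connectivity for one hosted service."""
        if not self.aaa.get(customer, {}).get("premium"):  # AAA check: the tariff must allow it
            return False
        key = (ip, port, proto)
        if key in self.services or list(self.services.values()).count(customer) >= self.max_services:
            return False
        # Internet -> customer: 4b sends the service's traffic straight to 4a, not to the CGN.
        self.sw_b.install(FlowEntry(Match(proto=proto, dst_ip=ip, dst_port=port), SW_CUSTOMER))
        # Customer -> Internet: 4a sends the service's replies straight to 4b.
        self.sw_a.install(FlowEntry(Match(proto=proto, src_ip=ip, src_port=port), SW_INTERNET))
        self.services[key] = customer
        return True

    def cgn_offload(self, public: tuple, private: tuple) -> None:
        """The CGN reports high load for an existing mapping; the switches take over its translation."""
        pub_ip, pub_port, proto = public
        priv_ip, priv_port, _ = private
        self.sw_b.install(FlowEntry(Match(proto=proto, dst_ip=pub_ip, dst_port=pub_port), SW_CUSTOMER,
                                    rewrite={"dst_ip": priv_ip, "dst_port": priv_port}))
        self.sw_a.install(FlowEntry(Match(proto=proto, src_ip=priv_ip, src_port=priv_port), SW_INTERNET,
                                    rewrite={"src_ip": pub_ip, "src_port": pub_port}))


def trace(ctrl: Controller, pkt: dict, from_internet: bool) -> tuple[list, dict]:
    """Hops a packet takes; the model stops at the CGN when the traffic is not bypassed."""
    if from_internet:
        out, pkt = ctrl.sw_b.process(pkt)
        hops = [INTERNET, SW_INTERNET] + ([CGN] if out == CGN else [SW_CUSTOMER, CUSTOMER])
    else:
        out, pkt = ctrl.sw_a.process(pkt)
        hops = [CUSTOMER, SW_CUSTOMER] + ([CGN] if out == CGN else [SW_INTERNET, INTERNET])
    return hops, pkt


def demo() -> dict:
    """Constructed scenario: one premium customer hosting a web server, one home user."""
    ctrl = Controller(FlowSwitch(SW_CUSTOMER), FlowSwitch(SW_INTERNET),
                      aaa={"acme": {"premium": True}, "home-user": {"premium": False}})
    web_in = {"proto": TCP, "src_ip": "198.51.100.7", "src_port": 51000, "dst_ip": "203.0.113.10", "dst_port": 443}
    web_out = {"proto": TCP, "src_ip": "203.0.113.10", "src_port": 443, "dst_ip": "198.51.100.7", "dst_port": 51000}
    ctrl.cgn_offload(("203.0.113.20", 40000, TCP), ("10.0.0.5", 5555, TCP))  # CGN under load
    return {
        "acme_ok": ctrl.request_bypass("acme", "203.0.113.10", 443, TCP),
        "home_ok": ctrl.request_bypass("home-user", "203.0.113.11", 80, TCP),
        "acme_second": ctrl.request_bypass("acme", "203.0.113.10", 22, TCP),
        "acme_third": ctrl.request_bypass("acme", "203.0.113.10", 25, TCP),  # over the cap
        "web_in": trace(ctrl, web_in, True)[0],
        "other_in": trace(ctrl, {**web_in, "dst_port": 8080}, True)[0],
        "web_out": trace(ctrl, web_out, False)[0],
        "offloaded": trace(ctrl, {**web_in, "dst_ip": "203.0.113.20", "dst_port": 40000}, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the block prints the forwarding decisions of the constructed scenario: the premium customer's web traffic takes the 4b to 4a path in both directions without touching the CGN, traffic to any other port of the same customer still hits the single default entry toward the CGN, the home user's request is refused by the AAA check, and the offloaded flow is translated by the switches themselves.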

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a system for controlling IP traffic in a service provider network. Said service provider network (2) comprises one or more switches (4a, 4b) for connecting the service provider's customers (3) to the global Internet (5), and a carrier grade network address translation (CGN NAT) device (1) configured to translate between private and public IP addresses, the private side facing said service provider's customers (3). The method and system are characterized in that said service provider's customers (3) and/or said CGN NAT device (1) are enabled to select IP traffic according to configurable criteria, the selected IP traffic being routed such that it bypasses said CGN NAT device (1).
PCT/EP2011/069015 2010-10-29 2011-10-28 Method and system for controlling IP traffic in a service provider network WO2012056010A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP10014105 2010-10-29
EP10014105.0 2010-10-29

Publications (1)

Publication Number Publication Date
WO2012056010A1 true WO2012056010A1 (fr) 2012-05-03

Family

ID=45047729

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/069015 WO2012056010A1 (fr) 2010-10-29 2011-10-28 Method and system for controlling IP traffic in a service provider network

Country Status (1)

Country Link
WO (1) WO2012056010A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103580880A (zh) * 2012-08-03 2014-02-12 Huawei Technologies Co., Ltd. Method, device, and system for quickly notifying a CGN exception
US9860195B2 (en) 2015-12-31 2018-01-02 Hughes Network Systems, Llc Method and system of providing carrier grade NAT (CGN) to a subset of a subscriber base
CN108234139A (zh) * 2016-12-14 2018-06-29 China Telecom Co., Ltd. Method and system for tracing user identity in a broadband network, and tracing device
US10819678B2 (en) 2016-08-24 2020-10-27 British Telecommunications Public Limited Company Data network address sharing between multiple elements associated with a shared network interface unit
CN113472676A (zh) * 2020-03-31 2021-10-01 Huawei Technologies Co., Ltd. Network access control method, SDF, CP, UP and network system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BUSH R ET AL: "The A+P Approach to the IPv4 Address Shortage; draft-ymbk-aplusp-06.txt", THE A+P APPROACH TO THE IPV4 ADDRESS SHORTAGE; DRAFT-YMBK-APLUSP-06.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARDWORKINGDRAFT, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, no. 6, 18 October 2010 (2010-10-18), pages 1 - 38, XP015071914 *
NICK MCKEOWN ET AL: "OpenFlow: Enabling Innovation in Campus Networks", 14 March 2008 (2008-03-14), pages 1 - 6, XP055002028, Retrieved from the Internet <URL:http://www.openflow.org/documents/openflow-wp-latest.pdf> [retrieved on 20110705] *
NIKHIL HANDIGO ET AL: "Plug-n-Serve: Load-Balancing Web Traffic using OpenFlow", 31 July 2009 (2009-07-31), pages 1 - 2, XP055023941, Retrieved from the Internet <URL:http://conferences.sigcomm.org/sigcomm/2009/demos/sigcomm-pd-2009-final26.pdf> [retrieved on 20120405] *
XU HUAWEI TECHNOLOGIES CO X ET AL: "Redundancy Requirements and Framework for Stateful Network Address Translators (NAT); draft-xu-behave-stateful-nat-standby-06.txt", REDUNDANCY REQUIREMENTS AND FRAMEWORK FOR STATEFUL NETWORK ADDRESS TRANSLATORS (NAT); DRAFT-XU-BEHAVE-STATEFUL-NAT-STANDBY-06.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARDWORKINGDRAFT, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEV, no. 6, 20 October 2010 (2010-10-20), pages 1 - 14, XP015072012 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103580880A (zh) * 2012-08-03 2014-02-12 Huawei Technologies Co., Ltd. Method, device, and system for quickly notifying a CGN exception
US9553805B2 (en) 2012-08-03 2017-01-24 Huawei Technologies Co., Ltd. Method, device, and system for quickly informing CGN exception
US10110555B2 (en) 2012-08-03 2018-10-23 Huawei Technologies Co., Ltd. Method, device, and system for quickly informing CGN exception
US9860195B2 (en) 2015-12-31 2018-01-02 Hughes Network Systems, Llc Method and system of providing carrier grade NAT (CGN) to a subset of a subscriber base
US10819678B2 (en) 2016-08-24 2020-10-27 British Telecommunications Public Limited Company Data network address sharing between multiple elements associated with a shared network interface unit
CN108234139A (zh) * 2016-12-14 2018-06-29 China Telecom Co., Ltd. Method and system for tracing user identity in a broadband network, and tracing device
CN108234139B (zh) * 2016-12-14 2021-01-12 China Telecom Co., Ltd. Method and system for tracing user identity in a broadband network, and tracing device
CN113472676A (zh) * 2020-03-31 2021-10-01 Huawei Technologies Co., Ltd. Network access control method, SDF, CP, UP and network system

Similar Documents

Publication Publication Date Title
US11271905B2 (en) Network architecture for cloud computing environments
CN107623663B (zh) Method and apparatus for processing network traffic
Blendin et al. Position paper: Software-defined network service chaining
US7633864B2 (en) Method and system for creating a demilitarized zone using network stack instances
US10075459B1 (en) Securing workspaces in a cloud computing environment
US8458786B1 (en) Automated dynamic tunnel management
US7401355B2 (en) Firewall load balancing using a single physical device
US10686874B2 (en) Load balancing method, apparatus and system
US9774565B2 (en) Role based router functionality
US10419236B1 (en) Mobile wide area network IP translation configuration
WO2015062627A1 (fr) Control of a service chain
US7283534B1 (en) Network with virtual “Virtual Private Network” server
US11677717B2 (en) Unified network service that connects multiple disparate private networks and end user client devices operating on separate networks
US9491042B1 (en) Requesting high availability for network connections through control messages
WO2012056010A1 (fr) Method and system for controlling IP traffic in a service provider network
US9042389B2 (en) Multi-access communications gateway
EP3166262B1 (fr) Control device, control system, control method and control program
WO2012087217A1 (fr) Method and arrangement for forwarding data packets
CN101917414A (zh) BGP classification gateway device and method for implementing gateway functions with the device
Polezhaev et al. Implementation of dynamically autoconfigured multiservice multipoint VPN
US9800545B2 (en) Role based router functionality
US12010097B2 (en) Network architecture for cloud computing environments
Lee et al. Deployment considerations for dual-stack lite
KR102527370B1 (ko) Dynamic service configuration method through service function chaining for NFV-based Internet services that provide both public and private IP addresses
Linkova et al. Using Conditional Router Advertisements for Enterprise Multihoming

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11788389

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11788389

Country of ref document: EP

Kind code of ref document: A1