WO2012098596A1 - Communication system, control device, policy management device, communication method, and program - Google Patents
Communication system, control device, policy management device, communication method, and program Download PDFInfo
- Publication number
- WO2012098596A1 WO2012098596A1 PCT/JP2011/004817 JP2011004817W WO2012098596A1 WO 2012098596 A1 WO2012098596 A1 WO 2012098596A1 JP 2011004817 W JP2011004817 W JP 2011004817W WO 2012098596 A1 WO2012098596 A1 WO 2012098596A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- processing rule
- control device
- forwarding node
- user
- policy
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0895—Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/12—Avoiding congestion; Recovering from congestion
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0894—Policy-based network configuration management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/34—Signalling channels for network management communication
- H04L41/342—Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
Definitions
- the present invention relates to a communication system, a control device, a policy management device, a communication method, and a program, and in particular, relates to a communication system, a control device, a policy management device, a communication method, and a program, which realize communication by forwarding a packet via forwarding nodes arranged in a network.
- Non-Patent Literature 1 and 2 In recent years, technology known as OpenFlow has been proposed (refer to Patent Literature 1, and Non-Patent Literatures 1 and 2). In OpenFlow, communication is taken as end-to-end flow, and path control, recovery from failure, load balancing, and optimization are performed in flow units.
- An OpenFlow switch as specified in Non-Patent Literature 2 is provided with a secure channel for communication with an OpenFlow controller that is regarded as a control device, and operates according to a flow table in which appropriate addition or rewriting is instructed by the OpenFlow controller.
- In the flow table are definitions of sets of matching rules (header fields) that refer to packet headers, flow statistical information (Counters), and actions (Actions) defining processing content, for each flow (refer to Fig. 24).
- an OpenFlow switch when an OpenFlow switch receives a packet, an entry is searched for that has a matching rule (refer to the header fields of Fig. 24) that matches header information of the received packet, from the flow table.
- a matching rule (refer to the header fields of Fig. 24) that matches header information of the received packet, from the flow table.
- the OpenFlow switch updates the flow statistical information (Counters), and also implements processing content (packet transmission from a specified port, flooding, dropping, and the like) described in an Actions field of the entry, for the received packet.
- the OpenFlow switch forwards the received packet to the OpenFlow controller via a secure channel, requests determination of a path of the packet based on source and destination of the received packet, receives a flow entry for realizing this, and updates the flow table.
- the OpenFlow switch uses the entry contained in the flow table as a processing rule to perform packet forwarding.
- Patent Literature 2 has a description in which a control device corresponding to the abovementioned OpenFlow controller searches for an authenticated host or group policy, refers to the policy, and only in a case where a flow belonging to the received packet is allowed, performs determination and setting of a path according to the policy (refer to Fig. 6, and [0076] to [0077] of Patent Literature 2).
- An OpenFlow controller of Patent Literature 1 refers to a policy file when a new flow is generated, performs a permission check, and thereafter carries out access control by calculating a path (refer to [0052] in Patent Literature 1, and to Fig. 6 and [0076] to [0077] in Patent Literature 2).
- a NOX (Controller) of Patent Literature 2 searches for a policy based on a group or name given to a user or host, and according to a result thereof, performs packet forwarding to an authenticated system, determination and setting of a path according to the policy, and packet dropping.
- the present invention has been made in light of the abovementioned situations, and it is an object thereof to provide a communication system, a control device, a policy management device, a communication method, and a program, whereby it is possible to reduce load on a control device performing a policy check and path control on a forwarding node, in accordance with a request from the forwarding node as described above.
- a communication (network) system comprising: a control device; a forwarding node(s) that processes (or handles), in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, wherein the control device further comprises: a setting request transmission permitting unit that, based on a notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and a path control unit that, in a case of receiving the setting request from a forwarding node to which the first processing rule is set, determines a path from the user terminal to an access destination in accordance with the communication policy, and sets to a forwarding node along the path
- a control device that is connected to: a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, wherein the control device comprises: a setting request transmission permitting unit that, based on a notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and a path control unit that, in a case of receiving the setting request from a forwarding node to which the first processing rule is set, determines a path from the user terminal to an access destination in accordance with the communication policy, and sets to a forwarding node along the path a second processing rule that corresponds to the path.
- a policy management device that provides the abovementioned control device with a communication policy that corresponds to a user for whom authentication has succeeded.
- a communication method performed by a control device connected to: a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, wherein the communication method comprises: based on a notification from the policy management device, setting to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and in a case of receiving the setting request from a forwarding node for which the first processing rule is set, determining a path from the user terminal to an access destination in accordance with the communication policy, and setting to a forwarding node along the path a second processing rule that corresponds to the path.
- the present method is linked with a specific instrument, known as a
- a program that causes a computer comprising included in a control device connected to: a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, to execute: based on a notification from the policy management device, setting to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and in a case of receiving the setting request from a forwarding node for which the first processing rule is set, determining a path from the user terminal to an access destination in accordance with the communication policy, and setting to a forwarding node along the path a second processing rule that corresponds to the path.
- the program can be recorded in computer
- Fig. 1 is a diagram for describing an outline of the present invention.
- Fig. 2 is a diagram representing a configuration of a communication system of a first exemplary embodiment of the present invention.
- Fig. 3 is an example of authentication information stored in an authentication device of the first exemplary embodiment of the present invention.
- Fig. 4 is an example of communication policy information stored in a communication policy storage unit of the first exemplary embodiment of the present invention.
- Fig. 5 is an example of resource information stored in a resource information storage unit of the first exemplary embodiment of the present invention.
- Fig. 6 is an example of a communication policy notified to a control device from a policy management device of the first exemplary embodiment of the present invention.
- Fig. 1 is a diagram for describing an outline of the present invention.
- Fig. 2 is a diagram representing a configuration of a communication system of a first exemplary embodiment of the present invention.
- Fig. 3 is an example of authentication information stored in an authentication device of the first exemplary embodiment of the
- FIG. 7 is a block diagram representing a configuration of a control device of the first exemplary embodiment of the present invention.
- Fig. 8 is a sequence diagram representing a sequence of operations of the first exemplary embodiment of the present invention.
- Fig. 9 is a diagram representing a processing rule storage table stored in a forwarding node of the first exemplary embodiment of the present invention.
- Fig. 10 is a diagram for describing operations until a user, who is using a communication system of the first exemplary embodiment of the present invention, receives user authentication from an authentication device.
- Fig. 11 is a continuation diagram of Fig. 10.
- Fig. 12 is a diagram showing a state where a first processing rule is added to the processing rule storage table of Fig. 9.
- Fig. 13 is a continuation diagram of Fig. 11.
- Fig. 11 is a continuation diagram of Fig. 11. Fig.
- Fig. 14 is a continuation diagram of Fig. 13.
- Fig. 15 is a diagram showing a state where a second processing rule is added to the processing rule storage table of Fig. 12.
- Fig. 16 is a continuation diagram of Fig. 14.
- Fig. 17 is a sequence diagram representing operations when the communication system of the first exemplary embodiment of the present invention receives a data packet of an unauthenticated user.
- Fig. 18 is a sequence diagram representing operations when the communication system of the first exemplary embodiment of the present invention receives a data packet exceeding a user's access rights from the user.
- Fig. 19 is a sequence diagram representing operations of a second exemplary embodiment of the present invention.
- Fig. 20 is a diagram for describing a configuration of a communication system of a third exemplary embodiment of the present invention.
- Fig. 21 is a sequence diagram representing operations of the third exemplary embodiment of the present invention.
- Fig. 22 is an example of communication policy information stored in a communication policy storage unit of a fourth exemplary embodiment of the present invention.
- Fig. 23 is a diagram for describing operations of the fourth exemplary embodiment of the present invention.
- Fig. 24 is a diagram representing a configuration of a flow entry described in Non-Patent Literature 2.
- the present invention is realized by forwarding nodes 200A and 200B that forward a packet transmitted from a user terminal in accordance with a processing rule set by a control device 300, a policy management device 320 that manages a communication policy and notifies the control device 300 of a communication policy, which has been granted to a user for whom authentication has succeeded, and the control device 300 that sets a processing rule in the forwarding nodes 200A and 200B.
- a policy management device 320 that manages a communication policy and notifies the control device 300 of a communication policy, which has been granted to a user for whom authentication has succeeded
- the control device 300 that sets a processing rule in the forwarding nodes 200A and 200B.
- the control device 300 comprises a setting request transmission permitting unit 301 and a path control unit 302.
- the setting request transmission permitting unit 301 sets a first processing rule causing a forwarding node (for example, the forwarding node 200A of Fig. 1) that receives a packet from the user terminal 100, to make a setting request of a processing rule with regard to a packet transmitted from the user terminal 100, based on a notification (Fig. 1, (2) communication policy) from the policy management device 320, sent at a prescribed trigger (for example, Fig. 1, (1) user authentication protocol) (Fig. 1, (3) first processing rule setting).
- a forwarding node for example, the forwarding node 200A of Fig. 1
- a notification Fig. 1, (2) communication policy
- a prescribed trigger for example, Fig. 1, (1) user authentication protocol
- a forwarding node (for example, the forwarding node 200A of Fig. 1) makes a request to the control device 300 to set a processing rule with regard to a packet transmitted from the user terminal 100 in accordance with the first processing rule.
- the path control unit 302 of the control device 300 In a case of receiving a request for setting of a processing rule from a forwarding node as described above (Fig. 1, (5) setting request for second processing rule), the path control unit 302 of the control device 300 generates a path from the user terminal 100 to an access destination (for example, a network resource 600) in accordance with the communication policy, and sets the second processing rule realizing the path (Fig. 1, (6) setting of second processing rule).
- the forwarding nodes 200A and 200B perform processing to drop (discard) the packet.
- Fig. 1 shows a configuration in which the control device 300 comprises the setting request transmission permitting unit 301 and the path control device 302, each of which is independent, but since both have a common point in that they generate and set a processing rule, realization is possible by two processing means with separate functions, being a means for generating a processing rule (path and action calculating unit of a first exemplary embodiment as described later) and a means for setting a processing rule (a processing rule management unit of the first exemplary embodiment as described later), as adopted in an exemplary embodiment to be described later.
- two processing means with separate functions being a means for generating a processing rule (path and action calculating unit of a first exemplary embodiment as described later) and a means for setting a processing rule (a processing rule management unit of the first exemplary embodiment as described later), as adopted in an exemplary embodiment to be described later.
- Fig. 2 is a diagram representing a configuration of a communication system of the first exemplary embodiment of the present invention. Referring to Fig. 2, a configuration is shown that includes a plurality of forwarding nodes 201 to 204, a control device 300 that sets a processing rule in these forwarding nodes, a policy management device 320 that notifies the control device 300 of a communication policy, and an authentication device 310 that provides authentication information showing an authentication result to the policy management device 320.
- the forwarding nodes 201 to 204 are switching devices that process a received packet in accordance with a processing rule associating a matching rule that refers to a received packet and processing content applied to a packet that matches the matching rule.
- a processing rule associating a matching rule that refers to a received packet and processing content applied to a packet that matches the matching rule.
- network resources 600A and 600B are connected to the forwarding node 204, and a user terminal 100 can communicate with the network resources 600A and 600B, via the forwarding nodes 201 to 204.
- the network resource 600A and the network resource 600B respectively belong to different resource groups, and resource_group_0001 and resource_group_0002 are attached thereto as respective resource group IDs.
- the authentication device 310 is an authentication server or the like that uses a password or biometric authentication information to perform a user authentication protocol with a user terminal 100.
- the authentication device 310 transmits authentication information indicating a result of the user authentication protocol with the user terminal 100 to the policy management device 320.
- Fig. 3 is an example of authentication information stored in the authentication device 310 of the present exemplary embodiment.
- the authentication device 310 transmits attributes of user1, IP address: 192.168.100.1, and MAC address: 00-00-00-44-55-66, and a user1 entry of role ID: role_0001 and role_0002 as authentication information to the policy management device 320.
- attributes of user2, IP address: 192.168.100.2, and MAC address: 00-00-00-77-88-99, and a user2 entry of role ID: role_0002 are transmitted as authentication information to the policy management device 320.
- the authentication information may be information whereby the policy management device 320 can determine a communication policy given to a user, and is not limited to an example of Fig. 3.
- the user ID of a user for whom authentication has succeeded a role ID derived from the user ID, an access ID such as a MAC address or the like, location information for the user terminal 100, or a combination thereof, as authentication information.
- information concerning a user for whom authentication has failed may be transmitted to the policy management device 320, as authentication information, and a communication policy whereby the policy management device 320 limits access from the user may be transmitted to the control device 300.
- the policy management device 320 is a device that is connected to a communication policy storage unit 321 and a resource information storage unit 322; determines a communication policy in response to authentication information received from the authentication device 310; and transmits to the control device 300.
- Fig. 4 is an example of communication policy information stored in the communication policy storage unit 321.
- communication policy information is shown which sets a resource group ID given to a group of resources, and access rights.
- a user having a role ID: role_0001 is allowed access to both resource group IDs: resource_group_0001 and resource_group_0002.
- a user having a role ID: role_0002 is not allowed access to the resource group ID: resource_group_0001, but is allowed access to the resource_group_0002.
- Fig. 5 is an example of resource information stored in the resource information storage unit 322.
- the example of Fig. 5 has content associating resource IDs of resources belonging to the abovementioned resource group IDs and detailed attributes thereof.
- resources of resource_0001, resource_0002, and resource_0003 are included in a group identified by the resource group ID: resource_group_0001, and it is possible to identify IP address, MAC address, and port numbers used in services, for each thereof.
- the policy management device 320 determines a communication policy for a user who has received authentication in the authentication device 310, and gives a notification to the control device 300. For example, with a role ID included in authentication information received from the authentication device 310, it is possible to identify content of a resource group ID attached to the corresponding role ID and access rights thereof, from the policy information of Fig. 4. Information of a resource belonging to the resource group ID from the resource information of Fig. 5 is used to generate a communication policy.
- Fig. 6 illustrates a communication policy of a user having a user ID: user1 generated from information shown in Fig. 3, Fig. 4, and Fig. 5.
- a value of attributes information of the user ID: user1 of the authentication information of Fig. 3 is set in a source field of Fig. 6.
- a resource attribute extracted from the resource information of Fig. 5 is set, based on content of the role ID: role_0001 of the policy information of Fig. 4, in a destination field.
- a value the same as the access rights of the role ID: role_0001 of the policy information of Fig. 4 is set in an access rights field.
- a service that is set in a resource attributes field of resource information of Fig. 5 and a port number are set in a conditions (options) field.
- the control device 300 On receiving the communication policy as described above, the control device 300 first generates a first processing rule whereby a request for setting of a processing with regard to a packet from a user that is a target of application of the communication policy is transmitted, and to be set in a forwarding node selected from the forwarding nodes 201 to 204. Furthermore, in a case of receiving a request for setting of a processing rule, according to the first processing rule, the control device 300 generates a forwarding path for a packet and a processing rule realizing the forwarding path, based on packet information included in the request for setting of the processing rule, to be set in a forwarding node along the packet forwarding path.
- Fig. 7 is a block diagram representing a detailed configuration of the control device 300 of the present exemplary embodiment.
- the control device 300 comprises: a node communication unit 11 that performs communication with the forwarding nodes 201 to 204, a control message processing unit 12, a processing rule management unit 13, a processing rule storage unit 14, a forwarding node management unit 15, a path and action calculating unit 16, a topology management unit 17, a terminal location management unit 18, a communication policy management unit 19, and a communication policy storage unit 20.
- a node communication unit 11 that performs communication with the forwarding nodes 201 to 204
- a control message processing unit 12 a processing rule management unit 13
- a processing rule storage unit 14 a forwarding node management unit 15
- a path and action calculating unit 16 a topology management unit 17, a terminal location management unit 18, a communication policy management unit 19, and a communication policy storage unit 20.
- the control message processing unit 12 analyzes a control message received from a forwarding node, and delivers the control message information to a relevant processing means in the control device 300.
- the processing rule management unit 13 manages how a processing rule is set and in which forwarding node. Specifically, a processing rule generated in the path and action calculating unit 16 is registered in the processing rule storage unit 14 and set in a forwarding node, and in response to a case where a change occurs in a processing rule that has been set in a forwarding node, according to a processing rule deletion notification or the like from a forwarding node, registered information in the processing rule storage unit 14 is updated.
- the forwarding node management unit 15 manages capability (for example, the number and type of ports, the type of actions supported, and the like) of a forwarding node controlled by the control device 300.
- the path and action calculating unit 16 On receiving a communication policy from the communication policy management unit 19, the path and action calculating unit 16 first refers to network topology stored in the topology management unit 17, in accordance with the communication policy, and generates a processing rule (first processing rule) that executes a request for setting of a processing with regard to a packet from a user.
- the forwarding node having a set destination of the processing rule may be all forwarding nodes to which there is a possibility of the user terminal 100 connecting to, or, may a forwarding node (for example, the forwarding node 201 of Fig. 1) may be selected from the terminal location management unit 18 based on source information included in the communication policy.
- the path and action calculating unit 16 On receiving a request for setting of a processing rule, based on the abovementioned processing rule (first processing rule), the path and action calculating unit 16 generates, based on packet information included in the request for setting of the processing rule, a forwarding path for the packet and a processing rule realizing the forwarding path.
- the path and action calculating unit 16 computes the forwarding path of the packet based on location information of a communication terminal managed by the terminal location management unit 18 and network topology information configured in the topology management unit 17.
- the path and action calculating unit 16 acquires port information and the like of a forwarding node in the forwarding path, from the forwarding node management unit 15, and obtains an action executed in a forwarding node in the path in order to realize the computed forwarding path, and a matching rule that identifies a flow to which the action is applied.
- the matching rule can be generated using a source IP address, a destination IP address, conditions (options), or the like, of the communication policy of Fig. 6.
- respective processing rules are generated that decide a forwarding node which is a subsequent hop, or an action for forwarding from a port to which the network resources 600A and 600B are connected.
- a processing rule may be generated not only for a packet for which a request for setting of a processing rule has been received, but also for realizing packet forwarding to a resource for which a user terminal has access rights.
- the topology management unit 17 configures network topology information based on connection relations of the forwarding nodes 201 to 204 collected via the node communication unit 11.
- the terminal location management unit 18 manages information that identifies the location of a user terminal connected to the communication system.
- a description is given in which, with an IP address as information for identifying a user terminal, information of a forwarding node identifier of a forwarding node to which the user terminal is connected, and of a port thereof, is used as information for identifying the location of the user terminal.
- information provided by the authentication device 310 may be used to identify the terminal and its location.
- the communication policy management unit 19 On receiving communication policy information from the policy management device 320, the communication policy management unit 19 stores the information in the communication policy storage unit 20, and also transmits the information to the path and action calculating unit 16.
- control device 300 can be realized by adding a function to generate the first processing rule (flow entry) with receipt of the abovementioned communication policy as a trigger, based on an OpenFlow controller of Non-Patent Literatures 1 and 2.
- respective units (processing means) of the control device 300 shown in Fig. 7 can be realized by a computer program that stores the respective information items described above and executing each of the processes described above, in a computer forming the control device 300, by using hardware thereof.
- a processing rule is set, as shown in Fig. 8, in the forwarding node 201 connected to the user terminal.
- the uppermost entry is a processing rule that forwards a packet belonging to flow #A to the forwarding node 203.
- the third entry from the top is a processing rule that forwards an authenticated packet to the authentication device 310.
- the lowermost entry is a processing rule that drops other packets that do not relate to the highest priority processing rule as described above.
- a forwarding node is given a priority in which the higher the position is, the higher the priority.
- Fig. 9 is a sequence diagram representing a sequence of operations of the present exemplary embodiment. Referring to Fig. 9, first, when a user terminal makes a login request to the authentication device 310, as shown in Fig. 10, the forwarding node 201 performs packet forwarding to the authentication device 310, in accordance with a processing rule for an authenticated packet shown in Fig. 8 (S001 in Fig. 9).
- the authentication device 310 When the authentication device 310 performs user authentication (S002 in Fig. 9), and transmits authentication information to the policy management device 320 (S003 in Fig. 9), the policy management device 320 refers to the communication policy storage unit 321 and the resource information storage unit 322 based on the received authentication information, determines a communication policy (S004 in Fig. 9), and transmits to the control device 300 (refer to S005 in Fig. 9, and to Fig. 11).
- the control device 300 On receiving the communication policy, the control device 300 sets a first processing rule for making a setting request of a processing with regard to a packet from the user terminal, in the forwarding node 201 (refer to S006 in Fig. 9, and to Fig. 11).
- Fig. 12 is a diagram showing a processing rule set in the forwarding node 201, after setting the first processing rule.
- a processing rule (first processing rule) that causes a received packet to be forwarded to the control device 300 from an authenticated terminal is set to a location with a lower priority than an authenticated packet.
- the forwarding node 201 in which the first processing rule has been set transmits a request for setting of a processing rule, to the control device 300 (S008 in Fig. 9).
- the control device 300 that has received the request for setting of a processing rule performs calculation of a forwarding path of a packet for which the request for setting of the processing rule has been received, in accordance with a communication policy, and as shown in Fig. 14, generates and sets a processing rule prescribing packet processing content in respective forwarding nodes (S009 in Fig. 9).
- Fig. 15 is a diagram showing a processing rule set in the forwarding node 201, after setting the second processing rule.
- a processing rule (second processing rule) that causes a user terminal to forward a packet (flow #B) with a destination of a network resource to the forwarding node 202.
- control device 300 sets a processing rule in a forwarding node in a forwarding path, as shown in Fig. 16, communication becomes possible between the user terminal and the network resource ("start communication" in Fig. 9).
- Fig. 17 is a sequence diagram representing operations in a case where a packet with a destination of a network resource is transmitted by the user terminal, without passing user authentication.
- a processing rule that drops (discards) packets (other packets in Fig. 8) which do not match a processing rule that has already been set, the forwarding node 201 drops the received packet (S009 in Fig. 17).
- Fig. 18 is a sequence diagram representing operations in a case where user authentication has been passed but a packet (for example, flow #C), having a destination of a network resource without access rights, is transmitted by the user terminal.
- a packet for example, flow #C
- the forwarding node 201 since in the forwarding node 201 a processing rule is set that drops packets (other packets in Fig. 15) which do not match a processing rule that has already been set, the forwarding node 201 drops a received packet (S009 in Fig. 18).
- a destination or port as a matching rule of the first processing rule, it is possible to reduce the number of packets for which the control device 300 is requested to set a processing rule, and to drop other packets.
- the control device 300 first sets a first processing rule allowing the request itself for setting a processing rule, it is possible to reduce the number of requests to set a processing rule issued by forwarding nodes. As a result, it is possible to reduce the load on the control device accompanying requests to set a processing rule.
- Fig. 19 is a sequence diagram representing a sequence of operations of the present exemplary embodiment. Operations up to where a user terminal makes a login request to an authentication device 310 (S101 in Fig. 19), and user authentication is performed in the authentication device 310 are similar to the first exemplary embodiment. In the present exemplary embodiment, if user authentication fails (S102 in Fig. 19), the authentication device 310 transmits authentication information (NG) to a policy management device 320 (S103-1 in Fig. 19).
- NG authentication information
- the policy management device 320 that receives the authentication NG information transmits the received authentication NG information to a control device 300 (S103-2 in Fig. 19).
- information specifying a user terminal for which the authentication has failed (MAC address or information on connected forwarding nodes) is included in the received authentication NG information.
- the control device 300 that receives the authentication NG information sets a processing rule for dropping a packet from the user terminal in a forwarding node 201, and also in a forwarding node for which there is a possibility of being connected to the user terminal. It is to be noted that it is desirable to give a higher priority to this processing rule than other processing rules.
- the forwarding node 201 performs processing to drop the packet transmitted from the user terminal (S109 in Fig. 19).
- the present exemplary embodiment in addition to an effect of the first exemplary embodiment described above, it is possible to curtail forwarding to the authentication device 310 of a packet from a user for whom authentication has failed once, and to protect from unauthorized access from a malicious user. Furthermore, in the exemplary embodiment described above a description has been given in which the packet from the user terminal is dropped, but a processing rule may be set, which causes access to a specific server displaying a message that access is not possible to the user terminal.
- a communication policy of the first exemplary embodiment described above may be made to hold a flag or the like forbidding setting of a first processing rule, and an instruction may be given to drop a packet from the user terminal.
- Fig. 20 is a diagram for describing a configuration of a communication system of the third exemplary embodiment of the present invention.
- a point of difference in the configuration with respect to the first exemplary embodiment represented in Fig. 2 is that a second authentication device 311 is added in parallel to an (first) authentication device 310.
- the second authentication device 311 similar to the authentication device 310, can transmit a result of user authentication with respect to a user terminal 100 via a forwarding node 201 to a policy management device 320.
- Fig. 21 is a sequence diagram representing an operation of the third exemplary embodiment of the present invention.
- the user terminal makes a login request to the authentication device 310 (S201 in Fig. 21), and a user authentication protocol is performed in the authentication device 310 (S202 in Fig. 21).
- the authentication device 310 transmits a result thereof to a policy management device 320 and the second authentication device 311 (S203 in Fig. 21).
- the policy management device 320 On confirming that a source of authentication information is the authentication device 310, the policy management device 320 generates a communication policy indicating that a user authentication protocol with the authentication device 311 has not been completed by the user terminal, and transmits to a control device 300 (S204 and S205 in Fig. 21).
- the control device 300 that receives the communication policy sets to the forwarding node 201 a processing rule redirecting a packet next sent from a user terminal to the second authentication device 311 (S206 in Fig. 21).
- the forwarding node 201 redirects to the second authentication device 311, in accordance with the processing rule (S207-1 and S207-2 in Fig. 21).
- the second authentication device 311 makes a request for a user authentication protocol to the user terminal (S208 of Fig. 21).
- the user authentication protocol is performed between the user terminal and the authentication device 311 (S209 and S210 in Fig. 21), and a result thereof is transmitted to the policy management device 320 (S211 of Fig. 21).
- the policy management device 320 refers to a communication policy storage unit 321 and a resource information storage unit 322 based on the received authentication information, determines a communication policy (S212 of Fig. 21), and transmits the policy to the control device 300 (S213 of Fig. 21).
- the control device 300 sets a first processing rule for making a request for setting of a processing with regard to a packet from a user terminal in a forwarding node 201 (S214 in Fig. 21).
- the possibility of a first and second processing rule being set by a malicious user can be further reduced.
- the policy management device 320 determines whether or not a user authentication protocol with a predetermined plurality of authentication devices has been completed by the user terminal.
- a configuration is also possible in which a table or the like is provided that manages an authentication state of respective users, on the policy management device 320 side. In this way, it is possible to use a method in which, after first performing the user authentication protocol with the authentication device 311, the user authentication protocol with the authentication device 310 is performed.
- an arrangement is possible in which it is sufficient if management is performed by providing an appropriate period of validity for authentication results obtained from respective authentication devices, and a user authentication protocol is performed with authentication devices for which the period of validity has expired.
- Fig. 22 is an example of communication policy information stored in a communication policy storage unit of the fourth exemplary embodiment of the present invention.
- a point of difference from the communication policy information stored in the communication policy storage unit of the first exemplary embodiment is that a movement range limitation field indicating a range of possible movement of a user terminal is added.
- a policy management device 320 based on communication policy information as described above, gives an instruction to a control device 300 to set a first processing rule in a forwarding node determined in the movement range limitation field, as shown in Fig. 23.
- a forwarding node 201 it is possible to set a first processing rule also in a forwarding node to which a connection is possible by the user terminal moving (for example, forwarding node 203 in Fig. 23), and user movement is allowed with limitations. Furthermore, in a case where the user actually moves to these forwarding nodes, it is possible to omit a process from a user authentication protocol (S001 "login” in Fig. 9) up to setting (S006 in Fig. 9) of the first processing rule by the control device 300.
- a user authentication protocol S001 "login" in Fig. 9
- setting S006 in Fig. 9
- the number of forwarding nodes set in the movement range limitation field can be appropriately set in accordance with roles or resource groups of respective users.
- a distance (number of hops) from a forwarding node to which the user terminal is presently connected may be specified in the movement range limitation field, and the first processing rule may be set in a forwarding node that is in a fixed distance range, in a network topology.
- control device 300 the authentication device 310, the policy management device 320, the communication policy storage unit 321, and the resource information storage unit 322 are each provided independently, but it is also possible to use a configuration in which these are consolidated as appropriate.
- information such as communication attributes such as QoS or the like, forwarding nodes that can be used in a path, a period of time in which access is possible, and the like, in the communication policy.
- the policy management device 320 may update the communication policy according to time, user location, or the like, and re-notify the control device 300. Furthermore, a mode is also possible in which detailed control content such as the time, the user location, and the like is included in the communication policy itself, and detailed setting, modification and deletion of the first and second processing rules are performed on the control device 300 side.
- a role ID is given to a user as shown in Fig. 3 to Fig. 6 to perform access control.
- control device 300 generates and sets the second processing with regard to a packet for which a request is received to set a processing rule, based on the first processing rule.
- control device 300 with reception of a request for setting of a processing rule as a trigger, to refer to the communication policy and to compute a path to all access destinations allowed for a user, and to set processing rules realizing these paths in advance. By so doing, it is possible to further curtail the frequency of occurrence of requests to set a processing rule.
- the user terminal 100 performs an authentication protocol with the authentication device 310 via the forwarding node 201.
- the user terminal 100 communicates directly with the authentication device 310, and implements the authentication protocol.
- node communication unit 12 control message processing unit 13 processing rule management unit 14 processing rule storage unit 15 forwarding node management unit 16 path and action calculating unit 17 topology management unit 18 terminal location management unit 19 communication policy management unit 20 communication policy storage unit 100 user terminal 200A, 200B, 201 to 204 forwarding node (network node) 300 control device 301 setting request transmission permitting unit 302 path control unit 310, 311 authentication device 320 policy management device 321 communication policy storage unit 322 resource information storage unit 600, 600A, 600B network resource
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
This application claims the benefit of priority of Japanese Patent Application No. 2011-009817, filed on January 20, 2011, the disclosure of which is incorporated herein in its entirety by reference. The present invention relates to a communication system, a control device, a policy management device, a communication method, and a program, and in particular, relates to a communication system, a control device, a policy management device, a communication method, and a program, which realize communication by forwarding a packet via forwarding nodes arranged in a network.
The present method is linked with a specific instrument, known as a control device that controls the abovementioned forwarding node.
It is to be noted that the program can be recorded in computer readable storage media. That is, the present invention can be embodied as a computer program product.
Next, a detailed description is given concerning a first exemplary embodiment of the present invention, making reference to the drawings. Fig. 2 is a diagram representing a configuration of a communication system of the first exemplary embodiment of the present invention. Referring to Fig. 2, a configuration is shown that includes a plurality of forwarding
Next, a description is given concerning a second exemplary embodiment of the present invention, in which a modification is added to operations of an authentication device and policy management device of the first exemplary embodiment as described above. Since the present exemplary embodiment can be realized with a configuration that is equivalent to the first exemplary embodiment described above, a description is given below centering on points of difference in operations thereof.
Next, a description is given concerning a third exemplary embodiment of the present invention, in which a security function of the first exemplary embodiment described above is strengthened. Since the present exemplary embodiment can be realized with a configuration that is approximately in common with the first exemplary embodiment described above, a description is given below centering on points of difference.
Furthermore, in the exemplary embodiment described above a description has been given in which a
12 control message processing unit
13 processing rule management unit
14 processing rule storage unit
15 forwarding node management unit
16 path and action calculating unit
17 topology management unit
18 terminal location management unit
19 communication policy management unit
20 communication policy storage unit
100 user terminal
200A, 200B, 201 to 204 forwarding node (network node)
300 control device
301 setting request transmission permitting unit
302 path control unit
310, 311 authentication device
320 policy management device
321 communication policy storage unit
322 resource information storage unit
600, 600A, 600B network resource
Claims (15)
- A communication system, comprising:
a control device;
a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and
a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, wherein the control device further comprises:
a setting request transmission permitting unit that, based on a notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and
a path control unit that, in a case of receiving the setting request from a forwarding node to which the first processing rule is set, determines a path from the user terminal to an access destination in accordance with the communication policy, and sets to a forwarding node along the path a second processing rule that corresponds to the path. - The communication system according to claim 1, wherein:
the communication policy includes a policy of generating for the first processing rule a matching rule that identifies a packet for which a setting request of a processing rule is allowed; and
the setting request transmission permitting unit refers to the communication policy, and, in a case of receiving a packet that matches the matching rule from the user terminal, sets a first processing rule that causes a setting request of a processing rule to the control device. - The communication system according to claim 1 or 2, wherein:
the communication policy includes information of a resource that is accessible by the user, or a resource that is inaccessible by the user; and
the path control unit sets the second processing rule, in a case where a destination of a packet related to a setting request of a processing rule received from the forwarding node is a destination that is accessible by the user. - The communication system according to any one of claims 1 to 3, wherein:
the policy management device further notifies the control device that a user, for whom authentication has failed, is detected; and
the control device, based on the notification, sets to a predetermined forwarding node a processing rule that prevents forwarding of a packet from the user to a predetermined authentication device. - The communication system according to any one of claims 1 to 4, wherein
a notification is given to the control device as to whether or not a user authentication procedure against all predetermined authentication devices is completed, and
the control device, in a case where a communication policy received from the policy management device indicates that a user authentication procedure against all predetermined authentication devices is not completed, sets to a predetermined forwarding node a processing rule that causes the predetermined forwarding node to start a user authentication procedure between the user and a predetermined authentication device. - The communication system according to any one of claims 1 to 5, wherein:
the communication policy includes information for determining a forwarding node, to which the first processing rule is to be set; and
the setting request transmission permitting unit refers to the communication policy to set the first processing rule to a plurality of forwarding nodes. - A control device, that is connected to:
a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and
a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, wherein the control device comprises:
a setting request transmission permitting unit that, based on a notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and
a path control unit that, in a case of receiving the setting request from a forwarding node to which the first processing rule is set, determines a path from the user terminal to an access destination in accordance with the communication policy, and sets to a forwarding node along the path a second processing rule that corresponds to the path. - The control device according to claim 7, wherein:
the communication policy includes a policy of generating a matching rule that identifies a packet, to which processing content prescribed in the first processing rule is applied; and
the setting request transmission permitting unit refers to the communication policy, and, in a case of receiving a packet that matches the matching rule from the user terminal, sets a first processing rule that causes a setting request of a processing rule to the control device. - The control device according to claim 7 or 8, wherein:
the communication policy includes information of a resource that is accessible by the user, or a resource that is inaccessible by the user; and
the path control unit sets the second processing rule, in a case where a destination of a packet related to a setting request of a processing rule received from the forwarding node is a destination that is accessible by the user. - The control device according to any one of claims 7 to 9, wherein
in a case where the control device receives from the policy management device a notification that a user, for whom authentication has failed, is detected, the control device sets to a predetermined forwarding node a processing rule that prevents forwarding of a packet from the user to a predetermined authentication device. - The control device according to any one of claims 7 to 10, wherein
in a case where a communication policy received from the policy management device indicates that a user authentication procedure against all predetermined authentication devices is not completed, the control device sets to a predetermined forwarding node a processing rule that causes the predetermined forwarding node to start a user authentication procedure between the user and a predetermined authentication device. - The control device according to any one of claims 7 to 11, wherein:
the communication policy includes information for determining a forwarding node, to which the first processing rule is to be set; and
the setting request transmission permitting unit refers to the communication policy to set the first processing rule to a plurality of forwarding nodes. - A policy management device that provides the control device of any one of claims 7 to 12 with a communication policy that corresponds to a user for whom authentication has succeeded.
- A communication method performed by a control device connected to:
a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and
a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, wherein the communication method comprises:
based on a notification from the policy management device, setting to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and
in a case of receiving the setting request from a forwarding node for which the first processing rule is set, determining a path from the user terminal to an access destination in accordance with the communication policy, and setting to a forwarding node along the path a second processing rule that corresponds to the path. - A program that causes a computer comprising included in a control device connected to:
a forwarding node that processes, in accordance with a processing rule set by the control device, a packet transmitted from a user terminal; and
a policy management device that manages a communication policy and notifies the control device of a communication policy that corresponds to a user for whom authentication has succeeded, to execute:
based on a notification from the policy management device, setting to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of a processing rule with regard to a packet transmitted from the user terminal; and
in a case of receiving the setting request from a forwarding node for which the first processing rule is set, determining a path from the user terminal to an access destination in accordance with the communication policy, and setting to a forwarding node along the path a second processing rule that corresponds to the path.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/980,029 US9363182B2 (en) | 2011-01-20 | 2011-08-30 | Communication system, control device, policy management device, communication method, and program |
EP11856261.0A EP2666264B1 (en) | 2011-01-20 | 2011-08-30 | Communication system, control device, policy management device, communication method, and program |
ES11856261.0T ES2630014T3 (en) | 2011-01-20 | 2011-08-30 | Communication system, control device, policy management device, communication method, and program |
JP2013532759A JP5811179B2 (en) | 2011-01-20 | 2011-08-30 | COMMUNICATION SYSTEM, CONTROL DEVICE, POLICY MANAGEMENT DEVICE, COMMUNICATION METHOD, AND PROGRAM |
CN201180065565.2A CN103329489B (en) | 2011-01-20 | 2011-08-30 | Communication system, control appliance, policy management apparatus, communication means and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011-009817 | 2011-01-20 | ||
JP2011009817 | 2011-01-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012098596A1 true WO2012098596A1 (en) | 2012-07-26 |
Family
ID=46515251
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2011/004817 WO2012098596A1 (en) | 2011-01-20 | 2011-08-30 | Communication system, control device, policy management device, communication method, and program |
Country Status (6)
Country | Link |
---|---|
US (1) | US9363182B2 (en) |
EP (1) | EP2666264B1 (en) |
JP (1) | JP5811179B2 (en) |
CN (1) | CN103329489B (en) |
ES (1) | ES2630014T3 (en) |
WO (1) | WO2012098596A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014046888A3 (en) * | 2012-09-20 | 2014-07-31 | Sky Socket, Llc | Controlling distribution of resources on a network |
CN104125244A (en) * | 2013-04-23 | 2014-10-29 | 中兴通讯股份有限公司 | Information forwarding method and system in distributed network |
JP2014220673A (en) * | 2013-05-09 | 2014-11-20 | 日本電信電話株式会社 | Communication policy control system and communication control device |
WO2017039971A1 (en) * | 2015-08-28 | 2017-03-09 | Microsoft Technology Licensing, Llc | User-aware datacenter security policies |
WO2017039494A1 (en) * | 2015-08-28 | 2017-03-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Systems and methods for routing traffic originating from a communication device |
US9680763B2 (en) | 2012-02-14 | 2017-06-13 | Airwatch, Llc | Controlling distribution of resources in a network |
US10257194B2 (en) | 2012-02-14 | 2019-04-09 | Airwatch Llc | Distribution of variably secure resources in a networked environment |
US10404615B2 (en) | 2012-02-14 | 2019-09-03 | Airwatch, Llc | Controlling distribution of resources on a network |
US11824644B2 (en) | 2013-03-14 | 2023-11-21 | Airwatch, Llc | Controlling electronically communicated resources |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
SG194457A1 (en) * | 2011-04-18 | 2013-12-30 | Nec Corp | Terminal, control device, communication method, communication system, communication module,program, and information processing device |
US9363152B2 (en) * | 2012-06-11 | 2016-06-07 | Microsoft Technology Licensing, Llc | Large-scale passive network monitoring using multiple tiers of ordinary network switches |
CN104838624B (en) * | 2013-11-22 | 2017-12-08 | 华为技术有限公司 | The method, apparatus and system that a kind of control business data forward in virtual network |
US9705921B2 (en) | 2014-04-16 | 2017-07-11 | Cisco Technology, Inc. | Automated synchronized domain wide transient policy |
BR112016030581B1 (en) * | 2014-06-26 | 2023-02-28 | Huawei Technologies Co., Ltd | CONTROL PLANE DEVICE, FORWARDING PLAN DEVICE AND SERVICE QUALITY CONTROL METHOD FOR SOFTWARE-DEFINED NETWORK |
CN104035831A (en) * | 2014-07-01 | 2014-09-10 | 浪潮(北京)电子信息产业有限公司 | High-end fault-tolerant computer management system and method |
US9961059B2 (en) * | 2014-07-10 | 2018-05-01 | Red Hat Israel, Ltd. | Authenticator plugin interface |
TW201721498A (en) * | 2015-12-01 | 2017-06-16 | Chunghwa Telecom Co Ltd | Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server |
CN109314649A (en) * | 2016-06-23 | 2019-02-05 | 英特尔Ip公司 | Device and method for NFV life cycle management |
CN107547565B (en) * | 2017-09-28 | 2020-08-14 | 新华三技术有限公司 | Network access authentication method and device |
JP6610908B2 (en) * | 2018-03-09 | 2019-11-27 | Kddi株式会社 | Communications system |
JP6610907B2 (en) * | 2018-03-09 | 2019-11-27 | Kddi株式会社 | Communications system |
US11552953B1 (en) * | 2018-06-18 | 2023-01-10 | Amazon Technologies, Inc. | Identity-based authentication and access control mechanism |
US11201854B2 (en) | 2018-11-30 | 2021-12-14 | Cisco Technology, Inc. | Dynamic intent-based firewall |
CN112202750B (en) * | 2020-09-25 | 2023-01-24 | 统信软件技术有限公司 | Control method for policy execution, policy execution system and computing device |
CN112564946B (en) * | 2020-11-23 | 2022-11-11 | 浪潮思科网络科技有限公司 | SDN-based application program terminal group communication method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008095010A1 (en) | 2007-02-01 | 2008-08-07 | The Board Of Trustees Of The Leland Stanford Jr. University | Secure network switching infrastructure |
US20090138577A1 (en) | 2007-09-26 | 2009-05-28 | Nicira Networks | Network operating system for managing and securing networks |
WO2011081104A1 (en) * | 2010-01-04 | 2011-07-07 | 日本電気株式会社 | Communication system, authentication device, control server, and communication method and program |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE60039890D1 (en) * | 2000-11-17 | 2008-09-25 | Sony Deutschland Gmbh | Information transmission via an ad hoc network |
US7340531B2 (en) * | 2002-09-27 | 2008-03-04 | Intel Corporation | Apparatus and method for data transfer |
JP2004318582A (en) | 2003-04-17 | 2004-11-11 | Nippon Telegraph & Telephone East Corp | Network access system and method, verification system, edge router, access controller, and computer program |
US20040213172A1 (en) * | 2003-04-24 | 2004-10-28 | Myers Robert L. | Anti-spoofing system and method |
JP4357401B2 (en) * | 2004-10-13 | 2009-11-04 | 日本電信電話株式会社 | Filtering method |
US8627490B2 (en) * | 2005-12-29 | 2014-01-07 | Nextlabs, Inc. | Enforcing document control in an information management system |
US8046378B1 (en) * | 2007-09-26 | 2011-10-25 | Network Appliance, Inc. | Universal quota entry identification |
JP4649465B2 (en) | 2007-11-30 | 2011-03-09 | 富士通株式会社 | Virtual network construction program, virtual network construction device, and virtual network construction method |
US8646067B2 (en) * | 2008-01-26 | 2014-02-04 | Citrix Systems, Inc. | Policy driven fine grain URL encoding mechanism for SSL VPN clientless access |
US8229812B2 (en) * | 2009-01-28 | 2012-07-24 | Headwater Partners I, Llc | Open transaction central billing system |
US8023504B2 (en) * | 2008-08-27 | 2011-09-20 | Cisco Technology, Inc. | Integrating security server policies with optimized routing control |
US8248958B1 (en) * | 2009-12-09 | 2012-08-21 | Juniper Networks, Inc. | Remote validation of network device configuration using a device management protocol for remote packet injection |
US8935384B2 (en) * | 2010-05-06 | 2015-01-13 | Mcafee Inc. | Distributed data revocation using data commands |
-
2011
- 2011-08-30 US US13/980,029 patent/US9363182B2/en active Active
- 2011-08-30 ES ES11856261.0T patent/ES2630014T3/en active Active
- 2011-08-30 CN CN201180065565.2A patent/CN103329489B/en not_active Expired - Fee Related
- 2011-08-30 WO PCT/JP2011/004817 patent/WO2012098596A1/en active Application Filing
- 2011-08-30 JP JP2013532759A patent/JP5811179B2/en active Active
- 2011-08-30 EP EP11856261.0A patent/EP2666264B1/en not_active Not-in-force
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008095010A1 (en) | 2007-02-01 | 2008-08-07 | The Board Of Trustees Of The Leland Stanford Jr. University | Secure network switching infrastructure |
US20090138577A1 (en) | 2007-09-26 | 2009-05-28 | Nicira Networks | Network operating system for managing and securing networks |
JP2010541426A (en) * | 2007-09-26 | 2010-12-24 | ニシラ・ネットワークス | Network operating system for managing and securing a network |
WO2011081104A1 (en) * | 2010-01-04 | 2011-07-07 | 日本電気株式会社 | Communication system, authentication device, control server, and communication method and program |
Non-Patent Citations (4)
Title |
---|
HIROSHI UENO ET AL.: "A Study on Deployment of Network Appliance Functionalities in Datacenter Network", IEICE TECHNICAL REPORT, vol. 109, no. 296, 13 November 2009 (2009-11-13), pages 7 - 12, XP008166907 * |
OPEN FLOW: ENABLING INNOVATION IN CAMPUS NETWORKS, 22 December 2010 (2010-12-22), Retrieved from the Internet <URL:http://www.openflowswitch.org//documents/openflow- wp-atestpdf> |
OPEN FLOW: SWITCH SPECIFICATION, 22 December 2010 (2010-12-22) |
See also references of EP2666264A4 |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10404615B2 (en) | 2012-02-14 | 2019-09-03 | Airwatch, Llc | Controlling distribution of resources on a network |
US12081452B2 (en) | 2012-02-14 | 2024-09-03 | Airwatch Llc | Controlling distribution of resources in a network |
US11483252B2 (en) | 2012-02-14 | 2022-10-25 | Airwatch, Llc | Controlling distribution of resources on a network |
US11082355B2 (en) | 2012-02-14 | 2021-08-03 | Airwatch, Llc | Controllng distribution of resources in a network |
US10951541B2 (en) | 2012-02-14 | 2021-03-16 | Airwatch, Llc | Controlling distribution of resources on a network |
US9680763B2 (en) | 2012-02-14 | 2017-06-13 | Airwatch, Llc | Controlling distribution of resources in a network |
US9705813B2 (en) | 2012-02-14 | 2017-07-11 | Airwatch, Llc | Controlling distribution of resources on a network |
US10257194B2 (en) | 2012-02-14 | 2019-04-09 | Airwatch Llc | Distribution of variably secure resources in a networked environment |
WO2014046888A3 (en) * | 2012-09-20 | 2014-07-31 | Sky Socket, Llc | Controlling distribution of resources on a network |
US11824644B2 (en) | 2013-03-14 | 2023-11-21 | Airwatch, Llc | Controlling electronically communicated resources |
US10021030B2 (en) | 2013-04-23 | 2018-07-10 | Zte Corporation | Method and system for forwarding information in distributed network |
CN104125244B (en) * | 2013-04-23 | 2019-05-07 | 中兴通讯股份有限公司 | The method and system of forwarding information in a kind of distributed network |
EP2991313A4 (en) * | 2013-04-23 | 2016-04-20 | Zte Corp | Method and system for forwarding information in distributed network |
CN104125244A (en) * | 2013-04-23 | 2014-10-29 | 中兴通讯股份有限公司 | Information forwarding method and system in distributed network |
JP2014220673A (en) * | 2013-05-09 | 2014-11-20 | 日本電信電話株式会社 | Communication policy control system and communication control device |
WO2017039494A1 (en) * | 2015-08-28 | 2017-03-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Systems and methods for routing traffic originating from a communication device |
WO2017039971A1 (en) * | 2015-08-28 | 2017-03-09 | Microsoft Technology Licensing, Llc | User-aware datacenter security policies |
US11303636B2 (en) | 2015-08-28 | 2022-04-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Systems and methods for routing traffic originating from a communication device |
Also Published As
Publication number | Publication date |
---|---|
JP2014503135A (en) | 2014-02-06 |
JP5811179B2 (en) | 2015-11-11 |
EP2666264A1 (en) | 2013-11-27 |
US9363182B2 (en) | 2016-06-07 |
EP2666264A4 (en) | 2015-01-21 |
CN103329489B (en) | 2016-04-27 |
US20130322257A1 (en) | 2013-12-05 |
ES2630014T3 (en) | 2017-08-17 |
EP2666264B1 (en) | 2017-04-19 |
CN103329489A (en) | 2013-09-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2666264B1 (en) | Communication system, control device, policy management device, communication method, and program | |
US9178910B2 (en) | Communication system, control apparatus, policy management apparatus, communication method, and program | |
RU2586587C2 (en) | Terminal control device, communication method, communication system, communication module, program and information processing device | |
KR101528825B1 (en) | Terminal, control device, communication method, communication system, communication module, program, and information processing device | |
EP2680506A1 (en) | Communication system, database, control device, communication method and program | |
JP5943006B2 (en) | COMMUNICATION SYSTEM, CONTROL DEVICE, COMMUNICATION METHOD, AND PROGRAM | |
JP5880560B2 (en) | Communication system, forwarding node, received packet processing method and program | |
WO2012169164A1 (en) | Communication system, control device, and processing rule setting method and program | |
EP2832058B1 (en) | Communication system, control apparatus, communication apparatus, communication control method, and program | |
JP5812108B2 (en) | Terminal, control apparatus, communication method, communication system, communication module, program, and information processing apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 201180065565.2 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 11856261 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13980029 Country of ref document: US |
|
ENP | Entry into the national phase |
Ref document number: 2013532759 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
REEP | Request for entry into the european phase |
Ref document number: 2011856261 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2011856261 Country of ref document: EP |