WO2012141086A1 - Computer system, controller, and network access policy control method - Google Patents
Computer system, controller, and network access policy control method
- Publication number
- WO2012141086A1 (PCT/JP2012/059471)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- policy
- information
- received packet
- controller
- authentication
- Prior art date
Classifications
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L47/70—Admission control; Resource allocation
- H04L63/102—Entity profiles
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
- H04L45/38—Flow based routing
Definitions
- the present invention relates to a computer system, a controller, a network access policy control method, and a program, and more particularly, to a computer system and a network policy control method using open flow technology.
- networks such as IP networks have become large and complex, and in addition, high flexibility is required. For this reason, setting of network devices is complicated, and the number to be set is enormous, which increases the burden of network design management.
- MAC-based VLAN (Virtual Local Area Network)
- a computer system includes an OpenFlow controller 100 (hereinafter referred to as OFC 100), a plurality of OpenFlow switches 2-1 to 2-n (hereinafter referred to as OFS 2-1 to 2-n), and a host group 30 having a plurality of host computers 3-1 to 3-i (hereinafter referred to as hosts 3-1 to 3-i).
- n and i are natural numbers of 2 or more.
- the OFSs 2-1 to 2-n are collectively referred to as OFS 2 when no distinction between them is needed.
- the hosts 3-1 to 3-i are collectively referred to as hosts 3 when no distinction between them is needed.
- the OFC 100 sets a communication path between the hosts 3 and a transfer operation (relay operation) for the OFS 2 on the path.
- the OFC 100 sets a flow entry in which a rule for specifying a flow (packet data) and an action for defining an operation for the flow are associated with each other in the flow table held by the OFS 2.
- the OFS 2 on the communication path determines the transfer destination of the received packet data according to the flow entry set by the OFC 100, and performs transfer processing.
- the host 3 can transmit and receive packet data to and from other hosts 3 using the communication path set by the OFC 100. That is, in the computer system using OpenFlow, the OFC 100 that sets the communication path and the OFS 2 that performs the transfer process are separated, so that communication of the entire system can be controlled and managed centrally.
- when a packet is transmitted from the host 3-1 to the host 3-i, the OFS 2-1 refers to the destination information in the header (for example, the destination MAC address and the destination IP address) and searches the flow table held in the OFS 2-1 for an entry that matches the header information.
- the contents of entries set in the flow table are defined in Non-Patent Document 1, for example.
- the OFS 2-1 transfers the packet data (hereinafter referred to as the first packet), either the header information of the first packet or the first packet itself, to the OFC 100.
- the OFC 100 that has received the first packet from the OFS 2-1 determines the path 40 based on the information of the transmission source host and the transmission destination host included in the packet.
- the OFC 100 instructs all OFSs 2 on the path 40 to set a flow entry that defines a packet transfer destination (issues a flow table update instruction).
- the OFS 2 on the path 40 updates the flow table managed by itself in response to the flow table update instruction. After that, the OFS 2 starts packet transfer according to the updated flow table, so that the packet reaches the destination host 3-i via the path 40 determined by the OFC 100.
- a host terminal such as a PC (Personal Computer) connected to the OpenFlow system is identified by an IP address or a MAC address.
- since IP addresses and MAC addresses can be spoofed, there is a risk of unauthorized access, and countermeasures are required.
- Patent Document 1 describes a policy server having a function of controlling access to network devices and application servers based on a security policy held by the server itself, but does not disclose policy control in an OpenFlow environment.
- an object of the present invention is to provide a computer system in an OpenFlow protocol environment capable of easily performing network access policy control.
- Another object of the present invention is to improve the security strength against unauthorized access in the network of the OpenFlow protocol environment.
- a computer system includes a controller and a switch that performs a relay operation defined by the flow entry for a received packet that conforms to the flow entry set by the controller.
- the switch transmits a received packet that does not match the flow entry set in the switch to the controller.
- the controller authenticates the received packet with reference to the authentication information included in the received packet.
- the controller sets, in the switch, a flow entry that defines a relay operation for a packet including information specifying the transmission source of the received packet among the header information of the received packet determined to be valid.
- a policy control method includes a step in which the controller receives from the switch a received packet that does not conform to any flow entry set in the switch, a step in which the controller authenticates the received packet with reference to authentication information included in the received packet, and a step in which the controller sets, in the switch, a flow entry that specifies the relay operation for packets including the information, among the header information of the received packet determined to be valid, that identifies the transmission source of the received packet.
- the policy control method described above is preferably realized by a program executed by a computer.
- FIG. 1 is a diagram illustrating an example of a configuration of a computer system using an open flow protocol.
- FIG. 2 is a diagram showing an example of the configuration of a computer system according to the present invention.
- FIG. 3 is a diagram showing an example of policy information according to the present invention.
- FIG. 4 is a diagram showing a specific example of policy information according to the present invention.
- FIG. 5A is a diagram showing a specific example of a flow entry according to the present invention.
- FIG. 5B is a diagram showing a specific example of a flow entry according to the present invention.
- FIG. 6 is a sequence diagram showing an example of policy setting and communication operation in the computer system according to the present invention.
- FIG. 7 is a flowchart showing an example of a policy control operation by the OpenFlow controller according to the present invention.
- the computer system according to the present invention is different from the system shown in FIG. 1 in the configuration of the OpenFlow controller (OFC) and the host terminal (for example, PC), and the other configurations (for example, OFS) are the same.
- OFC: OpenFlow controller
- PC: an example of a host terminal
- a computer system according to the present invention includes an OpenFlow controller 1 (OpenFlow Controller: hereinafter referred to as OFC 1), a plurality of OpenFlow switches 2 (OpenFlow Switch: hereinafter referred to as OFS 2), a plurality of host terminals 3 (for example, PCs), and an input terminal 4.
- the OFC 1 is connected to a plurality of OFS 2 via a secure channel network, and updates the flow table 21 of the OFS 2 via the network. Thereby, communication between the plurality of host terminals 3 connected via the OFS 2 is controlled.
- the OFS 2 is provided between the plurality of host terminals 3 and relays a packet transferred from the host terminal 3 or another network (not shown) to a transfer destination according to the flow entry set in the flow table 21.
- OFC1 controls the construction of a communication path related to packet transfer in the system and the packet transfer process by open flow technology.
- OpenFlow technology is a technique in which the OFC 1 sets multi-layer, per-flow route information (flow entries: flow + action) in the OFS 2 and the OFVS 33 on the communication route according to a routing policy, and thereby performs route control and node control (for details, refer to Non-Patent Document 1).
- the route control function is separated from the routers and switches, and optimal routing and traffic management are possible through centralized control by the controller.
- the OFS 2 and the OFVS 33 to which OpenFlow technology is applied handle communication as an end-to-end flow, not in units of packets or frames as a conventional router or switch does.
- the OFC 1 is preferably realized by a computer including a CPU and a storage device.
- each function of the flow control unit 11 and the policy management unit 12 illustrated in FIG. 2 is realized by a CPU (not shown) executing a program stored in a storage device.
- the flow control unit 11 sets or deletes a flow entry (rule + action) for a switch (here, OFS2) according to the open flow protocol.
- an action defines, for example, relay or discard of packet data.
- in the rule, a combination of layer 1 to layer 4 addresses and identifiers of the OSI (Open Systems Interconnection) reference model, included in the header information of TCP/IP packet data, is defined.
- each combination of a layer 1 physical port, a layer 2 MAC address, a VLAN tag (VLAN id), a layer 3 IP address, and a layer 4 port number is set as a rule.
- the VLAN tag may be given a priority (VLAN priority).
- an identifier such as a port number or an address set in the rule by the flow control unit 11 may be set within a predetermined range. Further, it is preferable that the destination and the address of the transmission source are distinguished and set as a rule. For example, a range of a MAC destination address, a range of a destination port number that specifies a connection destination application, and a range of a transmission source port number that specifies a connection source application are set as rules. Furthermore, an identifier for specifying the data transfer protocol may be set as a rule.
- a method for processing TCP/IP packet data is defined in the action set in the flow entry. For example, information indicating whether or not the received packet data is to be relayed, and the transmission destination in the case of relaying, are set. Further, as an action, information for instructing to copy or discard the packet data may be set.
- the flow control unit 11 sets the flow entry corresponding to the instruction from the policy management unit 12 to the OFS 2 specified by the instruction.
- the policy management unit 12 converts the policy information 130 supplied from the input terminal 4 into a format that is easy to search and records it in the policy information storage unit 13.
- FIG. 3 is a diagram showing the structure of the policy information 130 recorded in the policy information storage unit 13. Referring to FIG. 3, policy ID 131, authentication ID 132, and policy 133 are associated with each other and recorded as policy information 130 in policy information storage unit 13.
- Policy ID 131 is an identifier for uniquely identifying policy information 130.
- the authentication ID 132 is information (example: password) for authenticating whether the policy 133 may be applied to the first packet (the transmission source host or the destination host).
- the policy 133 is information that defines the network access policy of the host terminal 3.
- the policy 133 defines conditions for defining a transmission source host or a transmission destination host, a protocol for defining an access method, priority, and the like.
- FIG. 4 is a diagram showing a specific example of the policy information 130.
- the identifier “Accounting Department General Staff Policy”, which identifies the terminals to which the plurality of policies 133 “Policy 1 to Policy 3, ...” are applied, is set as the policy ID 131.
- An authentication ID 132 “XXXX” used for authentication as to whether to apply the policy 133 is set.
- policy 1 indicates that packet transfer to IP address 10.11.12.1 using HTTP (Hypertext Transfer Protocol) is permitted and its priority is set to “10”.
- Policy 2 indicates that packet transfer addressed to IP address 10.11.12.2 using FTP (File Transfer Protocol) is permitted and its priority is set to “20”.
- Policy 3 indicates that packet forwarding addressed to IP address 10.11.12.0/24 using RDP (Remote Desktop Protocol) is permitted and the priority is set to “30”.
- the policy management unit 12 compares the authentication information 140 included in the first packet notified from the OFS 2 with the policy information 130 recorded in the policy information storage unit 13 to authenticate the first packet.
- the host terminal 3 includes the authentication information 140 having the policy ID and the authentication ID in the data area of the packet and transmits the packet to the destination host.
- the policy management unit 12 searches the policy information storage unit 13 using the policy ID of the authentication information 140 included in the first packet notified from the OFS 2 as a key, and extracts the policy information 130 of the policy ID 131 that matches the policy ID. Then, the policy management unit 12 authenticates the first packet by comparing the authentication ID of the authentication information 140 with the authentication ID 132 in the policy information 130.
- the policy management unit 12 instructs the flow control unit 11 to set a flow entry for transferring the first packet.
- the flow control unit 11 sets a flow entry according to the policy 133 according to the header information of the first packet in the OFS 2 on the communication path calculated according to the header information.
- if the authentication IDs do not match, the policy management unit 12 determines that the authentication has failed. In this case, the policy management unit 12 instructs the flow control unit 11 to set a flow entry for discarding the first packet. In response to the instruction, the flow control unit 11 sets, in the OFS 2 that is the notification source of the first packet, a flow entry in which at least a part of the header information of the first packet is the rule and packet discard is the action. It should be noted that the OFS 2 selection method, the communication path calculation method, and the flow entry setting and management method performed by the flow control unit 11 follow the OpenFlow protocol described in Non-Patent Document 1.
- FIG. 5A and FIG. 5B show an example of the flow entries set in the switch when the policy management unit 12 successfully authenticates the first packet from terminal A and applies policy 1 shown in FIG.
- a flow entry set in OFS 2 in which terminal A is connected to port 0/1 and a Web server is connected to port 0/2 will be described.
- a match field (Match Field) and a match field value (Match Value) are defined as a rule 211 in the flow entry.
- the action information 212 defines an action and a priority.
- Policy 1 defines “Allow HTTP connection to 10.11.12.1, priority 10”.
- in the OFS 2, a flow entry (FIG. 5A) that defines relay processing for packets from the authenticated terminal A destined for the IP address “10.11.12.1”, and a flow entry (FIG. 5B) that defines relay processing for packets from the Web server to which the IP address “10.11.12.1” is assigned destined for the authenticated terminal A, are set.
- in FIG. 5A, rule 211 defines an input port “0/1”, a source MAC address “MAC address of terminal A”, an input VLAN ID “VLAN ID of terminal A”, an Ether Type “0x0800 (IPv4)”, an IP protocol (protocol number) “6 (TCP)”, a source IP address “IP address of terminal A”, a destination IP address “10.11.12.1”, and a destination port number “80 (HTTP)”; the other match fields are defined as “ANY”.
- the action information 212 defines “output the received packet to port 0/2” with priority “10”.
- the OFS 2 follows the flow entry shown in FIG. 5A and outputs packets addressed to the IP address “10.11.12.1”, transmitted by HTTP communication from the authenticated terminal A, to port “0/2”.
- in FIG. 5B, rule 211 defines an input port “0/2”, a destination MAC address “MAC address of terminal A”, an Ether Type “0x0800 (IPv4)”, an IP protocol (protocol number) “6 (TCP)”, a source IP address “10.11.12.1”, a destination IP address “IP address of terminal A”, and a destination port number “80 (HTTP)”; the other match fields are defined as “ANY”.
- the action information 212 defines “output the received packet to port 0/1” with priority “10”.
- the OFS 2 follows the flow entry shown in FIG. 5B and outputs packets addressed to the IP address of terminal A, transmitted from the Web server with the IP address “10.11.12.1”, to port “0/1”, to which terminal A is connected.
- the flow entry according to the policy corresponding to the first packet (host terminal 3) that has been successfully authenticated is set in OFS2.
- the setting of the flow entry for policy 1 has been described above; for the other policies, the corresponding flow entry is set in the same way.
- the OFS 2 includes a flow table 21 in which a flow entry is set by the OFC 1 and a packet control unit 22 that forwards or discards a received packet according to the flow entry set in the flow table 21.
- the setting of the flow entry for the OFS 2 is performed by a Flow-mod request from the OFC 1 as in the conventional case.
- when the received packet does not match any flow entry, the packet control unit 22 transmits the received packet to the OFC 1 as a first packet.
- the OFS 2 transmits the authentication information 140 transmitted from the host terminal 3 to the OFC 1.
- the packet control unit 22 performs processing on the packet according to the action of the flow entry.
- actions for the received packet include, for example, transfer to another OFS 2 or host terminal 3, and packet discard. FIG. 2 shows only the end switches connected to the two host terminals 3, but, as in FIG. 1, they are of course also connected to other host terminals 3 via other OFS 2.
- the OFS 2 is preferably a physical switch, but may be realized by a virtual switch as long as it operates according to the OpenFlow protocol.
- the host terminal 3 is preferably a computer device (physical server) including a CPU and RAM (not shown), and includes a storage device (not shown) in which authentication information 140 is recorded. Alternatively, the host terminal 3 may be realized by a virtual machine. The host terminal 3 transmits the authentication information 140 held by itself in the packet data area. Other configurations are the same as those of a conventional computer device or virtual machine capable of packet communication. Although only two host terminals 3 are shown in FIG. 2, it goes without saying that this system includes other host terminals 3 connected via a plurality of OFSs 2 as in FIG.
- in FIG. 2, only one host terminal 3 is provided in the system, but the present invention is not limited to this; usually a plurality of host terminals 3 are provided.
- the input terminal 4 is a computer device provided with a policy setting UI (User Interface) 41.
- the policy setting UI 41 is a user interface for setting policy information in the OFC 1, and outputs an instruction from the user to the policy management unit 12 of the OFC 1.
- arbitrary policy information 130 is set in OFC1.
- the setting method of the policy information 130 is not limited to this, and the policy information 130 may be set using a portable recording medium.
- an output device exemplified by a monitor or a printer may be connected to the OFC 1.
- the policy management unit 12 can identify the OFS 2 that is the notification source of the packet and the host terminal 3 that is the transmission source, based on the header information (transmission source port number and transmission source MAC address) of a first packet that has failed authentication. By outputting this identification result visibly through the output device, it is possible not only to monitor unauthorized access but also to identify its source.
- the authentication of the packet (access) is performed on the controller side using the first packet according to the OpenFlow protocol, and the packet transfer operation (access destination) is controlled.
- the authentication information inserted into the packet by the host terminal 3 is authenticated by the controlling OFC 1.
- the communication from the host terminal 3 having a different network access policy can be centrally controlled by the OFC1.
- the host terminal 3 to which the policy 133 is applied can be specified by the authentication ID 132 assigned for each policy information 130. Therefore, it is not necessary to set a policy for each IP address or MAC address, and it is possible to easily change or manage the policy.
- since the OFC 1 controls access by authenticating the first packet, unauthorized access (for example, intrusion of a packet with a spoofed address) can be blocked at the OFS 2 on the host-side edge, that is, at the entrance of the network.
- FIG. 6 is a sequence diagram showing an example of policy setting and communication operation in the computer system according to the present invention.
- FIG. 7 is a flowchart showing an example of a policy control operation by the OFC 1 according to the present invention.
- policy information 130 is recorded in advance in policy information storage unit 13 of OFC 1 from input terminal 4 (steps S11 and S12). Specifically, the policy information 130 given from the input terminal 4 is supplied to the policy management unit 12, converted into a database, and stored in the policy information storage unit 13. As a result, the policy information storage unit 13 is updated with the latest policy information 130. Here, the policy information storage unit 13 can always be searched by the policy management unit 12. In addition, the updating of the policy information storage unit 13 in steps S11 and S12 may be performed during operation of the system.
- the host terminal 3 transmits into the network a packet that includes the authentication information 140, that is, the encrypted policy ID together with the assigned authentication ID (step S21). The packet from the host terminal 3 is then transferred to the OFS 2.
- the OFS 2 determines whether or not the header information of the packet received from the host terminal 3 matches the rule of a flow entry set in the flow table 21.
- if it matches, the received packet is processed (for example, transferred to another OFS 2 or discarded) according to the action of that flow entry (not shown).
- the OFS 2 extracts the header information (transmission / reception IP address, MAC address, port number, protocol, etc.) of the packet received from the host terminal 3.
- the OFS 2 compares the header information with the flow table 21 and confirms whether there is a matching flow entry. If there is a matching flow entry, the OFS 2 executes the action (transfer or discard) described in the flow entry and ends the transfer process.
- if there is no matching flow entry, the OFS 2 notifies the policy management unit 12 of the OFC 1 of the received packet as a first packet (step S22, PacketIN).
- the policy management unit 12 that received the PacketIN authenticates the first packet and instructs the flow control unit 11 on the packet processing method according to the authentication result (steps S23 and S24).
- the flow control unit 11 sets a flow entry according to the instruction from the policy management unit 12 in the flow table 21 of the OFS 2 to be controlled (step S25).
- OFS2 performs the process according to the flow entry newly set to the flow table 21 with respect to the packet received in step S21.
- the details of the operation of the policy management unit 12 that has received the first packet (steps S23 to S25 in FIG. 6) will be described.
- the OFC 1 analyzes the data area of the first packet received from the OFS 2 and acquires the authentication information 140 (policy ID and authentication ID) (step S101). Subsequently, the OFC 1 performs authentication by comparing the acquired authentication information 140 with the policy information 130 stored in the policy information storage unit 13 (step S102). Specifically, the policy management unit 12 searches the policy information storage unit 13 for policy information 130 that matches the authentication information 140 (policy ID and authentication ID). If matching policy information 130 is recorded in the policy information storage unit 13, the policy management unit 12 determines that authentication succeeded; if not, it determines that authentication failed (step S102).
- step S102 when the authentication is successful, the policy management unit 12 acquires the policy information 130 corresponding to the policy ID in the authentication information 140 from the policy information storage unit 13 (step S103).
- the OFC 1 sets a flow entry corresponding to the acquired policy information 130 in the OFS 2 to be controlled (step S104).
- the policy management unit 12 refers to the policy information 130 corresponding to the successfully authenticated authentication information 140 and instructs the flow control unit 11 to set a flow entry based on the policy 133 that corresponds to the header information of the first packet. At this time, as in a conventional OpenFlow system, the communication path is calculated and the OFS 2 in which the flow entry is to be set is designated.
- the flow control unit 11 sets a flow entry corresponding to an instruction from the policy management unit 12 in the designated OFS 2 by a Flow-mod request via the secure channel.
- a flow entry including a rule including the source MAC address and an action corresponding to the policy 133 is set.
- the communication of the transmission source host of the packet authenticated by OFC1 (that is, the authenticated host terminal) is controlled based on the policy set in advance in OFC1.
- a destination address and a destination port number may be defined as a flow entry rule set here. Thereby, control according to the access destination of the authenticated host terminal is also possible.
- as an example, the case where the policy management unit 12 acquires the policy information 130 shown in FIG. 4 according to the authentication information 140, and the header information of the first packet includes the source MAC address “0000.000.0001”, the destination IP address “10.11.12.1”, and the protocol “HTTP”, will be described. In this case, the policy management unit 12 instructs the setting of a flow entry according to policy 1 shown in FIG. As a result, the flow control unit 11 sets, in the OFS 2 on the communication path, a flow entry whose rule is source MAC address “0000.000.0001”, destination IP address “10.11.12.1”, and protocol “HTTP”, and whose action is to transfer the packet to the port to which “10.11.12.1” is connected. Further, the flow control unit 11 sets the priority with which the flow entry is applied in the OFS 2 to “10”.
- the OFS 2 in which the flow table 21 has been updated performs packet control according to the flow table.
- if authentication fails, the OFC 1 sets, in the flow table 21 of the OFS 2 that is the notification source of the first packet, a flow entry in which at least part of the header information of the first packet is the rule and packet discard is defined as the action (step S105).
- a rule including a transmission source MAC address is defined, and a flow entry having packet discard as an action is set.
- communication of the transmission source host of the packet that is not authenticated by the OFC 1 (that is, the host terminal that is not authenticated) is blocked at the OFS 2 at the entrance of the network.
- a destination address and a destination port number may be specified as a flow entry rule that specifies packet discard. This makes it possible to restrict access for each access destination of an unauthenticated host terminal.
- the OFC 1 receives the authentication information 140 from the host terminal 3 through notification of the first packet, authenticates it, and sets a flow entry whose rule is that the transmission source is that host terminal and whose action is specified according to the policy. For this reason, in the system according to the present invention, the policy can be controlled for each terminal by providing the authentication information 140 in advance to the host terminal 3 to which the policy is applied. That is, in the present invention, it is not necessary to prepare a configuration (policy information) for applying a policy to each host terminal. For example, in a network to which tens of thousands of PCs are connected, tens of thousands of configurations would be necessary to design flexible policy control. In the present invention, however, configuration for each PC is not necessary, so design and operation are easy.
- authentication using authentication information is performed in the first connection from the host terminal 3 to the network. For this reason, since unauthorized access due to IP address or MAC address spoofing can be blocked at the initial stage of access, the safety of the OpenFlow system can be improved.
- the OFS used in the computer system according to the present invention only needs to follow a conventional OpenFlow protocol (for example, the protocol defined by OpenFlow Switch Specification version 1.0); only the functions of the OFC and the host terminal need to be implemented as described above for network policy control and prevention of unauthorized access to be realized. That is, according to the present invention, the network policy control and prevention of unauthorized access described above can be realized in an existing OpenFlow system by changing only the functions of the OFC and the host terminal. For this reason, functions such as network policy control can be added to an existing system easily and at low cost.
Description
The computer system according to the present invention constructs communication paths and controls the transfer of packet data using OpenFlow technology, in the same way as the system shown in FIG. 1. FIG. 2 shows an example of the configuration of the computer system according to the present invention. The computer system according to the present invention differs from the system shown in FIG. 1 in the configuration of the OpenFlow controller (OFC) and the host terminals (for example, PCs); the other components (for example, the OFS) are the same.
Next, the communication operation and the access control operation in the computer system according to the present invention are described in detail with reference to FIG. 6 and FIG. 7.
Claims (12)
- A computer system comprising: a controller; and a switch that performs, on a received packet matching a flow entry set by the controller, the relay operation specified in the flow entry, wherein the switch transmits to the controller a received packet that does not match any flow entry set in the switch, and the controller authenticates the received packet by referring to authentication information contained in the received packet, and sets in the switch a flow entry that specifies a relay operation for packets containing, among the header information of the received packet judged to be valid, the information identifying the source of the received packet.
- The computer system according to claim 1, wherein the controller authenticates the received packet by referring to the authentication information, and sets in the switch a flow entry specifying that packets containing, among the header information of the received packet judged to be invalid, the information identifying the source of the received packet are to be discarded.
- The computer system according to claim 1 or 2, wherein the controller comprises a storage device in which policy information specifying relay operation policies is recorded, and sets in the switch a flow entry according to the policy information corresponding to the authentication information contained in the received packet judged to be valid.
- The computer system according to claim 3, wherein the authentication information includes a policy ID identifying the policy information and a first authentication ID used for authentication, the policy information is recorded in the storage device with the policy ID identifying the policy information associated with a second authentication ID, and the controller judges a received packet to be valid when the second authentication ID corresponding to the policy ID contained in the authentication information matches the first authentication ID.
- The computer system according to claim 4, wherein the policy information includes a plurality of policies associated with the policy ID identifying the policy information, and the controller extracts from the storage device, among the plurality of policies corresponding to the policy ID contained in the authentication information, a policy matching the header information of the received packet judged to be valid, and sets in the switch a flow entry according to the extracted policy.
- A server used in the computer system according to any one of claims 1 to 5.
- A policy control method comprising: a step in which a controller receives from a switch a received packet that does not match a flow entry set in the switch; a step in which the controller authenticates the received packet by referring to authentication information contained in the received packet; and a step in which the controller sets in the switch a flow entry specifying a relay operation for packets containing, among the header information of the received packet judged to be valid in the authenticating step, the information identifying the source of the received packet.
- The policy control method according to claim 7, further comprising a step in which the controller sets in the switch a flow entry specifying that packets containing, among the header information of the received packet judged to be invalid in the authenticating step, the information identifying the source of the received packet are to be discarded.
- The policy control method according to claim 7 or 8, further comprising a step in which the controller holds policy information specifying relay operation policies, wherein the step of setting the flow entry specifying the relay operation comprises a step in which the controller sets in the switch a flow entry according to the policy information corresponding to the authentication information contained in the received packet judged to be valid.
- The policy control method according to claim 9, wherein the authentication information includes a policy ID identifying the policy information and a first authentication ID used for authentication, the policy information is held in the controller with the policy ID identifying the policy information associated with a second authentication ID, and in the authenticating step the controller judges a received packet to be valid when the second authentication ID corresponding to the policy ID contained in the authentication information matches the first authentication ID.
- The policy control method according to claim 10, wherein the policy information includes a plurality of policies associated with the policy ID identifying the policy information, and the step of setting the flow entry specifying the relay operation comprises: a step in which the controller extracts from the storage device, among the plurality of policies corresponding to the policy ID contained in the authentication information, a policy matching the header information of the received packet judged to be valid; and a step in which the controller sets in the switch a flow entry according to the extracted policy.
- A recording medium on which is recorded a policy control program that causes a computer to execute the policy control method according to any one of claims 7 to 11.
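The following Python simulation is an added example, not code from the patent or from any product implementing it. It walks through the procedure described in the description above (authenticate the first packet, install a flow entry keyed on the source, install a discard entry for an unauthenticated source) and the structure of the claims (policy ID plus first/second authentication ID, several policies per policy ID, selection by header information). The class and function names (Header, Packet, FlowEntry, Policy, Switch, Controller, POLICY_INFO, run_demo), the tuple form of the authentication information and the sample policy values are assumptions of this example; only the source MAC "0000.000.0001", destination IP "10.11.12.1", protocol "HTTP" and priority 10 follow the worked case in the description.

```python
from dataclasses import dataclass
import hmac

@dataclass(frozen=True)
class Header:
    src_mac: str
    dst_ip: str
    protocol: str

@dataclass(frozen=True)
class Packet:
    header: Header
    # (policy ID, first authentication ID), carried only in a host's first packet (constructed form).
    auth: "tuple | None" = None

@dataclass(frozen=True)
class FlowEntry:
    rule: dict      # header fields the entry matches on
    action: str     # "forward:<port>" or "drop"
    priority: int
    def matches(self, h: Header) -> bool:
        return all(getattr(h, k) == v for k, v in self.rule.items())

@dataclass(frozen=True)
class Policy:
    dst_ip: "str | None"      # None acts as a wildcard
    protocol: "str | None"
    action: str
    priority: int
    def applies_to(self, h: Header) -> bool:
        return self.dst_ip in (None, h.dst_ip) and self.protocol in (None, h.protocol)

# Policy information held by the OFC: policy ID -> second auth ID plus policies (constructed values).
POLICY_INFO = {
    "policy-1": {
        "auth_id": "auth-id-1",
        "policies": [
            Policy("10.11.12.1", "HTTP", "forward:port-2", 10),
            Policy(None, None, "drop", 1),   # anything else from this policy: discard
        ],
    },
}

class Switch:
    """OFS: applies the highest-priority matching entry, else hands the packet to the OFC."""
    def __init__(self, controller):
        self.table, self.controller = [], controller
    def add_entry(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)
    def receive(self, pkt: Packet) -> str:
        for e in self.table:
            if e.matches(pkt.header):
                return e.action
        return self.controller.packet_in(self, pkt)   # packet-in for an unmatched packet

class Controller:
    """OFC: authenticates the first packet and installs a flow entry keyed on its source."""
    def __init__(self, policy_info):
        self.policy_info = policy_info
    def authenticate(self, pkt: Packet) -> "str | None":
        """Policy ID if the stored second auth ID for the carried policy ID equals the first auth ID."""
        if pkt.auth is None:
            return None
        policy_id, first_auth_id = pkt.auth
        info = self.policy_info.get(policy_id)
        if info is None:
            return None
        # Constant-time compare so response timing does not reveal how much of the ID matched.
        ok = hmac.compare_digest(info["auth_id"].encode(), str(first_auth_id).encode())
        return policy_id if ok else None
    def packet_in(self, switch: Switch, pkt: Packet) -> str:
        h = pkt.header
        policy_id = self.authenticate(pkt)
        if policy_id is None:
            # Unauthenticated source: a discard entry keyed on the source MAC blocks the host at
            # the ingress switch and stops further packet-ins from it.
            switch.add_entry(FlowEntry({"src_mac": h.src_mac}, "drop", 100))
            return "drop"
        rule = {"src_mac": h.src_mac, "dst_ip": h.dst_ip, "protocol": h.protocol}
        for pol in self.policy_info[policy_id]["policies"]:
            if pol.applies_to(h):
                switch.add_entry(FlowEntry(rule, pol.action, pol.priority))
                return pol.action
        switch.add_entry(FlowEntry(rule, "drop", 100))   # no policy covers this flow
        return "drop"

def run_demo():
    """Constructed scenario; returns the action taken per packet and the final table size."""
    sw = Switch(Controller(POLICY_INFO))
    good = Header("0000.000.0001", "10.11.12.1", "HTTP")
    bad = Header("0000.000.0002", "10.11.12.1", "HTTP")
    actions = [
        sw.receive(Packet(good, ("policy-1", "auth-id-1"))),  # authenticated: forward
        sw.receive(Packet(good)),                             # later packet: table hit, no OFC
        sw.receive(Packet(bad, ("policy-1", "wrong-id"))),    # bad ID: discard entry installed
        sw.receive(Packet(bad)),                              # dropped at the switch
        sw.receive(Packet(Header("0000.000.0001", "10.11.12.1", "FTP"), ("policy-1", "auth-id-1"))),
    ]
    return actions, len(sw.table)   # last packet: valid host, wildcard drop policy
```

Two design points worth noting. The switch never sees the authentication check again after the first packet: once the per-source entry exists, later packets from that host are handled by the flow table alone, which is what keeps the controller out of the data path. The discard entry for an unauthenticated source is keyed on the source MAC only, matching the description; the narrower form the text also allows (adding destination address and port) would let the same unauthenticated host still be admitted to other destinations after a later, successful authentication, so the choice between the two is a policy decision rather than an implementation detail.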
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013509875A JP5660202B2 (ja) | 2011-04-15 | 2012-04-06 | Computer system, controller, and network access policy control method |
EP12770700.8A EP2698952A4 (en) | 2011-04-15 | 2012-04-06 | COMPUTER SYSTEM, CONTROL DEVICE AND NETWORK ACCESS POLICY CONTROL PROCEDURE |
US14/110,917 US9065815B2 (en) | 2011-04-15 | 2012-04-06 | Computer system, controller, and method of controlling network access policy |
CN201280018455.5A CN103621028B (zh) | 2011-04-15 | 2012-04-06 | Computer system, controller and method for controlling network access policy |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011-091105 | 2011-04-15 | ||
JP2011091105 | 2011-04-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012141086A1 true WO2012141086A1 (ja) | 2012-10-18 |
Family
ID=47009261
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2012/059471 WO2012141086A1 (ja) | 2011-04-15 | 2012-04-06 | Computer system, controller, and network access policy control method |
Country Status (5)
Country | Link |
---|---|
US (1) | US9065815B2 (ja) |
EP (1) | EP2698952A4 (ja) |
JP (1) | JP5660202B2 (ja) |
CN (1) | CN103621028B (ja) |
WO (1) | WO2012141086A1 (ja) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014110462A (ja) * | 2012-11-30 | 2014-06-12 | Toshiba Corp | Authentication device and method, and computer program |
US20150009828A1 (en) * | 2012-03-05 | 2015-01-08 | Takahiko Murakami | Network System, Switch and Method of Network Configuration |
WO2015025848A1 (ja) * | 2013-08-21 | 2015-02-26 | NEC Corporation | Communication system, control instruction apparatus, communication control method and program |
CN104937572A (zh) * | 2013-01-28 | 2015-09-23 | Intel Corporation | Traffic and/or workload processing |
JP2015192399A (ja) * | 2014-03-28 | 2015-11-02 | Hitachi, Ltd. | Packet transmission system and network controller |
JP2016528809A (ja) * | 2013-07-18 | 2016-09-15 | Palo Alto Networks Incorporated | Packet classification for network routing |
US20160352731A1 (en) * | 2014-05-13 | 2016-12-01 | Hewlett Packard Enterprise Development Lp | Network access control at controller |
JP2016537898A (ja) * | 2013-11-22 | 2016-12-01 | Huawei Technologies Co., Ltd. | Method and apparatus for detecting malicious attacks |
JP2017520194A (ja) * | 2014-06-30 | 2017-07-20 | Alcatel-Lucent | Security in software defined network |
US9935841B2 (en) | 2013-01-28 | 2018-04-03 | Intel Corporation | Traffic forwarding for processing in network environment |
JP2019201374A (ja) * | 2018-05-18 | 2019-11-21 | Allied Telesis Holdings K.K. | Information processing system |
JP2019205192A (ja) * | 2019-07-24 | 2019-11-28 | Alcatel-Lucent | Security in software defined network |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9571523B2 (en) | 2012-05-22 | 2017-02-14 | Sri International | Security actuator for a dynamically programmable computer network |
US9705918B2 (en) * | 2012-05-22 | 2017-07-11 | Sri International | Security mediation for dynamically programmable network |
US9282118B2 (en) | 2012-11-13 | 2016-03-08 | Intel Corporation | Policy enforcement in computing environment |
US9794288B1 (en) * | 2012-12-19 | 2017-10-17 | EMC IP Holding Company LLC | Managing policy |
US20150063110A1 (en) * | 2013-09-04 | 2015-03-05 | Electronics And Telecommunications Research Institute | Programmable sensor networking apparatus and sensor networking service method using the same |
WO2015041706A1 (en) * | 2013-09-23 | 2015-03-26 | Mcafee, Inc. | Providing a fast path between two entities |
CN106506439A (zh) * | 2015-11-30 | 2017-03-15 | Hangzhou H3C Technologies Co., Ltd. | Method and apparatus for authenticating terminal access to a network |
CN115190105B (zh) * | 2021-04-06 | 2024-03-29 | Vivo Mobile Communication Co., Ltd. | Information processing method, apparatus and communication device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005004549A (ja) | 2003-06-12 | 2005-01-06 | Fuji Electric Holdings Co Ltd | Policy server, policy setting method therefor, access control method, and program |
WO2011030490A1 (ja) * | 2009-09-10 | 2011-03-17 | NEC Corporation | Relay control device, relay control system, relay control method and relay control program |
WO2011037105A1 (ja) * | 2009-09-25 | 2011-03-31 | NEC Corporation | Content-based switch system and content-based switch method |
JP2011091105A (ja) | 2009-10-20 | 2011-05-06 | Shinko Electric Ind Co Ltd | Package for semiconductor laser, semiconductor laser device and manufacturing method |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6141755A (en) * | 1998-04-13 | 2000-10-31 | The United States Of America As Represented By The Director Of The National Security Agency | Firewall security apparatus for high-speed circuit switched networks |
US8238241B2 (en) * | 2003-07-29 | 2012-08-07 | Citrix Systems, Inc. | Automatic detection and window virtualization for flow control |
US7836488B2 (en) * | 2005-08-18 | 2010-11-16 | Hong Kong Applied Science And Technology Research Institute Co. Ltd. | Authentic device admission scheme for a secure communication network, especially a secure IP telephony network |
US8266696B2 (en) * | 2005-11-14 | 2012-09-11 | Cisco Technology, Inc. | Techniques for network protection based on subscriber-aware application proxies |
US20080189769A1 (en) * | 2007-02-01 | 2008-08-07 | Martin Casado | Secure network switching infrastructure |
US8325733B2 (en) * | 2009-09-09 | 2012-12-04 | Exafer Ltd | Method and system for layer 2 manipulator and forwarder |
US8675601B2 (en) * | 2010-05-17 | 2014-03-18 | Cisco Technology, Inc. | Guest access support for wired and wireless clients in distributed wireless controller system |
2012
- 2012-04-06 US US14/110,917 patent/US9065815B2/en not_active Expired - Fee Related
- 2012-04-06 CN CN201280018455.5A patent/CN103621028B/zh not_active Expired - Fee Related
- 2012-04-06 WO PCT/JP2012/059471 patent/WO2012141086A1/ja active Application Filing
- 2012-04-06 JP JP2013509875A patent/JP5660202B2/ja not_active Expired - Fee Related
- 2012-04-06 EP EP12770700.8A patent/EP2698952A4/en not_active Withdrawn
Non-Patent Citations (3)
Title |
---|
"OpenFlow Switch Specification Version 1.0.0", WIRE PROTOCOL 0X01, 31 December 2009 (2009-12-31) |
MARTIN CASADO ET AL.: "Ethane: Taking Control of the Enterprise", ACM SIGCOMM COMPUTER COMMUNICATION REVIEW, vol. 37, no. 4, October 2007 (2007-10-01), pages 1 - 12, XP002531272 * |
See also references of EP2698952A4 |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9548933B2 (en) * | 2012-03-05 | 2017-01-17 | Nec Corporation | Network system, switch, and methods of network configuration |
US20150009828A1 (en) * | 2012-03-05 | 2015-01-08 | Takahiko Murakami | Network System, Switch and Method of Network Configuration |
JP2014110462A (ja) * | 2012-11-30 | 2014-06-12 | Toshiba Corp | Authentication device and method, and computer program |
US9935841B2 (en) | 2013-01-28 | 2018-04-03 | Intel Corporation | Traffic forwarding for processing in network environment |
CN104937572A (zh) * | 2013-01-28 | 2015-09-23 | Intel Corporation | Traffic and/or workload processing |
EP2948856A4 (en) * | 2013-01-28 | 2017-04-26 | Intel Corporation | Traffic and/or workload processing |
JP2016528809A (ja) * | 2013-07-18 | 2016-09-15 | Palo Alto Networks Incorporated | Packet classification for network routing |
US11394688B2 (en) | 2013-07-18 | 2022-07-19 | Palo Alto Networks, Inc. | Packet classification for network routing |
US10757074B2 (en) | 2013-07-18 | 2020-08-25 | Palo Alto Networks, Inc. | Packet classification for network routing |
US11811731B2 (en) | 2013-07-18 | 2023-11-07 | Palo Alto Networks, Inc. | Packet classification for network routing |
JPWO2015025848A1 (ja) * | 2013-08-21 | 2017-03-02 | NEC Corporation | Communication system, control instruction apparatus, communication control method and program |
US10469498B2 (en) | 2013-08-21 | 2019-11-05 | Nec Corporation | Communication system, control instruction apparatus, communication control method and program |
WO2015025848A1 (ja) * | 2013-08-21 | 2015-02-26 | NEC Corporation | Communication system, control instruction apparatus, communication control method and program |
US10313375B2 (en) | 2013-11-22 | 2019-06-04 | Huawei Technologies Co., Ltd | Method and apparatus for malicious attack detection in an SDN network |
JP2016537898A (ja) * | 2013-11-22 | 2016-12-01 | Huawei Technologies Co., Ltd. | Method and apparatus for detecting malicious attacks |
US11637845B2 (en) | 2013-11-22 | 2023-04-25 | Huawei Technologies Co., Ltd. | Method and apparatus for malicious attack detection in a software defined network (SDN) |
JP2015192399A (ja) * | 2014-03-28 | 2015-11-02 | Hitachi, Ltd. | Packet transmission system and network controller |
US20160352731A1 (en) * | 2014-05-13 | 2016-12-01 | Hewlett Packard Enterprise Development Lp | Network access control at controller |
JP2017520194A (ja) * | 2014-06-30 | 2017-07-20 | Alcatel-Lucent | Security in software defined network |
US10666689B2 (en) | 2014-06-30 | 2020-05-26 | Alcatel Lucent | Security in software defined network |
JP2019201374A (ja) * | 2018-05-18 | 2019-11-21 | Allied Telesis Holdings K.K. | Information processing system |
JP7083275B2 (ja) | 2018-05-18 | 2022-06-10 | Allied Telesis Holdings K.K. | Information processing system |
JP2019205192A (ja) * | 2019-07-24 | 2019-11-28 | Alcatel-Lucent | Security in software defined network |
Also Published As
Publication number | Publication date |
---|---|
US20140033275A1 (en) | 2014-01-30 |
JPWO2012141086A1 (ja) | 2014-07-28 |
EP2698952A4 (en) | 2014-12-03 |
JP5660202B2 (ja) | 2015-01-28 |
US9065815B2 (en) | 2015-06-23 |
CN103621028A (zh) | 2014-03-05 |
CN103621028B (zh) | 2016-05-11 |
EP2698952A1 (en) | 2014-02-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5660202B2 (ja) | Computer system, controller, and network access policy control method | |
JP5790827B2 (ja) | Control device, control method, and communication system | |
JP5062967B2 (ja) | Network access control method and system | |
JP5862577B2 (ja) | Communication system, control device, policy management device, communication method and program | |
JP5811179B2 (ja) | Communication system, control device, policy management device, communication method and program | |
US9215237B2 (en) | Communication system, control device, communication method, and program | |
US8713087B2 (en) | Communication system, authentication device, control server, communication method, and program | |
JP5880560B2 (ja) | Communication system, forwarding node, received packet processing method and program | |
US10044830B2 (en) | Information system, control apparatus, method of providing virtual network, and program | |
JP5811171B2 (ja) | Communication system, database, control device, communication method and program | |
JP5143199B2 (ja) | Network relay device | |
WO2013042634A1 (ja) | Communication system, policy management device, communication method and program | |
US20120054359A1 (en) | Network Relay Device and Frame Relaying Control Method | |
US20130275620A1 (en) | Communication system, control apparatus, communication method, and program | |
JP2008066907A (ja) | Packet communication device | |
JP6440191B2 (ja) | Switch device, VLAN setting management method and program | |
WO2014034119A1 (en) | Access control system, access control method, and program | |
JP2017208718A (ja) | Communication device and communication method | |
WO2014119602A1 (ja) | Control device, switch, communication system, switch control method and program | |
JP6213028B2 (ja) | Communication system, communication method, communication program and communication device | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 201280018455.5; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12770700; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 14110917; Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2012770700; Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2013509875; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |