WO2013128514A1 - Communication system, control apparatus, control method and program - Google Patents


Info

Publication number
WO2013128514A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
node
name
destination node
resolution
Prior art date
Application number
PCT/JP2012/006955
Other languages
English (en)
Inventor
Junichi Yamato
Kazuya Suzuki
Original Assignee
Nec Corporation
Application filed by
Nec Corporation
Publication
WO2013128514A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Definitions

  • The present invention is based upon and claims the benefit of the priority of Japanese Patent Application No. 2012-046792 (filed on March 2, 2012), the disclosure of which is incorporated herein in its entirety by reference thereto.
  • The present invention relates to a communication system, a control apparatus, a communication method and a program, and specifically to a flow-based communication system, a control apparatus, a control method and a program that control a communication route in the communication system.
  • ARP: Address Resolution Protocol
  • NDP: Neighbor Discovery Protocol
  • Name resolution: an IP address is acquired from a host name
  • DNS: Domain Name System
  • WINS: Windows (registered trademark) Internet Name Service
  • An available service is determined in accordance with a source server or a destination server.
  • A port used for connecting to such a DNS server, a WINS server, a Web server, an NFS (Network File System) server, a CIFS (Common Internet File System) server, an LDAP (Lightweight Directory Access Protocol) server and a RADIUS (Remote Authentication Dial In User Service) server is determined respectively.
  • In Non-Patent Literatures 1 and 2, a technique called OpenFlow is described as a flow-based communication technique.
  • In OpenFlow, when a packet reaches an OFS (Open Flow Switch), which corresponds to a packet forwarding apparatus, an OFC (Open Flow Controller), which corresponds to a control apparatus, interprets the contents of the packet and sets a flow in the OFS so that communication between nodes is realized.
  • A computer communicates by acquiring an IP address from a host name and acquiring a MAC address from the IP address.
  • Fig.23 is a block diagram showing a configuration of a communication system using OpenFlow.
  • The communication system comprises an OFC 101, OFSs 102a to 102n, and servers 103a-1 to 103a-k, ..., 103n-1 to 103n-m.
  • Fig.24 is a sequence diagram showing an operation of communication using OpenFlow after performing IP address resolution in the communication system shown in Fig.23.
  • Fig.24 shows as an example an operation of sending a message from the server 103a-1 as a source node to the server 103n-m as a destination node.
  • The server 103a-1 sends an ARP request to the OFS 102a connected to the server 103a-1 by specifying an IP address of the server 103n-m (step E1).
  • Upon receiving the ARP request, the OFS 102a forwards the ARP request to the OFC 101 (step E2).
  • The OFC 101 receives the ARP request, identifies it as an ARP request, and forwards the information included in the packet, or the packet itself, to an ARP processing unit (not shown in Fig.23) (step E3).
  • Upon receiving the information, the ARP processing unit searches a MAC address corresponding to the specified IP address. Next, the ARP processing unit generates an ARP reply corresponding to the ARP request (step E4).
  • The OFC 101 transmits the ARP reply through the OFS 102a to the server 103a-1, which has sent the ARP request (steps E5 and E6).
  • The server 103a-1 specifies an IP address and a MAC address of the server 103n-m to send a message (step E7).
  • The OFS 102a forwards the received message to the OFC 101 (step E8).
  • The OFC 101 analyzes the received message to compute a communication route starting from the OFS 102a and ending at the OFS 102n connected to the node with the destination IP address of the message (step E9).
  • The OFC 101 computes a flow entry to be set in each of the OFSs 102a to 102n, and sets the corresponding flow entry in the flow table of each of the OFSs 102a to 102n (steps E10 and E11).
  • The OFC 101 sends the message to the server 103n-m (step E12).
  • The disclosures of the above Non-Patent Literatures are incorporated herein by reference thereto.
  • The following analyses are given by the present invention.
  • It is an object of the present invention to provide a communication system, a control apparatus, a control method and a program that cope with such a need.
  • A control apparatus comprising: resolution means (section) that performs an address resolution or a name resolution of a destination node, based on source information identifying a source node and an address or a name of the destination node; a policy database that holds, in association with each other, an identifier of a node and connection permission information indicative of whether connection to the node is permitted or not; and route setting means (section) that searches whether or not there is the connection permission information for the source node and the destination node in the policy database, based on the source information and on either one of the address and the name of the destination node used for performing the address resolution or the name resolution, or one of an address and a name of the destination node identified by the address resolution or the name resolution, and sets a communication route adapted to the policy database between the source node and the destination node.
  • A communication system comprising: a packet forwarding apparatus provided between a source node and a destination node; and a control apparatus that sets in the packet forwarding apparatus a flow entry specifying a processing method of a packet.
  • The control apparatus includes: resolution means (section) that performs an address resolution or a name resolution of a destination node, based on source information identifying a source node and an address or a name of the destination node; a policy database that holds, in association with each other, an identifier of a node and connection permission information indicative of whether connection to the node is permitted or not; and route setting means (section) that searches whether or not there is the connection permission information for the source node and the destination node in the policy database, based on the source information and on either one of the address and the name of the destination node used for performing the address resolution or the name resolution, or one of an address and a name of the destination node identified by the address resolution or the name resolution, and sets a communication route adapted to the policy database between the source node and the destination node.
  • A control method comprising: performing an address resolution or a name resolution of a destination node, based on source information identifying a source node and an address or a name of the destination node; holding as a policy database, in association with each other, an identifier of a node and connection permission information indicative of whether connection to the node is permitted or not; and searching whether or not there is the connection permission information for the source node and the destination node in the policy database, based on the source information and on either one of the address and the name of the destination node used for performing the address resolution or the name resolution, or one of an address and a name of the destination node identified by the address resolution or the name resolution, and setting a communication route adapted to the policy database between the source node and the destination node.
  • A program that causes a computer to execute: performing an address resolution or a name resolution of a destination node, based on source information identifying a source node and an address or a name of the destination node; holding as a policy database, in association with each other, an identifier of a node and connection permission information indicative of whether connection to the node is permitted or not; and searching whether or not there is the connection permission information for the source node and the destination node in the policy database, based on the source information and on either one of the address and the name of the destination node used for performing the address resolution or the name resolution, or one of an address and a name of the destination node identified by the address resolution or the name resolution, and setting a communication route adapted to the policy database between the source node and the destination node.
  • The program may also be offered as a program product recorded on a non-transitory computer-readable storage medium.
  • According to the communication system, the control apparatus, the control method, and the program of the present disclosure, it is possible to permit only a packet related to a service provided by a source node or a destination node to pass in a flow-based communication system.
  • Fig.1 is a block diagram showing as an example a schematic structure of a communication system concerning the present disclosure.
  • Fig.2 is a block diagram showing as an example a structure of a communication system concerning a first exemplary embodiment.
  • Fig.3 is a block diagram showing as an example details of the structure of the communication system concerning the first exemplary embodiment.
  • Fig.4 is a diagram showing as an example an entry of a table held by an ARP processing unit in an OFC.
  • Fig.5 is a diagram showing as an example an entry of a policy database.
  • Fig.6 is a diagram showing as an example a structure of a flow entry of OpenFlow.
  • Fig.7 is a sequence diagram showing as an example an operation of the communication system concerning the first exemplary embodiment.
  • Fig.8 is a diagram showing part of the information in an ARP request.
  • Fig.9 is a diagram showing as an example an entry of topology information in a route setting unit.
  • Fig.10 is a diagram showing part of the information in an ARP reply.
  • Fig.11 is a flow diagram showing as an example an operation of an OFC in the communication system concerning the first exemplary embodiment.
  • Fig.12 is a sequence diagram showing as an example an operation of a communication system concerning a second exemplary embodiment.
  • Fig.13 is a flow diagram showing as an example an operation of an OFC in the communication system concerning the second exemplary embodiment.
  • Fig.14 is a block diagram showing as an example a structure of a communication system concerning a third exemplary embodiment.
  • Fig.15 is a block diagram showing as an example details of the structure of the communication system concerning the third exemplary embodiment.
  • Fig.16 is a diagram showing an entry of a table in a name processing unit of a name server.
  • Fig.17 is a sequence diagram showing as an example an operation of the communication system concerning the third exemplary embodiment.
  • Fig.18 is a diagram showing part of the information in a name resolution request.
  • Fig.19 is a diagram showing part of the information in a name resolution response.
  • Fig.20 is a flow diagram showing as an example an operation of a name server in the communication system concerning the third exemplary embodiment.
  • Fig.21 is a sequence diagram showing as an example an operation of a communication system concerning a fourth exemplary embodiment.
  • Fig.22 is a flow diagram showing as an example an operation of a name server in the communication system concerning the fourth exemplary embodiment.
  • Fig.23 is a block diagram showing a structure of a communication system of a related art.
  • Fig.24 is a sequence diagram showing ARP processing in the communication system of a related art.
  • Fig.1 is a block diagram showing a schematic structure of a communication system according to the present disclosure as an example.
  • The communication system comprises resolution means (section) (51), a policy database (53), and route setting means (section) (52).
  • The resolution means (51) performs an address resolution or a name resolution of a destination node (72), based on source information identifying a source node (71) and an address or a name of the destination node (72).
  • The policy database (53) holds, in association with each other, an identifier of a node and connection permission information indicative of whether connection to the node is permitted or not.
  • The route setting means (52) searches whether or not there is the connection permission information for the source node (71) and the destination node (72) in the policy database (53), based on the source information and on either one of the address and the name of the destination node (72) used for performing the address resolution or the name resolution, or one of an address or a name of the destination node (72) identified by the address resolution or the name resolution, and sets a communication route adapted to the policy database (53) between the source node (71) and the destination node (72).
  • The route setting means (52) may set a flow entry for forwarding or discarding a packet according to the policy database (53) in a packet forwarding apparatus (61, 62) arranged between the source node (71) and the destination node (72).
  • The route setting means (52) may set a flow entry for forwarding a packet in a packet forwarding apparatus (61, 62) arranged between the source node (71) and the destination node (72), if connection to the source node (71) and the destination node (72) is permitted in the policy database (53).
  • Whether connection to a node is permitted or not in the policy database (53) is determined according to a service provided by the node.
  • The resolution means (51) may identify a second layer address (for example, a MAC address) of the destination node (72), based on a first layer address (for example, an IP address) or a second layer address (for example, a MAC address) of the source node (71) and a first layer address (for example, an IP address) of the destination node (72).
  • The policy database (53) holds, in association with each other, a first layer address (for example, an IP address) or a second layer address (for example, a MAC address) of a node and the connection permission information indicative of whether connection to the node is permitted or not.
  • The resolution means (51) may identify an address (for example, an IP address) of the destination node (72), based on an address of the source node (71) and a name (for example, a host name) of the destination node (72).
  • The policy database (53) holds, in association with each other, an address or a name of a node and connection permission information indicative of whether connection to the node is permitted or not.
  • The resolution means is, for example, the name processing unit 40 in Fig.15.
  • The control apparatus is, for example, the OFC 1 in Fig.15.
  • The communication system concerning the present disclosure comprises the resolution means (51) that acquires a lower layer address (for example, a MAC address) from a higher layer address (for example, an IP address).
  • The control apparatus (50) of flow-based communication sets a communication route between the source node (71) and the destination node (72) that permits only a specific flow to pass, based on information indicative of the source or the destination and on an instruction by the resolution means (51).
  • The control apparatus (50) of flow-based communication comprises the resolution means (51) and the route setting means (52).
  • The resolution means (51) acquires a lower layer address from a higher layer address, and notifies the route setting means (52) of the node that requested the address resolution or the name resolution and of the searched node.
  • The route setting means (52) computes a communication route between the notified nodes, generates a rule that allows only a packet to a port used by a service provided by the source node (71) or the destination node (72) to pass, and sets in each packet forwarding apparatus (61, 62) a flow entry that forms the communication route.
  • According to the communication system of the present disclosure, it is possible to permit only a packet related to a service provided by a source node or a destination node to pass. This is because the flow entry is set with a rule based on information indicative of the source node or the destination node, where the rule allows only a packet to a port corresponding to a service provided by the source node or the destination node to pass.
  • A control apparatus may be the control apparatus according to the first aspect.
  • The route setting means (section) may set a flow entry for forwarding or discarding a packet according to the policy database in a packet forwarding apparatus arranged between the source node and the destination node.
  • The route setting means (section) may set a flow entry for forwarding a packet in a packet forwarding apparatus arranged between the source node and the destination node, if connection to the source node and the destination node is permitted in the policy database.
  • The resolution means may identify a second layer address of the destination node, based on a first layer address or a second layer address of the source node and a first layer address of the destination node, and the policy database may hold, in association with each other, a first layer address or a second layer address of a node and connection permission information indicative of whether connection to the node is permitted or not.
  • The first layer address may be an IP (Internet Protocol) address.
  • The second layer address may be a MAC (Media Access Control) address.
  • The resolution means may identify an address of the destination node based on an address of the source node and a name of the destination node, and the policy database may hold, in association with each other, an address or a name of a node and connection permission information indicative of whether connection to the node is permitted or not.
  • The address may be an IP address.
  • A communication system may be the communication system according to the second aspect.
  • A control method may be the control method according to the third aspect.
  • The searching and setting may comprise setting a flow entry for forwarding or discarding a packet according to the policy database in a packet forwarding apparatus arranged between the source node and the destination node.
  • The searching and setting may comprise setting a flow entry for forwarding a packet in a packet forwarding apparatus arranged between the source node and the destination node, if connection to the source node and the destination node is permitted in the policy database.
  • A program may be the program according to the fourth aspect. The program may be stored on a computer-readable storage medium, which may be non-transitory.
  • The searching and setting may comprise setting a flow entry for forwarding or discarding a packet according to the policy database in a packet forwarding apparatus arranged between the source node and the destination node.
  • The searching and setting may comprise setting a flow entry for forwarding a packet in a packet forwarding apparatus arranged between the source node and the destination node, if connection to the source node and the destination node is permitted in the policy database.
  • Fig.2 is a block diagram showing as an example a structure of the communication system of the present exemplary embodiment.
  • The communication system comprises an OFC (Open Flow Controller) 1, OFSs (Open Flow Switches) 2a to 2n, and servers 3a-1 to 3a-k, ..., 3n-1 to 3n-m.
  • The OFC 1 is a computer that controls the OFSs 2a to 2n and is connected to the OFSs 2a to 2n through a communication route called a secure channel.
  • The OFC 1 is a single computer as an example in the present exemplary embodiment. Note that two or more OFCs may be used as a single OFC based on clustering. In this case, fault tolerance and load tolerance improve.
  • The OFSs 2a to 2n are switches that operate on a flow basis and that are controlled by the OFC 1 to process a packet under the OpenFlow protocol.
  • In Fig.2, two OFSs are illustrated as an example. Note that the number of OFSs may be one, or two or more.
  • The OFSs 2a to 2n may be connected to each other with various types of topology.
  • The OFSs 2a to 2n may be connected with a plurality of routes. According to this connection, fault tolerance improves.
  • The servers 3a-1 to 3a-k, ..., 3n-1 to 3n-m are computers that communicate with other servers through the OFSs 2a to 2n and perform distributed processing.
  • Each of the servers 3a-1 to 3a-k, ..., 3n-1 to 3n-m is connected to a single OFS, as an example.
  • The servers 3a-1 to 3a-k, ..., 3n-1 to 3n-m may be connected to a plurality of OFSs. According to this structure, fault tolerance improves.
  • Fig.3 is a block diagram showing as an example details of the OFC 1 and the OFSs 2a to 2n according to the present exemplary embodiment.
  • The OFC 1 comprises a packet receiving unit 10 that receives a packet from the OFSs, an ARP processing unit 11 that performs ARP processing, a route setting unit 12 that computes a communication route between two points and sets a flow entry in the flow table of each OFS, and a policy database 13 that stores characteristics of each node.
  • The ARP processing unit 11 includes an ARP table that stores the correspondence between an IP address and a MAC address.
  • Fig.4 is a diagram showing as an example an entry of the table in the ARP processing unit 11.
  • The ARP processing unit 11 has the table including the correspondence between a MAC address and an IP address as shown in Fig.4, and searches a MAC address from an IP address using the table.
  • The correspondence between an IP address and a MAC address may be registered in the ARP table in advance.
  • The ARP processing unit 11 may record an IP address and a MAC address of a source in the ARP table based on an ARP request.
  • Fig.5 is a diagram showing as an example an entry of the policy database 13.
  • The policy database 13 is a table including an entry as shown in Fig.5.
  • The entry includes an IP address or a MAC address, a protocol such as TCP/UDP, a port number, and a field indicative of whether connection is permitted or not. Note that ANY, indicating an arbitrary value, may be set as the IP address, the protocol or the port number.
  • When a source or a destination of connection matches an entry of the policy database 13 and connection is not permitted in the field indicating connection permission, the route setting unit 12 does not generate a communication route.
  • The OFSs 2a to 2n each comprise a flow table 21 that stores flow entries, and a packet processing unit 20 that receives and processes a packet according to the flow table.
  • The flow table 21 records a plurality of flow entries.
  • Fig.6 is a diagram showing a structure of the flow entry of OpenFlow.
  • The flow entry includes a rule (matching rule) matched with a packet, actions performed when matched, and statistical information (counters).
  • Fig.7 is a sequence diagram showing as an example an operation of the communication system according to the present exemplary embodiment. Referring to Fig.7, an operation is explained in which the server 3a-1 as a source node communicates with the server 3n-m as a destination node.
  • The server 3a-1 specifies an IP address of the destination of communication (server 3n-m) and sends an ARP request to the OFS 2a connected to the server 3a-1 (step A1).
  • Upon receiving the ARP request, the OFS 2a forwards the ARP request to the OFC 1 (step A2).
  • The packet receiving unit 10 judges it as an ARP request, and the OFC 1 forwards the information in the packet, or the packet itself, to the ARP processing unit 11 (step A3).
  • Fig.8 illustrates part of a structure of an ARP request.
  • The ARP request includes an IP address to be searched and source information.
  • The source information includes a source IP address and a source MAC address.
  • Upon receiving the information from the packet receiving unit 10, the ARP processing unit 11 searches a MAC address corresponding to the specified IP address, and sends a route setting request to the route setting unit 12 (step A4).
  • The route setting unit 12 checks whether there is a corresponding policy in the policy database 13, based on the source information (MAC address, IP address) in the ARP request and the destination information (MAC address, IP address) searched by the ARP processing unit 11, and computes a communication route when connection is permitted (step A5).
  • The route setting unit 12 computes a communication route that starts from the OFS 2a, which received the ARP request, and ends at the OFS 2n, to which the node with the IP address in the ARP request is connected.
  • The route setting unit 12 may use, for example, Dijkstra's algorithm, which computes a shortest path between two points, in order to compute the communication route. Note that the route setting unit 12 may use an algorithm other than Dijkstra's algorithm.
  • The route setting unit 12 stores topology information indicating the connections between the OFSs 2a to 2n and the servers 3a-1 to 3a-k, ..., 3n-1 to 3n-m.
  • Fig.9 is a diagram showing as an example an entry of the topology information in the route setting unit 12.
  • The topology information is a table or a list of a switch, a port of the switch, and information on the node connected to the port.
  • The topology information includes an OFS identifier, a port number, and connection node information (an IP address, a MAC address, and a node identifier).
  • The route setting unit 12 computes a flow entry to be set in each OFS based on the computed communication route.
  • The flow entry computed by the route setting unit 12 permits a packet with a port number described in the policy database 13 to pass.
  • The route setting unit 12 sets the corresponding flow entry in the flow table 21 of each of the OFSs 2a to 2n (steps A6 and A7).
  • The route setting unit 12 sends a routing response to the ARP processing unit 11 (step A8).
  • The ARP processing unit 11 generates an ARP reply corresponding to the ARP request, and orders the OFS 2a, which forwarded the ARP request, to forward the ARP reply to the server 3a-1, which sent the ARP request (steps A9 and A10).
  • The OFC 1 may set a flow entry for forwarding the ARP reply in the OFS 2a.
  • Fig.10 shows part of a structure of an ARP reply.
  • The ARP reply includes source information and destination information.
  • The source information includes a source IP address and a source MAC address.
  • The destination information includes the IP address to be searched and the searched MAC address.
  • Fig.11 is a flow diagram showing an operation of the OFC 1 as an example. The operation of the OFC 1 is explained with reference to Fig.11.
  • Upon receiving information from the packet receiving unit 10, the ARP processing unit 11 searches a MAC address corresponding to the specified IP address (step S200).
  • The route setting unit 12 searches whether there is a corresponding policy in the policy database 13, based on the source information (MAC address, IP address) in the ARP request and the destination information (MAC address, IP address) searched by the ARP processing unit 11.
  • The route setting unit 12 determines whether to set a route or not according to whether connection is permitted or not in the policy database 13 (step S202). When connection is permitted in the policy database 13, the route setting unit 12 sets a route (Yes in step S202). On the other hand, when connection is not permitted in the policy database 13, the route setting unit 12 does not set a route (No in step S202) and moves to step S206.
  • The route setting unit 12 computes a communication route between the searched servers (step S203), and generates a flow entry to be set in each switch (step S204).
  • The route setting unit 12 sets the generated flow entry in each switch (step S205).
  • The route setting unit 12 notifies the ARP processing unit 11 of the completion of routing.
  • An inquiry to the OFC 1 becomes unnecessary at the time of the first communication between the servers, and the delay before starting the communication decreases.
  • A plurality of flow entries may be set simultaneously, in a case where flows with a plurality of port numbers regarding a source and a destination are set in the policy database 13.
  • The OFS 2a, which received the ARP request, and its port may be used to compute the communication route.
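The OFC-side processing of the first exemplary embodiment (Figs. 4 to 11), as an added Python model that is not part of the patent: an ARP table, a policy database with the ANY wildcard, Dijkstra route computation over topology information, and the per-switch flow entries that admit only the protocol and port named in the policy, with no route set when a matching policy entry denies connection. All addresses, table rows, the topology and the rule field names are constructed assumptions.

```python
"""Model of the OFC 1 handling an ARP request (Figs. 4 to 11, first embodiment). Added
example, not the patent's code: addresses, table rows, topology and rule fields are constructed."""
import heapq
from dataclasses import dataclass

ANY = "ANY"  # wildcard value allowed in the policy database (Fig. 5)

# Fig. 4: ARP table of the ARP processing unit 11 (constructed entries).
ARP_TABLE = {
    "192.0.2.11": "02:00:00:00:00:11",  # server 3a-1, attached to OFS 2a
    "192.0.2.22": "02:00:00:00:00:22",  # server 3n-m, attached to OFS 2n
    "192.0.2.33": "02:00:00:00:00:33",  # server 3n-1, attached to OFS 2n
}

@dataclass(frozen=True)
class PolicyEntry:  # one row of the policy database 13 (Fig. 5)
    address: str     # IP or MAC address of the node, or ANY
    protocol: str    # "TCP", "UDP" or ANY
    port: object     # destination port number or ANY
    permitted: bool  # connection permission field

# Fig. 5: constructed policy database 13. Only TCP/80 of server 3n-m is
# reachable; no connection to server 3n-1 is permitted at all.
POLICY_DB = [
    PolicyEntry("192.0.2.22", "TCP", 80, True),
    PolicyEntry("192.0.2.33", ANY, ANY, False),
]

# Fig. 9: constructed topology of the route setting unit 12. Switch links are
# (ofs, port, ofs, port, cost); the direct 2a-2n link costs more than going via 2b.
LINKS = [("2a", 1, "2b", 1, 1), ("2b", 2, "2n", 1, 1), ("2a", 2, "2n", 2, 5)]
# Node attachments: IP address -> (OFS identifier, port number).
ATTACH = {"192.0.2.11": ("2a", 10), "192.0.2.22": ("2n", 10), "192.0.2.33": ("2n", 11)}

@dataclass
class FlowEntry:  # flow entry of Fig. 6: matching rule, actions, counters
    ofs: str
    rule: dict
    actions: list
    counters: int = 0

def shortest_path(src_ofs, dst_ofs):
    """Dijkstra over LINKS: transit hops [(ofs, out_port), ...] from src_ofs
    towards dst_ofs ([] if they are the same switch), None if unreachable."""
    adj = {}
    for a, pa, b, pb, cost in LINKS:
        adj.setdefault(a, []).append((b, pa, cost))
        adj.setdefault(b, []).append((a, pb, cost))
    dist, prev, heap = {src_ofs: 0}, {}, [(0, src_ofs)]
    while heap:
        d, u = heapq.heappop(heap)
        for v, port, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = (u, port)  # reached v by leaving u on this port
                heapq.heappush(heap, (d + cost, v))
    if dst_ofs not in dist:
        return None
    hops, node = [], dst_ofs
    while node != src_ofs:
        node, port = prev[node]
        hops.append((node, port))
    return hops[::-1]

def set_route(src_ip, src_mac, dst_ip, dst_mac):
    """Steps S201 to S205 of Fig. 11: the flow entries to install, or [] when
    the policy database does not permit the connection."""
    # Step S201: entries whose address matches the source or the destination.
    hits = [e for e in POLICY_DB if e.address in (ANY, src_ip, src_mac, dst_ip, dst_mac)]
    # Step S202: a matching entry that denies connection stops route setting. A pair
    # with no matching entry gets no route either (assumption; the text only covers
    # the case where the database permits the connection).
    if not hits or any(not e.permitted for e in hits):
        return []
    src_ofs, _ = ATTACH[src_ip]
    dst_ofs, dst_port = ATTACH[dst_ip]
    hops = shortest_path(src_ofs, dst_ofs)  # step S203
    if hops is None:
        return []
    switches = [ofs for ofs, _ in hops] + [dst_ofs]
    out_ports = [port for _, port in hops] + [dst_port]
    entries = []
    for e in hits:  # one flow per permitted service port (several may be set at once)
        for ofs, out_port in zip(switches, out_ports):  # step S204
            rule = {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
                    "dst_ip": dst_ip, "protocol": e.protocol, "dst_port": e.port}
            entries.append(FlowEntry(ofs, rule, [f"output:{out_port}"]))
    return entries  # step S205 would write these into each flow table 21

def handle_arp_request(src_ip, src_mac, target_ip):
    """Fig. 11 end to end: resolve the MAC (step S200), set the route, build the
    ARP reply of Fig. 10. Returns (arp_reply, flow_entries); reply is None if unknown."""
    dst_mac = ARP_TABLE.get(target_ip)
    if dst_mac is None:
        return None, []
    entries = set_route(src_ip, src_mac, target_ip, dst_mac)
    reply = {"src_ip": src_ip, "src_mac": src_mac, "target_ip": target_ip, "target_mac": dst_mac}
    return reply, entries
```

With these tables, a request from server 3a-1 for 192.0.2.22 yields three flow entries (OFS 2a, 2b and 2n) matching only TCP port 80, while a request for 192.0.2.33 yields an ARP reply but no flow entries, so the switches have nothing to forward.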
  • A communication system according to a second exemplary embodiment is explained with reference to the drawings.
  • The communication system of the present exemplary embodiment is a modification of the communication system of the first exemplary embodiment.
  • Fig.12 is a sequence diagram showing as an example an operation of the communication system of the present exemplary embodiment.
  • In the first exemplary embodiment, the OFC 1 sends an ARP reply (steps A9 and A10) after setting a flow entry (steps A6 and A7).
  • In the present exemplary embodiment, the OFC 1 sets a flow entry in each OFS (steps A6 and A7) after sending an ARP reply (steps A9 and A10).
  • Fig.13 is a flow diagram showing the flow of processing in the OFC 1 in the communication system according to the present exemplary embodiment. An operation of the OFC 1 is explained with reference to Fig.13.
  • Upon receiving information from the packet receiving unit 10, the ARP processing unit 11 searches a MAC address corresponding to the specified IP address (step S110).
  • The ARP processing unit 11 notifies the server 3a-1, the source node, of the searched MAC address (step S111).
  • The ARP processing unit 11 specifies the source and the information corresponding to the specified address, and directs the OFC 1 to compute a communication route (step S112).
  • The route setting unit 12 determines whether to set a route or not according to the specified information and the policy database 13 (step S113).
  • The route setting unit 12 computes a communication route, and sets a flow entry in each switch (step S114).
  • The route setting unit 12 terminates the process.
  • The route setting unit 12 waits for the completion of route setting (step S115).
  • The time required for the ARP processing can be shortened, and it is possible to reduce the delay before communication between the server 3a-1 and the server 3n-m is initiated.
  • Fig.14 is a block diagram showing as an example a structure of a communication system of the present exemplary embodiment.
  • The communication system of the present exemplary embodiment comprises an OFC (Open Flow Controller) 1, OFSs (Open Flow Switches) 2a-2n, servers 3a-1 to 3n-m, and a name server 4.
  • The OFC 1, the OFSs 2a-2n, and the servers 3a-1 to 3n-m have structures similar to those in the communication system of the first exemplary embodiment.
  • The name server 4 is a DNS (Domain Name System) server, a WINS (Windows Internet Name Service) server or the like; it searches for an IP address or MAC address from a host name and returns the searched IP address or MAC address.
  • Fig.15 is a block diagram showing as an example a detailed structure of the OFC 1, the OFSs 2a to 2n, and the name server 4 in the communication system of the present exemplary embodiment.
  • The OFC 1 comprises a route setting unit 12 that computes a communication route between two points and sets a flow entry in the flow table of each OFS, and a policy database 13.
  • The name server 4 comprises a name processing unit 40 that searches for, for example, an IP address from a host name and returns the searched IP address to the server 3, and a route setting request unit 41 that requests the OFC 1 to set a route between two points in cooperation with the name processing unit 40.
  • The name processing unit 40 includes a table that stores the correspondence between an IP address or a MAC address and a host name.
  • A table similar to one in a DNS server, a WINS server or the like may be used as this table.
  • Fig.16 is a diagram showing as an example an entry of the table in the name processing unit 40. Referring to Fig.16, the table holds a host name and an IP address in association with each other.
  • The name processing unit 40 searches for an IP address from a host name with reference to the table shown in Fig.16.
  • Fig.17 is a sequence diagram showing as an example an operation of the communication system of the present exemplary embodiment. Referring to Fig.17, a process is explained in which the server 3a-1 as a source node communicates with the server 3n-m as a destination node.
  • The server 3a-1 specifies a host name and sends a name resolution request to the OFS 2a connected to the server 3a-1 (step B1).
  • Fig.18 shows part of the information included in the name resolution request.
  • The name resolution request includes the host name to be searched and source information.
  • The source information includes a source IP address and a source MAC address.
  • Upon receiving the name resolution request, the OFS 2a forwards it to the OFC 1 (step B2).
  • Upon receiving the name resolution request, the OFC 1 forwards it to the name server 4 (step B3).
  • The name server 4 searches for an IP address from the specified name.
  • The name server 4 specifies the IP address of the server that requested the name resolution and the searched IP address, and directs the OFC 1 to generate a communication route (step B4).
  • The OFC 1 checks, with reference to the policy database 13 and based on the specified IP addresses, whether setting of a route is permitted and whether the rule needs to be refined, and the route setting unit 12 computes a communication route when a route is to be set (step B5).
  • The OFC 1 computes a flow entry to be set in each OFS based on the computed communication route, and sets the corresponding flow entry in the flow table 21 of each OFS 2 (steps B6 and B7).
  • The OFC 1 sends a route setting response to the name server 4 (step B8).
  • The name server 4 generates a name resolution response and sends it through the OFS 2a to the server 3a-1, which sent the name resolution request (steps B9 to B11).
  • Fig.19 shows part of the information included in a name resolution response.
  • The name resolution response includes source information and host information.
  • The source information includes a source IP address and a source MAC address.
  • The host information includes the host name to be searched and the searched IP address obtained through name resolution.
  • Upon receiving the name resolution response, the server 3a-1 sends an ARP request to the ARP processing unit in order to acquire the MAC address corresponding to the IP address of the server 3n-m obtained through name resolution (steps B12 to B14).
  • In the present exemplary embodiment, the ARP processing unit is provided on the name server 4.
  • The ARP processing unit may instead be provided on the OFC 1, as in the first exemplary embodiment.
  • The ARP processing unit searches for the MAC address of the server 3n-m, inserts the searched MAC address in the ARP reply, and sends the ARP reply to the server 3a-1 (steps B15 to B17).
  • Packets are then sent from the server 3a-1 to the server 3n-m without any inquiry to the OFC 1 (steps B18 to B20).
  • Fig.20 is a flow diagram showing as an example a flow of processing of the name server 4 and the OFC 1.
  • Upon receiving a name resolution request, the name server 4 searches for an IP address from the specified name (step S300).
  • The name server 4 determines whether a route is to be set (step S301). If no route is to be set (No of step S301), the process moves to step S304. If a route is to be set (Yes of step S301), the name server 4 searches for an IP address from the specified name, specifies the IP address of the server that requested the name resolution and the searched IP address, and orders the OFC 1 to generate a communication route (step S302).
  • The OFC 1 checks, with reference to the policy database 13 and based on the specified IP addresses, whether setting of a route is permitted. If a route is to be set, the route setting unit 12 computes a communication route. The OFC 1 then computes a flow entry to be set in each OFS based on the computed communication route, and sets the corresponding flow entry in the flow table 21 of each OFS 2. Furthermore, the OFC 1 waits for completion of the route setting (step S303).
  • The name server 4 generates a name resolution response and sends it to the source server 3a-1, which sent the name resolution request (step S304).
  • A communication route for packets with contents adapted to the source or destination is generated upon name resolution, so intervention of the OFC 1 at the actual first communication can be omitted, which shortens the time required before a communication starts.
  • In the present exemplary embodiment, a name resolution request is forwarded directly from the OFC 1 to the name server 4.
  • The name resolution request may instead be forwarded by generating a communication route to the name server 4, in the same manner as usual server processing. Note that the time required for generating a route can be shortened by forwarding directly from the OFC 1 to the name server 4.
  • A communication system according to a fourth exemplary embodiment is explained with reference to the drawings.
  • The present exemplary embodiment is a modification of the communication system according to the third exemplary embodiment.
  • Fig.21 is a sequence diagram showing as an example an operation of the communication system of the present exemplary embodiment.
  • In the third exemplary embodiment, the OFC 1 sends a name resolution reply (step B10) after setting a flow entry (steps B6 and B7).
  • In the communication system of the present exemplary embodiment, the OFC 1 sets a flow entry in each OFS (steps B6 and B7) after the name resolution reply has been sent (step B10). Note that, since the operation in each step of the communication system of the present exemplary embodiment is similar to that of the communication system of the third exemplary embodiment, its explanation is omitted.
  • Fig.22 is a flow diagram showing as an example an operation of the name server 4 and the OFC 1 in the communication system of the present exemplary embodiment.
  • Upon receiving a name resolution request, the name server 4 searches for an IP address from the specified name (step S310).
  • The name server 4 generates a name resolution reply containing the searched IP address and sends it to the server 3a-1, which sent the name resolution request (step S311).
  • The name server 4 determines whether a route is to be set (step S312). If no route is to be set (No of step S312), the process is terminated. If a route is to be set (Yes of step S312), the name server 4 searches for an IP address from the specified name, specifies the IP address of the server that requested the name resolution and the searched IP address, and directs the OFC 1 to produce a communication route (step S313).
  • The OFC 1 checks, with reference to the policy database 13 and based on the specified IP addresses, whether setting of a route is permitted. If a route is to be set, the route setting unit 12 computes a communication route. The OFC 1 then computes a flow entry to be set in each OFS based on the computed communication route, and sets the corresponding flow entry in the flow table 21 of each OFS 2. Furthermore, the OFC 1 waits for completion of the route setting (step S314).
  • The communication systems according to the above exemplary embodiments are applicable, for example, to a network computer system using a network.
  • Non-Patent Literatures are incorporated herein by reference thereto. Modifications and adjustments of the exemplary embodiments are possible within the scope of the overall disclosure (including the claims) of the present invention and based on the basic technical concept of the present invention. Various combinations and selections of the various disclosed elements (including each element of each claim, each element of each exemplary embodiment, each element of each drawing, etc.) are possible within the scope of the claims of the present invention. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure, including the claims and the technical concept. In particular, any numerical range disclosed herein should be interpreted such that any intermediate values or subranges falling within the disclosed range are also concretely disclosed even without specific recital thereof.
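The name-resolution-driven route setup of the third exemplary embodiment (Fig.20, steps S300 to S304) and the per-port flow entries mentioned for the first embodiment can be modelled in a few dozen lines. The following is an added illustration, not code from the patent or from NEC: the topology, host names, addresses and port lists are constructed, and the policy database is reduced to a mapping from a (source IP, destination IP) pair to the permitted TCP ports.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed topology: the switch each server hangs off, and switch-to-switch links.
HOST_SWITCH = {"10.0.0.1": "ofs-a", "10.0.0.9": "ofs-n"}
LINKS = {"ofs-a": ["ofs-b"], "ofs-b": ["ofs-a", "ofs-n"], "ofs-n": ["ofs-b"]}
NAME_TABLE = {"srv-n-m.example": "10.0.0.9"}  # constructed Fig.16-style table

@dataclass
class PolicyDB:  # policy database 13: (src IP, dst IP) -> permitted TCP ports
    rules: dict

    def permitted_ports(self, src, dst):
        return self.rules.get((src, dst), set())  # absent pair = not permitted

@dataclass
class Controller:  # toy OFC 1: route setting unit 12 plus per-switch flow tables 21
    policy: PolicyDB
    flow_tables: dict = field(default_factory=dict)

    def compute_route(self, src, dst):
        # Shortest switch path by breadth-first search (step B5 / S203).
        start, goal = HOST_SWITCH[src], HOST_SWITCH[dst]
        prev, queue = {start: None}, deque([start])
        while queue and (cur := queue.popleft()) != goal:
            for nxt in LINKS[cur]:
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        path, node = [], goal if goal in prev else None
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]  # [] when the destination switch is unreachable

    def set_route(self, src, dst):
        # Returns the number of flow entries installed; 0 means policy denied the pair.
        ports = self.policy.permitted_ports(src, dst)
        if not ports:
            return 0  # connection not permitted: no route is set (No of step S202)
        count = 0
        for sw in self.compute_route(src, dst):
            for port in sorted(ports):  # one entry per permitted port, as in the text
                self.flow_tables.setdefault(sw, []).append(
                    {"src": src, "dst": dst, "tcp_dst": port})
                count += 1
        return count  # steps B6/B7: entries are in place before the reply goes out

@dataclass
class NameServer:  # toy name server 4 with route setting request unit 41
    ofc: Controller

    def resolve(self, src_ip, hostname):
        dst_ip = NAME_TABLE.get(hostname)  # step S300
        if dst_ip is None:
            return None
        self.ofc.set_route(src_ip, dst_ip)  # steps S302/S303, route before the reply
        return {"src": src_ip, "host": hostname, "addr": dst_ip}  # Fig.19 response
```

A pair that the policy database does not list still receives a name resolution response (step S304 is reached via No of step S301), but no flow entry is installed on any switch, so the first packet cannot traverse the network without a further controller decision.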


Abstract

The present invention relates to a control apparatus that comprises a policy database holding, in association with each other, an identifier of a node and connection permission information indicating whether connection to the node is permitted or not. The control apparatus searches the policy database for the connection permission information of the source node and the destination node, on the basis of the source information and the address or name of the destination node used to perform address resolution or name resolution, or of the address or name of the destination node identified by the address resolution or name resolution, and determines a communication path between the source node and the destination node that conforms to the policy database. Only a packet that relates to a service offered by the source node or the destination node can pass through a communication system.
PCT/JP2012/006955 2012-03-02 2012-10-30 Communication system, control apparatus, control method, and program WO2013128514A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2012046792 2012-03-02
JP2012-046792 2012-03-02

Publications (1)

Publication Number Publication Date
WO2013128514A1 true WO2013128514A1 (fr) 2013-09-06

Family

ID=49081779

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2012/006955 WO2013128514A1 (fr) 2012-03-02 2012-10-30 Communication system, control apparatus, control method, and program

Country Status (1)

Country Link
WO (1) WO2013128514A1 (fr)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010136096A (ja) * 2008-12-04 2010-06-17 Nec Corp Network management device, network management method, and program
WO2011043416A1 (fr) * 2009-10-07 2011-04-14 NEC Corporation Information system, control server, virtual network management method, and program
US20110286332A1 (en) * 2009-11-27 2011-11-24 Nec Corporation Flow control apparatus, network system, network control method, and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SHINYA HIGUCHI: "Let's implement your own OpenFlow controller by using NOX! (Packet-Out)", SOFTWARE DESIGN, no. 252, 18 October 2011 (2011-10-18), pages 114 - 119 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017089913A1 (fr) * 2015-11-23 2017-06-01 Telefonaktiebolaget Lm Ericsson (Publ) Method, device and storage medium for internet of things (IoT) device access in a software-defined networking (SDN) system
US10050840B2 (en) 2015-11-23 2018-08-14 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for an internet of things (IOT) device access in a software-defined networking (SDN) system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12869661

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: JP

122 Ep: pct application non-entry in european phase

Ref document number: 12869661

Country of ref document: EP

Kind code of ref document: A1