WO2013164988A1 - Communication system, access control device, switch, network control method, and program - Google Patents
Communication system, access control device, switch, network control method, and program
- Publication number
- WO2013164988A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- control information
- packet
- control device
- control
- forwarding node
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W72/00—Local resource management
- H04W72/50—Allocation or scheduling criteria for wireless resources
- H04W72/52—Allocation or scheduling criteria for wireless resources based on load

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/02—Arrangements for optimising operational condition

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W40/00—Communication routing or communication path finding
- H04W40/02—Communication route or path selection, e.g. power-based or shortest path routing
- H04W40/12—Communication route or path selection, e.g. power-based or shortest path routing based on transmission quality or channel quality

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W72/00—Local resource management
- H04W72/02—Selection of wireless resources by user or terminal

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W72/00—Local resource management

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W72/00—Local resource management
- H04W72/04—Wireless resource allocation
Definitions
- the present invention relates to a communication system, an access control device, a switch, a network control method, and a program, and more particularly, to a communication system, an access control device, a switch, a network control method, and a program having a controller that centrally controls the switch.
- OpenFlow employs a centralized control network architecture in which a control device called an OpenFlow controller controls the behavior of a switch called an OpenFlow switch. More specifically, the OpenFlow controller can perform fine-grained path control by setting, in the OpenFlow switch, flow entries that define matching conditions (input port and Layer 2 to Layer 4 header fields) together with the processing to apply to matching packets.
- In addition, in a network system, a network management system (NMS) and a policy server are used to centrally manage security and service quality.
- Patent Document 1 discloses a management method in a network that is centrally managed by a network manager.
- Paragraphs 0031 to 0032 of the document describe that the switches in the network operate in the same manner as the above-described OpenFlow switch. Further, the end of the paragraph describes that a packet matching a large number of flow header entries is assigned to the highest priority flow entry, that is, a rule such as a longest match can be used.
- In a centrally controlled communication system such as OpenFlow (see Non-Patent Documents 1 and 2), when a large amount of packet communication and fine-grained access control are performed, the number of inquiries to the control device that centrally controls the devices (the OpenFlow controller) increases, and so does its load.
- The forwarding node controlled by the control device (corresponding to the OpenFlow switch of Non-Patent Documents 1 and 2 and the network element of Patent Document 1) is also limited in the number of flow entries it can hold and in the processing performance of its CPU (Central Processing Unit).
- If no flow entry matches a received packet, the forwarding node must communicate with the control device, so when a large number of packets are received or fine-grained access control is performed, the original performance may not be achieved.
- An object of the present invention is to provide a communication system, an access control device, a forwarding node, a network control method, and a program capable of suppressing an increase in load on the control device and the switch and exhibiting their original performance even when a large amount of packet communication and fine-grained access control are performed.
- In one aspect, there is provided a communication system including: a control device that sets control information in a forwarding node; a forwarding node that forwards packets using first control information set by the control device and second control information, also set by the control device, that forwards from a predetermined port any packet not matching the match condition of the first control information; and an access control device including a determination unit that determines whether control information needs to be generated for a packet forwarded from the predetermined port of the forwarding node and requests the control device to generate control information.
- In another aspect, there is provided an access control device arranged in a communication system including the control device and the forwarding node described above, the access control device including a determination unit that determines whether control information needs to be generated for a packet forwarded from the predetermined port of the forwarding node and requests the control device to generate control information.
- In another aspect, there is provided a forwarding node connected to a control device that sets control information in the forwarding node, in which first control information set by the control device and second control information, also set by the control device, that forwards from a predetermined port any packet not matching the match condition of the first control information are set, and which, when it receives a packet matching the match condition of the second control information, adds a predetermined header and then forwards the packet.
- In another aspect, there is provided a network control method including: a step of determining whether control information needs to be generated for a packet forwarded by the second control information from a forwarding node that forwards packets using first control information set by a control device and second control information that forwards from a predetermined port any packet not matching the match condition of the first control information; and a step of requesting the control device to generate control information based on the result of the determination. This method is tied to a specific machine, namely a computer that receives a packet from a forwarding node and determines whether control information is to be generated.
- In another aspect, there is provided a program that causes a computer arranged in a communication system including the control device and the forwarding node described above to execute a process of determining whether control information needs to be generated for a packet forwarded from the predetermined port of the forwarding node, and a process of requesting the control device to generate control information based on the result of the determination.
- This program can be recorded on a computer-readable (non-transient) storage medium. That is, the present invention can be embodied as a computer program product.
- According to the present invention, even when a large amount of packet communication or fine-grained access control is performed, an increase in the load on the control device or the switch can be suppressed and their original performance can be exhibited.
- FIG. 8 is a diagram in which a packet transfer path is added to FIG. Further figures show the configuration of the communication system of the second embodiment of the present invention, an example of the flow entry (second control information) set in the switch of the second embodiment, the configuration of the communication system of the third embodiment, the configuration of the switch of the third embodiment, and the configuration of the communication system of the fourth embodiment.
- The present invention can be realized by a configuration including a control device 30 that sets control information in forwarding nodes 10, one or more forwarding nodes 10 that forward packets using the control information set by the control device 30, and an access control device 20.
- The control device 30 sets in the forwarding node 10 first control information for forwarding packets between predetermined external nodes (for example, between the client and the server in FIG. 1) and second control information for forwarding, from a predetermined port, packets that do not match the match condition of the first control information. The forwarding node 10 then forwards received packets using the first and second control information.
- The access control device 20 includes a determination unit 22 that determines whether control information needs to be generated for a packet received from the predetermined port of the forwarding node 10 (a packet forwarded by the second control information) and requests the control device 30 to generate it.
- A packet for which no generation of control information is requested is discarded by the determination unit 22.
- a packet that has not been transferred by the first control information for transferring a packet between predetermined external nodes is transmitted to the access control apparatus 20. (See thick arrow line in FIG. 1). Then, in the access control device 20, a packet that is not the target of the control information generation request is discarded via the determination unit 22. As a result, only necessary control information is generated by the control device 30 and set in the forwarding node 10.
- FIG. 2 is a diagram illustrating the configuration of the communication system according to the first embodiment of this invention.
- Referring to FIG. 2, a plurality of switches 11 arranged in the network, a controller 60 that controls these switches 11, and clients 41 and 42 and a server 50 connected to the network in which the switches 11 are arranged are shown.
- the switch 11 processes the packet according to the flow entry set by the controller 60.
- FIG. 3 is a diagram showing the configuration of the switch according to the first embodiment of the present invention.
- The switch 11 according to the present embodiment includes a control message processing unit 111, a packet processing unit 112, and a flow table 113. The ports P1 to Px in FIG. 3 are connected to other switches and to the server 50, and the port PP is connected to the control target packet extraction unit 61 of the controller 60.
- the flow table 113 is a table for storing flow entries set from the controller 60.
- the flow entry is configured by an entry in which a matching condition (Match Fields) to be compared with a received packet is associated with processing contents (Instructions).
- When the packet processing unit 112 receives a packet, it searches the flow table 113 for a flow entry whose matching condition matches the received packet. If such a flow entry is found, the packet processing unit 112 executes the processing content (Instructions) set in that flow entry.
- The control message processing unit 111 exchanges control messages with the controller 60; for example, the controller 60 adds, changes, or deletes flow entries in the flow table 113 through this unit.
- FIG. 4 is a diagram showing a flow entry (second control information) set in the switch 11 in the initial state.
- In this flow entry, a wildcard (ANY) is set in each field, such as the source IP address (Src IP), the destination IP address (Dst IP), and the TCP/UDP (Transmission Control Protocol/User Datagram Protocol) destination port (dst port), and the processing content (Instructions) is to forward the packet to the control target packet extraction unit 61 of the controller 60. Therefore, when only the flow entry of FIG. 4 is set, all received packets are forwarded to the control target packet extraction unit 61 of the controller 60.
- The flow entry also has a statistical information (Counters) field so that statistics can be recorded for each flow entry.
- This statistical information can also be provided to the controller 60 via the control message processing unit 111 and used, for example, to identify abnormal traffic.
- The flow entry shown in FIG. 4 may be set in the switch 11 in advance, or may be set by the controller 60 when the switch 11 connects to the network.
- The switch 11 can be based on the OpenFlow switch of Non-Patent Documents 1 and 2. Further, the packet processing unit 112 and the flow table 113 described above can be implemented in hardware using an ASIC (Application Specific Integrated Circuit), so that flow entry search and the other processing are performed at high speed.
- the clients 41 and 42 and the server 50 are described as communicating with each other, but other communication devices may be included. Further, for example, a device used as the client 41 or 42 may have a function equivalent to the switch 11 described above, and the same operation as the switch 11 may be performed on a packet output from the built-in application.
- the controller 60 includes a control target packet extraction unit 61, a determination unit 62, a flow entry generation unit 63, and a switch control unit 64.
- The control target packet extraction unit 61 receives from the switch 11, in a manner similar to promiscuous mode on a network card, all packets forwarded on the basis of the initially set flow entry (second control information). It then refers to the header information of each received packet, extracts the packets to be controlled, and outputs them to the determination unit 62.
- The selection criterion for control target packets is determined according to the expected traffic and the capability of the controller 60. For example, only packets whose VLAN ID is within a predetermined range may be forwarded to the determination unit 62, or packets may be forwarded to the determination unit 62 except for those having characteristics that suggest abnormal traffic or unauthorized access.
- the determining unit 62 determines whether it is necessary to generate a flow entry corresponding to the packet transferred from the control target packet extracting unit 61 based on a predetermined access policy or the like. As a result of the determination, when it is determined that the flow entry needs to be generated, the determination unit 62 transmits the received packet or the information extracted from the received packet to the flow entry generating unit 63 and requests generation of the flow entry. On the other hand, as a result of the determination, when it is determined that the generation of the flow entry is unnecessary, the determination unit 62 discards the received packet.
- FIG. 5 is an example of an access policy that the determination unit 62 refers to in order to determine whether or not a flow entry needs to be generated.
- Since the access authority is “allow” for a packet whose source IP address is 192.168.100.1 and whose destination IP address is 192.168.0.1, it is determined that a flow entry needs to be generated for it.
- Since the access authority is “deny” for a packet whose source IP address is 192.168.100.2 and whose destination IP address is 192.168.0.1, it is determined that no flow entry is to be generated for it.
- In FIG. 5 the determination uses only IP addresses, but layer 2 and layer 4 header information and protocol information may also be used.
- When the flow entry generation unit 63 receives a flow entry generation request from the determination unit 62, it refers to the network topology formed by the switches 11, calculates a route for forwarding the received packet from its source to its destination, and generates flow entries that forward the packet along that route. For example, when it receives a generation request for a packet addressed to the server 50 from the client 42 in FIG. 1, the flow entry generation unit 63 creates a flow entry that causes the switch 11 to forward packets addressed to the server 50 from the client 42 to the next hop.
- the switch control unit 64 performs an operation of setting the flow entry generated by the flow entry generation unit 63 in the corresponding switch 11.
- The switch control unit 64 may also hold a flow entry database for managing the flow entries set in each switch 11 and use it when deciding whether the flow entry generated by the flow entry generation unit 63 needs to be set.
- the controller 60 as described above can be realized by adding functions corresponding to the control target packet extraction unit 61 and the determination unit 62 based on the OpenFlow controllers of Non-Patent Documents 1 and 2.
- Each unit (processing means) of the access control device, controller, and switch shown in FIGS. 1 to 3 can also be realized by a computer program that causes the computer mounted on each device to execute the processes described above using its hardware.
- FIG. 6 is a sequence diagram showing the operation of the first exemplary embodiment of the present invention.
- a series of operations will be described assuming that the client 42 transmits a packet addressed to the server 50.
- When the client 42 transmits a packet addressed to the server 50 (step S01), the switch 11 refers to the flow table 113 and processes the packet according to the flow entry that matches it (step S02). Here, the flow entry (second control information) shown in FIG. 4 is hit, so the switch 11 forwards the packet to the control target packet extraction unit 61 of the controller 60 according to the content of that flow entry.
- the control target packet extraction unit 61 of the controller 60 determines whether the packet is a control target packet (step S03).
- the packet addressed to the server 50 from the client 42 is determined to be a control target packet. Therefore, a packet addressed to the server 50 from the client 42 is transmitted to the determination unit 62 (Yes in step S03).
- If the packet is not a control target packet, it is discarded (step S04).
- the determination unit 62 of the controller 60 determines whether to generate a flow entry (step S05).
- the packet addressed to the server 50 from the client 42 is determined to require flow entry generation according to the access policy of FIG. Accordingly, the determination unit 62 of the controller 60 requests the flow entry generation unit 63 to generate a flow entry (Yes in step S05). If it is determined in step S05 that flow entry generation is not required (No in step S05), the packet is discarded (step S06).
- The flow entry generation unit 63 of the controller 60 calculates the packet transfer route, generates the flow entries to be set in the switches on the route including the switch 11, and sends them to the switch control unit 64 (step S07).
- The switch control unit 64 of the controller 60 sets the generated flow entries in the switches on the transfer path (step S08). It also instructs the switch 11 either to transmit the packet received this time to the next hop or to re-search the flow table, so that the packet received in step S01 is forwarded to the next hop.
- FIG. 7 is an example of the flow entry (first control information) set in step S08.
- In FIG. 7, a flow entry that forwards the packet from the client 42 addressed to the server 50 (destination address ending in 0.1 in the figure) to the next hop is set. The switch 11 searches the flow table 113 from the top entry downward and adopts the first flow entry whose matching condition matches the received packet.
- In this embodiment a flow entry positioned higher in the table is therefore treated as having higher priority.
- Alternatively, a priority field may be provided in each flow entry, and the flow entry with the highest priority among those whose matching conditions match the received packet may be selected by comparing the priorities in turn.
- When the client 42 transmits a subsequent packet (step S11), the switch 11 forwards it based on the flow entry (first control information) set in step S08. From then on, high-speed forwarding is performed without passing through the access control device 20 or the controller 60. For response packets from the server 50 to the client 42, a flow entry permitting the communication is set by the same procedure as above.
- A packet that does not match the first control information is forwarded by the switch 11 to the access control device 20 in the same manner as in the flow above. The access control device 20 then discards it either in the control target packet extraction unit 61 (determined not to be a control target) or in the determination unit 62 (determined not to require flow entry generation).
- In that case no flow entry generation request is issued to the flow entry generation unit 63 of the controller 60, so no load is placed on the flow entry generation unit 63.
- FIG. 8 is a diagram showing the packet transfer path realized by the above flow entry setting procedure. According to the flow entry of FIG. 7 (first control information; the flow entry for packet transfer from the server 50 to the client 42 is omitted), packets between the client 42 and the server 50 are forwarded along the route indicated by thick arrows in FIG. 8. On the other hand, the packet from the client 41 is forwarded to the controller 60 according to the flow entry (second control information) shown in the lower part of FIG. 4 and FIG., and is discarded there.
- As described above, the control target packet extraction unit 61 and the determination unit 62 screen the packets, so that the load on the controller 60 can be suppressed.
- In the above description the controller 60 includes the control target packet extraction unit 61 and the determination unit 62, but a configuration in which these units are arranged in a separate information processing apparatus (access control apparatus), as in FIG., can also be employed. In that case the load can also be distributed by increasing the number of information processing apparatuses (access control apparatuses).
- FIG. 9 is a diagram showing a configuration of a communication system according to the second exemplary embodiment of the present invention.
- The difference from the embodiment shown in FIGS. 1 and 2 is that a plurality of access control devices 20A to 20C, each including a control target packet extraction unit 61 and a determination unit 62 and each receiving packets from the switch 11, are arranged.
- the individual operations of the access control apparatuses 20A to 20C are the same as the operations of the control target packet extraction unit 61 and the determination unit 62 of the controller 60 according to the first embodiment, and a description thereof will be omitted.
- FIG. 10 is an example of a flow entry (second control information) set in the switch 11 of this embodiment.
- The difference from the flow entry (second control information) shown in FIG. 4 is that a plurality of flow entries (second control information) that switch the destination access control device according to the characteristics of the received packet are set.
- A packet from the client 42 (a packet for which first control information is not set) that hits a flow entry (second control information) instructing forwarding to an access control device is forwarded to the access control device 20A.
- A packet from another client (a packet for which first control information is not set) that hits a flow entry (second control information) instructing forwarding to an access control device is forwarded to the access control device 20B.
- In this way, the processing of the large number of packets (packets for which first control information is not set) forwarded from the switch 11 is shared among the plurality of access control devices 20A to 20C.
- In the second embodiment the switch 11 and the access control devices 20A to 20C are each connected by a single link, but the switch 11 and the access control device 20A may instead be connected by link aggregation, in which a plurality of links are combined. For example, a flow expected to carry a large number of packets may be handled by a high-performance access control device connected by link aggregation.
- The third embodiment enables a packet (a packet for which first control information is not set) to be forwarded to the access control device even when the switch 11 and the access control device are connected via another network.
- FIG. 11 is a diagram showing a configuration of a communication system according to the third exemplary embodiment of the present invention.
- In the third embodiment, a packet addressed to the server 50 (a packet for which first control information is not set) is forwarded to the access control device over another network, and the switch is changed accordingly.
- FIG. 12 is a diagram showing a configuration of the switch 11A according to the third embodiment of the present invention. The difference from the switch 11 of the first embodiment shown in FIG. 3 is that a header addition processing unit 114 that adds an additional header to a packet transmitted to the access control device 20D is added.
- The header addition processing unit 114 adds, to the packet passed from the packet processing unit 112, a header including the data path ID (DPID, the identifier of the switch 11A) and the address information of the access control device 20D, and then outputs the packet from the port PP.
- As a result, the packet (a packet for which first control information is not set) can be forwarded to the access control device across the intervening network.
- Since the additional header includes the data path ID (DPID, the identifier of the switch 11A), the access control device 20D can identify the switch from which the packet (a packet for which first control information is not set) was sent.
- In the embodiments above, the control target packet extraction unit is built into the access control apparatus 20 or the controller.
- It can also be constituted by a forwarding node (second forwarding node) 12 such as the OpenFlow switch of Non-Patent Documents 1 and 2 (fourth embodiment). In that case the control device or the controller sets control information (flow entries) for extracting control target packets in the second forwarding node 12, which thereby functions as the control target packet extraction unit.
- In the above description, the determination unit 62 determines whether a flow entry needs to be generated based on the access policy.
- A packet analysis function may also be added to the determination unit 62. For example, when, as a result of analyzing the packets forwarded from the control target packet extraction unit 61, packets having the same source IP address are forwarded a predetermined number of times (N times) or more within a predetermined period, the determination unit 62 determines that they are illegitimate packets such as a DDoS (Distributed Denial of Service) attack. The determination unit 62 then sends the received packet, or information extracted from it, to the flow entry generation unit 63 and requests generation of a flow entry that discards packets having that source IP address. In this way, the packets forwarded by the control target packet extraction unit 61 can be thinned out.
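As an added example (not code from the patent or its applicant), the following Python model walks the first embodiment's sequence (the FIG. 4 wildcard entry, the FIG. 5 access policy, and flow entry generation in steps S02 to S08) together with the packet-analysis extension just described; the port names, the constructed flood source 10.0.0.9, and the threshold of three packets within one second are assumptions.

```python
# Added example, not code from the patent: a toy model of the first
# embodiment's switch lookup and determination step, extended with the
# packet-analysis rule (N packets from one source IP within a period ->
# request a discarding flow entry). Ports, addresses, N and the period
# are constructed for illustration.
from collections import defaultdict, deque

PORT_PP = "PP"        # port to the control target packet extraction unit
NEXT_HOP_PORT = "P2"  # assumed port toward the server 50

class FlowEntry:
    def __init__(self, match, instruction, priority=0):
        self.match = match              # Match Fields; "ANY" is the wildcard
        self.instruction = instruction  # ("output", port) or ("drop",)
        self.priority = priority
        self.counters = 0               # Counters field: hits on this entry

    def hit(self, pkt):
        return all(v == "ANY" or pkt.get(k) == v for k, v in self.match.items())

class Switch:
    """Switch 11: the flow table is searched from the highest priority down."""

    def __init__(self):
        self.flow_table = []
        # Initial entry as in FIG. 4: wildcard every field, output to port PP.
        self.add_entry(FlowEntry({"src_ip": "ANY", "dst_ip": "ANY",
                                  "dst_port": "ANY"}, ("output", PORT_PP), 0))

    def add_entry(self, entry):
        self.flow_table.append(entry)
        self.flow_table.sort(key=lambda e: e.priority, reverse=True)  # stable

    def process(self, pkt):
        for entry in self.flow_table:
            if entry.hit(pkt):
                entry.counters += 1
                return entry.instruction
        return ("drop",)  # table miss; unreachable while the default entry exists

class Controller:
    """Flow entry generation unit 63 and switch control unit 64, reduced to a
    single switch so that no route calculation is needed."""

    def __init__(self, switch):
        self.switch = switch
        self.generated = []

    def generate(self, match, instruction):
        entry = FlowEntry(match, instruction, priority=10)  # above the default
        self.switch.add_entry(entry)                        # step S08
        self.generated.append(entry)
        return entry

class AccessControlDevice:
    """Determination unit 62: FIG. 5 style policy plus same-source counting."""

    def __init__(self, controller, policy, threshold, period):
        self.controller = controller
        self.policy = policy        # (src_ip, dst_ip) -> "allow" | "deny"
        self.threshold = threshold  # N arrivals ...
        self.period = period        # ... within this many seconds
        self.seen = defaultdict(deque)

    def determine(self, pkt, now):
        src, dst = pkt["src_ip"], pkt["dst_ip"]
        arrivals = self.seen[src]
        arrivals.append(now)
        while now - arrivals[0] > self.period:
            arrivals.popleft()      # forget arrivals outside the period
        if len(arrivals) >= self.threshold:
            # Suspected flood: request an entry that discards this source.
            self.controller.generate({"src_ip": src}, ("drop",))
            arrivals.clear()
            return "drop-entry"
        if self.policy.get((src, dst), "deny") == "allow":
            # Flow entry needed (Yes in step S05): forward to the next hop.
            self.controller.generate({"src_ip": src, "dst_ip": dst},
                                     ("output", NEXT_HOP_PORT))
            return "forward-entry"
        return "discarded"          # No in step S05, packet dropped (S06)

def deliver(switch, acd, pkt, now=0.0):
    """One packet through the switch; output on PP goes to the ACD (S02-S08)."""
    instruction = switch.process(pkt)
    if instruction != ("output", PORT_PP):
        return instruction                 # matched first control information
    if acd.determine(pkt, now) == "forward-entry":
        return switch.process(pkt)         # re-search the table after step S08
    return ("drop",)

def build_system():
    switch = Switch()
    controller = Controller(switch)
    policy = {("192.168.100.1", "192.168.0.1"): "allow",  # FIG. 5: allow
              ("192.168.100.2", "192.168.0.1"): "deny"}   # FIG. 5: deny
    return switch, controller, AccessControlDevice(controller, policy, 3, 1.0)
```

After the first allowed packet installs its entry, later packets of that flow never reach the access control function, while a source that exceeds the threshold gets a discarding entry ranked above the wildcard default.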
Description
The present invention is based on the priority claim of Japanese Patent Application No. 2012-104664 (filed May 1, 2012), the entire contents of which are incorporated herein by reference.
Next, a first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 2 is a diagram showing the configuration of the communication system of the first embodiment of the present invention. Referring to FIG. 2, a plurality of switches 11 arranged in a network, a controller 60 that controls these switches 11, and clients 41 and 42 and a server 50 connected to the network in which the switches 11 are arranged are shown.
Next, a second embodiment in which a plurality of information processing devices (access control devices) are arranged to distribute the load will be described.
Next, a third embodiment will be described in which packets (packets for which first control information is not set) can be forwarded to the access control device even when the switch 11 and the access control device are connected via another network.
- 11, 11A: switch
- 12: second forwarding node
- 20, 20A to 20E: access control device
- 21, 61, 121: control target packet extraction unit
- 22, 62: determination unit
- 30: control device
- 41, 42: client
- 50: server
- 60: controller
- 63: flow entry generation unit
- 64: switch control unit
- 111: control message processing unit
- 112: packet processing unit
- 113: flow table
- 114: header addition processing unit
- P1 to Px, PP: port
Claims (11)
- A communication system comprising: a control device that sets control information in a forwarding node; a forwarding node that forwards packets using first control information set by the control device and second control information that forwards, from a predetermined port, packets not matching the match condition of the first control information set by the control device; and an access control device comprising a determination unit that determines whether control information needs to be generated for a packet forwarded from the predetermined port of the forwarding node and requests the control device to generate control information.
- The communication system according to claim 1, wherein the access control device further comprises a control target packet extraction unit that extracts, from the packets forwarded from the predetermined port of the forwarding node, control target packets to be sent to the determination unit.
- The communication system according to claim 1 or 2, wherein the forwarding node further comprises a header addition processing unit that adds a header for forwarding to the access control device to packets forwarded from the predetermined port.
- The communication system according to any one of claims 1 to 3, wherein a plurality of the access control devices are arranged, and a plurality of pieces of control information for distributing packets among the plurality of access control devices are set as the second control information.
- The communication system according to any one of claims 1 to 4, wherein the determination unit determines whether control information needs to be generated based on a predetermined access policy.
- The communication system according to any one of claims 1 to 6, wherein, when a packet forwarded from the predetermined port of the forwarding node has a predetermined characteristic, the determination unit requests the control device to generate control information that causes the forwarding node to discard packets having that characteristic.
- The communication system according to any one of claims 2 to 6, wherein the control target packet extraction unit is constituted by a second forwarding node controlled by the control device.
- An access control device arranged in a communication system comprising a control device that sets control information in a forwarding node and a forwarding node that forwards packets using first control information set by the control device and second control information that forwards, from a predetermined port, packets not matching the match condition of the first control information set by the control device, the access control device comprising a determination unit that determines whether control information needs to be generated for a packet forwarded from the predetermined port of the forwarding node and requests the control device to generate control information.
- A forwarding node connected to a control device that sets control information in the forwarding node, in which first control information set by the control device and second control information that forwards, from a predetermined port, packets not matching the match condition of the first control information set by the control device are set, and which, when receiving a packet matching the match condition of the second control information, adds a predetermined header and then forwards the packet.
- A network control method comprising: a step of determining whether control information needs to be generated for a packet forwarded by second control information from a forwarding node that forwards packets using first control information set by a control device and the second control information, which forwards from a predetermined port packets not matching the match condition of the first control information set by the control device; and a step of requesting the control device to generate control information based on the result of the determination.
- A program that causes a computer, arranged in a communication system comprising a control device that sets control information in a forwarding node and a forwarding node that forwards packets using first control information set by the control device and second control information that forwards, from a predetermined port, packets not matching the match condition of the first control information set by the control device, to execute: a process of determining whether control information needs to be generated for a packet forwarded from the predetermined port of the forwarding node; and a process of requesting the control device to generate control information based on the result of the determination.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/397,524 US20150124595A1 (en) | 2012-05-01 | 2013-04-26 | Communication system, access control apparatus, switch, network control method, and program |
CN201380023070.2A CN104272676A (zh) | 2012-05-01 | 2013-04-26 | Communication system, access control apparatus, switch, network control method, and program |
JP2014513372A JP6248929B2 (ja) | 2012-05-01 | 2013-04-26 | Communication system, access control apparatus, switch, network control method, and program |
US15/131,464 US10244537B2 (en) | 2012-05-01 | 2016-04-18 | Communication system, access control apparatus, switch, network control method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012-104664 | 2012-05-01 | ||
JP2012104664 | 2012-05-01 |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/397,524 A-371-Of-International US20150124595A1 (en) | 2012-05-01 | 2013-04-26 | Communication system, access control apparatus, switch, network control method, and program |
US15/131,464 Continuation US10244537B2 (en) | 2012-05-01 | 2016-04-18 | Communication system, access control apparatus, switch, network control method, and program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013164988A1 true WO2013164988A1 (ja) | 2013-11-07 |
Family
ID=49514387
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/062462 WO2013164988A1 (ja) | 2012-05-01 | 2013-04-26 | Communication system, access control apparatus, switch, network control method, and program |
Country Status (4)
Country | Link |
---|---|
US (2) | US20150124595A1 (ja) |
JP (1) | JP6248929B2 (ja) |
CN (1) | CN104272676A (ja) |
WO (1) | WO2013164988A1 (ja) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016005138A (ja) * | 2014-06-17 | 2016-01-12 | 株式会社エヌ・ティ・ティ・データ | Communication control device, attack defense system, attack defense method, and program |
JP2016036095A (ja) * | 2014-08-04 | 2016-03-17 | 富士通株式会社 | Controller and attacker detection method thereof |
JP2016537898A (ja) * | 2013-11-22 | 2016-12-01 | 華為技術有限公司Huawei Technologies Co.,Ltd. | Malicious attack detection method and apparatus |
JP2020072427A (ja) * | 2018-11-01 | 2020-05-07 | 日本電気株式会社 | Control device, control method, system, and program for preventing the spread of a threat infection in a network |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6291834B2 (ja) * | 2013-12-20 | 2018-03-14 | 株式会社リコー | Communication device, communication method, and communication system |
WO2015157935A1 (zh) * | 2014-04-16 | 2015-10-22 | 华为技术有限公司 | Flow table entry management method and device |
US20160294871A1 (en) * | 2015-03-31 | 2016-10-06 | Arbor Networks, Inc. | System and method for mitigating against denial of service attacks |
US10142287B2 (en) | 2015-04-06 | 2018-11-27 | Nicira, Inc. | Distributed network security controller cluster for performing security operations |
CN106713182B (zh) * | 2015-08-10 | 2020-10-09 | 华为技术有限公司 | Method and apparatus for processing a flow table |
CN105306390B (zh) * | 2015-09-30 | 2019-10-25 | 上海斐讯数据通信技术有限公司 | Data packet forwarding control method and system |
CN108965215B (zh) * | 2017-05-26 | 2019-12-24 | 中国科学院沈阳自动化研究所 | Dynamic security method and system with multi-fusion linked response |
JP6993580B2 (ja) * | 2018-08-03 | 2022-01-13 | 日本電信電話株式会社 | Control system and control method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011030490A1 (ja) * | 2009-09-10 | 2011-03-17 | 日本電気株式会社 | Relay control device, relay control system, relay control method, and relay control program |
WO2012049960A1 (ja) * | 2010-10-15 | 2012-04-19 | 日本電気株式会社 | Switch system and centralized monitoring management method |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007104160A (ja) * | 2005-10-03 | 2007-04-19 | Sony Corp | Communication system, communication device and method, and program |
US20080189769A1 (en) * | 2007-02-01 | 2008-08-07 | Martin Casado | Secure network switching infrastructure |
CA2700866C (en) | 2007-09-26 | 2016-06-21 | Martin Casado | Network operating system for managing and securing networks |
RU2494638C2 (ru) * | 2008-01-02 | 2013-10-10 | Нестек С.А. | Edible compositions |
CN102577271B (zh) | 2009-10-07 | 2016-04-13 | 日本电气株式会社 | Information system, control server, virtual network management method, and program |
JPWO2011081104A1 (ja) * | 2010-01-04 | 2013-05-09 | 日本電気株式会社 | Communication system, authentication device, control server, communication method, and program |
US8893300B2 (en) * | 2010-09-20 | 2014-11-18 | Georgia Tech Research Corporation | Security systems and methods to reduce data leaks in enterprise networks |
KR101634745B1 (ko) * | 2011-12-30 | 2016-06-30 | 삼성전자 주식회사 | Electronic device, user input device capable of controlling the same, and control method thereof |
- 2013
  - 2013-04-26 JP JP2014513372A patent/JP6248929B2/ja active Active
  - 2013-04-26 US US14/397,524 patent/US20150124595A1/en not_active Abandoned
  - 2013-04-26 CN CN201380023070.2A patent/CN104272676A/zh active Pending
  - 2013-04-26 WO PCT/JP2013/062462 patent/WO2013164988A1/ja active Application Filing
- 2016
  - 2016-04-18 US US15/131,464 patent/US10244537B2/en active Active
Non-Patent Citations (2)
Title |
---|
TAKESHI MIYASAKA: "Concept and Implementation of an ATCA-based Open Architecture Router", IEICE TECHNICAL REPORT, vol. 104, no. 659, 11 February 2005 (2005-02-11), pages 23 - 28 * |
YASUHIRO YAMAZAKI: "Campus VLAN system based on OpenFlow", IEICE TECHNICAL REPORT, vol. 111, no. 132, 7 July 2011 (2011-07-07), pages 43 - 48 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016537898A (ja) * | 2013-11-22 | 2016-12-01 | 華為技術有限公司Huawei Technologies Co.,Ltd. | Malicious attack detection method and apparatus |
US10313375B2 (en) | 2013-11-22 | 2019-06-04 | Huawei Technologies Co., Ltd | Method and apparatus for malicious attack detection in an SDN network |
US11637845B2 (en) | 2013-11-22 | 2023-04-25 | Huawei Technologies Co., Ltd. | Method and apparatus for malicious attack detection in a software defined network (SDN) |
JP2016005138A (ja) * | 2014-06-17 | 2016-01-12 | 株式会社エヌ・ティ・ティ・データ | Communication control device, attack defense system, attack defense method, and program |
JP2016036095A (ja) * | 2014-08-04 | 2016-03-17 | 富士通株式会社 | Controller and attacker detection method thereof |
JP2020072427A (ja) * | 2018-11-01 | 2020-05-07 | 日本電気株式会社 | Control device, control method, system, and program for preventing the spread of a threat infection in a network |
Also Published As
Publication number | Publication date |
---|---|
JPWO2013164988A1 (ja) | 2015-12-24 |
US20150124595A1 (en) | 2015-05-07 |
US10244537B2 (en) | 2019-03-26 |
CN104272676A (zh) | 2015-01-07 |
JP6248929B2 (ja) | 2017-12-20 |
US20160234848A1 (en) | 2016-08-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6248929B2 (ja) | Communication system, access control apparatus, switch, network control method, and program | |
US9276852B2 (en) | Communication system, forwarding node, received packet process method, and program | |
US9049251B2 (en) | Method and apparatus for internet protocol based content router | |
EP2759116B1 (en) | Services controlled session based flow interceptor | |
US9071529B2 (en) | Method and apparatus for accelerating forwarding in software-defined networks | |
US11290374B2 (en) | Multi-layer traffic steering for service chaining over software defined networks | |
JP5382451B2 (ja) | Front-end system and front-end processing method | |
EP2693696A1 (en) | Computer system, and communication method | |
WO2013039083A1 (ja) | Communication system, control device, and communication method | |
JP5858141B2 (ja) | Control device, communication device, communication system, communication method, and program | |
US10079805B2 (en) | Bypassing a firewall for authorized flows using software defined networking | |
JP2014516215A (ja) | Communication system, control device, processing rule setting method, and program | |
US20160380899A1 (en) | Method and apparatus for dynamic traffic control in sdn environment | |
JP6637196B2 (ja) | Method for forwarding a group of packet flows in a network, and network system | |
JPWO2014112616A1 (ja) | Control device, communication device, communication system, switch control method, and program | |
JP5725236B2 (ja) | Communication system, node, packet forwarding method, and program | |
US20130275620A1 (en) | Communication system, control apparatus, communication method, and program | |
US20150063118A1 (en) | Device for multipath routing of packets in computer networking and the method for its use | |
US20180262473A1 (en) | Encrypted data packet | |
JPWO2015093561A1 (ja) | Packet forwarding system, control device, relay device control method, and program | |
US20150236953A1 (en) | Control device, communication system, communication method and storage medium | |
JP6314970B2 (ja) | Communication system, control device, communication method, and program | |
JP6365663B2 (ja) | Communication device, control device, communication system, received packet processing method, communication device control method, and program | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13784412 Country of ref document: EP Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 14397524 Country of ref document: US |
| ENP | Entry into the national phase | Ref document number: 2014513372 Country of ref document: JP Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 13784412 Country of ref document: EP Kind code of ref document: A1 |