WO2014034119A1 - Access control system, access control method and program - Google Patents


Info

Publication number: WO2014034119A1
Authority: WO (WIPO (PCT))
Prior art keywords: resource; forwarding node; control; control information; access
Application number: PCT/JP2013/005109
Other languages: English (en)
Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Yoichi Hatano, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita, Takayuki Sasaki
Original assignee: NEC Corporation
Application filed by: NEC Corporation
Priority to: JP2015511530A (published as JP2015530763A)
Publication of: WO2014034119A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • The present invention is based upon and claims the benefit of the priority of Japanese Patent Application No. 2012-190316 (filed on August 30, 2012), the disclosure of which is incorporated herein in its entirety by reference.
  • The present invention relates to an access control system, an access control method, and a program. More specifically, it relates to an access control system, an access control method, and a program for a network in which a control apparatus that centrally controls a forwarding node is disposed.
  • OpenFlow (Non Patent Literatures 1 and 2) identifies communications as end-to-end flows, and performs path control, failure recovery, load distribution, and optimization on a per-flow basis.
  • An OpenFlow switch as specified in Non Patent Literature 2 includes a secure channel for communication with an OpenFlow controller.
  • The OpenFlow switch operates according to a flow table, to which the OpenFlow controller instructs appropriate additions or rewrites.
  • For each flow, the flow table defines a set of a matching condition (Match Fields) to be matched against a packet header, flow statistics information (Counters), and instructions (Instructions) defining the processing content (refer to section "4.1 Flow Table" in Non Patent Literature 2).
  • When the OpenFlow switch receives a packet, for example, it searches the flow table for an entry whose matching condition matches the header information of the received packet (refer to "4.3 Match Fields" in Non Patent Literature 2). When an entry matching the received packet is found, the OpenFlow switch updates the flow statistics information (one or more Counters) and executes the processing content (e.g., transmission of the packet from a specified port, flooding of the packet, discarding of the packet, or the like) described in the instruction field of the entry.
  • When no entry matching the received packet is found, the OpenFlow switch transmits to the OpenFlow controller, through the secure channel, a request for setting an entry, or a request (Packet-In message) for transmitting control information for processing the received packet.
  • The OpenFlow switch then receives the flow entry in which the processing content is defined, and updates the flow table. In this manner, the OpenFlow switch performs packet forwarding by using the entries stored in the flow table as the control information.
  • Patent Literature 1 describes that an OpenFlow controller performs a permission check by referring to a policy file when a new flow is generated, and then calculates a path, thereby performing access control.
  • Patent Literature 2 discloses a network access control system that eliminates the need to forward an authentication request to a server on an external network and the need to temporarily set an access control policy for an information terminal that is outside management and control, so that such an information terminal and its user can use a target network.
  • In that system, an access request apparatus does not directly make a request to an authentication processing apparatus.
  • Instead, a proxy request apparatus makes the request to the authentication processing apparatus, using the authentication data of the proxy request apparatus.
  • The authentication processing apparatus distributes access control data based on the result of the authentication process to an access control apparatus. Accordingly, even an access request apparatus that is an information terminal outside management and control can access the network.
  • The access request apparatus makes the access request to the proxy request apparatus, which is an information terminal under management and control, and then the processes of the proxy request apparatus, the access control apparatus, and the authentication apparatus are executed. After these processes, the control applied by the access control apparatus to accesses to the network from the access request apparatus that made the access request is changed, and the access request apparatus can then access the network.
  • User authentication is performed using information that can uniquely identify a user, such as a company employee ID. Communication between the user's terminal and a server can then be controlled based on the result of the authentication.
  • The disclosures of the above Patent Literature and Non Patent Literatures are incorporated herein by reference.
  • The following analysis is given in the present disclosure.
  • A plurality of resources such as servers may be connected to a network using OpenFlow as described in Patent Literature 1 and Non Patent Literatures 1 and 2, so that communication may occur between these resources.
  • For such a network, a method in which the OpenFlow controller sets a flow entry whenever new communication occurs may be conceived.
  • Patent Literature 2 is not suited to access control between resources in a network using OpenFlow as described in Patent Literature 1 and Non Patent Literatures 1 and 2.
  • According to a first aspect, there is provided an access control system comprising: a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node; a forwarding node configured to process the received packet by referring to the control information; an authentication apparatus configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and a policy management apparatus configured to determine a communication policy for the resource, using a result of the authentication and the identification information; wherein the control apparatus generates the control information associated with the communication policy and sets the generated control information in the forwarding node.
  • According to a second aspect, there is provided an access control method comprising the steps of: using an apparatus connected to a communication system including a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information; authenticating a resource connected to the forwarding node, using identification information obtained from the resource; determining a communication policy for the resource, using a result of the authentication and the identification information; and generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  • This method is associated with a specific machine, namely the at least one apparatus that authenticates the resource, determines the communication policy, and generates and sets the control information.
  • According to a third aspect, there is provided a program for a computer installed in an apparatus connected to a communication system comprising a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information, the program causing the computer to execute the processes of: authenticating a resource connected to the forwarding node, using identification information obtained from the resource; determining a communication policy for the resource, using a result of the authentication and the identification information; and generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  • This program can be recorded in a computer-readable (non-transient) storage medium. That is, the present invention can also be embodied as a computer program product.
  • The present invention can contribute to reducing the management burden of access control between resources and to improving the convenience of the access control, in a network using OpenFlow as described in Patent Literature 1 and Non Patent Literatures 1 and 2.
  • Fig. 1 is a diagram showing a configuration of an exemplary embodiment of the present disclosure.
  • Fig. 2 is a diagram showing a configuration of an access control system in a first exemplary embodiment of the present disclosure.
  • Fig. 3 includes tables each showing an example of resource identification information in the first exemplary embodiment of the present disclosure.
  • Fig. 4 is a table showing examples of resource identification information held in an identification information storage apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 5 is a table showing examples of communication policies held in a policy storage apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 6 is a table showing examples of resource information held in the policy storage apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 7 is a table showing examples of communication policies to be provided to a control apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 8 is a block diagram showing a detailed configuration of the control apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 9 is a sequence diagram showing operations of the first exemplary embodiment of the present disclosure.
  • Fig. 10 is a diagram continuing from Fig. 9.
  • Fig. 11 shows examples of control information to be generated by the control apparatus in the first exemplary embodiment of the present disclosure.
  • The exemplary embodiment of the present disclosure can be implemented by a configuration including: a control apparatus (100 in Fig. 1) configured to generate control information defining processing content to be applied to a received packet and then to set the control information in a forwarding node (200 in Fig. 1); a forwarding node (200 in Fig. 1) configured to process the received packet by referring to the control information; an authentication apparatus (600 in Fig. 1) configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and a policy management apparatus (310 in Fig. 1) configured to determine a communication policy for the resource, using a result of the authentication and the identification information.
  • When the communication policy is determined by the policy management apparatus (310 in Fig. 1), the control apparatus (100 in Fig. 1) generates the control information associated with the communication policy, and sets the control information in the forwarding node (200 in Fig. 1).
  • The timing at which the authentication apparatus (600 in Fig. 1) authenticates the resource can be set to the time when the resource is connected to the forwarding node.
  • In that case, communication policy determination and control information setting are completed automatically, based on the identification information of a new resource, whenever the new resource is connected to the forwarding node.
  • The forwarding node (200 in Fig. 1) may dispose of control information that has not been used, or the like.
  • For example, the forwarding node (200 in Fig. 1) deletes the control information when either a hard timeout condition (a predetermined time period has passed since the control information was set) or an idle timeout condition (a predetermined time period has passed since a packet matching the control information was last received) is satisfied.
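The flow-table behaviour described above (matching on header fields, counter updates, a Packet-In request on a table miss) and the hard/idle timeout expiry just mentioned, as an added Python model that is not code from the patent or from any OpenFlow implementation. The class and field names, the sample entry and the sample packet headers are constructed for the illustration; the constructed MAC addresses are distinct from the page's own sample values.

```python
"""Toy model of an OpenFlow-style flow table: lookup, counters, table-miss
(Packet-In) handling and hard/idle timeout expiry. Added illustration only;
class and field names are assumptions, not the patent's or OpenFlow's API."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowEntry:
    match: Dict[str, str]            # Match Fields: header field -> required value
    actions: List[Tuple[str, ...]]   # Instructions, e.g. ("output", "2") or ("drop",)
    priority: int = 0
    hard_timeout: int = 0            # seconds since installation; 0 = never expires
    idle_timeout: int = 0            # seconds since the last matching packet; 0 = never
    installed_at: float = 0.0
    last_hit: float = 0.0
    packet_count: int = 0            # Counters
    byte_count: int = 0

    def matches(self, header: Dict[str, str]) -> bool:
        # Every field named in the entry must equal the packet's header field;
        # fields the entry does not name are wildcards.
        return all(header.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []
        self.packet_in: List[Dict[str, str]] = []   # headers handed to the controller

    def add(self, entry: FlowEntry, now: float) -> None:
        entry.installed_at = entry.last_hit = now
        self.entries.append(entry)
        # Highest priority is consulted first, as an OpenFlow switch does.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def process(self, header: Dict[str, str], length: int, now: float) -> List[Tuple[str, ...]]:
        """Return the actions to apply to the packet (empty on a table miss)."""
        for e in self.entries:
            if e.matches(header):
                e.packet_count += 1
                e.byte_count += length
                e.last_hit = now
                return e.actions
        # Table miss: ask the controller (Packet-In); nothing is forwarded yet.
        self.packet_in.append(header)
        return []

    def expire(self, now: float) -> int:
        """Delete entries whose hard or idle timeout has elapsed; return how many."""
        before = len(self.entries)
        self.entries = [
            e for e in self.entries
            if not (e.hard_timeout and now - e.installed_at >= e.hard_timeout)
            and not (e.idle_timeout and now - e.last_hit >= e.idle_timeout)
        ]
        return before - len(self.entries)


def demo() -> dict:
    """Constructed scenario: one forwarding entry, one unmatched packet, then expiry."""
    t = FlowTable()
    t.add(FlowEntry(match={"eth_src": "aa:aa:aa:aa:aa:aa", "ip_dst": "2.2.2.2"},
                    actions=[("output", "2")], priority=10,
                    hard_timeout=60, idle_timeout=10), now=0.0)
    first = t.process({"eth_src": "aa:aa:aa:aa:aa:aa", "ip_dst": "2.2.2.2"}, 100, now=1.0)
    second = t.process({"eth_src": "cc:cc:cc:cc:cc:cc", "ip_dst": "2.2.2.2"}, 60, now=2.0)
    hits = t.entries[0].packet_count
    expired = t.expire(now=12.0)   # 11 s since the last hit exceeds idle_timeout 10
    return {"first": first, "second": second, "packet_in": len(t.packet_in),
            "hits": hits, "expired": expired, "remaining": len(t.entries)}
```

The idle timeout is what makes the patent's "dispose of control information which has not been used" practical: an entry installed for a resource that then goes quiet disappears on its own, so a later reconnection goes through authentication and policy determination again rather than inheriting a stale entry.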
  • Fig. 2 is a diagram showing the configuration of an access control system in the first exemplary embodiment of the present disclosure. Referring to Fig. 2, the configuration includes a forwarding node 200, a control apparatus 100 configured to control the forwarding node 200, a policy management apparatus 310 configured to notify a communication policy to the control apparatus 100, an authentication apparatus 600 configured to authenticate a resource, and an identification information storage apparatus 700.
  • The forwarding node 200 is a switching device that processes a received packet according to control information associating a matching condition, to be matched against the received packet, with the processing content (action) to be applied to a packet that matches the matching condition.
  • As the forwarding node 200, an OpenFlow switch in Non Patent Literature 2, which operates using a flow entry set by an OpenFlow controller as the control information, can also be used.
  • A resource 410 and a resource 420 are connected to the forwarding node 200 in Fig. 2, so the resource 410 and the resource 420 can communicate through the forwarding node 200.
  • Each of the resources 410 and 420 is a computer represented by a server, a PC (Personal Computer), or the like.
  • The respective resources hold identification information 510 and 520, each uniquely identifying the resource itself.
  • The identification information is represented, for example, by a combination of the name of the computer, the MAC address of the computer, and an arbitrary character string. Any identification information may be used as long as it is a character string that can uniquely identify the resource.
  • In the following, the description assumes that each of the resources 410 and 420 is a device connected to the forwarding node 200 by wire.
  • Each of the resources 410 and 420 may instead be a mobile terminal, such as a tablet terminal or a smart phone, wirelessly connected to the forwarding node 200.
  • Fig. 3 includes tables each showing an example of the identification information held by a resource.
  • The upper stage of Fig. 3 shows an example of the identification information 510 of the resource 410, while the lower stage shows an example of the identification information 520 of the resource 420.
  • Both have the same format, consisting of a set of the name of the resource, the MAC address of the resource, and the IP address of the resource.
  • The identification information 510 of the resource 410, for example, has the resource name "aaa", the MAC address "aa:aa:aa:aa:aaa:aaa", and the IP address "1.1.1.1".
  • The resource name is essential in the identification information of each resource, while the MAC address and the IP address are optional.
  • The identification information 520 of the resource 420 in Fig. 3 consists of the resource name "bbb" alone.
  • The authentication apparatus 600 refers to the identification information of each resource held in the identification information storage apparatus 700, authenticates each resource, and then transmits the result of the authentication to the policy management apparatus 310.
  • For example, the authentication apparatus 600 receives from the resource 410 the identification information 510 held by the resource 410.
  • Likewise, the authentication apparatus 600 receives from the resource 420 the identification information 520 held by the resource 420. Then, the authentication apparatus 600 checks the resource identification information held in the identification information storage apparatus 700 against the identification information received from each resource, and determines (authenticates) whether or not each resource is a valid resource that may be connected to the network.
  • The authentication apparatus 600 transmits the result of the authentication to the policy management apparatus 310.
  • In Fig. 2, the authentication apparatus 600 and the identification information storage apparatus 700 are provided separately.
  • However, a storage apparatus such as a hard disk provided in the authentication apparatus 600 can also be used as the identification information storage apparatus 700.
  • Fig. 4 is a table showing the configuration of each piece of identification information (resource identification information) held in the identification information storage apparatus 700.
  • In each entry of the resource identification information, the name of a resource, a role ID, a MAC address, an IP address, a connection switch, and a connection port are associated with one another.
  • The MAC address, the IP address, the connection switch, and the connection port are optional items, used in the authentication process only when their values are set. For this reason, when the resource having the resource name ddd is authenticated, the values of the MAC address and the connection switch are not used.
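The check performed by the authentication apparatus 600, as an added Python example that is not the patent's own code. It uses the Fig. 4 layout (resource name, role ID, MAC address, IP address, connection switch, connection port) with the "optional item is consulted only when set" rule; the stored records, including the contents of the "ddd" entry, the switch and port values and the function names are constructed for the example. One design point worth showing: the switch and port (and the source MAC/IP) are taken from what the forwarding node observed on the ingress port, not from the resource's self-reported identification information, so a stored binding actually constrains the connection.

```python
"""Authentication of a connecting resource against stored identification
information (Fig. 4 layout). Added illustration, not the patent's own code;
records and names below are constructed/assumed."""
from typing import Dict, Optional

# Constructed stand-in for the identification information storage apparatus 700.
# None means "not set": MAC, IP, switch and port take part in the check only
# when a value is stored for that resource.
STORED_IDENTIFICATION = {
    "aaa": {"role_id": "role_0001", "mac": "aa:aa:aa:aa:aa:aa", "ip": "1.1.1.1",
            "switch": "sw1", "port": 1},
    "bbb": {"role_id": "role_0002", "mac": None, "ip": None, "switch": None, "port": None},
    "ddd": {"role_id": "role_0002", "mac": None, "ip": "4.4.4.4", "switch": None, "port": 7},
}

OPTIONAL_FIELDS = ("mac", "ip", "switch", "port")


def authenticate(presented: Dict[str, object], observed: Dict[str, object]) -> Optional[str]:
    """Return the resource's role ID on success, or None on failure.

    `presented` is the identification information the resource sent (name is
    mandatory; MAC and IP are optional).  `observed` is what the forwarding
    node saw for this connection (ingress switch, port, source MAC, source IP);
    it overrides self-reported values so a stored binding is checked against
    reality rather than against a claim.
    """
    name = presented.get("name")
    record = STORED_IDENTIFICATION.get(name) if isinstance(name, str) else None
    if record is None:
        return None  # unknown (or missing) resource name: the essential item fails
    claimed = {**presented, **observed}
    for f in OPTIONAL_FIELDS:
        expected = record.get(f)
        if expected is None:
            continue  # item not set for this resource: skipped, as in Fig. 4's ddd row
        if claimed.get(f) != expected:
            return None  # a set item disagrees: authentication fails
    return record["role_id"]


def authentication_info(name: str) -> Optional[Dict[str, object]]:
    """The record forwarded to the policy management apparatus on success (step S003)."""
    record = STORED_IDENTIFICATION.get(name)
    return None if record is None else {"name": name, **record}
```

A failed result is the input to the "notify the control apparatus so that packets from the resource are discarded" path described later in the sequence; returning None rather than raising keeps that branch explicit for the caller.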
  • The policy management apparatus 310 refers to information held in a policy storage apparatus 320 to determine a communication policy for the resource connected to the forwarding node, and then transmits the result of the determination to the control apparatus 100.
  • Specifically, for each resource reported by the authentication apparatus 600, the policy management apparatus 310 determines the communication policy for that resource.
  • In Fig. 2, the policy management apparatus 310 and the policy storage apparatus 320 are provided separately.
  • However, a storage apparatus such as a hard disk provided in the policy management apparatus 310 can also be used as the policy storage apparatus 320.
  • Fig. 5 is a table showing examples of communication policies held in the policy storage apparatus 320.
  • The examples in Fig. 5 show a table storing, for each role identified by a role ID, entries in each of which a resource group ID given to a resource group and an access right are set.
  • For example, a user having the role ID role_0001 is allowed to access both the resource group with the resource group ID resource_group_0001 and the resource group with the resource group ID resource_group_0002.
  • A user having the role ID role_0002 is prohibited from accessing the resource group with the resource group ID resource_group_0001, and is allowed to access the resource group with the resource group ID resource_group_0002.
  • Fig. 6 is a table showing examples of resource information held in the policy storage apparatus 320.
  • In Fig. 6, the ID of each resource belonging to a resource group ID described above is associated with the detailed attributes of the resource.
  • For example, the resources having the resource IDs resource_0001, resource_0002, and resource_0003 are included in the group identified by the resource group ID resource_group_0001.
  • Further, the name, the IP address, and the MAC address of each resource, or the port number used by each resource for a service, can be identified.
  • The policy management apparatus 310 determines the communication policy for the resource authenticated by the authentication apparatus 600 by referring to the communication policies and the resource information described above, and then notifies the communication policy to the control apparatus 100.
  • Specifically, using the role ID included in the authentication information received from the authentication apparatus 600, the resource group ID linked to that role ID and the content of the access right to that resource group ID can be identified from the policy information in Fig. 5. Then, using the information on each resource belonging to the resource group ID in the resource information in Fig. 6, the resources that can be accessed from a certain resource, or for which access from that resource is prohibited, can be identified.
  • Fig. 7 shows examples of communication policies generated from the information shown in Figs. 4, 5, and 6 and provided to the control apparatus 100.
  • The resource name aaa of the resource connected to the network this time is set in the transmission source resource name field of the first entry in Fig. 7.
  • The names of the resources ("bbb", "ppp", "qqq", and "sss") that can or cannot be accessed, based on the role ID of the resource, are set in the destination resource name field.
  • The same value as the access right for the role ID role_0001 in the policy information in Fig. 5 is set in the access right field.
  • The service and the port number set in the resource attribute field of Fig. 6 are set in the condition (option) field.
  • The condition (option) field in Fig. 7 is an item that may be set as needed, and may be omitted.
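How the policy management apparatus 310 expands the Fig. 5 role rights and the Fig. 6 group membership into the per-destination entries of Fig. 7 (source name, destination name, access right, optional condition), as an added Python example that is not the patent's own code. The role-to-group rights follow the page's examples for role_0001 and role_0002; which resource name sits in which group, and the service/port attributes, are constructed, since the page does not give that mapping.

```python
"""Communication policy determination: role rights (Fig. 5 layout) plus
resource group membership (Fig. 6 layout) -> Fig. 7-style entries.
Added illustration, not the patent's own code; group membership and
service/port attributes are constructed sample values."""
from typing import Dict, List, Optional

# Fig. 5 layout: role ID -> list of (resource group ID, access right).
ROLE_POLICIES = {
    "role_0001": [("resource_group_0001", "allow"), ("resource_group_0002", "allow")],
    "role_0002": [("resource_group_0001", "deny"), ("resource_group_0002", "allow")],
}

# Fig. 6 layout: resource group ID -> resource ID -> attributes (constructed).
RESOURCE_INFO = {
    "resource_group_0001": {
        "resource_0001": {"name": "bbb", "ip": "2.2.2.2", "service": "http", "port": 80},
        "resource_0002": {"name": "ppp", "ip": "3.3.3.3", "service": None, "port": None},
        "resource_0003": {"name": "qqq", "ip": "4.4.4.4", "service": "ssh", "port": 22},
    },
    "resource_group_0002": {
        "resource_0004": {"name": "sss", "ip": "5.5.5.5", "service": "https", "port": 443},
    },
}


def determine_policy(src_name: str, role_id: str) -> List[Dict[str, Optional[str]]]:
    """Expand the role's group-level rights into one entry per destination resource."""
    entries: List[Dict[str, Optional[str]]] = []
    for group_id, access in ROLE_POLICIES.get(role_id, []):
        for attrs in RESOURCE_INFO.get(group_id, {}).values():
            if attrs["name"] == src_name:
                continue  # no rule for a resource talking to itself
            condition = None
            if attrs["service"] is not None:
                # Fig. 7 condition (option) field: service and port from Fig. 6
                condition = f"{attrs['service']}/{attrs['port']}"
            entries.append({"src": src_name, "dst": attrs["name"],
                            "access": access, "condition": condition})
    return entries


def is_allowed(policy: List[Dict[str, Optional[str]]], dst_name: str) -> bool:
    """Default-deny lookup over a policy produced by determine_policy()."""
    return any(e["dst"] == dst_name and e["access"] == "allow" for e in policy)
```

An unknown role ID yields an empty policy, and is_allowed() treats a missing entry as "deny"; that default matters because a resource whose role has no stored rights should not be able to reach anything simply because no rule mentions it.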
  • The policy management apparatus 310 includes a mechanism (herein referred to as a communication policy editing function) configured to receive the generation of, a change in the setting of, or the like of the communication policy from a user, and to provide the result of that generation, change in setting, or the like to the control apparatus 100.
  • The communication policy editing function is, for example, an application program by which the user can freely generate, modify, and delete the communication policy.
  • When the communication policy is updated, the policy management apparatus 310 stores the updated communication policy information in the policy storage apparatus 320, and also generates a communication policy for a resource based on the updated communication policy information and the resource information. The policy management apparatus 310 then transmits the communication policy for the resource to the control apparatus 100.
  • In this way, the user can freely perform management operations such as generation, modification, and deletion of the communication policy.
  • The policy management mechanism may be provided to the user as a Web-based system, as an independent application running on a PC, or in the form of a CLI (Command Line Interface) rather than an application using a GUI (Graphical User Interface).
  • That is, the policy management mechanism may be provided in any form.
  • When the control apparatus 100 receives the communication policy for the resource from the policy management apparatus 310, the control apparatus 100 generates control information for causing a request (a Packet-In message in Non Patent Literature 2) to be transmitted, and then sets the control information in the forwarding node 200.
  • This request is for setting the control information for processing a packet from the resource to which the communication policy is to be applied.
  • Upon receiving the request for setting the control information, the control apparatus 100 calculates the forwarding path of the packet between the terminal points defined in the communication policy, based on the information on the packet included in the request. Then, the control apparatus 100 generates the control information for causing each forwarding node on this forwarding path to forward the packet along the forwarding path, and sets the control information in the forwarding nodes on the forwarding path.
  • Fig. 8 is a block diagram showing a detailed configuration of the control apparatus 100 in this exemplary embodiment.
  • The control apparatus 100 includes a node communication unit 11 for communicating with the forwarding node 200, a control message processing unit 12, a control information management unit 13, a control information storage unit 14, a forwarding node management unit 15, a path-action calculation unit 16, a topology management unit 17, a resource location management unit 18, a communication policy management unit 19, and a communication policy storage unit 20.
  • Each of these units operates as follows.
  • The control message processing unit 12 analyzes a control message received from each forwarding node, and delivers the control message information to the corresponding processing means in the control apparatus 100.
  • The control information management unit 13 manages which control information is set in which forwarding node. Specifically, the control information management unit 13 registers the control information generated by the path-action calculation unit 16 in the control information storage unit 14 and sets the control information in the forwarding node. Further, the control information management unit 13 handles changes in the control information set in the forwarding node, using a notification of deletion of the control information from the forwarding node or the like, and updates the information registered in the control information storage unit 14.
  • The forwarding node management unit 15 manages the capabilities of the forwarding nodes controlled by the control apparatus 100 (such as the number and type of ports, the types of action supported, and the like).
  • When receiving the communication policy for the resource from the communication policy management unit 19, the path-action calculation unit 16 first refers to the network topology held in the topology management unit 17, generates control information for causing the forwarding node 200 that receives a packet from the resource to issue a request for setting control information with respect to that packet, and then sets this control information in the forwarding node 200.
  • When receiving a request for setting control information triggered by the above-mentioned control information, the path-action calculation unit 16 generates the forwarding path of the packet and the control information for implementing that forwarding path, based on the information on the packet included in the request. Specifically, the path-action calculation unit 16 calculates the forwarding path of the packet between the resources, based on the resource location information managed by the resource location management unit 18 and the network topology information constructed by the topology management unit 17.
  • The path-action calculation unit 16 then obtains information such as the ports of each forwarding node on the forwarding path from the forwarding node management unit 15, and determines the action to be executed by each forwarding node on the path in order to implement the calculated forwarding path, together with the matching condition identifying the flow to which the action is to be applied.
  • The matching condition can be generated using the information on the packet included in the request for setting the control information, the condition (option) in Fig. 7, and the like.
  • For example, control information is generated that defines an action of forwarding a packet addressed from the transmission source resource name aaa to the destination resource name bbb out of the port connected to the next-hop forwarding node or to the resource.
  • Control information implementing not only the forwarding of the packet for which the control information setting request was made, but also forwarding to any other resource to which the source resource has the access right, may be generated and set (the control apparatus may be configured to inquire about information on a destination resource or the like from the identification information storage apparatus 700 or the policy management apparatus 310, as necessary).
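The two-step behaviour of the control apparatus 100 described above (first a trigger entry that makes the resource's ingress node send a Packet-In request, then, on that request, a path calculation and one forwarding entry per node on the path, or a drop entry when the policy prohibits the access), as an added Python example that is not the patent's own code. The three-switch topology, the resource locations, the reduced policy table and the control information format are assumptions constructed for the illustration.

```python
"""Control apparatus: Packet-In trigger entry, then per-hop control
information from a path calculation. Added illustration, not the patent's
own code; topology, locations, policies and entry format are constructed."""
from collections import deque
from typing import Dict, List, Optional

# Topology management unit (constructed): (node, out_port) -> neighbouring node.
LINKS = {
    ("sw1", 3): "sw2",
    ("sw2", 1): "sw1",
    ("sw2", 3): "sw3",
    ("sw3", 1): "sw2",
}
# Resource location management unit (constructed): resource name -> (node, port).
LOCATIONS = {"aaa": ("sw1", 1), "bbb": ("sw3", 2)}
# Communication policy storage unit (constructed, Fig. 7 layout reduced to
# source name, destination name and access right).
POLICIES = {("aaa", "bbb"): "allow", ("aaa", "sss"): "deny"}


def packet_in_trigger_entry(resource: str) -> Dict:
    """Step one: an entry making the resource's ingress node ask the controller."""
    node, port = LOCATIONS[resource]
    return {"node": node, "match": {"in_port": port}, "actions": ["controller"], "priority": 1}


def shortest_path(src_node: str, dst_node: str) -> Optional[List[str]]:
    """Breadth-first search over LINKS; returns the node list or None if unreachable."""
    prev: Dict[str, Optional[str]] = {src_node: None}
    queue = deque([src_node])
    while queue:
        cur = queue.popleft()
        if cur == dst_node:
            break
        for (node, _port), nbr in LINKS.items():
            if node == cur and nbr not in prev:
                prev[nbr] = cur
                queue.append(nbr)
    if dst_node not in prev:
        return None
    path, cur = [], dst_node
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def out_port(node: str, next_node: str) -> int:
    """Port on `node` that leads to `next_node`, from the forwarding node capabilities."""
    return next(p for (n, p), nbr in LINKS.items() if n == node and nbr == next_node)


def handle_packet_in(src: str, dst: str) -> List[Dict]:
    """Step two: control information for every node on the src->dst path."""
    access = POLICIES.get((src, dst), "deny")   # no policy entry: default deny
    match = {"src_resource": src, "dst_resource": dst}
    src_node, _ = LOCATIONS[src]
    drop = [{"node": src_node, "match": match, "actions": ["drop"], "priority": 10}]
    if access != "allow" or dst not in LOCATIONS:
        return drop  # prohibited or unknown destination: discard at the ingress node
    dst_node, dst_port = LOCATIONS[dst]
    path = shortest_path(src_node, dst_node)
    if path is None:
        return drop  # no route in the current topology
    entries = []
    for i, node in enumerate(path):
        # Last node outputs to the resource's port; others to the next hop.
        port = dst_port if node == dst_node else out_port(node, path[i + 1])
        entries.append({"node": node, "match": match,
                        "actions": [("output", port)], "priority": 10})
    return entries
```

The drop entry is installed with the same priority as a forwarding entry and at the ingress node, so a prohibited flow is stopped at the first hop and does not keep generating Packet-In requests for every packet, which is the denial-of-service-by-table-miss situation a per-flow controller has to avoid.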
  • the topology management unit 17 constructs the network topology information, based on a connection relationship of the forwarding node 200 collected through the node communication unit 11.
  • the resource location management unit 18 manages information for identifying the location of each resource connected to the communication system.
  • the description will be given, assuming that the name of a resource is used as information for identifying the resource and the forwarding node identifier and the port of each forwarding node to which the resource is connected is used as information for identifying the location of the resource.
  • the resource and the location of the resource may be of course identified, using information carried from the policy management apparatus 310 or the authentication apparatus 600, for example, in place of these information.
  • the communication policy management unit 19 When receiving the communication policy from the policy management apparatus 310, the communication policy management unit 19 stores the communication policy in the communication policy storage unit 20, and transmits the communication policy to the path-action calculation unit 16.
  • the communication policies shown in Fig. 7 are stored in the communication policy storage unit 20. Then, in response to a request from the path-action calculation unit 16, the communication policy for the resource associated with the request can be provided.
  • the control apparatus 100 as described above can also be implemented, based on an OpenFlow controller described in each of Non Patent Literatures 1 and 2 and by addition of a function of generating a processing rule (flow entry) using receipt of the above-mentioned communication policy as a trigger.
  • Each unit (processing means) of the control apparatus 100 in Fig. 8 can also be implemented by a computer program configured to cause a computer constituting the control apparatus 100 to store each of the above-mentioned information and to execute each process described above, using hardware of the computer.
  • Figs. 9 and 10 are sequence diagrams showing a series of operations of this exemplary embodiment.
  • The description will be given of a process in which the resource 410 is newly connected to the forwarding node 200 and the settings for transmitting a packet from the resource 410 to the resource 420 are performed automatically.
  • In step S001 in Fig. 9, the resource 410 transmits the identification information 510 that it holds to the authentication apparatus 600 through the forwarding node.
  • The authentication apparatus 600 receives the identification information 510 of the resource 410 and then performs an authentication process to determine whether or not the resource 410 may be connected to the network, by referring to the identification information of each resource stored in the identification information storage apparatus 700 (in step S002 in Fig. 9).
  • When the authentication apparatus 600 determines, as a result of the authentication process, that the resource 410 may be connected to the network (that is, when the authentication succeeds), the authentication apparatus 600 transmits to the policy management apparatus 310 the information (authentication information) corresponding to the resource 410 in the identification information storage apparatus 700 (in step S003 in Fig. 9).
  • When the authentication fails, the authentication apparatus 600 may notify the control apparatus 100 of the failure. With this arrangement, control information for discarding packets from the corresponding resource can be set in the control apparatus 100.
  • The policy management apparatus 310 determines the communication policy for the resource 410 by referring to the information held in the policy storage apparatus 320 (in step S004 in Fig. 9), and then transmits the communication policy to the control apparatus 100 (in step S005 in Fig. 9).
  • When receiving the communication policy for the resource 410 from the policy management apparatus 310, the control apparatus 100 generates control information that causes a request for setting control information to be made for any packet having the resource 410 as its transmission source or as its destination (in step S006 in Fig. 9). The control apparatus 100 then transmits a control message instructing the setting of this control information to the forwarding node 200 (in step S007 in Fig. 9). According to the control message from the control apparatus 100, the forwarding node 200 sets the control information therein (in step S008 in Fig. 9), which ends this series of processes.
  • The description now turns to the subsequent process operations when a packet is transmitted from the resource 410 to the resource 420, using Fig. 10.
  • The resource 410 transmits a packet addressed to the resource 420 (in step S101 in Fig. 10).
  • The packet transmitted from the resource 410 arrives at the forwarding node 200.
  • The forwarding node 200 requests the control apparatus 100 to set control information, according to the control information set in step S008 in Fig. 9 (in step S103 in Fig. 10).
  • The control apparatus 100 that has received the request for setting control information calculates the forwarding path of the packet from the resource 410 to the resource 420 by referring to the information stored in the topology storage unit 17, the resource location management unit 18, and the communication policy storage unit 20. The control apparatus 100 then generates control information that causes the forwarding node 200 on the calculated forwarding path to forward the packet from the resource 410 to the resource 420 (in step S104 in Fig. 10).
  • Fig. 11 shows an example of the control information generated in step S104 in Fig. 10.
  • A matching condition that identifies the packet from the resource 410 to the resource 420 by the combination of the MAC address and the IP address of each of the resources 410 and 420, together with an action to be applied to a packet that matches this condition, is set.
  • The control apparatus 100 transmits to the forwarding node 200 a control message that instructs the setting of the control information and the forwarding of the packet received from the resource 410 (in step S105 in Fig. 10).
  • The forwarding node 200 sets the control information therein (in step S106 in Fig. 10) and transmits the packet received from the resource 410 to the resource 420 (in step S107 in Fig. 10).
  • For the packets that follow, the forwarding node 200 refers to the control information set in step S106 in Fig. 10, determines the forwarding destination of the received packet (in step S202 in Fig. 10), and then forwards the packet (in step S203 in Fig. 10). With the arrangement described above, communication between the resource 410 and the resource 420 becomes possible.
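As an added illustration (not code from the patent), the following Python model walks the Fig. 9 and Fig. 10 sequence end to end: authentication against an identification store, role-based determination of the communication policy, the "hand to the controller" entry set at connection time (or a drop entry when authentication fails), and the Fig. 11 style entry keyed on both MAC and IP that is set once a flow actually occurs. The communication policy is modelled as a per-source set of permitted destinations, and every name, address, role and table below is a constructed assumption.

```python
# Added example, not code from the patent: a toy model of the Fig. 9/10 sequence.
# The tables below are constructed stand-ins for the identification information
# storage apparatus 700, the policy storage apparatus 320 (Figs. 5/6 style) and
# the resource location management unit 18; none of the values come from the patent.
ID_STORE = {"server-A": "role-web", "host-B": "role-user"}       # name -> role ID
ROLE_POLICY = {"role-user": {"grp-web"}, "role-web": set()}       # role ID -> allowed groups
GROUPS = {"grp-web": {"server-A"}}                                # group -> member names
LOCATION = {"server-A": ("00:00:00:00:00:0a", "10.0.0.10", 1),    # name -> (MAC, IP, port)
            "host-B": ("00:00:00:00:00:0b", "10.0.0.11", 2)}
BY_MAC = {mac: name for name, (mac, _, _) in LOCATION.items()}

def authenticate(name):
    """Authentication apparatus 600 (step S002): role ID, or None when unknown."""
    return ID_STORE.get(name)

def communication_policy(role):
    """Policy management apparatus 310 (step S004): names this role may send to."""
    return set().union(*(GROUPS[g] for g in ROLE_POLICY.get(role, ())))

class Controller:
    """Control apparatus 100; flow_table stands in for forwarding node 200."""

    def __init__(self):
        self.policy = {}      # communication policy storage unit 20
        self.flow_table = []  # control information set in the forwarding node

    def on_connect(self, name, mac):
        """Fig. 9 (steps S003 to S008): after authentication, install the entry that
        hands this resource's packets to the controller; on failure, a drop entry."""
        role = authenticate(name)
        action = "drop" if role is None else "to_controller"
        if role is not None:
            self.policy[name] = communication_policy(role)
        entry = {"priority": 10, "match": {"src_mac": mac}, "action": action}
        self.flow_table.append(entry)
        return entry

    def on_packet_in(self, pkt):
        """Fig. 10 (steps S103 to S106): consult the stored policy, then install a
        Fig. 11 style entry matching MAC and IP of both ends (or a drop entry)."""
        src, dst = BY_MAC.get(pkt["src_mac"]), BY_MAC.get(pkt["dst_mac"])
        allowed = src is not None and dst in self.policy.get(src, set())
        action = f"output:{LOCATION[dst][2]}" if allowed else "drop"
        entry = {"priority": 20, "match": dict(pkt), "action": action}
        self.flow_table.append(entry)
        return entry

    def lookup(self, pkt):
        """Forwarding node 200 (step S202): highest-priority entry whose match agrees."""
        hits = [e for e in self.flow_table
                if all(pkt.get(k) == v for k, v in e["match"].items())]
        return max(hits, key=lambda e: e["priority"])["action"] if hits else "table-miss"
```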
  • The necessary communication settings can thus be completed simply by performing authentication using the name of the resource newly connected to the network, without setting an IP address or notifying a MAC address in advance according to the environment of the network.
  • Further, the communication policy for the resource can be determined automatically from the communication policy set in advance (the communication policy for each role in Fig. 5), so that the burden of management operations on a network administrator or the like can be reduced.
  • In the above, Figs. 3 to 7 were shown and the description was given assuming that the role ID of a resource is inferred in order to perform access control.
  • However, a configuration that does not use the role ID can also be employed.
  • For example, a communication policy defining permission or prohibition of access may be determined based on a resource name given to each resource, an access ID such as a MAC address, resource location information, or the like, and access control may then be performed based on this communication policy.
  • The description was also given assuming that the resource 410 performs the authentication procedure with the authentication apparatus 600 through the forwarding node 200.
  • However, a configuration in which the resource 410 communicates directly with the authentication apparatus 600 to perform the authentication procedure can also be employed.
  • As for the control information set when the resource 410 is connected, in the above description only the control information that causes the request for setting control information to be made for packets from the resource 410 is set (refer to Fig. 9), and the forwarding control information is set at the stage where an actual communication flow has occurred (refer to Fig. 10). Alternatively, in the stage from steps S006 to S008 in Fig. 9, the necessary calculation of the paths starting from or ending at the resource 410 and generation of the corresponding control information may be performed, and that control information may then be set in the forwarding node 200.
  • <Second Mode> The access control system in the first mode further includes an identification information storage apparatus configured to associate and store the identification information of a resource with a role ID; the authentication apparatus performs the authentication process by checking the identification information obtained from the resource against the content stored in the identification information storage apparatus, and transmits the role ID to the policy management apparatus when the authentication succeeds; and the policy management apparatus determines the communication policy for the resource using information indicating permission or inhibition of access set for each role ID.
  • <Third Mode> The information indicating permission or inhibition of access includes permission or inhibition of access to each resource group into which resources are grouped, and the policy management apparatus determines the communication policy for the resource by referring to the permission or inhibition of access to each resource group.
  • <Fourth Mode> When receiving the communication policy for the resource from the policy management apparatus, the control apparatus sets, in the forwarding node connected to the resource, control information that causes the forwarding node to make a request to the control apparatus for setting control information for packets having the resource as transmission source or destination; and when communication having the resource as transmission source or destination occurs, the control apparatus sets, in each forwarding node on the forwarding path of such packets, the control information for forwarding them, based on the communication policy for the resource.
  • <Fifth Mode> In the access control system in any one of the first to third modes, when receiving the communication policy for the resource from the policy management apparatus, the control apparatus calculates, based on the communication policy for the resource, the forwarding paths of the packets exchanged between the resource and other resources (that is, starting from or ending at the resource), and sets, in each forwarding node on those forwarding paths, the control information for forwarding those packets.
  • <Sixth Mode> See the access control method according to the second aspect described above.
  • <Seventh Mode> See the program according to the third aspect described above.
  • The sixth and seventh modes can be developed into the second to fifth modes in the same way as the first mode.
  • Reference signs: 100 control apparatus; 200 forwarding node; 310 policy management apparatus; 320 policy storage apparatus; 410, 420 resource; 510, 520 identification information; 600 authentication apparatus; 700 identification information storage apparatus

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention aims to reduce the management burden of access control between resources and to improve the convenience of access control within a network using OpenFlow. An access control system according to the invention comprises a control apparatus configured to generate control information defining the processing content to be applied to a received packet and then to set the control information in a forwarding node; the forwarding node, configured to process the received packet by referring to the control information; an authentication apparatus configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and a policy management apparatus configured to determine a communication policy for the resource, using the result of the authentication and the identification information. The control apparatus generates the control information associated with the communication policy and then sets the control information in the forwarding node.
PCT/JP2013/005109 2012-08-30 2013-08-29 Access control system, access control method and program WO2014034119A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2015511530A JP2015530763A (ja) 2012-08-30 2013-08-29 Access control system, access control method and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2012190316 2012-08-30
JP2012-190316 2012-08-30

Publications (1)

Publication Number Publication Date
WO2014034119A1 true WO2014034119A1 (fr) 2014-03-06

Family

ID=50182953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/005109 WO2014034119A1 (fr) 2012-08-30 2013-08-29 Access control system, access control method and program

Country Status (2)

Country Link
JP (1) JP2015530763A (fr)
WO (1) WO2014034119A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101763653B1 (ko) * 2016-01-04 2017-08-14 Atto Research Co., Ltd. Method and apparatus for recognizing and managing network resources

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012077603A1 (fr) * 2010-12-09 2012-06-14 NEC Corporation Computer system, controller and network monitoring method
WO2012086816A1 (fr) * 2010-12-24 2012-06-28 NEC Corporation Communication system, control device, policy management device, communication method and program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8032558B2 (en) * 2007-01-10 2011-10-04 Novell, Inc. Role policy management

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016163927A1 (fr) * 2015-04-10 2016-10-13 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices for access control of data flows in a software-defined networking system
US10313397B2 (en) 2015-04-10 2019-06-04 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices for access control of data flows in software defined networking system
WO2020134711A1 (fr) * 2018-12-29 2020-07-02 Huawei Technologies Co., Ltd. Message forwarding apparatus and method

Also Published As

Publication number Publication date
JP2015530763A (ja) 2015-10-15

Similar Documents

Publication Publication Date Title
JP5862577B2 (ja) Communication system, control device, policy management device, communication method and program
US9397949B2 (en) Terminal, control device, communication method, communication system, communication module, program, and information processing device
US9338090B2 (en) Terminal, control device, communication method, communication system, communication module, program, and information processing device
JP5880560B2 (ja) Communication system, forwarding node, received packet processing method and program
JP5811171B2 (ja) Communication system, database, control device, communication method and program
JP5811179B2 (ja) Communication system, control device, policy management device, communication method and program
US9935876B2 (en) Communication system, control apparatus, communication apparatus, communication control method, and program
US9887920B2 (en) Terminal, control device, communication method, communication system, communication module, program, and information processing device
WO2014142299A1 (fr) Communication terminal, communication control apparatus, communication system, communication control method and program
WO2012141086A1 (fr) Computer system, controller and network access policy control method
WO2013035342A1 (fr) Network management service system, control apparatus, method and program
JP2014516215A (ja) Communication system, control device, processing rule setting method and program
JPWO2014112616A1 (ja) Control device, communication device, communication system, switch control method and program
US20130275620A1 (en) Communication system, control apparatus, communication method, and program
WO2013141200A1 (fr) Communication node, packet processing method and program
WO2014034119A1 (fr) Access control system, access control method and program
WO2014061583A1 (fr) Communication node, control device, communication system, packet processing method, and program
US10469498B2 (en) Communication system, control instruction apparatus, communication control method and program
WO2014020902A1 (fr) Communication system, control apparatus, communication method, and program
WO2015129727A1 (fr) Communications terminal, communications method and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13834141; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2015511530; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13834141; Country of ref document: EP; Kind code of ref document: A1)