WO2015145976A1 - Communication system, control instruction device, control implementation device, communication control method, and storage medium with program stored thereon - Google Patents


Info

Publication number: WO2015145976A1
Authority: WO (WIPO, PCT)
Application number: PCT/JP2015/000992
Inventor: 玲未 沼尻
Original Assignee: 日本電気株式会社
Application filed by 日本電気株式会社. Priority application: JP2016509947A (JPWO2015145976A1).


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/64: Hybrid switching systems
    • H04L 12/6418: Hybrid transport

Definitions

  • the present invention relates to a communication system, a control instruction device, a control execution device, a communication control method, and a storage medium for storing a program.
  • OpenFlow (Non-Patent Documents 1 and 2) is a technology that treats communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis.
  • the OpenFlow switch specified in Non-Patent Document 2 includes a secure channel for communication with the OpenFlow controller, and operates according to a flow table that is added to or rewritten by the OpenFlow controller as appropriate. The flow table defines, for each flow, a set of a match condition (Match Fields), flow statistical information (Counters), and an instruction (Instructions) that specifies the processing contents (see, for example, section “4.1 Flow Table” of Non-Patent Document 2).
  • the OpenFlow switch searches the flow table for an entry having a matching condition (see “4.3 Match Fields” in Non-Patent Document 2) that matches the header information of the received packet.
  • the OpenFlow switch updates the flow statistical information (counters) of that entry and applies the processing contents described in its instruction field to the received packet.
  • the processing content is, for example, packet transmission from a designated port, flooding or discarding.
  • the OpenFlow switch sends an entry setting request, that is, a request for control information for processing the received packet (a Packet-In message), to the OpenFlow controller via the secure channel.
  • the OpenFlow switch receives a flow entry whose processing content is defined and updates the flow table. As described above, the OpenFlow switch performs packet transfer using the entry stored in the flow table as control information.
  • Patent Document 1 discloses an example of an access control apparatus that performs role-based access control (Role-Based Access Control, hereinafter referred to as “RBAC”).
  • the access control device disclosed in Patent Literature 1 includes a user information table, a role information table, and an access control table.
  • the user information table stores a user and an attribute value that the user has in association with each other.
  • the role information table stores a combination of attribute values and a role defined by the combination of the attribute values in association with each other.
  • the access control table stores the content and role ID (Identifier) in association with each other.
  • the role ID defines an access condition for the content.
  • the access control device disclosed in Patent Literature 1 sets a list of users having attribute values corresponding to roles in the user list information table for each role based on the user information table and the role information table.
  • the access control unit identifies the role in the access condition from the access control table, and judges the access authority depending on whether or not the accessing user is included in the user list of the identified role.
  • the technique disclosed in the prior art document has a problem in that access control according to the current communication status of the node that is the transmission source or transmission destination of the packet cannot be performed. This is because the technology disclosed in the prior art document does not have a mechanism for detecting the current communication status of a certain node and performing access control.
  • Policy 1: While node A is accessing node C, where customer confidential information is stored, communication from node A to node B is not permitted.
  • Policy 2: While node A is not accessing node C, communication from node A to node B is permitted.
  • An object of the present invention is to realize access control according to the current communication status of a node that is a transmission source of a packet or a node that is a transmission destination.
  • a first aspect of the present invention is a control instruction device comprising: a communication status management unit that stores, in a communication status storage unit, the communication status between nodes that communicate via a control execution device, the control execution device processing packets based on instructions given in response to inquiries regarding a packet processing method; a determination unit that obtains, by referring to the communication status storage unit, the communication status between the transmission source node or the transmission destination node of the packet that is the target of an inquiry and another node, and determines the processing method of the packet based on the communication status of at least one of the transmission source node and the transmission destination node; and an instruction unit that instructs the control execution device on the determined processing method.
  • a second aspect of the present invention is a communication system including a control execution device and a control instruction device, wherein the control execution device includes a packet processing unit that inquires of the control instruction device about the processing method of a packet and processes the packet based on the instruction given in response to the inquiry, and the control instruction device includes a communication status management unit that stores, in a communication status storage unit, the communication status between nodes that communicate via the control execution device, a determination unit that obtains, by referring to the communication status storage unit, the communication status between the transmission source node or the transmission destination node of the packet that is the target of the inquiry and another node, and determines the processing method of the packet based on the communication status of at least one of the transmission source node and the transmission destination node, and an instruction unit that instructs the control execution device on the determined processing method.
  • a third aspect of the present invention is a communication control method performed by a control instruction device communicably connected to a control execution device that processes packets based on instructions given in response to inquiries regarding a packet processing method, the method comprising: storing, in a communication status storage unit, the communication status between nodes that communicate via the control execution device; obtaining, by referring to the communication status storage unit, the communication status between the transmission source node or the transmission destination node of the packet that is the target of an inquiry and another node; determining the processing method of the packet based on the communication status of at least one of the transmission source node and the transmission destination node; and instructing the control execution device on the determined processing method.
  • a fourth aspect of the present invention is a computer-readable storage medium storing a program that causes a computer, communicably connected to a control execution device that processes packets based on instructions given in response to inquiries regarding a packet processing method, to execute: a process of storing, in a communication status storage unit, the communication status between nodes that communicate via the control execution device; a process of determining the processing method of the packet based on the communication status of at least one of the transmission source node and the transmission destination node, obtained by referring to the communication status storage unit; and a process of instructing the control execution device on the determined processing method.
  • the object of the present invention is also achieved by a program stored in the computer-readable storage medium.
  • according to the present invention, it is possible to realize access control according to the current communication status of the node that is the transmission source or the transmission destination of a packet.
  • FIG. 1 is a block diagram showing a configuration of a communication system 1000 according to the first embodiment of the present invention.
  • FIG. 2 is a block diagram showing the configuration of the communication system 1000 according to the first embodiment of the present invention.
  • FIG. 3 is a diagram illustrating an example of information stored in the instruction cache 130 according to the first embodiment of the present invention.
  • FIG. 4 is a diagram illustrating an example of information stored in the communication status storage unit 240 according to the first embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example of information stored in the first table 250 according to the first embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example of information stored in the second table 260 according to the first embodiment of the present invention.
  • FIG. 7 is a diagram for explaining the outline of processing of the communication system 1000 according to the first embodiment of the present invention.
  • FIG. 8 is a diagram for explaining an overview of processing of the communication system 1000 according to the first embodiment of the present invention.
  • FIG. 9 is a sequence diagram illustrating an example of the operation of the communication system 1000 according to the first embodiment of the present invention.
  • FIG. 10 is a sequence diagram illustrating an example of the operation of the communication system 1000 according to the first embodiment of the present invention.
  • FIG. 11 is a diagram illustrating an example of information stored in the first table 251 according to the first embodiment of the present invention.
  • FIG. 12 is a diagram illustrating an example of information stored in the first table 252 according to the first embodiment of the present invention.
  • FIG. 13 is a block diagram showing a configuration of a communication system 1000A according to the second embodiment of the present invention.
  • FIG. 14 is a block diagram showing a configuration of a communication control apparatus 300B according to the third embodiment of the present invention.
  • FIG. 15 is a block diagram illustrating an example of a configuration of a computer that can implement the control execution device and the control instruction device, or the communication control device, according to each embodiment of the present invention.
  • a node is, for example, a terminal (information processing apparatus).
  • the node may be a virtual node realized by virtualization software.
  • the packet transmission source node is a term indicating a node that has transmitted the packet.
  • the packet transmission destination node is a term indicating a node which is a destination of the packet.
  • information for identifying a transmission source node of a packet is referred to as a “transmission source node identifier”.
  • information for identifying a transmission destination node of a packet is referred to as a “transmission destination node identifier”.
  • the node identifier is, for example, an IP (Internet Protocol) address or a MAC (Media Access Control) address, but is not limited thereto.
  • FIG. 1 is a block diagram showing a configuration of a communication system 1000 according to the first embodiment.
  • the communication system 1000 includes a control execution device 100 and a control instruction device 200.
  • the control execution device 100 is, for example, a network switch (hereinafter also referred to as “switch”).
  • a network switch is a communication device capable of switching a communication path in a communication network (hereinafter also referred to as “network”) by switching, for example, a transfer destination device of a packet flowing through the communication network.
  • the control execution apparatus 100 is connected to a network and performs processing for transferring a received packet.
  • the control execution apparatus 100 receives an instruction regarding the packet processing method from the control instruction apparatus 200.
  • the control execution apparatus 100 transfers the received packet according to the packet processing method instructed from the control instruction apparatus 200.
  • the control instruction device 200 is a controller, for example.
  • the control instruction device 200 is connected to a network, and is connected to the control execution device 100 via the network.
  • the control instruction device 200 receives an inquiry from the control execution device 100 regarding the packet transfer method.
  • the control instruction device 200 gives an instruction for the inquiry to the control execution device 100.
  • FIG. 2 is a block diagram showing a detailed configuration of the control execution device 100 and the control instruction device 200 shown in FIG.
  • control execution apparatus 100 includes a packet processing unit 110, an inquiry unit 120, and an instruction cache 130.
  • the packet processing unit 110 processes the received packet based on the processing method stored in the instruction cache 130.
  • the inquiry unit 120 will be described.
  • the inquiry unit 120 inquires the control instruction apparatus 200 about the received packet processing method. Also, the inquiry unit 120 receives an instruction (that is, a packet processing method) for the inquiry from the control instruction apparatus 200.
  • the inquiry unit 120 writes the received packet processing method in the instruction cache 130. As a result, packets having the same characteristics are processed using the entries stored in the instruction cache 130.
  • the instruction cache 130 will be described.
  • the instruction cache 130 stores entries indicating the packet processing methods received from the control instruction apparatus 200. For example, when the control execution apparatus 100 is an OpenFlow switch, the instruction cache 130 corresponds to the flow table.
  • FIG. 3 is a diagram illustrating an example of information stored in the instruction cache 130.
  • the instruction cache 130 stores a plurality of entries.
  • each entry is information that associates the node identifier of the packet's transmission source node (that is, the transmission source node identifier), the node identifier of the packet's transmission destination node (that is, the transmission destination node identifier), and the processing method of the packet. For example, when the transmission source node of a packet received by the control execution apparatus 100 is node 4 and the transmission destination node is node 5, the control execution apparatus 100 should transmit the packet to port 1.
  • control instruction device 200 includes an instruction unit 210, a determination unit 220, a communication status management unit 230, a communication status storage unit 240, a first table 250, and a second table 260.
  • the first table 250 and the second table 260 represent storage units that store information in the form of a table, for example.
  • the first table 250 is also referred to as a first information storage unit 250.
  • the second table 260 is also expressed as a second information storage unit 260.
  • the instruction unit 210 will be described.
  • the instruction unit 210 receives an inquiry about the packet processing method from the control execution apparatus 100.
  • the instruction unit 210 instructs the control execution apparatus 100 how to process the packet.
  • the instruction unit 210 transmits an instruction to delete a specific entry stored in the instruction cache 130 to the control execution apparatus 100 at a predetermined timing.
  • the determination unit 220 will be described.
  • the determination unit 220 refers to the information stored in the header of the packet to acquire the transmission source node identifier and the transmission destination node identifier of the packet.
  • the determination unit 220 searches the communication status storage unit 240, the first table 250, and the second table 260 based on the transmission source node identifier and the transmission destination node identifier. Details of the first table 250 and the second table 260 will be described later.
  • the determination unit 220 determines a processing method for the packet based on the result obtained by the search.
  • the communication status management unit 230 will be described.
  • when the control instruction apparatus 200 detects that a connection has been established between the transmission source node and the transmission destination node of a packet, the communication status management unit 230 stores an entry for the packet in the communication status storage unit 240.
  • the entry is information in which the transmission source node identifier and the transmission destination node identifier of the packet are associated with each other.
  • when the determination unit 220 determines to disconnect the connection between the transmission source node and the transmission destination node of a certain packet, the communication status management unit 230 deletes the entry for that packet from the communication status storage unit 240.
  • the communication status management unit 230 only needs to operate so as to maintain a state in which the above-described entry is stored in the communication status storage unit 240.
  • the operation of the communication status management unit 230 is not limited to the specific example described above.
  • the communication status storage unit 240 stores an entry in which a transmission source node identifier and a transmission destination node identifier are associated with each other.
  • FIG. 4 is a diagram illustrating an example of entries held in the communication status storage unit 240.
  • the entry in the first line illustrated in FIG. 4 includes a source node identifier, a destination node identifier, and a service or protocol identifier.
  • the communication status storage unit 240 may store a plurality of identifiers such as identifiers of each layer of the network, for example.
  • the communication status storage unit 240 may store, for example, a MAC address, which is an identifier of layer 2 (L2) of the OSI (Open Systems Interconnection) reference model, or an IP address, which is an identifier of layer 3 (L3).
  • the communication status storage unit 240 may store a plurality of transmission destination identifiers. Further, the communication status storage unit 240 may store not only one but also a plurality of identifiers of the source and destination services and protocols.
  • the communication status storage unit 240 may store a port number instead of the transmission source node identifier or the transmission destination node identifier.
  • the first table 250 (that is, the first information storage unit 250) will be described.
  • the first table 250 stores information (that is, first information) in which the identifier of a node, the current communication status of the node, and the role of the node in that communication status are associated with each other.
  • the first table 250 may store the first information in a table format.
  • the first table 250 may store the first information in a format other than the table format.
  • the role of a node in its current communication status may be referred to simply as the “node role” or the “role”.
  • the communication status represents, for example, whether or not a connection with another specific node has been established.
  • the communication status may be represented by, for example, a combination of a node identifier and a value indicating whether or not a connection with the node specified by the identifier is established.
  • for each node, the organization network that the node is allowed to access is determined. For example, one node may handle customer data while another node is used only locally, so the two nodes are not necessarily assigned the same role. The function and importance of such nodes are collectively expressed as roles.
  • FIG. 5 is a diagram illustrating an example of information stored in the first table 250.
  • the information shown in the first row indicates that the role of node 1 is “B” while node 1 establishes a connection with node 3.
  • the information shown in the second row indicates that the role of node 1 is “A” while node 1 has not established a connection with node 3.
  • the communication system 1000 is configured so that the role of a node changes dynamically according to the current communication status of the node.
  • the information shown in the fifth line indicates that the role of the node 10 is “D” regardless of the current communication status.
  • the symbol “*” shown in the fifth and sixth lines indicates a wild card.
  • a communication status represented by the wild card matches any communication status. Therefore, when a role is associated with the identifier of a node and a communication status represented by the wild card, the role of that node is determined regardless of its communication status. Thus, there may be nodes whose role is determined regardless of the current communication status.
  • the role associated with the first entry whose node identifier and communication status match the transmission source node and its current communication status is the role of the transmission source node.
  • the node identifier represented by the wildcard matches any node identifier. Therefore, when the role is associated with the identifier of the node represented by the wild card and any communication status, the role of the node in the communication status is determined regardless of the node.
  • the information shown in the sixth line indicates that the role of any node that currently has an established connection with node 7 is “E”, regardless of which node it is. Thus, the role of a node may be determined regardless of which node the node is.
  • the second table 260 (that is, the second information storage unit 260) will be described.
  • the second table 260 stores information (that is, second information) in which a combination of the role of a packet's transmission source node and the role of its transmission destination node is associated with a processing method for the packet.
  • the second table 260 may store the second information in a table format.
  • the second table 260 may store the second information in a format other than the table format.
  • the processing method stored in the second table 260 may be information in a format that the control execution device 100 can interpret, or information in a format that the control execution device 100 cannot interpret as it is.
  • FIG. 6 is a diagram illustrating an example of information stored in the second table 260.
  • the role of the transmission source node or the role of the transmission destination node may be represented by the symbol “*” described above (that is, a wild card), which matches any role. In the former case, the processing method is determined by the role of the transmission destination node regardless of the role of the transmission source node; in the latter case, it is determined by the role of the transmission source node regardless of the role of the transmission destination node.
  • the information shown in the first line indicates that when the role of the packet's transmission source node is “A” and the role of its transmission destination node is “B”, the processing method of the packet is “ALLOW and exclusive”. “ALLOW and exclusive” represents, for example, that the packet is transmitted exclusively (that is, while occupying a communication path).
  • the information shown in the second line indicates that the processing method of the packet is “DENY” when the role of the transmission destination node is “C”, regardless of the role of the transmission source node. “DENY” represents, for example, that transmission of the packet is rejected.
  • the second information stored in the second table 260 may be a database built from documents such as security standards and procedure manuals.
  • the security standard is, for example, PCI DSS (Payment Card Industry Data Security Standard).
  • the security standard describes, for example, security items that should be protected during system operation.
  • the second table 260 stores, for example, information obtained by converting a security standard described in a natural language into a format that can be automatically determined by the control instruction device 200 as second information.
  • FIGS. 7 and 8 are diagrams for conceptually explaining an outline of the communication control processing performed by the communication system 1000 according to the first embodiment.
  • the arrows in FIGS. 7 and 8 indicate the flow of packets from the node at the origin of the arrow (that is, its start point) to the node at the tip of the arrow (that is, its end point).
  • the dotted arrows in FIGS. 7 and 8 indicate that a connection is established between the node that is the source of the arrow and the node that is the destination of the arrow.
  • in FIG. 7, node 1 is about to transmit a packet to node 2. That is, node 1 is the transmission source node and node 2 is the transmission destination node. In FIG. 7, a connection is established between node 1 and node 3.
  • the communication system 1000 controls the flow of packets from the transmission source node to the transmission destination node according to the current communication status of the transmission source node. For example, the communication system 1000 controls the flow of packets from the node 1 to the node 2 depending on whether or not the node 1 is currently establishing a connection with the node 3.
  • in FIG. 8, node 1 is likewise about to transmit a packet to node 2. That is, node 1 is the transmission source node and node 2 is the transmission destination node. In FIG. 8, a connection is established between node 2 and node 3.
  • the communication system 1000 may control the flow of packets from the transmission source node to the transmission destination node according to the current communication state of the transmission destination node. For example, the communication system 1000 controls the flow of packets from the node 1 to the node 2 depending on whether or not the node 2 is currently establishing a connection with the node 3.
  • the communication system 1000 may also control the flow of packets from the transmission source node to the transmission destination node by considering both the current communication status of the transmission source node and the current communication status of the transmission destination node.
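As an added illustration that is not part of the patent text, the following Python models the determination described for the first table 250 (wild cards, first-match semantics), the second table 260, the communication status storage 240 and the switch-side instruction cache 130, and runs Policies 1 and 2 through it for the situation of FIG. 7. It also shows why the entry-delete instruction of the instruction unit 210 matters: a cached decision that is never invalidated keeps allowing node 1 to reach node 2 after node 1 has connected to node 3. Table rows, node numbers, role names and the default-deny fallback are constructed assumptions.

```python
"""Added model of the patent's connection-aware, role-based packet control: a switch
(control execution device 100, instruction cache 130) asks the controller (control
instruction device 200), which resolves node roles from the first table (250) against
the communication status storage (240) and picks a method from the second table (260)."""
from dataclasses import dataclass, field

WILD = "*"  # the "*" wild card of FIG. 5 and FIG. 6


@dataclass(frozen=True)
class Status:
    """Communication status to match: a connection with `peer` is (not) established."""
    peer: int
    established: bool


@dataclass
class Controller:
    first_table: list   # rows (node id | "*", Status | "*", role), in priority order
    second_table: list  # rows (source role | "*", destination role | "*", method)
    connections: set = field(default_factory=set)  # storage 240: frozenset({a, b}) per link
    switches: list = field(default_factory=list)   # caches to invalidate on status change

    def role_of(self, node):
        """First table 250: the first row whose node identifier and communication
        status both match decides the role; "*" matches anything."""
        for row_node, status, role in self.first_table:
            if row_node not in (WILD, node):
                continue
            if status == WILD:
                return role
            if (frozenset((node, status.peer)) in self.connections) == status.established:
                return role
        return None

    def decide(self, src, dst):
        """Determination unit 220: resolve both roles, then consult table 260."""
        src_role, dst_role = self.role_of(src), self.role_of(dst)
        for s, d, method in self.second_table:
            if s in (WILD, src_role) and d in (WILD, dst_role):
                return method
        return "DENY"  # assumption: an unmatched role pair is denied

    def set_connection(self, a, b, established):
        # Communication status management unit 230. The entry-delete instruction of
        # unit 210 is modelled as dropping cached decisions that involve a or b.
        if established:
            self.connections.add(frozenset((a, b)))
        else:
            self.connections.discard(frozenset((a, b)))
        for sw in self.switches:
            sw.invalidate({a, b})


@dataclass
class Switch:
    controller: Controller
    cache: dict = field(default_factory=dict)  # instruction cache 130: (src, dst) -> method
    queries: int = 0                            # inquiries sent to the controller

    def handle(self, src, dst):
        """Steps S102-S104: use the cached entry, or inquire and cache the answer."""
        if (src, dst) not in self.cache:
            self.queries += 1
            self.cache[(src, dst)] = self.controller.decide(src, dst)
        return self.cache[(src, dst)]

    def invalidate(self, nodes):
        for key in [k for k in self.cache if set(k) & nodes]:
            del self.cache[key]


def demo():
    """Policies 1 and 2 of the text: node 1 may send to node 2 only while it has no
    connection to node 3 (customer confidential data). Rows/nodes are constructed."""
    first_table = [
        (1, Status(peer=3, established=True), "B"),   # as FIG. 5, row 1
        (1, Status(peer=3, established=False), "A"),  # as FIG. 5, row 2
        (2, WILD, "LOCAL"),                           # role fixed regardless of status
        (3, WILD, "C"),
    ]
    second_table = [
        ("A", "LOCAL", "ALLOW"),  # Policy 2
        ("B", "LOCAL", "DENY"),   # Policy 1
        (WILD, "C", "ALLOW"),     # opening a session to node 3 is itself permitted
        (WILD, WILD, "DENY"),
    ]
    ctrl = Controller(first_table, second_table)
    sw = Switch(ctrl)
    ctrl.switches.append(sw)
    decisions = [sw.handle(1, 2), sw.handle(1, 2)]  # inquiry, then cache hit
    ctrl.set_connection(1, 3, True)                 # node 1 now talks to node 3
    decisions.append(sw.handle(1, 2))               # re-evaluated: DENY
    ctrl.set_connection(1, 3, False)
    decisions.append(sw.handle(1, 2))               # ALLOW again
    stale = Switch(ctrl)  # never registered: its cache is never invalidated
    stale.handle(1, 2)
    ctrl.set_connection(1, 3, True)
    return {"decisions": decisions, "queries": sw.queries, "stale_cache": stale.handle(1, 2)}
```

The `stale_cache` result is the failure mode a deployment must guard against: without the delete instruction at status-change time, the switch keeps forwarding on an entry that the controller's own tables no longer permit.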
  • FIG. 9 is a sequence diagram illustrating an example of the operation of the communication system 1000 according to the first embodiment. In the following description, it is assumed that the transmission source node is node 1 and the transmission destination node is node 2.
  • node 1, the transmission source node, transmits a packet destined for node 2 to the control execution apparatus 100 (step S101).
  • the control execution apparatus 100 receives the packet.
  • the control execution apparatus 100 refers to the header of the packet and acquires the transmission source node identifier and the transmission destination node identifier of the packet.
  • the control execution apparatus 100 searches the instruction cache 130 based on the transmission source node identifier and the transmission destination node identifier. Specifically, it searches the instruction cache 130 for an entry that includes the transmission source node identifier and the transmission destination node identifier obtained from the packet (that is, an entry related to the packet).
  • when an entry related to the packet exists in the instruction cache 130 (YES in step S102), that entry includes the processing method for the packet, and the control execution apparatus 100 processes the packet according to the processing method stored in the instruction cache 130 (step S104).
  • otherwise, the control execution apparatus 100 inquires of the control instruction apparatus 200 about the processing method of the packet.
  • the control instruction device 200 receives an inquiry about the packet processing method from the control execution device 100 and determines the packet processing method (step S103).
  • the control instruction device 200 instructs the control execution device 100 on the determined processing method.
  • the control instruction apparatus 200 may indicate the processing method to the control execution apparatus 100 by transmitting the determined processing method to the control execution apparatus 100. Details of the operation shown in step S103 will be described later.
  • the control execution apparatus 100 receives a processing method from the control instruction apparatus 200.
  • the control execution apparatus 100 processes the packet based on the received processing method (step S104).
  • the node 2 receives the packet (step S105).
  • FIG. 10 is a sequence diagram for explaining the operation shown in step S103 in more detail.
  • the instruction unit 210 receives an inquiry about the packet processing method from the control execution apparatus 100 (step S201).
  • the determination unit 220 refers to the header of the packet and acquires the transmission source node identifier and the transmission destination node identifier of the packet.
  • the determination unit 220 searches the communication status storage unit 240 using the acquired transmission source node identifier and transmission destination node identifier as keys (step S202). By performing such a search, the determination unit 220 extracts an entry including the transmission source node identifier of the packet. In addition, the determination unit 220 extracts an entry including the transmission destination node identifier of the packet.
  • the communication status storage unit 240 returns the current communication status of the transmission source node specified by the acquired transmission source node identifier to the determination unit 220.
  • the transmission source node of the packet is node 1.
  • the communication status storage unit 240 returns the current communication status of the transmission destination node specified by the acquired transmission destination node identifier to the determination unit 220.
  • the transmission destination node of the packet is the node 2.
  • the communication status of a node returned to the determination unit 220 by the communication status storage unit 240 may be information indicating another node with which the node has established a connection, for example.
  • the determination unit 220 may read from the communication status storage unit 240 the identifier of the node associated with the transmission source node identifier of the packet in an entry stored in the communication status storage unit 240. In addition, the determination unit 220 may read from the communication status storage unit 240 the node identifier associated with the transmission destination node identifier of the packet in an entry stored in the communication status storage unit 240. As described above, when an entry including the identifier of a certain node is stored in the communication status storage unit 240, the determination unit 220 obtains the information that the node has established a connection with the other node whose identifier is included in the entry. For example, when the communication status storage unit 240 stores only the entries shown in FIG., the communication status storage unit 240 may return the information that “the node 1 is currently establishing a connection with the node 3” to the determination unit 220.
  • In addition, the communication status storage unit 240 may return the information that “the node 2 is not currently establishing a connection with any node” to the determination unit 220.
  • the determination unit 220 searches the first table 250 using the transmission source node identifier and the current communication status of the transmission source node as keys (step S204). Further, the determination unit 220 searches the first table 250 using the destination node identifier and the current communication status of the destination node as keys (step S204).
  • the determination unit 220 may extract, as the role of the transmission source node, the role that is associated in the information stored in the first table 250 with a node identifier matching the transmission source node identifier and with a communication status matching the returned communication status of the transmission source node. Similarly, the determination unit 220 may extract, as the role of the transmission destination node, the role that is associated in the information stored in the first table 250 with a node identifier matching the transmission destination node identifier and with a communication status matching the returned communication status of the transmission destination node.
  • a node identifier stored in the first table 250 matches the transmission source node identifier when it is, for example, the same identifier as the transmission source node identifier or the symbol “*” described above.
  • a node identifier stored in the first table 250 matches the transmission destination node identifier when it is, for example, the same identifier as the transmission destination node identifier or the symbol “*” described above.
  • a communication status stored in the first table 250 matches a given communication status when it is the same communication status or the symbol “*” described above.
  • the information stored in the first table 250 may be set so that the roles of a plurality of transmission source nodes are not extracted with respect to the transmission source node identifier and the communication status of the transmission source node.
  • when a plurality of roles are extracted for the transmission source node identifier and the communication status of the transmission source node, the determination unit 220 may select one of the extracted roles as the role of the transmission source node according to a predetermined rule. In the example illustrated in FIG. 6, the determination unit 220 may determine, for each row in order from the first row, whether the node identifier and the communication status of the row match the transmission source node identifier and the communication status that are the keys.
  • the determination unit 220 may then extract, as the role of the transmission source node, the role associated with the node identifier and communication status of the first row determined to match the transmission source node identifier and the communication status.
  • when a plurality of roles are extracted for the transmission destination node, the determination unit 220 may likewise select one of them as the role of the transmission destination node according to a predetermined rule. In the example illustrated in FIG. 6, the determination unit 220 may determine, for each row in order from the first row, whether the node identifier and the communication status of the row match the transmission destination node identifier and the communication status that are the keys.
  • the determination unit 220 may then extract, as the role of the transmission destination node, the role associated with the node identifier and communication status of the first row determined to match the transmission destination node identifier that is the key and the communication status.
  • the first table 250 returns the role of the transmission source node and the role of the transmission destination node to the determination unit 220 (step S205).
  • the determination unit 220 may read the role detected as the destination role from the first table 250. Furthermore, the determination unit 220 may read the role detected as the role of the transmission source node from the first table 250.
  • when the first table 250 stores the information illustrated in FIG. 5, the role of the transmission source node (that is, the node 1) in the current communication state is “B”. Further, the role of the transmission destination node (that is, the node 2) in the current communication state is “A”.
  • the determining unit 220 searches the second table 260 using the combination of the role of the transmission source node (B in the above example) and the role of the transmission destination node (A in the above example) as a key (step S206).
  • the determination unit 220 may detect, in the second table 260, the combination of “the role of the transmission source node” and “the role of the transmission destination node” that matches the combination of the role of the transmission source node and the role of the transmission destination node read from the first table 250.
  • the determination unit 220 may extract the processing method associated with the detected combination of the “source node role” and the “destination node role” in the second table 260.
  • a role stored in the second table 260 matches a given role when it is the same role or the role represented by the symbol “*” described above.
  • accordingly, “the role of the transmission source node” in the second table 260 matches the role of the transmission source node read from the first table 250 when it is, for example, the same role or the symbol “*” described above.
  • likewise, “the role of the transmission destination node” in the second table 260 matches the role of the transmission destination node read from the first table 250 when it is, for example, the same role or the symbol “*” described above.
  • a combination of “source node role” and “destination node role” in which each role matches the corresponding role of the key combination matches the key combination.
  • the information stored in the second table 260 may be set so that a plurality of processing methods are not extracted for one key.
  • the determination unit 220 may select one processing method from the extracted processing methods according to a predetermined method. For example, in the example illustrated in FIG. 6, the determination unit 220 may determine whether or not the role of the transmission source node and the role of the transmission destination node match the key in order from the first row. Then, the determination unit 220 may extract a processing method associated with the role of the transmission source node and the role of the transmission destination node that are first determined to be suitable for the key.
  • the second table 260 returns the processing method associated with the combination of the role of the transmission source node and the role of the transmission destination node to the determination unit 220 (step S207).
  • the determination unit 220 may read from the second table 260 the processing method associated with the combination of “source role” and “destination role” that matches the combination of the role of the transmission source node and the role of the transmission destination node read from the first table 250. For example, when the second table 260 stores the information shown in FIG. 6, the processing method corresponding to a flow in which the role of the transmission source node is A and the role of the transmission destination node is B is “ALLOW and exclusive”.
  • the determining unit 220 determines a processing method to be transmitted to the control execution apparatus 100 based on the processing method obtained by searching the second table 260 (step S208).
  • the determination unit 220 may transmit the processing method stored in the second table 260 to the control execution apparatus 100 as it is.
  • the determination unit 220 may instead generate, based on the processing method, information that can be interpreted by the control execution apparatus 100. The determination unit 220 may then transmit the generated information to the control execution apparatus 100 as the processing method.
  • for example, the determination unit 220 may generate, from the predetermined processing method, data representing an instruction that the control execution apparatus 100 can interpret. The determination unit 220 may then determine the generated data as the data to be transmitted to the control execution apparatus 100, and may transmit the converted data representing the instruction to the control execution apparatus 100.
  • control instruction device 200 may transmit an instruction to discard the packet.
  • control instruction apparatus 200 may transmit an instruction to transfer the packet to a specific port.
  • the instruction unit 210 transmits the processing method determined by the determination unit 220 to the control execution apparatus 100 (step S209).
  • the communication status management unit 230 stores an entry related to the combination in the communication status storage unit 240. Since the communication status storage unit 240 does not yet store an entry related to the combination of the identifier of the node 1 and the identifier of the node 2, the communication status management unit 230 adds an entry for the combination of the identifier of the node 1 and the identifier of the node 2 to the communication status storage unit 240.
  • when the packet is discarded, the communication status management unit 230 does not store an entry related to the combination of the transmission source node identifier and the transmission destination node identifier of the packet in the communication status storage unit 240. This is because no actual communication occurs when the packet is discarded.
  • the determination unit 220 may operate to search the communication status storage unit 240 using at least one of the transmission source node identifier and the transmission destination node identifier as a key.
  • the instruction unit 210 may transmit, to the control execution apparatus 100, an instruction to delete an entry related to the node from the instruction cache 130 at a timing when it is detected that the communication status of an arbitrary node has changed.
  • the instruction unit 210 may transmit, to the control execution apparatus 100, an instruction to delete an entry related to the node from the instruction cache 130 at the timing when the determination unit 220 determines to change the communication status of an arbitrary node.
  • control execution apparatus 100 may voluntarily delete the entry after a predetermined time has elapsed since the entry was registered in the instruction cache 130.
  • the control instruction device 200 may include a mechanism for detecting the end of communication between nodes (that is, disconnection of connection). The mechanism may determine whether an entry in the instruction cache 130 is necessary.
  • as a mechanism for detecting the end of communication between nodes, there is a method of checking the end message of a connection-oriented communication protocol. For example, in TCP (Transmission Control Protocol), the end of communication can be detected by checking for a FIN (finish) flag or an ACK (acknowledgement) flag from the opposite direction.
  • the control execution apparatus 100 transmits a message indicating that the entry in the instruction cache 130 has been deleted by detecting the end of communication (that is, the flow) to the control instruction apparatus 200.
  • the communication status management unit 230 can delete the corresponding entry stored in the communication status storage unit 240.
  • the OpenFlow switch (the control execution apparatus 100) disclosed in Non-Patent Document 2 can use the “Flow-removed” message to notify the OpenFlow controller (the control instruction apparatus 200) that a flow entry has timed out. More specifically, for example, an administrator sets a timeout in a flow entry of the flow table (the instruction cache 130) of the OpenFlow switch. When the timeout expires, for example because no packet of the flow has been received for a certain period of time, the control execution apparatus 100 notifies the control instruction apparatus 200 of the timeout with a “Flow-removed” message.
  • upon receiving the “Flow-removed” message, the control instruction apparatus 200 searches for an entry in the communication status storage unit 240 based on the transmission destination IP address and port number of the packet included in the timeout notification. The control instruction apparatus 200 deletes the entry specified by the search.
  • the contents of the entry stored in the instruction cache 130 are automatically updated to the contents in accordance with the security policy in accordance with the communication status between the nodes.
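  The lookup sequence of steps S201 to S209 and the deletion of stale entries described above, as an added example that is constructed for this page and is not the patent's own code: a controller-side class holding the communication status storage, the ordered first table (node identifier, communication status, role) and the ordered second table (source role, destination role, processing method), with the “*” wildcard and the first-matching-row rule, and a switch-side class holding the instruction cache that is invalidated whenever a node's communication status changes or a flow ends. The node identifiers, roles and table rows are constructed sample data chosen to show the policy “prohibit web access while accessing confidential customer information”; the status pattern “-” (connected to no node) and the set-valued status of a node are assumptions added so that a node connected to several peers can be matched.

```python
"""Role-based packet policy keyed on the current connection status of the nodes.

Constructed example of the two-table lookup (communication status store ->
first table -> second table) and of the instruction cache invalidation.
All identifiers, roles and table rows are sample data, not the patent's figures.
"""
from dataclasses import dataclass, field

WILDCARD = "*"   # matches any node identifier, communication status or role
NO_PEER = "-"    # assumed status pattern meaning "connected to no node"


@dataclass
class ControlInstructionDevice:
    """Controller side: determines the processing method for an inquired packet."""
    first_table: list    # ordered rows (node_id, status_pattern, role); first match wins
    second_table: list   # ordered rows (src_role, dst_role, method); first match wins
    connections: set = field(default_factory=set)   # communication status storage: (src, dst)

    def status_of(self, node):
        """Current communication status of `node`: the set of nodes it is connected with."""
        return {d for s, d in self.connections if s == node} | \
               {s for s, d in self.connections if d == node}

    @staticmethod
    def _status_matches(pattern, peers):
        if pattern == WILDCARD:
            return True
        if pattern == NO_PEER:
            return not peers
        return pattern in peers

    def role_of(self, node):
        """Search the first table with (node identifier, current status) as the key."""
        peers = self.status_of(node)
        for node_pat, status_pat, role in self.first_table:
            if node_pat in (WILDCARD, node) and self._status_matches(status_pat, peers):
                return role
        return None   # no row applies; only "*" rows of the second table can then match

    def decide(self, src, dst):
        """Answer an inquiry: look up the method, then update the status store."""
        src_role, dst_role = self.role_of(src), self.role_of(dst)
        method = "DROP"   # constructed default when no row of the second table matches
        for src_pat, dst_pat, candidate in self.second_table:
            if src_pat in (WILDCARD, src_role) and dst_pat in (WILDCARD, dst_role):
                method = candidate
                break
        stale_nodes = set()
        if method != "DROP":
            # a discarded packet produces no communication, so nothing is stored
            self.connections.add((src, dst))
            stale_nodes = {src, dst}   # their status changed: cached entries are stale
        return method, stale_nodes

    def flow_removed(self, src, dst):
        """Handle a Flow-removed style notification: the connection has ended."""
        self.connections.discard((src, dst))
        return {src, dst}   # nodes whose cached entries must be deleted


@dataclass
class ControlExecutionDevice:
    """Switch side: serves packets from the instruction cache or asks the controller."""
    controller: ControlInstructionDevice
    cache: dict = field(default_factory=dict)   # instruction cache: (src, dst) -> method

    def handle_packet(self, src, dst):
        key = (src, dst)
        if key in self.cache:
            return self.cache[key]
        method, stale_nodes = self.controller.decide(src, dst)
        self._drop_entries_for(stale_nodes)
        self.cache[key] = method
        return method

    def _drop_entries_for(self, nodes):
        for key in [k for k in self.cache if k[0] in nodes or k[1] in nodes]:
            del self.cache[key]

    def flow_ended(self, src, dst):
        self.cache.pop((src, dst), None)
        self._drop_entries_for(self.controller.flow_removed(src, dst))


def scenario():
    """Node 1 is a client PC, node 2 a web server, node 3 the confidential customer store."""
    first_table = [
        ("3", WILDCARD, "C"),          # the confidential store always plays role C
        ("1", "3", "B"),               # node 1 while connected to node 3: confidential session
        (WILDCARD, WILDCARD, "A"),     # every other node and status: default role A
    ]
    second_table = [
        ("A", "C", "ALLOW and exclusive"),   # opening a confidential session is allowed
        ("B", WILDCARD, "DROP"),             # a node in such a session may start no other flow
        (WILDCARD, WILDCARD, "ALLOW"),
    ]
    switch = ControlExecutionDevice(ControlInstructionDevice(first_table, second_table))
    trace = [switch.handle_packet("1", "2"),   # web access before the session: ALLOW
             switch.handle_packet("1", "3"),   # session opened: ALLOW and exclusive
             switch.handle_packet("1", "2")]   # web access during the session: DROP
    switch.flow_ended("1", "3")                # Flow-removed for the session
    trace.append(switch.handle_packet("1", "2"))   # session over: ALLOW again
    return trace


if __name__ == "__main__":
    print(scenario())
```

  The third decision shows the effect of the communication status on the role: the same (node 1, node 2) pair that was allowed before is dropped once node 1 holds a connection to node 3, and the cached ALLOW entry for that pair had already been deleted when node 1's status changed, so the switch asks the controller again instead of serving the stale entry.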
  • the control execution apparatus 100 can be realized by an OpenFlow switch, for example.
  • the control execution apparatus 100 may be implemented as a firewall or a network switch.
  • the control execution device 100 is not necessarily a physical device, and may be, for example, a personal firewall or a virtual switch implemented by software operating on a node, that is, on a communication terminal.
  • the function of the control execution apparatus 100 is realized by, for example, a CPU (Central Processing Unit) executing a computer program read into the memory.
  • the control instruction device 200 can be realized by an OpenFlow controller, for example.
  • the function of the control instruction device 200 is realized, for example, when the CPU executes a computer program (software program, hereinafter simply referred to as “program”) read into the memory.
  • the control execution device 100 and the control instruction device 200 can be realized by using an OpenFlow control device (controller) and an OpenFlow switch as described above.
  • the control execution apparatus 100 and the control instruction apparatus 200 can also be realized by a control instruction apparatus and a control execution apparatus having equivalent functions that are not an OpenFlow control apparatus (controller) and an OpenFlow switch.
  • each unit (processing unit) of the control execution device 100 and the control instruction device 200 illustrated in FIG. 2 can also be realized by a computer that implements these devices and by a computer program that causes the hardware of the computer to execute the processing of each unit described above.
  • control execution device 100 and the control instruction device 200 are not necessarily separated from each other.
  • control execution device 100 and the control instruction device 200 may be the same device.
  • the control execution device 100 may have a function of operating as the control instruction device 200.
  • the communication status storage unit 240 is not necessarily installed in the same device as the device in which the communication status management unit 230 and the determination unit 220 are installed.
  • the communication status storage unit 240 only needs to be mounted so as to be accessible from the communication status management unit 230 and the determination unit 220.
  • the first table 250 and the second table 260 are not necessarily mounted in the same device as the device in which the determination unit 220 is mounted.
  • the first table 250 and the second table 260 may be mounted so as to be accessible from the determination unit 220.
  • control instruction apparatus 200 may refer to three tables as shown below.
  • 1) a table storing information in which nodes, communication statuses and roles of the nodes are associated; 2) a table storing information in which a combination of a role of a transmission source node and a role of a transmission destination node and a flow defined by the combination are associated; 3) a table storing information in which a flow and an action for the flow are associated with each other.
  • the first table 251 (shown in FIG. 11) and the first table 252 (shown in FIG. 12) are other specific examples of the first table 250.
  • the first table 251 and the first table 252 will be described below.
  • FIG. 11 is a diagram for explaining information stored in the first table 251.
  • the first table 251 stores a node identifier of a node, a current communication status of the node, current position information of the node, and a role in association with each other.
  • the current location information of the node is information such as “inside Tokyo”, “in a specific building”, or “in a specific floor”, for example.
  • when the node is a virtual node, the current location information of the node may be, for example, the identifier of the physical node or blade server that operates the virtual node, or information such as the position of the rack in which that server is mounted.
  • the control instruction device 200 acquires the current position information of the node.
  • the control instruction device 200 may acquire position information of a node from a position detection unit (not shown) that detects the position of the node using, for example, a GPS (Global Positioning System) provided in the node.
  • the determination unit 220 searches the first table 251 using the identifier of the node, the current communication status of the node, and the current position information of the node as keys.
  • the determination unit 220 obtains information regarding the role of the node as a search result.
  • the communication system 1000 can therefore realize more detailed communication control that also takes into account the current position information of the transmission source node or the transmission destination node.
  • the first table 251 has been described above.
  • FIG. 12 is a diagram for explaining information stored in the first table 252.
  • the first table 252 stores information in which a node identifier, the current communication status of the node, “usage information” (information indicating the user currently using the node), and a role are associated with each other.
  • the usage information is, for example, information including at least one of the employee number, job title, department, age, etc. of the user currently using the node.
  • the control instruction device 200 acquires the current usage information of the node.
  • the control instruction apparatus 200 may acquire the usage information by, for example, reading user information stored in an ID card or the like owned by an individual using a card reader (not shown) or the like.
  • the determination unit 220 searches the first table 252 using the identifier of the node, the current communication status of the node, and the current usage information of the node as keys.
  • the determination unit 220 obtains information regarding the role of the node as a search result.
  • the communication system 1000 can therefore realize more detailed communication control that also takes into account the current usage information of the transmission source node or the transmission destination node.
  • the first table 252 which is another specific example of the first table 250 has been described above.
  • FIG. 13 is a block diagram illustrating a configuration of a communication system 1000A according to the second embodiment.
  • Communication system 1000A includes a control execution device 100A and a control instruction device 200A.
  • the control execution apparatus 100A includes a packet processing unit 110A and an inquiry unit 120A.
  • the inquiry unit 120A inquires of the control instruction apparatus 200A about the packet processing method.
  • the packet processing unit 110A processes the packet based on an instruction transmitted from the control instruction apparatus 200A in response to the inquiry.
  • the control execution apparatus 100A may be able to access a storage unit corresponding to the instruction cache 130 in the first embodiment.
  • the control instruction device 200A includes an instruction unit 210A, a determination unit 220A, and a communication status management unit 230A.
  • the communication status management unit 230A stores in the communication status storage unit 240A the communication status between nodes that communicate via the control execution apparatus 100A.
  • the determination unit 220A acquires the communication status between the transmission source node or the transmission destination node of the packet that is the target of the above-described inquiry and another node by referring to the communication status storage unit 240A.
  • the determination unit 220A determines a processing method for the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node.
  • the instruction unit 210A instructs the determined processing method to the control execution apparatus 100A.
  • the control instruction device 200A can access the communication status storage unit 240A, the storage unit corresponding to the first table 250 in the first embodiment, and the storage unit corresponding to the second table 260 in the first embodiment. It may be.
  • the communication status storage unit 240A may be mounted in the same device as the control instruction device 200A.
  • FIG. 14 is a block diagram illustrating a configuration of a communication control device 300B according to the third embodiment.
  • the communication control device 300B, as a single device, operates as the control execution device 100 and the control instruction device 200 in the first embodiment, or as the control execution device 100A and the control instruction device 200A in the second embodiment.
  • the packet processing unit 310B processes the packet based on the instruction of the determination unit 320B.
  • the determination unit 320B obtains the communication status between the transmission source node or transmission destination node of the packet and another node by referring to the communication status storage unit 340B.
  • the determination unit 320B determines a processing method for the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node.
  • the communication status management unit 330B stores in the communication status storage unit 340B the communication status between nodes that communicate via the own device 300B.
  • the communication control device 300B can access a communication status storage unit 340B, a storage unit corresponding to the first table 250 in the first embodiment, and a storage unit corresponding to the second table 260 in the first embodiment. It may be.
  • the communication status storage unit 340B may be mounted in the same device as the communication control device 300B.
  • each block diagram is a configuration shown for convenience of explanation.
  • the present invention described by taking each embodiment as an example is not limited to the configuration shown in each block diagram in the implementation.
  • control execution apparatus 100 and the control instruction apparatus 200 according to the first embodiment can be realized by a computer and a program for controlling the computer, respectively.
  • Each of the control execution apparatus 100 and the control instruction apparatus 200 can be realized by dedicated hardware.
  • the control execution apparatus 100 and the control instruction apparatus 200 can be realized by a combination of a computer and a program for controlling the computer and dedicated hardware, respectively.
  • the control execution device 100A and the control instruction device 200A according to the second embodiment and the communication control device 300B according to the third embodiment can be realized by a computer and a program for controlling the computer, respectively.
  • the control execution device 100A, the control instruction device 200A, and the communication control device 300B can each be realized by dedicated hardware.
  • the control execution device 100A, the control instruction device 200A, and the communication control device 300B can be realized by a combination of a computer, a program for controlling the computer, and dedicated hardware, respectively.
  • FIG. 15 is a diagram illustrating an example of a hardware configuration of a computer 10000 that can implement the control execution apparatus 100, the control instruction apparatus 200, the control execution apparatus 100A, the control instruction apparatus 200A, and the communication control apparatus 300B.
  • a computer 10000 includes a processor 10001, a memory 10002, a storage device 10003, and an I / O (Input / Output) interface 10004. Further, the computer 10000 can access the recording medium 10005.
  • the memory 10002 and the storage device 10003 are storage devices such as a RAM (Random Access Memory) and a hard disk, for example.
  • the recording medium 10005 is, for example, a storage device such as a RAM or a hard disk, a ROM (Read Only Memory), or a portable recording medium.
  • the storage device 10003 may be the recording medium 10005.
  • the processor 10001 can read and write data and programs from and to the memory 10002 and the storage device 10003.
  • the processor 10001 can access, for example, a node via the I / O interface 10004.
  • the processor 10001 can access the recording medium 10005.
  • the recording medium 10005 stores a program that causes the computer 10000 to operate as the control execution apparatus 100, the control instruction apparatus 200, the control execution apparatus 100A, the control instruction apparatus 200A, or the communication control apparatus 300B.
  • the processor 10001 loads into the memory 10002 the program, stored in the recording medium 10005, that causes the computer 10000 to operate as the control execution apparatus 100, the control instruction apparatus 200, the control execution apparatus 100A, the control instruction apparatus 200A, or the communication control apparatus 300B. When the processor 10001 executes the program loaded in the memory 10002, the computer 10000 operates as the control execution device 100, the control instruction device 200, the control execution device 100A, the control instruction device 200A, or the communication control device 300B.
  • the plurality of units listed below can be realized, for example, by a dedicated program that realizes the function of each unit and that can be read into the memory 10002 from the recording medium 10005 storing the program, and by the processor 10001 that executes the program.
  • the plurality of parts described above are as follows, for example.
  • packet processing unit 110, inquiry unit 120, instruction unit 210, determination unit 220, communication status management unit 230, packet processing unit 110A, inquiry unit 120A, instruction unit 210A, determination unit 220A, communication status management unit 230A, packet processing unit 310B, determination unit 320B, and communication status management unit 330B.
  • the instruction cache 130, the communication status storage unit 240, the first table 250, and the second table 260 can be realized by a memory 10002 included in the computer 10000 or a storage device 10003 such as a hard disk device.
  • the communication status storage unit 240A and the communication status storage unit 340B can be realized by a memory 10002 included in the computer 10000 or a storage device 10003 such as a hard disk device.
  • some or all of the plurality of units listed below can be realized by a dedicated circuit that realizes the function of each unit.
  • the plurality of parts are as follows, for example.
  • packet processing unit 110, inquiry unit 120, instruction cache 130, instruction unit 210, determination unit 220, communication status management unit 230, communication status storage unit 240, first table 250, second table 260, packet processing unit 110A, inquiry unit 120A, instruction unit 210A, determination unit 220A, communication status management unit 230A, communication status storage unit 240A, packet processing unit 310B, determination unit 320B, communication status management unit 330B, and communication status storage unit 340B.
  • the present invention described using the above embodiments as an example can be applied to access control between computers, for example.
  • for example, suppose the security policy of a company states “prohibit information retrieval via the web while accessing confidential customer information”.
  • access control that satisfies such a fine security policy can be realized.
  • Reference signs: 100 control execution device; 110 packet processing unit; 120 inquiry unit; 130 instruction cache; 200 control instruction device.

Abstract

This invention implements access control appropriate to the current communication status of either the originating node of a packet or the destination node of said packet. This control instruction device comprises a communication-status management unit, a determination unit, and an instruction unit. The communication-status management unit stores, in a communication-status storage unit, the status of communication between nodes that communicate via a control implementation device. The determination unit refers to said communication-status storage unit to acquire the status of communication between either the originating node of a packet about which an inquiry was made or the destination node of said packet and another node. On the basis of the originating node, the destination node, and the communication status of the originating node and/or the destination node, the determination unit determines a processing method for the packet in question, and the instruction unit instructs the control implementation device to apply said processing method.

Description

Communication system, control instruction device, control execution device, communication control method, and storage medium storing a program
 The present invention relates to a communication system, a control instruction device, a control execution device, a communication control method, and a storage medium storing a program.
 In recent years, a technique called programmable flow or OpenFlow has been proposed (see Non-Patent Documents 1 and 2). OpenFlow is a technique that treats communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis. The OpenFlow switch specified in Non-Patent Document 2 has a secure channel for communication with an OpenFlow controller and operates according to a flow table whose entries the OpenFlow controller instructs it to add or rewrite as appropriate. For each flow, the flow table defines a set consisting of a match condition (Match Fields) to be compared against the packet header, flow statistics (Counters), and instructions (Instructions) that define the processing to apply (the definition of the flow table is given, for example, in section "4.1 Flow Table" of Non-Patent Document 2).
 For example, on receiving a packet, the OpenFlow switch searches the flow table for an entry whose match condition (see "4.3 Match Fields" of Non-Patent Document 2) matches the header information of the received packet. If an entry matching the received packet is found, the OpenFlow switch updates the flow statistics (counters) and applies to the received packet the processing described in the instruction field of that entry. The processing is, for example, transmission of the packet from a designated port, flooding, or discarding. If, on the other hand, no entry matching the received packet is found, the OpenFlow switch sends the OpenFlow controller, via the secure channel, a request to set an entry, that is, a request for transmission of control information for processing the received packet (a Packet-In message). The OpenFlow switch then receives a flow entry in which the processing is defined and updates the flow table. In this way, the OpenFlow switch forwards packets using the entries stored in the flow table as control information.
 Patent Document 1 discloses an example of an access control device that performs role-based access control (hereinafter "RBAC"). The access control device disclosed in Patent Document 1 has a user information table, a role information table, and an access control table. The user information table stores each user in association with the attribute values that the user has. The role information table stores combinations of attribute values in association with the roles defined by those combinations. The access control table stores content in association with a role ID (identifier); the role ID specifies the access condition for that content. Based on the user information table and the role information table, the access control device disclosed in Patent Document 1 sets, for each role, a list of the users having the attribute values corresponding to that role in a user list information table. When a request to access content occurs, the access control unit identifies the role of the access condition based on the access control table, and determines access authority according to whether the accessing user is included in the user list of the identified role.
Patent Document 1: JP 2010-117885 A
 The following analysis was made by the inventor of the present invention. By using the techniques disclosed in Non-Patent Documents 1 and 2 to set role-aware flow entries in the OpenFlow switches on the communication path, not only role-based access control such as that disclosed in Patent Document 1 but also path control can be realized.
 However, the techniques disclosed in the prior art documents have the problem that access control according to the current communication status of the node that is the source or the destination of a packet cannot be performed. The reason is that the techniques disclosed in the prior art documents have no mechanism for detecting the current communication status of a node and performing access control accordingly.
 For example, assume that a company has defined security guidelines that include policy 1 and policy 2 below:
 ・Policy 1: While node A is accessing node C, where confidential customer information is stored, communication from node A to node B is not permitted.
 ・Policy 2: While node A is not accessing node C, communication from node A to node B is permitted.
 With the techniques disclosed in the prior art documents, access control in accordance with the above security guidelines cannot be realized. One object of the present invention is to realize access control according to the current communication status of the node that is the source or the destination of a packet.
 A first aspect of the present invention is a control instruction device comprising: a communication status management unit that stores, in a communication status storage unit, the communication status between nodes communicating via a control execution device which processes a packet based on an instruction given in response to an inquiry about the processing method for the packet; a determination unit that obtains, by referring to the communication status storage unit, the communication status between the source node or the destination node of the packet that is the subject of the inquiry and another node, and determines the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node; and an instruction unit that instructs the control execution device to apply the determined processing method.
 A second aspect of the present invention is a communication system including a control execution device and a control instruction device, wherein the control execution device comprises an inquiry unit that inquires of the control instruction device about the processing method for a packet, and a packet processing unit that processes the packet based on the instruction given in response to the inquiry; and the control instruction device comprises a communication status management unit that stores, in a communication status storage unit, the communication status between nodes communicating via the control execution device, a determination unit that obtains, by referring to the communication status storage unit, the communication status between the source node or the destination node of the packet that is the subject of the inquiry and another node, and determines the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node, and an instruction unit that instructs the control execution device to apply the determined processing method.
 A third aspect of the present invention is a control method in which a control instruction device, communicably connected to a control execution device that processes a packet based on an instruction given in response to an inquiry about the processing method for the packet, stores the communication status between nodes communicating via the control execution device in a communication status storage unit; obtains, by referring to the communication status storage unit, the communication status of the source node or the destination node of the packet that is the subject of the inquiry; determines the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node; and instructs the control execution device to apply the determined processing method.
 A fourth aspect of the present invention is a computer-readable storage medium storing a program that causes a computer, communicably connected to a control execution device that processes a packet based on an instruction given in response to an inquiry about the processing method for the packet, to execute: a process of storing the communication status between nodes communicating via the control execution device in a communication status storage unit; a process of obtaining, by referring to the communication status storage unit, the communication status of the source node or the destination node of the packet that is the subject of the inquiry, and determining the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node; and a process of instructing the control execution device to apply the determined processing method.
 The object of the present invention is also achieved by the program stored in the above computer-readable storage medium.
 According to the present invention, access control according to the current communication status of the node that is the source or the destination of a packet can be realized.
FIG. 1 is a block diagram showing the configuration of a communication system 1000 according to the first embodiment of the present invention.
FIG. 2 is a block diagram showing the configuration of the communication system 1000 according to the first embodiment of the present invention.
FIG. 3 is a diagram showing an example of the information stored in the instruction cache 130 according to the first embodiment of the present invention.
FIG. 4 is a diagram showing an example of the information stored in the communication status storage unit 240 according to the first embodiment of the present invention.
FIG. 5 is a diagram showing an example of the information stored in the first table 250 according to the first embodiment of the present invention.
FIG. 6 is a diagram showing an example of the information stored in the second table 260 according to the first embodiment of the present invention.
FIG. 7 is a diagram explaining the outline of the processing of the communication system 1000 according to the first embodiment of the present invention.
FIG. 8 is a diagram explaining the outline of the processing of the communication system 1000 according to the first embodiment of the present invention.
FIG. 9 is a sequence diagram explaining an example of the operation of the communication system 1000 according to the first embodiment of the present invention.
FIG. 10 is a sequence diagram explaining an example of the operation of the communication system 1000 according to the first embodiment of the present invention.
FIG. 11 is a diagram showing an example of the information stored in a first table 251 according to the first embodiment of the present invention.
FIG. 12 is a diagram showing an example of the information stored in a first table 252 according to the first embodiment of the present invention.
FIG. 13 is a block diagram showing the configuration of a communication system 1000A according to the second embodiment of the present invention.
FIG. 14 is a block diagram showing the configuration of a communication control device 300B according to the third embodiment of the present invention.
FIG. 15 is a block diagram showing an example of the configuration of a computer that can implement the control execution device and the control instruction device, or the communication control device, according to each embodiment of the present invention.
 Embodiments of the present invention will now be described in detail with reference to the drawings. The reference numerals of the drawings given in this description are attached to the respective elements for convenience, as an aid to understanding, and are not intended to limit the present invention to the illustrated modes.
 (Explanation of terms)
 A node is, for example, a terminal (information processing device). A node may also be, for example, a virtual node realized by virtualization software.
 The source node of a packet is the node that transmitted that packet. The destination node of a packet is the node to which the packet is addressed. Hereinafter, information identifying the source node of a packet is referred to as a "source node identifier", and information identifying the destination node of a packet is referred to as a "destination node identifier". A node identifier is, for example, an IP (Internet Protocol) address or a MAC (Media Access Control) address, but is not limited to these.
 <First Embodiment>
 FIG. 1 is a block diagram showing the configuration of a communication system 1000 according to the first embodiment. As shown in FIG. 1, the communication system 1000 includes a control execution device 100 and a control instruction device 200.
 The control execution device 100 is, for example, a network switch (hereinafter also simply "switch"). A network switch is a communication device that can switch the communication path in a communication network (hereinafter also simply "network"), for example by switching the device to which a packet flowing through that network is forwarded. The control execution device 100 is connected to the network and performs processing to forward received packets. The control execution device 100 receives instructions about the packet processing method from the control instruction device 200, and forwards received packets according to the packet processing method instructed by the control instruction device 200.
 The control instruction device 200 is, for example, a controller. The control instruction device 200 is connected to the network, and is connected to the control execution device 100 via the network. The control instruction device 200 receives inquiries about the packet forwarding method from the control execution device 100, and gives the control execution device 100 an instruction in response to each inquiry.
 FIG. 2 is a block diagram showing the detailed configuration of the control execution device 100 and the control instruction device 200 shown in FIG. 1.
 (Configuration of the control execution device 100)
 As shown in FIG. 2, the control execution device 100 includes a packet processing unit 110, an inquiry unit 120, and an instruction cache 130.
 The packet processing unit 110 will be described. The packet processing unit 110 processes a received packet based on the processing method stored in the instruction cache 130.
 The inquiry unit 120 will be described. When the processing method for a received packet is not stored in the instruction cache 130, the inquiry unit 120 inquires of the control instruction device 200 about the processing method for that packet. The inquiry unit 120 also receives from the control instruction device 200 the instruction (that is, the packet processing method) given in response to the inquiry, and writes the received packet processing method into the instruction cache 130. As a result, subsequent packets having the same characteristics are processed using the entry stored in the instruction cache 130.
 The instruction cache 130 will be described. The instruction cache 130 stores entries indicating the packet processing methods received from the control instruction device 200. When the control execution device 100 is an OpenFlow switch, for example, the instruction cache 130 corresponds to the flow table.
 FIG. 3 is a diagram showing an example of the information stored in the instruction cache 130. As shown in FIG. 3, the instruction cache 130 stores a plurality of entries. An entry is information associating the node identifier of a packet's source node (that is, the source node identifier), the node identifier of the packet's destination node (that is, the destination node identifier), and the processing method for the packet. For example, the entry in the first row of the table shown in FIG. 3 indicates that when the source node of a packet received by the control execution device 100 is node 4 and its destination node is node 5, the control execution device 100 should transmit the packet to port 1.
 (Control instruction device 200)
 Returning to the description with reference to FIG. 2. As shown in FIG. 2, the control instruction device 200 includes an instruction unit 210, a determination unit 220, a communication status management unit 230, a communication status storage unit 240, a first table 250, and a second table 260. In the description of this embodiment, the first table 250 and the second table 260 represent storage units that store information, for example in table form. In the description of this embodiment, the first table 250 is also referred to as the first information storage unit 250, and similarly the second table 260 is also referred to as the second information storage unit 260.
 The instruction unit 210 will be described. The instruction unit 210 receives inquiries about the processing method for a packet from the control execution device 100, and instructs the control execution device 100 on the processing method for that packet. The instruction unit 210 also sends the control execution device 100, at a predetermined timing, an instruction to delete a specific entry stored in the instruction cache 130.
 The determination unit 220 will be described. The determination unit 220 obtains the source node identifier and the destination node identifier of a packet by referring to the information stored in the packet's header. Based on the source node identifier and the destination node identifier, the determination unit 220 searches the communication status storage unit 240, the first table 250, and the second table 260. Details of the first table 250 and the second table 260 are described later. The determination unit 220 determines the processing method for the packet based on the results of the search.
 The communication status management unit 230 will be described. When the control instruction device 200 detects that a connection has been established between the source node and the destination node of a packet, the communication status management unit 230 stores an entry for that packet in the communication status storage unit 240. The entry includes information associating the source node identifier and the destination node identifier of the packet.
 Alternatively, when the determination unit 220 permits a connection to be established between the source node and the destination node of a packet, the communication status management unit 230 stores an entry for that packet in the communication status storage unit 240.
 When the control instruction device 200 detects that the connection between the source node and the destination node of a packet has been disconnected, the communication status management unit 230 deletes the entry for that packet from the communication status storage unit 240. Alternatively, when the determination unit 220 decides to disconnect the connection between the source node and the destination node of a packet, the communication status management unit 230 deletes the entry for that packet from the communication status storage unit 240.
 That is, the presence of an entry in the communication status storage unit 240 indicates that a connection is currently established between the source node and the destination node of that entry. The communication status management unit 230 need only operate so that the communication status storage unit 240 is kept in the state of holding entries as described above; its operation is not limited to the specific examples given above.
 The communication status storage unit 240 will be described. The communication status storage unit 240 stores entries in which a source node identifier is associated with a destination node identifier. FIG. 4 is a diagram showing an example of the entries held in the communication status storage unit 240. The entry in the first row illustrated in FIG. 4 includes a source node identifier, a destination node identifier, and a service or protocol identifier.
 The communication status storage unit 240 may store a plurality of identifiers, for example identifiers at each layer of the network. For example, the communication status storage unit 240 may store a MAC address, which is a layer 2 (L2) identifier in the OSI (Open Systems Interconnection) reference model, and an IP address, which is a layer 3 (L3) identifier. Likewise, the communication status storage unit 240 may store a plurality of destination identifiers. The communication status storage unit 240 may also store not just one but a plurality of service and protocol identifiers for the source and for the destination.
 The communication status storage unit 240 may store a port number in place of the source node identifier or the destination node identifier.
 第1のテーブル250(すなわち、第1の情報記憶部250)について説明する。第1のテーブル250は、ノードの識別子と、当該ノードの現在の通信状況と、当該ノードの現在の通信状況におけるロールと、が関連付けられている情報(すなわち、第1の情報)を記憶している。第1のテーブル250は、第1の情報を、テーブル形式で記憶していてもよい。第1のテーブル250は、第1の情報を、テーブル形式以外の形式で記憶していてもよい。以下、当該ノードの現在の通信状況におけるロールを、単に「ノードのロール」と記載する場合がある。ロールは「役割」と呼ばれる場合もある。通信状況は、例えば、他の特定のノードとのコネクションが確立されているか否かを表す。通信状況は、例えば、ノードの識別子と、その識別子によって特定されるノードとのコネクションが確立されているか否かを表す値と、の組み合わせによって表されていてもよい。 The first table 250 (that is, the first information storage unit 250) will be described. The first table 250 stores information (that is, first information) in which the identifier of the node, the current communication status of the node, and the role in the current communication status of the node are associated with each other. Yes. The first table 250 may store the first information in a table format. The first table 250 may store the first information in a format other than the table format. Hereinafter, the role of the node in the current communication state may be simply referred to as “node role”. A role is sometimes called a “role”. The communication status represents, for example, whether or not a connection with another specific node has been established. The communication status may be represented by, for example, a combination of a node identifier and a value indicating whether or not a connection with the node specified by the identifier is established.
 ここで、ロールについて簡単に説明する。ノードのそれぞれについて、ノードがアクセスできる組織ネットワークが決まっている。また、例えば、あるノードは顧客データを扱うノードであり、他のノードはローカルでのみ用いられるノードである、というように、必ずしも同一ではない役割がそれぞれのノードに割り当てられている。これらのノードの役割や重要度は、まとめて、ロールとして表現されている。 Here, the role is explained briefly. For each node, an organization network that the node can access is determined. In addition, for example, a certain node is a node that handles customer data, and another node is a node that is used only locally, so roles that are not necessarily the same are assigned to the respective nodes. The role and importance of these nodes are collectively expressed as roles.
 図5は、第1のテーブル250が記憶する情報の一例を示す図である。図5に示すテーブルにおいて、1行目に示す情報は、ノード1がノード3とコネクションを確立している間は、ノード1のロールは「B」であることを示す。図5に示すテーブルにおいて、2行目に示す情報は、ノード1がノード3とコネクションを確立していない間は、ノード1のロールは「A」であることを示す。 FIG. 5 is a diagram illustrating an example of information stored in the first table 250. In the table shown in FIG. 5, the information shown in the first row indicates that the role of node 1 is “B” while node 1 establishes a connection with node 3. In the table shown in FIG. 5, the information shown in the second row indicates that the role of node 1 is “A” while node 1 has not established a connection with node 3.
As described above, the communication system 1000 according to the present embodiment is configured so that the role of a node changes dynamically according to the communication status the node is currently in.
In the table shown in FIG. 5, the information in the fifth row indicates that the role of node 10 is "D" regardless of its current communication status. The symbol "*" shown in the fifth and sixth rows of FIG. 5 denotes a wildcard. A communication status represented by the wildcard matches any communication status. Therefore, when a role is associated with the identifier of some node and with a communication status represented by the wildcard, the role of the node identified by that identifier is determined independently of its communication status. In other words, the role of a node whose communication status is represented by the wildcard is determined regardless of the communication status. There may thus be nodes whose role is determined regardless of their current communication status. In the table shown in FIG. 5, as described later, the role associated with the first node identifier and communication status that are determined to match the source node and the source node's communication status is the role of the source node.
A node identifier represented by the wildcard matches the identifier of any node. Therefore, when a role is associated with a node identifier represented by the wildcard and with some communication status, the role of any node in that communication status is determined regardless of which node it is. In the table shown in FIG. 5, the information in the sixth row indicates that the role of a node that currently has a connection established with node 7 is "E", whichever node it is. The role of a node may thus be determined regardless of which node it is.
The second table 260 (that is, the second information storage unit 260) will now be described. The second table 260 stores information (that is, second information) in which a combination of the role of the source node of a packet and the role of the destination node of that packet is associated with a processing method for the packet. The second table 260 may store the second information in a table format, or in a format other than a table. The processing method stored in the second table 260 may be information in a format that the control execution device 100 can interpret, or information in a format that the control execution device 100 cannot interpret as it is. FIG. 6 is a diagram showing an example of the information stored in the second table 260.
In the second information stored in the second table 260, the role of the source node and the role of the destination node may each be represented by the symbol "*" described above (that is, the wildcard), which matches any role. For example, when the role of the source node is represented by the wildcard, the processing method is determined by the role of the destination node regardless of the role of the source node. When the role of the destination node is represented by the wildcard, the processing method is determined by the role of the source node regardless of the role of the destination node.
In the table shown in FIG. 6, the information in the first row indicates that when the role of the source node of a packet is "A" and the role of the destination node is "B", the processing method for the packet is "ALLOW and exclusive". "ALLOW and exclusive" means, for example, that the packet is transmitted exclusively (that is, the packet is transmitted while occupying the communication path). The information in the second row indicates that when the role of the destination node is "C", the processing method for the packet is "DENY" regardless of the role of the source node. "DENY" means, for example, that transmission of the packet is refused.
The second information stored in the second table 260 may be a database built from documents such as security standards and operating procedures. A security standard is, for example, PCI DSS (Payment Card Industry Data Security Standard). A security standard describes, for example, the security requirements that must be observed while a system is in operation. In that case, the second table 260 stores as the second information, for example, the security standard written in natural language converted into a format on which the control instruction device 200 can make automatic determinations.
(Outline of communication control processing)
FIGS. 7 and 8 are diagrams conceptually explaining an outline of the communication control processing performed by the communication system 1000 according to the first embodiment.
The solid arrows in FIGS. 7 and 8 indicate the flow of packets from the node at the tail of the arrow (that is, the start point) to the node at the head of the arrow (that is, the end point). The dotted arrows in FIGS. 7 and 8 indicate that a connection is established between the node at the tail of the arrow and the node at its head.
In FIG. 7, node 1 is about to transmit a packet addressed to node 2. That is, node 1 is the source node and node 2 is the destination node. In FIG. 7, node 1 and node 3 have a connection established between them.
The communication system 1000 according to the first embodiment controls the flow of packets from the source node to the destination node according to the current communication status of the source node. For example, the communication system 1000 controls the flow of packets from node 1 to node 2 depending on whether or not node 1 currently has a connection established with node 3.
In FIG. 8, node 1 is likewise about to transmit a packet addressed to node 2. That is, node 1 is the source node and node 2 is the destination node. In FIG. 8, node 2 and node 3 have a connection established between them.
The communication system 1000 according to the first embodiment may control the flow of packets from the source node to the destination node according to the current communication status of the destination node. For example, the communication system 1000 controls the flow of packets from node 1 to node 2 depending on whether or not node 2 currently has a connection established with node 3.
The communication system 1000 according to the first embodiment may also control the flow of packets from the source node to the destination node taking into account both the current communication status of the source node and the current communication status of the destination node.
(Description of the operation of the communication system 1000)
An example of the operation of the communication system 1000 will be described with reference to FIG. 9. FIG. 9 is a sequence diagram explaining an example of the operation of the communication system 1000 according to the first embodiment. In the following description, the source node is node 1 and the destination node is node 2.
Node 1, the source node, transmits a packet whose destination is node 2 to the control execution device 100 (step S101).
The control execution device 100 receives the packet. The control execution device 100 refers to the header of the packet and obtains the source node identifier and the destination node identifier of the packet. The control execution device 100 searches the instruction cache 130 on the basis of the source node identifier and the destination node identifier. Specifically, by searching the instruction cache 130, the control execution device 100 extracts the entry containing the source node identifier and the destination node identifier obtained from the packet (that is, the entry for the packet). If a connection has already been established between the source node specified by the source node identifier and the destination node specified by the destination node identifier, an entry for the packet exists in the instruction cache 130 (YES in step S102). As described above, the entry for the packet stored in the instruction cache 130 contains the processing method for the packet. The control execution device 100 processes the packet according to the processing method stored in the instruction cache 130 (step S104).
If no entry for the packet exists in the instruction cache 130 (NO in step S102), the control execution device 100 queries the control instruction device 200 for the processing method of the packet.
The control instruction device 200 accepts the query about the processing method of the packet from the control execution device 100 and determines the processing method for the packet (step S103). The control instruction device 200 instructs the control execution device 100 with the determined processing method, for example by transmitting the determined processing method to the control execution device 100. Details of the operation in step S103 are described later.
The control execution device 100 receives the processing method from the control instruction device 200 and processes the packet on the basis of the received processing method (step S104).
If the processing method indicates, for example, that communication from node 1 to node 2 is permitted, node 2 receives the packet (step S105).
Next, the operation in step S103 of FIG. 9 is described in more detail. FIG. 10 is a sequence diagram explaining the operation of step S103 in further detail.
The instruction unit 210 receives the query about the processing method of the packet from the control execution device 100 (step S201).
Next, the determination unit 220 refers to the header and the like of the packet and obtains the source node identifier and the destination node identifier of the packet. The determination unit 220 searches the communication status storage unit 240 using the obtained source node identifier and destination node identifier as keys (step S202). By this search, the determination unit 220 extracts the entries containing the source node identifier of the packet, and in addition extracts the entries containing the destination node identifier of the packet.
The communication status storage unit 240 returns to the determination unit 220 the current communication status of the source node specified by the obtained source node identifier. In the example shown in FIG. 9, the source node of the packet is node 1. The communication status storage unit 240 also returns to the determination unit 220 the current communication status of the destination node specified by the obtained destination node identifier. In the example shown in FIG. 9, the destination node of the packet is node 2. The communication status of a node returned by the communication status storage unit 240 to the determination unit 220 may be, for example, information indicating the other nodes with which that node has established connections. The determination unit 220 may read from the communication status storage unit 240 the node identifiers that are associated with the source node identifier of the packet in the entries stored in the communication status storage unit 240, and likewise the node identifiers that are associated with the destination node identifier of the packet in those entries. In this way, when an entry containing the identifier of some node is stored in the communication status storage unit 240, the determination unit 220 obtains the information that this node has established a connection with the other node whose identifier is contained in that entry. For example, when the communication status storage unit 240 stores only the entry shown in FIG. 4, the communication status storage unit 240 may return to the determination unit 220 the information that "node 1 currently has a connection established with node 3", and in addition the information that "node 2 currently has no connection established with any node".
The determination unit 220 searches the first table 250 using the source node identifier and the current communication status of the source node as keys (step S204). The determination unit 220 also searches the first table 250 using the destination node identifier and the current communication status of the destination node as keys (step S204).
The determination unit 220 may extract, from the information stored in the first table 250, the role associated with a node identifier that matches the source node identifier and a communication status that matches the returned communication status of the source node, as the role of the source node. The determination unit 220 may further extract, from the information stored in the first table 250, the role associated with a node identifier that matches the destination node identifier and a communication status that matches the returned communication status of the destination node, as the role of the destination node. The source node identifier matches, for example, an identifier identical to it and the symbol "*" described above. The destination node identifier likewise matches an identifier identical to it and the symbol "*". A communication status matches the same communication status and the symbol "*". The information stored in the first table 250 may be arranged so that, for a given source node identifier and source node communication status, multiple roles are not extracted for the source node.
When multiple roles are extracted for the source node for a given source node identifier and source node communication status, the determination unit 220 may select one role for the source node from the extracted roles according to a predetermined rule. In the case of the first table 250 shown in FIG. 5, the determination unit 220 may determine, starting from the first row and proceeding in order, whether the node identifier and the communication status of that row match the source node identifier and the communication status that serve as the key. The determination unit 220 may extract, as the role of the source node, the role associated with the first node identifier and communication status determined to match the key source node identifier and communication status.
Similarly, when multiple roles are extracted for the destination node for a given destination node identifier and destination node communication status, the determination unit 220 may select one role for the destination node from the extracted roles according to a predetermined rule. In the case of the first table 250 shown in FIG. 5, the determination unit 220 may determine, starting from the first row and proceeding in order, whether the node identifier and the communication status of that row match the destination node identifier and the communication status that serve as the key. The determination unit 220 may extract, as the role of the destination node, the role associated with the first node identifier and communication status determined to match the key destination node identifier and communication status.
The first table 250 returns the role of the source node and the role of the destination node to the determination unit 220 (step S205). The determination unit 220 may read the role detected as the role of the destination node from the first table 250, and likewise the role detected as the role of the source node. When the first table 250 stores the information shown in FIG. 5, the role of the source node (that is, node 1) in its current communication status is "B", and the role of the destination node (that is, node 2) in its current communication status is "A".
The determination unit 220 searches the second table 260 using the combination of the role of the source node (B in the above example) and the role of the destination node (A in the above example) as the key (step S206). The determination unit 220 may detect in the second table 260 the combination of "source node role" and "destination node role" that matches the combination of the source node role and the destination node role read from the first table 250, and may extract from the second table 260 the processing method associated with the detected combination.
A role matches the same role and the role represented by the symbol "*" described above. The source node role read from the first table 250 matches, in the second table 260, a "source node role" that is the same role or the symbol "*". The destination node role read from the first table 250 matches, in the second table 260, a "destination node role" that is the same role or the symbol "*". A combination of "source node role" and "destination node role" matches the key combination when the two match, respectively, the source node role and the destination node role contained in the key. The information stored in the second table 260 may be arranged so that multiple processing methods are not extracted for a single key.
When multiple processing methods are extracted for a single key, the determination unit 220 may select one processing method from the extracted processing methods according to a predetermined method. For example, in the example shown in FIG. 6, the determination unit 220 may determine, starting from the first row and proceeding in order, whether the source node role and the destination node role of each row match the key, and may extract the processing method associated with the first source node role and destination node role determined to match the key.
The second table 260 returns the processing method associated with the combination of the source node role and the destination node role to the determination unit 220 (step S207). The determination unit 220 may read from the second table 260 the processing method associated with the combination of "source role" and "destination role" that matches the combination of the source node role and the destination node role read from the first table 250. For example, when the second table 260 stores the information shown in FIG. 6, the processing method corresponding to a flow whose source node role is A and whose destination node role is B is "ALLOW and exclusive".
The determination unit 220 determines the processing method to be transmitted to the control execution device 100 on the basis of the processing method obtained by searching the second table 260 (step S208). When the processing method stored in the second table 260 is information that the control execution device 100 can interpret, the determination unit 220 may, for example, transmit the processing method stored in the second table 260 to the control execution device 100 as it is. When the processing method stored in the second table 260 is not information that the control execution device 100 can interpret, the determination unit 220 may generate information that the control execution device 100 can interpret on the basis of that processing method, and may transmit the generated information to the control execution device 100 as the processing method. For example, when the processing method stored in the second table 260 is not data that the control execution device 100 can interpret, the determination unit 220 may generate data representing an instruction, predetermined for that processing method, that the control execution device 100 can interpret, determine the generated data as the data to be transmitted to the control execution device 100, and transmit the converted data representing the instruction to the control execution device 100.
For example, when the processing method "DENY" is stored in the second table 260, the control instruction device 200 may transmit an instruction to discard the packet. When the processing method "ALLOW" is stored in the second table 260, the control instruction device 200 may transmit an instruction to forward the packet to a specific port.
The instruction unit 210 transmits the processing method determined by the determination unit 220 to the control execution device 100 (step S209).
When the communication status storage unit 240 does not store an entry for the combination of the source node and the destination node of the packet, the communication status management unit 230 stores an entry for that combination in the communication status storage unit 240. Since the communication status storage unit 240 stores no entry for the combination of the identifier of node 1 and the identifier of node 2, the communication status management unit 230 adds an entry for that combination to the communication status storage unit 240.
Note that if the determination unit 220 has determined a processing method that does not permit transmission of the packet, the communication status management unit 230 does not store an entry for the combination of the source node identifier and the destination node identifier of the packet in the communication status storage unit 240, because discarding the packet means that no actual communication takes place.
 以上、第1の実施形態にかかる通信システム1000の動作の一例を説明した。 The example of the operation of the communication system 1000 according to the first embodiment has been described above.
 なお、上述したステップS202に示した動作において、決定部220は、送信元ノード識別子および送信先ノード識別子のうち少なくとも一方をキーとして通信状況記憶部240を検索するよう動作してもよい。 In the operation shown in step S202 described above, the determination unit 220 may operate to search the communication status storage unit 240 using at least one of the transmission source node identifier and the transmission destination node identifier as a key.
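The decision procedure of steps S202 to S209 (looking up each node's role in the first table 250 from its current communication status, looking up the action in the second table 260 from the role pair, and recording the node pair in the communication status storage unit 240 only when the packet is allowed) can be modelled as follows. This is an added example written for this page, not code from the patent or from its applicant; the node names, the roles, the encoding of a communication status as "connected to peer X or None", and the default-deny behaviour for unknown role pairs are constructed assumptions.

```python
from dataclasses import dataclass, field

DENY = "DENY"
ALLOW = "ALLOW"


@dataclass
class ControlInstructionDevice:
    """Controller-side model of the decision made in steps S202 to S209.

    first_table  : (node id, peer id or None) -> role        (first table 250)
    second_table : (source role, destination role) -> action (second table 260)
    comm_status  : set of (src, dst) pairs currently communicating
                   through the control execution device     (storage unit 240)
    """
    first_table: dict
    second_table: dict
    comm_status: set = field(default_factory=set)
    default_action: str = DENY   # assumption: unknown role pairs are not allowed

    def peers_of(self, node):
        """Step S202: search the status store with the node as source or destination."""
        return ({d for s, d in self.comm_status if s == node}
                | {s for s, d in self.comm_status if d == node})

    def role_of(self, node):
        """Resolve the node's role from its current communication status.

        An entry 'connected to peer X' is looked up first; the entry with peer
        None describes the node when it has no relevant connection.
        """
        for peer in sorted(self.peers_of(node)):
            role = self.first_table.get((node, peer))
            if role is not None:
                return role
        return self.first_table.get((node, None))

    def decide(self, src, dst):
        """Determine the processing method and update the status store."""
        roles = (self.role_of(src), self.role_of(dst))
        action = self.second_table.get(roles, self.default_action)
        if action == ALLOW:
            # Only an allowed packet produces real communication, so only then
            # is the (src, dst) combination recorded.
            self.comm_status.add((src, dst))
        return action

    def flow_ended(self, src, dst):
        """Called when the execution device reports that the flow has ended."""
        self.comm_status.discard((src, dst))


def build_demo_device():
    """Constructed sample policy: a PC that is connected to the customer
    database may not reach the web proxy while that connection exists."""
    first_table = {
        ("pc1", None): "ordinary-user",
        ("pc1", "customer-db"): "confidential-work",
        ("customer-db", None): "customer-db",
        ("web-proxy", None): "web",
    }
    second_table = {
        ("ordinary-user", "customer-db"): ALLOW,
        ("ordinary-user", "web"): ALLOW,
        ("confidential-work", "web"): DENY,
    }
    return ControlInstructionDevice(first_table, second_table)


def demo():
    """Walk through a constructed sequence of inquiries and return the decisions."""
    dev = build_demo_device()
    results = []
    results.append(dev.decide("pc1", "web-proxy"))    # ALLOW: pc1 is an ordinary user
    dev.flow_ended("pc1", "web-proxy")
    results.append(dev.decide("pc1", "customer-db"))  # ALLOW, and the pair is recorded
    results.append(dev.decide("pc1", "web-proxy"))    # DENY: pc1 now holds confidential-work
    dev.flow_ended("pc1", "customer-db")              # database session closed
    results.append(dev.decide("pc1", "web-proxy"))    # ALLOW again
    results.append(dev.decide("pc9", "web-proxy"))    # DENY: unknown node, default action
    return results


if __name__ == "__main__":
    print(demo())
```

The role of a node therefore changes with what it is currently talking to, which is the whole point of the scheme: the same source and destination pair yields different decisions depending on the state recorded in the communication status storage unit, and a denied packet leaves that state untouched.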
 (Timing at which entries are flushed from the instruction cache 130)
 The instruction unit 210 may transmit to the control execution device 100 an instruction to delete the entries related to a node from the instruction cache 130 at the time it detects that the communication status of that node has changed.
 Alternatively, the instruction unit 210 may transmit to the control execution device 100 an instruction to delete the entries related to a node from the instruction cache 130 at the time the determination unit 220 decides to change the communication status of that node.
 Alternatively, the control execution device 100 may delete an entry on its own initiative once a predetermined time has elapsed since the entry was registered in the instruction cache 130.
 Alternatively, the control instruction device 200 may include a mechanism for detecting the end of communication between nodes (that is, the disconnection of a connection), and that mechanism may judge whether an entry in the instruction cache 130 is still needed. One such mechanism for detecting the end of communication between nodes is to check the termination messages of a connection-oriented communication protocol. In TCP (Transmission Control Protocol), for example, the end of communication can be detected by checking for the FIN (finish) flag and the ACK (acknowledgment) flag sent in the opposite direction. In this case too, it is desirable that the control execution device 100 send the control instruction device 200 a message indicating that it has deleted an entry from the instruction cache 130 because it detected the end of the communication (that is, of the flow). On receiving that message, the communication status management unit 230 can delete the corresponding entry stored in the communication status storage unit 240.
 For example, the OpenFlow switch (control execution device 100) disclosed in Non-Patent Document 2 can notify the OpenFlow controller (control instruction device 200) that a flow entry has timed out by means of a "Flow-removed" message. More specifically, an administrator, for example, sets a timeout on the flow entries of the OpenFlow switch's flow table (instruction cache 130). When the timeout expires, for instance because no matching packet has been received for a certain period, the control execution device 100 notifies the control instruction device 200 of the timeout with a "Flow-removed" message. On receiving the "Flow-removed" message, the control instruction device 200 searches the communication status storage unit 240 for an entry based on the packet's destination IP address and port number contained in the timeout notification, and deletes the entry identified by the search.
 In this way, the contents of the entries held in the instruction cache 130 are automatically updated in line with the security policy according to the communication status between nodes.
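The two flush triggers described above, detection of the TCP FIN/ACK exchange on the execution device and an administrator-set idle timeout reported back to the controller in the manner of the OpenFlow "Flow-removed" message, can be modelled as follows. This is an added example, not code from the patent, from its applicant or from the OpenFlow specification; the packet records, node names and notification format are constructed, and the acknowledgement check does not track TCP sequence numbers (any ACK from the peer after its FIN is taken as the acknowledgement), which is a simplification of the check the text describes.

```python
from dataclasses import dataclass, field

# TCP flag bits (positions in the TCP header's flags field).
FIN = 0x01
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str     # source node identifier (constructed sample value)
    dst: str     # destination node identifier
    flags: int   # TCP flags of this segment
    ts: float    # observation time in seconds


def flow_key(a, b):
    """A flow is bidirectional, so both directions share one key."""
    return tuple(sorted((a, b)))


@dataclass
class InstructionCache:
    """Execution-device side: cached flow entries plus flow-end detection.

    Each entry remembers which endpoints have sent a FIN and whether that FIN
    has been acknowledged by the peer.  An entry is removed when both FINs are
    acknowledged, or when the administrator-set idle timeout expires.
    """
    idle_timeout: float
    entries: dict = field(default_factory=dict)
    removed: list = field(default_factory=list)   # Flow-removed style notifications

    def observe(self, pkt):
        key = flow_key(pkt.src, pkt.dst)
        st = self.entries.setdefault(key, {"fin": {}, "last": pkt.ts})
        st["last"] = pkt.ts
        if pkt.flags & ACK and pkt.dst in st["fin"]:
            st["fin"][pkt.dst] = True     # pkt.src acknowledges the FIN sent by pkt.dst
        if pkt.flags & FIN:
            st["fin"][pkt.src] = False    # pkt.src has sent FIN, not yet acknowledged
        if len(st["fin"]) == 2 and all(st["fin"].values()):
            self._remove(key, "flow-end")

    def tick(self, now):
        """Expire entries whose idle timeout has elapsed."""
        for key, st in list(self.entries.items()):
            if now - st["last"] >= self.idle_timeout:
                self._remove(key, "idle-timeout")

    def _remove(self, key, reason):
        del self.entries[key]
        self.removed.append({"flow": key, "reason": reason})


def on_flow_removed(comm_status, notification):
    """Controller side: drop the matching communication status entry (either direction)."""
    a, b = notification["flow"]
    comm_status.discard((a, b))
    comm_status.discard((b, a))
    return comm_status


def demo():
    """Constructed traffic: pc1 closes its session cleanly, pc2 simply goes quiet."""
    cache = InstructionCache(idle_timeout=60.0)
    comm_status = {("pc1", "srv"), ("pc2", "srv")}    # constructed controller state
    segments = [
        Packet("pc1", "srv", ACK, 0.0),
        Packet("pc2", "srv", ACK, 1.0),
        Packet("pc1", "srv", FIN | ACK, 5.0),
        Packet("srv", "pc1", FIN | ACK, 5.1),          # acknowledges pc1's FIN, sends its own
        Packet("pc1", "srv", ACK, 5.2),                # acknowledges srv's FIN
    ]
    for seg in segments:
        cache.observe(seg)
    cache.tick(now=70.0)                               # pc2/srv silent since t=1.0
    for note in cache.removed:
        on_flow_removed(comm_status, note)
    return [n["reason"] for n in cache.removed], comm_status, cache.entries


if __name__ == "__main__":
    print(demo())
```

Both removal paths end in the same controller-side action, so the communication status storage unit converges to the set of flows that are really still open, which is what keeps later role lookups honest. A one-sided FIN (peer still sending data) does not end the flow, and a silently abandoned flow is cleaned up by the timeout rather than lingering as a stale "connected" status.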
 (Example of hardware configuration)
 The control execution device 100 can be realized, for example, by an OpenFlow switch. It may be implemented as a firewall or a network switch. The control execution device 100 need not be a physical device; it may be, for example, a personal firewall or a virtual switch implemented in software running on a node, that is, on a communication terminal. The functions of the control execution device 100 are realized, for example, by a CPU (Central Processing Unit) executing a computer program read into memory.
 The control instruction device 200 can be realized, for example, by an OpenFlow controller. Its functions are realized, for example, by a CPU executing a computer program (a software program, hereinafter simply "program") read into memory.
 As described above, the control execution device 100 and the control instruction device 200 can be realized using an OpenFlow control device (controller) and switch. They can also be realized by a control instruction device and a control execution device with equivalent functions that are not an OpenFlow controller and switch.
 Each unit (processing means) of the control execution device 100 and the control instruction device 200 shown in FIG. 2 can also be realized by a computer that implements these devices together with a computer program that causes that computer to execute, using its hardware, the processing of each unit described above.
 The control execution device 100 and the control instruction device 200 need not be separate from each other. For example, they may be the same device, and the control execution device 100 may include the function of operating as the control instruction device 200.
 (Effects of the first embodiment)
 According to the communication system 1000 of the first embodiment, access control can be realized according to the current communication status of the node that is the source or the destination of a packet.
 (Modifications of the first embodiment)
 The communication status storage unit 240 need not be implemented in the same device as the communication status management unit 230 and the determination unit 220; it only needs to be implemented so that it is accessible from the communication status management unit 230 and the determination unit 220.
 Likewise, the first table 250 and the second table 260 need not be implemented in the same device as the determination unit 220; they only need to be implemented so that they are accessible from the determination unit 220.
 Further, the number of tables referred to by the control instruction device 200 is not limited to the number described above. For example, the control instruction device 200 may refer to the following three tables:
 1) a table storing information that associates a node with the node's communication status and role;
 2) a table storing information that associates a combination of the source node's role and the destination node's role with the flow defined by that combination;
 3) a table storing information that associates a flow with the action to be applied to that flow.
 Various variations are conceivable for the information stored in the first table 250. The first table 251 (shown in FIG. 11) and the first table 252 (shown in FIG. 12) are other specific examples of the first table 250, and are described below.
 FIG. 11 illustrates the information stored in the first table 251. As shown in FIG. 11, the first table 251 stores, in association with each other, the node identifier of a node, the node's current communication status, the node's current location information, and a role.
 When the node is a mobile terminal, its current location information is, for example, information such as "within Tokyo", "within a specific building" or "on a specific floor".
 When the node is a virtual node, its current location information may be, for example, the identifier of the physical node on which the virtual node is running, or the location of the rack housing the blade server on which the virtual node is running.
 The control instruction device 200 acquires the node's current location information. It may, for example, obtain the location information from a position detection unit (not shown) provided in the node that detects the node's position using GPS (Global Positioning System) or the like. The determination unit 220 searches the first table 251 using the node's identifier, its current communication status and its current location information as keys, and obtains information on the node's role as the search result.
 Because the first table 251 stores information as shown in FIG. 11, the communication system 1000 can realize finer-grained communication control that also takes into account the current location of the source node or the destination node. This concludes the description of the first table 251.
 Next, the first table 252, another specific example of the first table 250, is described. FIG. 12 illustrates the information stored in the first table 252. As shown in FIG. 12, the first table 252 stores, in association with each other, a node identifier, the node's current communication status, "usage information" representing the user currently using the node, and a role.
 The usage information is, for example, information including at least one of the employee number, job title, department and age of the user currently using the node.
 The control instruction device 200 acquires the node's current usage information. It may, for example, obtain the usage information by having a card reader or the like (not shown) read the user information stored on an ID card or the like held by the individual. The determination unit 220 searches the first table 252 using the node's identifier, its current communication status and its current usage information as keys, and obtains information on the node's role as the search result.
 Because the first table 252 stores information as shown in FIG. 12, the communication system 1000 can realize finer-grained communication control that also takes into account the current usage information of the source node or the destination node. This concludes the description of the first table 252, another specific example of the first table 250.
 <Second Embodiment>
 FIG. 13 is a block diagram illustrating the configuration of a communication system 1000A according to the second embodiment. The communication system 1000A includes a control execution device 100A and a control instruction device 200A. The control execution device 100A includes a packet processing unit 110A and an inquiry unit 120A. The inquiry unit 120A inquires of the control instruction device 200A how a packet is to be processed. The packet processing unit 110A processes the packet based on the instruction transmitted from the control instruction device 200A in response to the inquiry.
 The control execution device 100A may have access to a storage unit corresponding to the instruction cache 130 of the first embodiment.
 The control instruction device 200A includes an instruction unit 210A, a determination unit 220A and a communication status management unit 230A.
 The communication status management unit 230A stores, in a communication status storage unit 240A, the communication status between nodes that communicate via the control execution device 100A.
 The determination unit 220A obtains the communication status between the source node or destination node of the packet that is the subject of the inquiry and other nodes by referring to the communication status storage unit 240A. It determines the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node.
 The instruction unit 210A instructs the control execution device 100A of the determined processing method.
 The control instruction device 200A may have access to the communication status storage unit 240A, a storage unit corresponding to the first table 250 of the first embodiment, and a storage unit corresponding to the second table 260 of the first embodiment. The communication status storage unit 240A may be implemented within the same device as the control instruction device 200A.
 <Third Embodiment>
 FIG. 14 is a block diagram illustrating the configuration of a communication control device 300B according to the third embodiment. In the third embodiment, a single device, the communication control device 300B, operates as both the control execution device 100 and the control instruction device 200 of the first embodiment, or as both the control execution device 100A and the control instruction device 200A of the second embodiment.
 A packet processing unit 310B processes packets based on instructions from a determination unit 320B. The determination unit 320B obtains the communication status between the source node or destination node of a packet and other nodes by referring to a communication status storage unit 340B, and determines the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node.
 A communication status management unit 330B stores, in the communication status storage unit 340B, the communication status between nodes that communicate via the device 300B itself.
 The communication control device 300B may have access to the communication status storage unit 340B, a storage unit corresponding to the first table 250 of the first embodiment, and a storage unit corresponding to the second table 260 of the first embodiment. The communication status storage unit 340B may be implemented within the same device as the communication control device 300B.
 The embodiments and modifications described above can be implemented in combination as appropriate.
 The division into blocks shown in each block diagram is a configuration presented for convenience of explanation. The present invention, described using each embodiment as an example, is not limited in its implementation to the configurations shown in the block diagrams.
 <Other Embodiments>
 As described above, the control execution device 100 and the control instruction device 200 of the first embodiment can each be realized by a computer and a program controlling that computer. Each can also be realized by dedicated hardware, or by a combination of a computer, a program controlling the computer, and dedicated hardware. Similarly, the control execution device 100A and the control instruction device 200A of the second embodiment and the communication control device 300B of the third embodiment can each be realized by a computer and a program controlling that computer, by dedicated hardware, or by a combination of a computer, a program controlling the computer, and dedicated hardware.
 FIG. 15 illustrates an example of the hardware configuration of a computer 10000 that can implement the control execution device 100, the control instruction device 200, the control execution device 100A, the control instruction device 200A and the communication control device 300B. Referring to FIG. 15, the computer 10000 includes a processor 10001, a memory 10002, a storage device 10003 and an I/O (Input/Output) interface 10004. The computer 10000 can also access a recording medium 10005. The memory 10002 and the storage device 10003 are storage devices such as a RAM (Random Access Memory) or a hard disk. The recording medium 10005 is, for example, a storage device such as a RAM or a hard disk, a ROM (Read Only Memory), or a portable recording medium. The storage device 10003 may itself be the recording medium 10005. The processor 10001 can read and write data and programs from and to the memory 10002 and the storage device 10003. Through the I/O interface 10004 the processor 10001 can access, for example, a node. The processor 10001 can access the recording medium 10005, which stores a program that causes the computer 10000 to operate as the control execution device 100, the control instruction device 200, the control execution device 100A, the control instruction device 200A or the communication control device 300B.
 The processor 10001 loads into the memory 10002 the program stored on the recording medium 10005 that causes the computer 10000 to operate as the control execution device 100, the control instruction device 200, the control execution device 100A, the control instruction device 200A or the communication control device 300B. When the processor 10001 executes the program loaded into the memory 10002, the computer 10000 operates as the control execution device 100, the control instruction device 200, the control execution device 100A, the control instruction device 200A or the communication control device 300B.
 The units listed below can be realized, for example, by a dedicated program that implements the function of each unit, read from the recording medium 10005 storing that program into the memory 10002, and by the processor 10001 executing that program. These units are, for example, the following:
 packet processing unit 110,
 inquiry unit 120,
 instruction unit 210,
 determination unit 220,
 communication status management unit 230,
 packet processing unit 110A,
 inquiry unit 120A,
 instruction unit 210A,
 determination unit 220A,
 communication status management unit 230A,
 packet processing unit 310B,
 determination unit 320B,
 and communication status management unit 330B.
 The instruction cache 130, the communication status storage unit 240, the first table 250 and the second table 260 can be realized by the memory 10002 or by the storage device 10003, such as a hard disk drive, included in the computer 10000. Likewise, the communication status storage unit 240A and the communication status storage unit 340B can be realized by the memory 10002 or by the storage device 10003, such as a hard disk drive, included in the computer 10000.
 Alternatively, some or all of the units listed below can be realized by dedicated circuits that implement the function of each unit. These units are, for example, the following:
 packet processing unit 110,
 inquiry unit 120,
 instruction cache 130,
 instruction unit 210,
 determination unit 220,
 communication status management unit 230,
 communication status storage unit 240,
 first table 250,
 second table 260,
 packet processing unit 110A,
 inquiry unit 120A,
 instruction unit 210A,
 determination unit 220A,
 communication status management unit 230A,
 communication status storage unit 240A,
 packet processing unit 310B,
 determination unit 320B,
 communication status management unit 330B,
 and communication status storage unit 340B.
 Although embodiments for carrying out the present invention have been described above, those embodiments are intended to make the invention easier to understand and not to limit its interpretation. The present invention may be modified and improved without departing from its spirit, and equivalents thereof are also included in the invention.
 The disclosures of the patent documents and non-patent documents cited above are incorporated herein by reference. Within the scope of the entire disclosure of the present invention (including the claims), and further based on its basic technical concept, the embodiments and examples may be modified and adjusted.
 This application claims priority based on Japanese Patent Application No. 2014-067522, filed on March 28, 2014, the entire disclosure of which is incorporated herein.
 The present invention described using the above embodiments as examples can be applied, for example, to access control between computers. Suppose, for example, that a company's security guidelines contain the security policy "web information searches are prohibited while work that accesses confidential customer information is in progress". In such a case, applying the present invention makes it possible to realize access control that satisfies such a fine-grained security policy.
 Applying the present invention also makes it possible to generate the filtering rules of the flow table held by an OpenFlow switch with contents that conform to the security guidelines.
 Applying the present invention further makes it possible to determine whether communication from one terminal to another satisfies a security standard.
 1000  Communication system
 100  Control execution device
 110  Packet processing unit
 120  Inquiry unit
 130  Instruction cache
 200  Control instruction device
 210  Instruction unit
 220  Determination unit
 230  Communication status management unit
 240  Communication status storage unit
 250  First table
 251  First table
 252  First table
 260  Second table
 1000A  Communication system
 100A  Control execution device
 110A  Packet processing unit
 120A  Inquiry unit
 200A  Control instruction device
 210A  Instruction unit
 220A  Determination unit
 230A  Communication status management unit
 240A  Communication status storage unit
 300B  Communication control device
 310B  Packet processing unit
 320B  Determination unit
 330B  Communication status management unit
 340B  Communication status storage unit
 10000  Computer
 10001  Processor
 10002  Memory
 10003  Storage device
 10004  I/O interface
 10005  Recording medium

Claims (10)

  1.  A control instruction device comprising:
     communication status management means for storing, in communication status storage means, the communication status between nodes that communicate via a control execution device which processes a packet based on an instruction given in response to an inquiry about the processing method for the packet;
     determination means for obtaining the communication status between the source node or the destination node of the packet that is the subject of the inquiry and other nodes by referring to the communication status storage means, and for determining the processing method for the packet based on the source node, the destination node, and the communication status of at least one of the source node and the destination node; and
     instruction means for instructing the control execution device of the determined processing method.
  2.  The control instruction device according to claim 1, wherein the determination means determines the processing method for the packet by referring to:
     first information in which a node, a communication status between that node and another node, and a role of that node in that communication status are associated with one another; and
     second information in which a combination of a role of the source node of a packet and a role of the destination node of the packet is associated with a processing method for that packet.
  3.  The control instruction device according to claim 1 or 2, wherein the communication status is information indicating whether or not a node currently has a connection established with another node.
  4.  The control instruction device according to claim 3, wherein the first information is information in which a node, information indicating whether or not that node currently has a connection established with a specific node, and the role of that node in that communication status are further associated with one another.
  5.  The control instruction device according to any one of claims 2 to 4, wherein the first information is information in which a node, current location information of that node, the communication status of that node, and the role of that node in that location information and that communication status are further associated with one another, and
     the determination means acquires current location information of the source node, refers to the first information on the basis of that location information, and determines the processing method for the packet.
  6.  The control instruction device according to any one of claims 2 to 4, wherein the first information is information in which a node, a usage status that is information representing the user currently using that node, the communication status of that node, and the role of that node in that usage status and that communication status are further associated with one another, and
     the determination means acquires the usage status of the source node, refers to the first information on the basis of that usage status, and determines the processing method for the packet.
  7.  A communication system comprising a control execution device and a control instruction device, wherein
     the control execution device comprises:
     inquiry means for inquiring of the control instruction device about a processing method for a packet; and
     packet processing means for processing the packet on the basis of an instruction given in response to the inquiry, and
     the control instruction device comprises:
     communication status management means for storing, in communication status storage means, a communication status between nodes that communicate via the control execution device;
     determination means for acquiring, by referring to the communication status storage means, a communication status between a source node or a destination node of the packet that is the subject of the inquiry and another node, and for determining a processing method for the packet on the basis of the source node, the destination node, and the communication status of at least one of the source node and the destination node; and
     instruction means for instructing the control execution device of the determined processing method.
  8.  A control method in which a control instruction device, communicably connected to a control execution device that processes a packet on the basis of an instruction given in response to an inquiry about a processing method for the packet:
     stores, in communication status storage means, a communication status between nodes communicating via the control execution device;
     acquires, by referring to the communication status storage means, the communication status of a source node or a destination node of the packet that is the subject of the inquiry, and determines a processing method for the packet on the basis of the source node, the destination node, and the communication status of at least one of the source node and the destination node; and
     instructs the control execution device of the determined processing method.
  9.  A computer-readable storage medium storing a program that causes a computer, communicably connected to a control execution device that processes a packet on the basis of an instruction given in response to an inquiry about a processing method for the packet, to execute:
     a process of storing, in communication status storage means, a communication status between nodes communicating via the control execution device;
     a process of acquiring, by referring to the communication status storage means, the communication status of a source node or a destination node of the packet that is the subject of the inquiry, and determining a processing method for the packet on the basis of the source node, the destination node, and the communication status of at least one of the source node and the destination node; and
     a process of instructing the control execution device of the determined processing method.
  10.  The control execution device communicably connected to the control instruction device according to any one of claims 1 to 6.
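As an added example (not the patent's own code), the following Python models the control instruction device of claims 1 to 4: a set of established connections as the communication status storage, the first and second information of claim 2 as lookup tables, and a constructed scenario in which a host that currently accepts an inbound connection is refused onward access to a server, the stepping-stone case the cited non-patent literature addresses. Node names, roles and processing methods are assumptions.

```python
# Added example, not the patent's own code: a small model of the control instruction
# device of claims 1 to 4. Node names, roles and processing methods are constructed.
from dataclasses import dataclass, field

FORWARD, DROP = "forward", "drop"                          # constructed processing methods
NORMAL, SERVER, ACCESSED = "normal", "server", "accessed"  # constructed roles

@dataclass
class ControlInstructionDevice:
    # communication status storage (claims 1, 3): (initiator, responder) pairs now connected
    connections: set = field(default_factory=set)
    # first information (claims 2, 4): (node, peer, connected?) -> role, "*" = any
    first_table: dict = field(default_factory=dict)
    # second information (claim 2): (source role, destination role) -> method
    second_table: dict = field(default_factory=dict)

    def role_of(self, node: str) -> str:
        """Derive a node's role from its current communication status."""
        inbound = {s for s, d in self.connections if d == node}  # peers connected into node
        # entries naming a specific peer (claim 4) take precedence over wildcards
        keys = [(n, p, True) for p in sorted(inbound) for n in (node, "*")]
        keys += [(n, "*", bool(inbound)) for n in (node, "*")]
        for key in keys:
            if key in self.first_table:
                return self.first_table[key]
        return NORMAL

    def decide(self, src: str, dst: str) -> str:
        """Determination unit (claim 1): answer an inquiry for a packet src -> dst.
        Role pairs absent from the second table are dropped (this example's default)."""
        return self.second_table.get((self.role_of(src), self.role_of(dst)), DROP)

    def record(self, src: str, dst: str, method: str) -> None:
        """Communication status management unit: remember connections that were allowed."""
        if method == FORWARD:
            self.connections.add((src, dst))

def stepping_stone_scenario() -> list:
    """Constructed walk-through: pc1 connects to jump, then jump tries to reach db."""
    dev = ControlInstructionDevice(
        first_table={("db", "*", False): SERVER, ("db", "*", True): SERVER,
                     ("*", "*", True): ACCESSED, ("*", "*", False): NORMAL},
        second_table={(NORMAL, NORMAL): FORWARD, (NORMAL, SERVER): FORWARD,
                      (NORMAL, ACCESSED): FORWARD, (ACCESSED, SERVER): DROP})
    decisions = []
    for src, dst in [("pc1", "db"), ("pc1", "jump"), ("jump", "db"), ("pc2", "jump")]:
        method = dev.decide(src, dst)  # inquiry from the control execution device
        dev.record(src, dst, method)
        decisions.append(f"{src}->{dst}:{method}")
    return decisions
```

The third inquiry is dropped because jump's role changed to ACCESSED once pc1's connection into it was recorded, while pc1's own direct access to db was forwarded.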
PCT/JP2015/000992 2014-03-28 2015-02-26 Communication system, control instruction device, control implementation device, communication control method, and storage medium with program stored thereon WO2015145976A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016509947A JPWO2015145976A1 (en) 2014-03-28 2015-02-26 Communication system, control instruction apparatus, control execution apparatus, communication control method, and storage medium for storing program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014067522 2014-03-28
JP2014-067522 2014-03-28

Publications (1)

Publication Number Publication Date
WO2015145976A1 true WO2015145976A1 (en) 2015-10-01

Family

ID=54194532

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/000992 WO2015145976A1 (en) 2014-03-28 2015-02-26 Communication system, control instruction device, control implementation device, communication control method, and storage medium with program stored thereon

Country Status (2)

Country Link
JP (1) JPWO2015145976A1 (en)
WO (1) WO2015145976A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012086816A1 (en) * 2010-12-24 2012-06-28 日本電気株式会社 Communication system, control device, policy management device, communication method, and program
WO2013150925A1 (en) * 2012-04-03 2013-10-10 日本電気株式会社 Network system, controller, and packet authentication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
REMI ANDO ET AL.: "Communication State-Based Access Control for Preventing Stepping-Stone Attacks", IPSJ SYMPOSIUM SERIES, vol. 2013, no. 4, 14 October 2013 (2013-10-14), pages 1018 - 1025 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020136707A1 (en) * 2018-12-25 2020-07-02 三菱電機株式会社 Ecu, monitoring ecu, and can system
JPWO2020136707A1 (en) * 2018-12-25 2021-03-11 三菱電機株式会社 ECU, monitoring ECU and CAN system

Also Published As

Publication number Publication date
JPWO2015145976A1 (en) 2017-04-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15768087; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
    Ref document number: 2016509947; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase
    Ref document number: 15768087; Country of ref document: EP; Kind code of ref document: A1