WO2017037265A1 - Distributed connection tracking and load balancing - Google Patents

Distributed connection tracking and load balancing

Info

Publication number
WO2017037265A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
connection tracking
data storage
network
connection
Application number
PCT/EP2016/070776
Other languages
English (en)
Inventor
Eshed GAL-OR
Eran Gampel
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2017037265A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/04 Network management architectures or arrangements > H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H04L43/00 Arrangements for monitoring or testing data switching networks > H04L43/02 Capturing of monitoring data > H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/00 > H04L43/02 Capturing of monitoring data > H04L43/028 Capturing of monitoring data by filtering
    • H04L43/00 > H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L43/00 > H04L43/12 Network monitoring probes
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1001 Protocols for accessing one among a plurality of replicated servers > H04L67/1004 Server selection for load balancing > H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H04L67/00 > H04L67/01 > H04L67/10 > H04L67/1001 Protocols for accessing one among a plurality of replicated servers > H04L67/1029 Protocols using data related to the state of servers by a load balancer
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D30/00 Reducing energy consumption in communication networks > Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • the present invention relates to a system for managing at least one network service, to a method for managing network services, and to a computer program product for implementing said method when carried out on a computing device.
  • the present invention suggests a distributed connection tracking mechanism, which is achieved by sharing connection tracking data across multiple network nodes of a network.
  • some conventional network services are operated in the so-called “silo” model, in which no information is shared between different network services.
  • a so-called "service chain" is e.g. a chain of the network services: firewall -> network address translation (NAT) -> load-balancer -> hypervisor -> application.
  • all forwarding elements through which the packets pass, need to repeat certain computations required to maintain network connection states of each of the packets.
  • as a result, a performance/latency toll is inevitable.
  • if the computed data could be shared between the network services of the service chain, the overall system performance could be significantly improved.
  • furthermore, the costs of e.g. a data center could be reduced, since less computation effort is needed.
  • conventional so-called "all-in-one" solutions, in which all network services are pre-integrated into a closed system, have the following disadvantages:
  • Vendor lock-in, i.e. all network services are pre-integrated into a closed system.
  • Limited scalability, i.e. the scalability is bounded by the scale-up limitations of the product.
  • Limited features and a constrained product roadmap.
  • conventional connection tracking mechanisms, e.g. as employed in a conventional Linux kernel, keep the network connection states of packets (e.g. ESTABLISHED, RELATED, etc.) together with additional metadata in a local memory data structure, typically a hash table.
  • the present invention aims to improve the conventional network service models.
  • the present invention has thereby particularly the object to improve the scalability of stateful network services.
  • the present invention also seeks to avoid that computations required for maintaining network connection states of packets are unnecessarily repeated. Accordingly, the present invention intends to increase the overall system performance, and to decrease latencies.
  • the present invention also intends to avoid all the above-mentioned disadvantages of the so-called "all-in-one" solutions.
  • the object of the present invention is achieved by the solution provided in the enclosed independent claims. Advantageous implementations of the present invention are further defined in the dependent claims.
  • the present invention proposes to decouple the location in a system, where the network connection state management runs, from the location, where the network service logic runs.
  • the present invention proposes changing the way, in which the connection tracking mechanism writes and reads data.
  • all read or write operations are directed to an external data storage or memory, without changing any of the lower and higher layers of the network service or the internal behavior of the network system, respectively.
  • a first aspect of the present invention provides a system for managing at least one network service, comprising at least one network node including at least one connection tracking module configured to perform connection tracking on at least one packet belonging to a network service session, at least one external data storage or memory configured to store connection tracking data obtained by the at least one connection tracking module, and to share the stored connection tracking data across all network nodes.
  • the connection tracking data may comprise a state of the at least one packet (e.g. a network connection state, like ESTABLISHED, RELATED etc.), forwarding information of the at least one packet, inspection data of the at least one packet, or similar information.
  • the connection tracking data is written and read to/from the external data storage or memory.
  • the external storage or memory is preferably able to provide a read/write performance comparable to a local memory in a network node (e.g. by utilizing any of various technologies gaining popularity, like distributed hash table (DHT), Random Access Memory cloud (RAM cloud), Silicon Photonics (SiPh), Network Virtual Memory (NVM), etc.).
  • the external data storage or memory thus ensures that the reads and/or writes are fast enough to maintain the speed of the connection tracking logic (typically, in the order of microseconds). This allows an efficient sharing of the connection tracking data across all the network nodes.
  • since the connection tracking data of all packets can be shared among all network nodes of the system, once a network service session has been started in a specific instance of the network service, e.g. on a certain network node, consecutive packets of the same network service session need not be routed to the same instance, but can also be routed to other instances, e.g. to instances on other network nodes.
  • the at least one network node includes at least one internal data storage or memory configured to store the connection tracking data obtained by the at least one connection tracking module.
  • each network node is configured to access and update the connection tracking data stored in the at least one external data storage or memory.
  • the shared connection tracking data can be kept updated at all times, so that each network node of the system has access, for instance, to all current network connection states of packets. Thereby, the freedom to route consecutive packets belonging to the same network service session as a previous packet to any desired instance on any network node of the system is achieved.
  • a software hook is implemented in each connection tracking module.
  • the software hook being configured to write and/or read connection tracking data to and/or from the at least one external data storage or memory.
  • a software hook represents a simple but fast and efficient implementation for intercepting computed connection tracking data, and writing it to / reading it from the external data storage or memory.
  • the at least one external data storage or memory is configured to store connection metadata, and to share the stored connection metadata across all network nodes.
  • the shared connection metadata allows an even more efficient routing of multiple packets of a network service session through different instances, for example, on different network nodes.
  • the scalability of the system is further supported.
  • each network node is configured to add connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
  • connection metadata stored in the external storage or memory may be connection metadata obtained in each network node.
  • identical connection metadata obtained likewise in different network nodes needs to be stored only once, since it is shared across all network nodes.
  • Each network node has access to the most recent connection metadata from each other network node.
  • an auxiliary network is configured to support all read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory.
  • by means of the auxiliary network, the performance of sharing the connection tracking data, and optionally also the connection metadata, across all network nodes is improved.
  • each network node is configured to run at least an instance of at least one network service session.
  • a network service session can run in one or more instances on one or more network nodes in parallel. This allows increasing the system performance, for instance, by load balancing.
  • a distributed connection state is provided across all instances of the at least one network service session running on at least one network node. Consequently, each new packet of a network service session can be routed to any network node of the system without any performance loss.
  • the system is thus well scalable (for both scale-in and scale out).
  • a second aspect of the present invention provides a method for managing network services, comprising the steps of performing connection tracking in at least one network node on at least one packet belonging to a network service session, storing obtained connection tracking data in at least one external data storage or memory outside of the at least one network node, and sharing the connection tracking data stored in the at least one external data storage or memory across all network nodes.
  • the method comprises the steps of receiving a packet belonging to a network service session at one network node, intercepting obtained connection tracking data of the packet, and sending it to the at least one external data storage or memory, determining a state of the packet by matching the sent connection tracking data with connection tracking data stored in the at least one external data storage or memory, updating the connection tracking data stored in the at least one external data storage or memory by the sent connection tracking data, and processing the packet in the at least one network node based on the determined state.
  • the processing of the packet comprises generating connection metadata, storing the generated connection metadata in the at least one external data storage or memory, and sharing the connection metadata across all network nodes.
  • connection tracking data is stored in at least one internal data storage or memory of the at least one network node.
  • At least one network node accesses and updates the connection tracking data stored in the at least one external data storage or memory.
  • a software hook in the at least one network node writes and/or reads connection tracking data to and/or from the at least one external data storage or memory.
  • connection metadata is stored in the at least one external data storage or memory, and the stored connection metadata is shared across all network nodes.
  • at least one network node adds connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
  • read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory are supported by an auxiliary network.
  • At least one network node runs at least an instance of at least one network service session.
  • a distributed connection state is provided across all instances of the at least one network service session running on at least one network node.
  • the method of the second aspect achieves all advantages of the system of the first aspect as described above.
  • a third aspect of the present invention provides a computer program product for implementing, when carried out on a computing device, a method for providing network services according to the above second aspect and its implementation forms.
  • a fourth aspect of the present invention provides a system for managing at least one network service, comprising at least one network node including at least one connection tracking module configured to perform connection tracking on at least one packet belonging to a network service session, the at least one network node comprising at least one switch node, and a load balance node connected to at least one external data storage or memory and to at least two server nodes. The at least one external data storage or memory is configured to store connection tracking data obtained by the at least one connection tracking module, and to share the stored connection tracking data across all network nodes. The load balance node is configured to receive at least one running parameter from the at least two server nodes, to generate routing information which indicates a server node according to the at least one running parameter, and to store the routing information in the at least one external data storage or memory. The at least one switch node is configured to route the at least one packet to the server node according to the routing information.
  • the running parameter of a server node indicates at least one of the following: CPU utilization rate, memory utilization rate, non-volatile memory utilization rate (e.g. of a hard disk or solid state disk), network bandwidth utilization rate of the server node, or similar parameters which reflect the working condition of the server node.
  • a switch node can route packets to the server node indicated by the routing information; specifically, the routing information may comprise the next hop of the packets, port information which indicates a port of the switch node for transmitting the packets, or flow tables if the switch node is an OpenFlow switch.
  • the at least one external data storage or memory ensures an efficient sharing of the connection tracking data and routing information across all the switch nodes.
  • the sharing of the connection tracking data supports the scale requirements of the switch nodes, since once packets of a specific network service session have been processed by one switch node, consecutive packets of the same network service session need not be processed by the same switch node.
  • the load balance node observes the running parameters of all the server nodes in the system, and dynamically determines where traffic should be forwarded in order to fulfil availability, performance and scale requirements.
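The fourth aspect above is a procedure: server nodes report running parameters, the load balance node turns them into routing information in the shared store, and any switch node routes by that information. The following is an added example written for this page, not code from the patent or from Huawei; the weighting of the running parameters, the drain threshold, the field names, and the rule that an already-tracked flow stays on the server recorded in the shared connection tracking data are assumptions made here. The shared store is an in-process dict standing in for the external data storage or memory.

```python
"""Added example (not the patent's code): load balance node, switch node and
shared store for the fourth aspect. All weights and names are assumptions."""

# Assumed weights for the running parameters (CPU, memory, non-volatile
# memory, network bandwidth utilization, each reported as a fraction 0..1).
WEIGHTS = {"cpu": 0.4, "mem": 0.2, "disk": 0.1, "bw": 0.3}


def load_score(params):
    """Weighted utilization in [0, 1]; lower is a better candidate.
    A missing field counts as fully loaded, so a server that stops reporting
    a parameter is never preferred by accident."""
    return sum(WEIGHTS[k] * min(max(params.get(k, 1.0), 0.0), 1.0) for k in WEIGHTS)


class LoadBalanceNode:
    def __init__(self, store):
        self.store = store      # the shared external store, common to all nodes
        self.params = {}        # latest running parameters per server node

    def receive_running_parameters(self, server, params):
        self.params[server] = params

    def publish_routing_info(self, drain_above=0.9):
        """Choose the least-loaded server below the drain threshold and write
        the routing information (next hop) where every switch node reads it."""
        scores = {s: load_score(p) for s, p in self.params.items()}
        healthy = {s: sc for s, sc in scores.items() if sc < drain_above}
        if not healthy:
            healthy = scores    # everything is busy: still route somewhere
        best = min(sorted(healthy), key=healthy.get)   # sorted(): deterministic ties
        self.store["routing"] = {"next_hop": best, "scores": scores}
        return best


class SwitchNode:
    def __init__(self, name, store):
        self.name = name
        self.store = store

    def route(self, flow_key):
        """Existing flows stay on the server recorded in the shared connection
        tracking data (assumed affinity rule); new flows go to the next hop
        chosen by the load balance node. Any switch node can serve any packet
        of the flow because the tracking data is in the shared store."""
        conntrack = self.store.setdefault("conntrack", {})
        entry = conntrack.get(flow_key)
        if entry is not None:
            return entry["server"]
        routing = self.store.get("routing")
        if routing is None:
            raise RuntimeError("no routing information published yet")
        conntrack[flow_key] = {"server": routing["next_hop"], "state": "NEW", "via": self.name}
        return routing["next_hop"]


def demo():
    """Constructed scenario: srv2 is chosen, a flow is pinned to it, srv2 then
    saturates and new flows move to srv3 while the old flow stays on srv2."""
    store = {}
    lb = LoadBalanceNode(store)
    lb.receive_running_parameters("srv1", {"cpu": 0.95, "mem": 0.9, "disk": 0.5, "bw": 0.9})
    lb.receive_running_parameters("srv2", {"cpu": 0.30, "mem": 0.4, "disk": 0.2, "bw": 0.3})
    lb.receive_running_parameters("srv3", {"cpu": 0.50, "mem": 0.5, "disk": 0.2, "bw": 0.2})
    first_choice = lb.publish_routing_info()
    sw1, sw2 = SwitchNode("sw1", store), SwitchNode("sw2", store)
    flow1 = ("tcp", "10.0.0.5", 40000, "10.0.1.7", 443)     # constructed flow keys
    flow2 = ("tcp", "10.0.0.6", 40001, "10.0.1.7", 443)
    r1 = sw1.route(flow1)
    lb.receive_running_parameters("srv2", {"cpu": 0.99, "mem": 0.95, "disk": 0.9, "bw": 0.99})
    second_choice = lb.publish_routing_info()
    r2 = sw2.route(flow1)       # same flow, different switch node
    r3 = sw2.route(flow2)       # new flow after srv2 was drained
    return first_choice, r1, second_choice, r2, r3


if __name__ == "__main__":
    print(demo())
```

In the scenario, `demo()` returns `("srv2", "srv2", "srv3", "srv2", "srv3")`: the second switch node keeps the first flow on srv2 because the shared store, not the switch that saw the first packet, holds that decision. Note that whoever can write `routing` or `conntrack` in the shared store steers traffic for every switch node, so access to the store (and the auxiliary network carrying it) needs to be limited to the nodes of the system.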
  • each network node is configured to access and update the connection tracking data stored in the at least one external data storage or memory.
  • a software hook is implemented in each connection tracking module, the software hook being configured to write and/or read connection tracking data to and/or from the at least one external data storage or memory.
  • the at least one network node includes at least one internal data storage or memory configured to store the connection tracking data obtained by the at least one connection tracking module
  • a scanning module is implemented in each network node, the scanning module being configured to monitor the connection tracking data stored in the internal data storage or memory, and to update the connection tracking data stored in the at least one external data storage or memory when it detects that the connection tracking data stored in the internal data storage or memory has been modified.
  • the scanning module is further configured to monitor the connection tracking data stored in the at least one external data storage or memory, and to update the connection tracking data stored in the internal data storage or memory when it detects that the connection tracking data stored in the at least one external data storage or memory has been modified.
  • a scanning module is implemented in a network node, which scans the internal data storage or memory of the network node for changes done by the connection tracking module, and mirrors these changes to the at least one external data storage or memory.
  • the scanning module scans the at least one external data storage or memory for changes and mirrors them to the internal data storage or memory.
  • the use of the scanning module brings better processing efficiency of the network nodes, since the network nodes can read the connection tracking data of packets from their local internal data storage or memory. At the same time, the scanning module keeps the connection tracking data synchronized across all the network nodes.
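The scanning module described in the preceding bullets has to decide, for each entry, which side was modified more recently. The following is an added example, not code from the patent: each entry carries a version made of a revision counter and the writing node's name, and one scan cycle mirrors local changes out and newer shared copies in. The names, the version scheme and the tie-break on node name are assumptions made for this example.

```python
"""Added example (not the patent's code): a scanning module that mirrors
connection tracking data between a node-local table and the shared external
store in both directions. Version scheme and names are assumptions."""


def version(entry):
    """Ordering key: a higher revision wins; ties (two nodes creating the same
    entry concurrently) are broken by node name so every node converges."""
    return (entry["rev"], entry["by"])


class ScanningModule:
    def __init__(self, node, local, external):
        self.node = node
        self.local = local          # node-local table written by the conntrack module
        self.external = external    # shared store object, common to all nodes

    def local_write(self, key, state):
        """What the node's connection tracking module does: it only touches the
        local table; the scanning module is what makes the change visible."""
        prev = self.local.get(key)
        rev = prev["rev"] + 1 if prev else 1
        self.local[key] = {"state": state, "rev": rev, "by": self.node}

    def scan(self):
        """One scan cycle. Returns (pushed, pulled): entries mirrored
        local -> external and external -> local."""
        pushed = pulled = 0
        # 1) local modifications the shared store has not seen yet
        for key, loc in list(self.local.items()):
            ext = self.external.get(key)
            if ext is None or version(loc) > version(ext):
                self.external[key] = dict(loc)
                pushed += 1
        # 2) modifications by other nodes this node has not seen yet
        for key, ext in list(self.external.items()):
            loc = self.local.get(key)
            if loc is None or version(ext) > version(loc):
                self.local[key] = dict(ext)
                pulled += 1
        return pushed, pulled


def demo():
    """Constructed scenario with two nodes sharing one external store."""
    external = {}
    a_local, b_local = {}, {}
    a = ScanningModule("A", a_local, external)
    b = ScanningModule("B", b_local, external)
    key = ("tcp", "10.0.0.5", 40000, "10.0.1.7", 443)   # constructed flow key
    log = []
    a.local_write(key, "NEW")           # A's conntrack module creates the state
    log.append(a.scan())                # (1, 0): pushed to the shared store
    log.append(b.scan())                # (0, 1): B picks it up
    b.local_write(key, "ESTABLISHED")   # B sees the reply and promotes it
    log.append(b.scan())                # (1, 0)
    log.append(a.scan())                # (0, 1): A learns the promotion
    # Edge case: both nodes create the same entry before either scan ran.
    key2 = ("udp", "10.0.0.8", 5353, "10.0.1.9", 53)
    a.local_write(key2, "NEW")
    b.local_write(key2, "REPLIED")
    a.scan(); b.scan(); a.scan()
    converged = a_local[key2]["state"] == b_local[key2]["state"] == external[key2]["state"]
    return log, a_local[key]["state"], b_local[key]["state"], external[key]["state"], converged


if __name__ == "__main__":
    print(demo())
```

The conflict case shows the cost of the scheme: the tie-break picks one node's copy and silently discards the other's, so a real implementation would merge by connection state (for instance never regressing ESTABLISHED to NEW) rather than by writer name.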
  • the at least one external data storage or memory is configured to store connection metadata, and to share the stored connection metadata across all network nodes.
  • each network node is configured to add connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
  • an auxiliary network is configured to support all read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory.
  • each network node is configured to run at least an instance of at least one network service session.
  • a fifth aspect of the present invention provides a method for managing network services, the method comprises the steps of performing connection tracking in at least one network node on at least one packet belonging to a network service session, wherein the at least one network node comprising at least one switch node, storing obtained connection tracking data in at least one external data storage or memory outside of the at least one network node, sharing the connection tracking data stored in the at least one external data storage or memory across all network nodes, receiving, by a load balance node, at least one running parameter from at least two server nodes, generating, by the load balance node, routing information which indicates a server node according to the at least one running parameter, storing, by the load balance node, the routing information in the at least one external data storage or memory, and routing, by the at least one switch node the at least one packet to the server node according to the routing information.
  • the receiving, generating, storing and routing steps can be executed in parallel with the performing, storing and sharing steps. There is no definite time sequence between these steps.
  • the method comprises the steps of receiving a packet belonging to a network service session at one network node, intercepting obtained connection tracking data of the packet, and sending it to the at least one external data storage or memory, determining a state of the packet by matching the sent connection tracking data with connection tracking data stored in the at least one external data storage or memory, updating the connection tracking data stored in the at least one external data storage or memory by the sent connection tracking data, and processing the packet in the at least one network node based on the determined state.
  • the performing further comprises receiving a packet belonging to a network service session at one network node, obtaining connection tracking data of the packet comprising at least one state of the packet, updating the obtained connection tracking data of the packet belonging to the network service session in at least one internal data storage or memory, and processing the packet in the at least one network node based on the connection tracking data.
  • the storing and sharing further comprise monitoring connection tracking data stored in at least one internal data storage or memory, and updating connection tracking data stored in the at least one external data storage or memory when detecting that the connection tracking data stored in the internal data storage or memory is modified, monitoring the connection tracking data stored in the at least one external data storage or memory, and updating the connection tracking data stored in the internal data storage or memory when detecting that the connection tracking data stored in the at least one external data storage or memory is modified.
  • the processing of the packet comprises generating connection metadata, storing the generated connection metadata in the at least one external data storage or memory, and sharing the connection metadata across all network nodes.
  • the method of the fifth aspect achieves all advantages of the system of the fourth aspect as described above.
  • a sixth aspect of the present invention provides a computer program product for implementing, when carried out on a computing device, a method for providing network services according to the above fifth aspect and its implementation forms. It has to be noted that all devices, elements, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities.
  • Fig. 1 shows a basic system according to an embodiment of the present invention.
  • Fig. 2 shows an advanced system according to an embodiment of the present invention.
  • Fig. 3 shows a basic method according to an embodiment of the present invention.
  • Fig. 4 shows an advanced method according to an embodiment of the present invention.
  • Fig. 5 shows an advanced system according to an embodiment of the present invention.
  • Fig. 6 shows an advanced system according to an embodiment of the present invention.
  • Fig. 7 shows an advanced system according to an embodiment of the present invention.
  • Fig. 8 shows an advanced method according to an embodiment of the present invention.
  • Fig. 1 shows a basic system 100 according to an embodiment of the present invention.
  • the system 100 is used for managing at least one network service 101, and comprises at least one network node 102, wherein preferably each network node 102 is configured to run at least an instance of at least one network service session, and at least one external data storage or memory 104.
  • the at least one network service may be one or more of e.g. a firewall, NAT, a load-balancer, a hypervisor, an application or the like.
  • the at least one network node 102 includes at least one connection tracking module 103, which is configured to perform connection tracking on at least one packet belonging to a network service session. Thereby, connection tracking data is obtained, for instance a network connection state or forwarding information of the at least one packet.
  • the at least one external data storage or memory 104 is configured to receive from the at least one network node 102 and store the connection tracking data obtained by the at least one connection tracking module 103. Likewise, it is configured to send the stored connection tracking data 105 to the at least one network node 102, and thereby share it across all network nodes 102 of the system 100.
  • the at least one data storage or memory 104 is preferably a distributed hash table (DHT), a Random Access Memory cloud (RAM cloud), or a distributed cache.
  • Fig. 2 shows an advanced implementation of the basic system shown in Fig. 1.
  • the system 100 includes three network nodes 102 (indicated with Node A, Node B, and Node C) and one external data storage or memory 104.
  • the network nodes 102 are preferably each operated by a Linux-based operating system, which includes a Kernel module 204.
  • the Kernel module 204 includes preferably the at least one connection tracking module 103.
  • the Kernel 204 may further include a network processor 203 acting, for instance, as a forwarding element for packets, and a local (i.e. internal) data storage or memory 200 configured to store the connection tracking data obtained by the at least one connection tracking module 103.
  • a software hook 201 may be implemented in each connection tracking module 103, preferably in an API thereof, and is configured to intercept, write and/or read connection tracking data from and/or to the external data storage or memory 104, instead of (or in addition to) the local connection tracking data storage or memory 200.
  • the external data storage or memory 104 is preferably a high-speed low-latency distributed memory (such as a Distributed Memory Data Base or a similar technology), to which the connection tracking data will be written, and from which the connection tracking data will be read, in order to share it across all network nodes 102. Thereby, a distributed connection state can be provided across all instances of the at least one network service session running on at least one network node 102.
  • the external data storage or memory 104 of the system 100 shown in Fig. 2 can also store connection metadata 202 (also referred to as extended metadata), and can share the stored connection metadata 202 across all network nodes 102.
  • connection metadata that is continuously aggregated and added in each network node 102 of the system 100 processing a packet belonging to a network service can be written to and read from the external data storage or memory 104.
  • the connection metadata may also be stored in one or more internal data storages or memories 200.
  • the system 100 may further include an auxiliary network, preferably a separate physical high-speed, low-latency network, in order to support all connection tracking data reads and/or writes to/from the external data storage or memory 104.
  • the connection tracking data and optionally also the connection metadata, may be readily accessible as e.g. a Global Connection Tracking 105 repository and an Extended Metadata 202 repository, respectively.
  • Fig. 3 shows a basic method 300 for managing network services according to an embodiment of the present invention.
  • connection tracking in at least one network node 102 is performed on at least one packet 301 arriving at said at least one network node 102, the packet 301 belonging to a network service session.
  • the obtained connection tracking data is stored in at least one external data storage or memory 104 located outside of the at least one network node 102.
  • the connection tracking data stored in the at least one external data storage or memory 104 is then shared across all network nodes 102.
  • Fig. 4 shows further an advanced operation of the basic method 300 shown in Fig. 3.
  • Fig. 4 shows a mode of operating of a system 100 as shown in Fig. 2.
  • a packet arrives at a network node 102, for example at a network node 102 running a first inline network service (e.g. "Service 1" on "Node A" as shown in Fig. 2).
  • the packet is then processed in the network node 102 ("Node A"), e.g. by the network processor 203 and/or by the connection tracking module 103.
  • the network node 102 may attempt to match a network connection state of the arriving packet, particularly by using a metadata hash tuple from the packet's header (e.g. obtained by a combination of L3 and L4 fields).
  • the software hook 201 intercepts this matching attempt, captures the connection tracking data of the packet (step 401), and delegates it (step 402) to the external data storage or memory 104.
  • a network connection state of the packet may then be determined in the external data storage or memory 104 (step 403), particularly by matching the intercepted connection tracking data with connection tracking data already stored in e.g. the Global Connection Tracking 105 repository shown in Fig. 2.
  • a result of the determination is then received (step 409) by the software hook 201, and is returned (step 410) to the network node 102.
  • the packet may be further processed (step 405) in the network node 102 based on the determined state.
  • the processing (step 405) of the packet may comprise generating (step 406) connection metadata, storing (step 407) the generated connection metadata in the external data storage or memory 104, e.g. in the Extended Metadata 202 repository shown in Fig. 2, and sharing (step 408) the stored connection metadata across all network nodes 102. If a network connection state of the packet was not matched, the network node 102 may attempt to create a state.
  • the software hook 201 may intercept this attempt to create a state (step 411) and may delegate it (step 412) to the external data storage or memory 104.
  • a state may then be created in the external data storage or memory 104, and may e.g. be inserted into the Global Connection Tracking repository 105 (step 404). That means that the connection tracking data stored in the external data storage or memory 104 is updated. Finally, this updated connection tracking data is advantageously shared (step 408) across all network nodes 102.
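The lookup-or-create path of Fig. 4 (steps 401 to 412), written out as an added example in Python. This is not code from the patent; the in-memory dict standing in for the external store, the direction-independent hash of the L3/L4 tuple, and the reduced TCP state machine (NEW, ESTABLISHED, CLOSED) are all assumptions chosen for illustration. The point it shows is the one that matters for a stateful firewall behind asymmetric routing: the SYN is seen by Node A, the SYN/ACK by Node B, and because both nodes match against the same shared entry the reply is accepted, while a SYN/ACK with no prior state is dropped on either node.

```python
"""Added example: hook-delegated connection tracking against a shared store.
Not the patent's code; store, key derivation and state machine are assumed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}


def flow_key(pkt):
    """Direction-independent hash of the L3/L4 tuple: the reply packet
    (dst -> src) must hit the same entry as the packet that created it."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    raw = "{}|{}:{}|{}:{}".format(pkt.proto, *ends[0], *ends[1]).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


class GlobalConnectionTracking:
    """Stand-in for the external store (repository 105): one dict that every
    node reads and writes through its software hook."""

    def __init__(self):
        self.entries = {}

    def match(self, key):            # step 403
        return self.entries.get(key)

    def create(self, key, entry):    # step 404
        # setdefault: if two nodes race on the first packet of a flow, the
        # first writer wins and the second sees the existing entry
        return self.entries.setdefault(key, entry)


class NetworkNode:
    def __init__(self, name, store):
        self.name = name
        self.store = store           # the hook delegates here (steps 402, 412)

    def process(self, pkt):
        """Returns (verdict, state). A TCP packet with no state that is not a
        connection opener is dropped; that is what the tracking is for."""
        key = flow_key(pkt)
        entry = self.store.match(key)                    # steps 401-403
        if entry is None:
            if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
                return "DROP", None
            entry = self.store.create(key, {             # steps 411-412, 404
                "state": "NEW",
                "originator": (pkt.src, pkt.sport),
                "created_by": self.name,
            })
        if entry["state"] == "CLOSED":
            return "DROP", entry["state"]
        # step 405: advance the state; the update is visible on every node
        # because the entry lives in the shared store, not in this node
        from_responder = (pkt.src, pkt.sport) != entry["originator"]
        if pkt.proto == "tcp":
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                entry["state"] = "CLOSED"
            elif (entry["state"] == "NEW" and from_responder
                  and {"SYN", "ACK"} <= pkt.flags):
                entry["state"] = "ESTABLISHED"
        elif from_responder:
            entry["state"] = "ESTABLISHED"   # UDP/ICMP: reply seen
        return "ACCEPT", entry["state"]


if __name__ == "__main__":
    store = GlobalConnectionTracking()
    node_a, node_b = NetworkNode("A", store), NetworkNode("B", store)
    syn = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443, frozenset({"SYN"}))
    synack = Packet("tcp", "192.0.2.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    print(node_a.process(syn))      # forward path on Node A
    print(node_b.process(synack))   # return path on Node B, same entry
```

Two practical consequences follow from this shape. First, `create` must be atomic on the real store (compare-and-set or equivalent), otherwise two nodes seeing the first two packets of a flow can each create a divergent entry. Second, every node that can write to the shared repository can plant state for flows it never saw, so the auxiliary network mentioned above is a trust boundary and should be isolated from tenant traffic.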
  • Fig. 5 shows an advanced implementation of the basic system shown in Fig. 1.
  • the system 600 includes two switch nodes 602, one external data storage 104, two server nodes 604, one load balance node 603 and multiple clients 601.
  • a client 601 is not bound to a specific switch node 602 since all switch nodes 602 can handle all clients 601 at any given time (due to the shared connection tracking data between them).
  • each switch node 602 communicates with every server node 604 through a data path.
  • the load balance node 603 and each switch node 602 communicate with the external data storage 104 through a control path.
  • the data path indicates a path for transmitting packets from a network service or a client 601.
  • the control path indicates a path for transmitting information that contributes to controlling network service nodes.
  • the load balance node 603 differs from a known load balance node by being an offline component, which means that it is not residing in the data path, but rather is residing in the control path.
  • the load balance node 603 is configured to receive running parameters from every server node 604. From these, the load balance node 603 generates routing information which indicates a server node 604 according to the running parameters, taking into account the working condition of every server node, and stores the routing information in the external data storage 104. Since the switch nodes 602 can communicate with the external data storage 104, the switch nodes 602 are configured to acquire the routing information and route packets to the server node 604 indicated by it.
  • the load balance node 603 may employ one or more of several load balancing techniques, such as layer 3 (e.g. equal cost multi-path routing), layer 4 (e.g. dynamic routing), layer 7 (e.g. HTTP proxy), or other load balancing techniques.
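The off-path arrangement of Fig. 5 as an added example in Python, not code from the patent. The load balance node turns the running parameters reported by the server nodes into routing information in the external store, and each switch node consults the store when a new flow needs a server. The parameter names (`healthy`, `active_conns`, `cpu`), the scoring rule and the freshness limit are assumptions; what the example adds to the prose is the check a practitioner would want on the switch side, namely that routing information is treated as stale when the load balance node has stopped publishing.

```python
"""Added example: off-path load balancer publishing routing information through
the external store.  Not the patent's code; parameters and scoring are assumed."""


class ExternalStore:
    """Stand-in for external data storage 104 on the control path."""

    def __init__(self):
        self.data = {}

    def put(self, key, value):
        self.data[key] = value

    def get(self, key):
        return self.data.get(key)


class LoadBalanceNode:
    """Never on the data path: it only reads running parameters and writes
    routing information to the store."""

    def __init__(self, store):
        self.store = store
        self.generation = 0

    def update(self, running_params, now):
        """running_params: {server: {"healthy": bool, "active_conns": int,
        "cpu": float in 0..1}} as reported by each server node 604 (assumed)."""
        scores = {
            name: p["active_conns"] * (1.0 + p["cpu"])   # assumed load score
            for name, p in running_params.items()
            if p["healthy"]
        }
        self.generation += 1
        routing = {
            "generation": self.generation,
            "issued_at": now,
            # least loaded first; name as tie-break so every reader agrees
            "ranked": sorted(scores, key=lambda n: (scores[n], n)),
        }
        self.store.put("routing", routing)
        return routing


class SwitchNode:
    """Data-path element: picks a server for a new flow from the store."""

    def __init__(self, name, store, max_age=10.0):
        self.name = name
        self.store = store
        self.max_age = max_age   # seconds a published decision stays usable

    def pick_server(self, now):
        """Server for a new flow, or None when routing information is missing
        or stale.  Stale data means the load balance node or the control path
        is down; failing closed beats sending traffic to a server whose health
        was last judged an unknown time ago."""
        routing = self.store.get("routing")
        if routing is None or now - routing["issued_at"] > self.max_age:
            return None
        if not routing["ranked"]:
            return None            # no healthy server at all
        return routing["ranked"][0]


if __name__ == "__main__":
    store = ExternalStore()
    lb = LoadBalanceNode(store)
    sw = SwitchNode("S1", store)
    lb.update({"srv-a": {"healthy": True, "active_conns": 50, "cpu": 0.2},
               "srv-b": {"healthy": True, "active_conns": 10, "cpu": 0.3}}, now=0.0)
    print(sw.pick_server(now=1.0))
```

The decision is made once per flow: with the shared connection tracking store, the chosen server is recorded in the flow's entry, so later packets of that flow arriving at any switch node follow the same choice even after a newer generation of routing information ranks another server first.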
  • Fig. 6 shows an advanced implementation of the basic system shown in Fig. 5.
  • the service node 604 further comprises frontend service nodes 6041 and backend service nodes 6042.
  • the frontend service nodes 6041 communicate with the backend service nodes 6042 through at least one switch node 602.
  • the frontend service nodes 6041 are used for a static data serving layer and the backend service nodes 6042 are used for a dynamic data serving layer.
  • a frontend service node 6041 is not bound to a specific backend service node 6042.
  • the availability and performance of the system 600 are further increased by the at least one switch node 602 serving between the frontend service nodes 6041 and the backend service nodes 6042.
  • each network node 102 further comprises a scanning module 106 which is connected to the local connection tracking data storage 200 and external data storage 104.
  • the scanning module 106 is configured to monitor the connection tracking data stored in the internal data storage or memory 200, and to update the connection tracking data stored in the external data storage 104 when it detects that the connection tracking data stored in the internal data storage or memory 200 has been modified.
  • the scanning module 106 is further configured to monitor the connection tracking data stored in the external data storage 104, and to update the connection tracking data stored in the internal data storage or memory 200 when it detects that the connection tracking data stored in the external data storage 104 has been modified.
  • the scanning module 106 includes preferably a local monitoring submodule and a remote monitoring submodule.
  • the local monitoring submodule communicates with the internal data storage or memory 200 and monitors the connection tracking data stored in the local network node 102.
  • the local monitoring submodule can preferably monitor the connection tracking module 103, since the modification in the local network node 102 is caused by the connection tracking module 103.
  • the remote monitoring submodule communicates with the external data storage 104 and monitors connection tracking data in the external data storage 104 that has been modified by other network nodes 102, i.e. nodes on which this scanning module 106 does not reside. Cooperation of these two submodules ensures an efficient synchronization of the connection tracking data across all the switch nodes.
  • a method for managing network services according to an embodiment of the present invention is further provided.
  • the method implemented in the system 600 further comprises: receiving, by the load balance node 603, at least one running parameter from at least two server nodes 604, and generating routing information which indicates an optimized server node 604 according to the at least one running parameter.
  • the optimized server node 604 is selected according to the availability and performance of all the server nodes 604 in the system 600. The method further comprises storing, by the load balance node 603, the routing information in the external data storage 104, and routing, by the at least one switch node 602, at least one packet to the optimized server node based on the generated routing information.
  • step 302 further comprises: receiving 802, by the network node 102, a packet belonging to a network service session.
  • the connection tracking module 103 then attempts to match a connection tracking state of the packet, particularly by using a metadata hash tuple from the packet's header (e.g. obtained by a combination of L3 and L4 fields).
  • the matching operation will result in querying of the local connection tracking data storage 200.
  • steps 303 and 304 further comprise: monitoring 810, by the scanning module 106, the connection tracking data stored in the internal data storage or memory 200, and updating the connection tracking data stored in the external data storage 104 when it detects that the connection tracking data stored in the internal data storage 200 has been modified.
  • monitoring 812, by the scanning module 106, the connection tracking data stored in the external data storage 104, and updating the connection tracking data stored in the internal data storage 200 when it detects that the connection tracking data stored in the external data storage 104 has been modified.
  • in this way the connection tracking data stored in the internal data storage 200 is kept synchronized with the connection tracking data stored in the external data storage 104, repeatedly, across all the network nodes in the system 600.
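The two monitoring steps 810 and 812 as an added example in Python, not code from the patent. The local scan pushes entries the local connection tracking module changed; the remote scan pulls entries other nodes changed. The per-entry version number and the node-id tie-break are assumptions added so that the two scans cannot echo a pulled entry straight back (which would keep every node's scan busy forever) and so that two nodes modifying the same entry at once resolve deterministically rather than flapping.

```python
"""Added example: scanning module 106 as a local scan and a remote scan over
versioned entries.  Not the patent's code; versioning and tie-break are assumed."""


class ScanningModule:
    def __init__(self, node_id, external):
        self.node_id = node_id
        self.external = external   # shared dict, stands in for storage 104
        self.local = {}            # internal storage 200: key -> (version, origin, value)
        self.dirty = set()         # keys the local conntrack module modified

    def local_write(self, key, value):
        """What the local connection tracking module 103 does on a state change."""
        version = self.local.get(key, (0, None, None))[0] + 1
        self.local[key] = (version, self.node_id, value)
        self.dirty.add(key)

    def local_scan(self):
        """Monitoring 810: push local modifications to the external store.
        Only dirty keys are considered, so entries that were merely pulled by
        remote_scan are never echoed back."""
        pushed = []
        for key in sorted(self.dirty):
            version, origin, value = self.local[key]
            ext = self.external.get(key)
            if ext is None or (version, origin) > (ext[0], ext[1]):
                self.external[key] = (version, origin, value)
                pushed.append(key)
            else:
                # a remote writer already holds a newer (or same-version,
                # higher-ranked) entry: adopt it, our write is the loser
                self.local[key] = ext
        self.dirty.clear()
        return pushed

    def remote_scan(self):
        """Monitoring 812: pull entries that other nodes modified."""
        pulled = []
        for key, ext in self.external.items():
            loc = self.local.get(key)
            if loc is None or (ext[0], ext[1]) > (loc[0], loc[1]):
                self.local[key] = ext
                pulled.append(key)
        return pulled


if __name__ == "__main__":
    external = {}
    a, b = ScanningModule("A", external), ScanningModule("B", external)
    a.local_write("flow-1", "NEW")
    print(a.local_scan(), b.remote_scan(), b.local["flow-1"])
```

The tie-break makes the concurrent case deterministic but not lossless: when two nodes write the same key at the same version, one update is discarded, and for connection state that can mean a CLOSED entry being replaced by an ESTABLISHED one written a moment earlier elsewhere. A production implementation would merge by state precedence or, as in the hook-delegated variant of Fig. 4, avoid the local copy altogether and write to the external store directly.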
  • the present invention provides a platform for stateful network services with improved dynamic scalability.
  • the platform provided by the present invention allows simple scale-out and scale-in.
  • the platform of the present invention also enables out-of-line load balancing, particularly by allowing network services to run in different instances on different network nodes in parallel. Further, no vendor lock-in is necessary, and high availability and network service continuity are readily achievable.

Abstract

The present invention relates to a system (100) for managing at least one network service (101). The system (100) comprises at least one network node (102) comprising at least one connection tracking module (103), which is configured to perform connection tracking on at least one packet belonging to a network service session. In addition, the system also comprises at least one external data storage, or memory, (104) configured to store connection tracking data obtained by the connection tracking module(s) (103) and to share the stored connection tracking data (105) across all network nodes (102).
PCT/EP2016/070776 2015-09-03 2016-09-02 Distributed connection tracking and load balancing WO2017037265A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
PCT/EP2015/070160 WO2017036535A1 (fr) 2015-09-03 2015-09-03 Distributed connection tracking
EP PCT/EP2015/070160 2015-09-03

Publications (1)

Publication Number Publication Date
WO2017037265A1 true WO2017037265A1 (fr) 2017-03-09

Family

ID=54065876

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/EP2015/070160 WO2017036535A1 (fr) 2015-09-03 2015-09-03 Distributed connection tracking
PCT/EP2016/070776 WO2017037265A1 (fr) 2015-09-03 2016-09-02 Distributed connection tracking and load balancing

Family Applications Before (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/070160 WO2017036535A1 (fr) 2015-09-03 2015-09-03 Distributed connection tracking

Country Status (1)

Country Link
WO (2) WO2017036535A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6762298B2 (ja) 2016-06-22 2020-09-30 Huawei Technologies Co., Ltd. System and method for detecting and preventing network intrusion by malicious data flows

Citations (4)

Publication number Priority date Publication date Assignee Title
US6606316B1 (en) * 1999-07-02 2003-08-12 Cisco Technology, Inc. Gathering network statistics in a distributed network service environment
EP1494422A2 (fr) * 2003-06-30 2005-01-05 Microsoft Corporation Network load balancing with host status data
US20140108626A1 (en) * 2012-10-11 2014-04-17 International Business Machines Corporation Virtual Consolidated Appliance
US20140310390A1 (en) * 2013-04-16 2014-10-16 Amazon Technologies, Inc. Asymmetric packet flow in a distributed load balancer

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US8763106B2 (en) * 2011-09-08 2014-06-24 Mcafee, Inc. Application state sharing in a firewall cluster
US9438488B2 (en) * 2012-11-09 2016-09-06 Citrix Systems, Inc. Systems and methods for appflow for datastream
EP2768200B8 (fr) * 2013-02-18 2019-09-18 Forcepoint Finland Oy Receiving data packets
US9407519B2 (en) * 2013-03-15 2016-08-02 Vmware, Inc. Virtual network flow monitoring

Also Published As

Publication number Publication date
WO2017036535A1 (fr) 2017-03-09

Similar Documents

Publication Publication Date Title
US10680946B2 (en) Adding multi-tenant awareness to a network packet processing device on a software defined network (SDN)
US11044314B2 (en) System and method for a database proxy
US11677818B2 (en) Multi-cluster ingress
CN108713191B (zh) Systems and methods for a cloud-aware application delivery controller
US9137156B2 (en) Scalable and efficient flow-aware packet distribution
US9979674B1 (en) Capacity-based server selection
US9509615B2 (en) Managing link aggregation traffic in a virtual environment
US20100036903A1 (en) Distributed load balancer
US20150249643A1 (en) Regional firewall clustering in a networked computing environment
US10033645B2 (en) Programmable data plane hardware load balancing system
US20140164477A1 (en) System and method for providing horizontal scaling of stateful applications
US9350666B2 (en) Managing link aggregation traffic in a virtual environment
US9686178B2 (en) Configuring link aggregation groups to perform load balancing in a virtual environment
McCauley et al. Thoughts on load distribution and the role of programmable switches
US10171361B1 (en) Service-specific probes in a native load balancer
US10511514B1 (en) Node-specific probes in a native load balancer
Kohler et al. ZeroSDN: A highly flexible and modular architecture for full-range distribution of event-based network control
US11516116B2 (en) Domain name system multipathing distributed applications
US10827042B2 (en) Traffic optimization for multi-node applications
US11146490B2 (en) Distributed load balancer health management using data center network manager
WO2017037265A1 (fr) Distributed connection tracking and load balancing
US11647083B2 (en) Cluster-aware multipath transmission control protocol (MPTCP) session load balancing
US11394663B1 (en) Selective packet processing including a run-to-completion packet processing data plane
Kulkarni et al. Managing state for failure resiliency in network function virtualization
WO2017097352A1 (fr) Managing a network by connection tracking

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16760483

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16760483

Country of ref document: EP

Kind code of ref document: A1