EP2847939A1 - Data transmission system - Google Patents

Data transmission system

Info

Publication number
EP2847939A1
Authority
EP
European Patent Office
Prior art keywords
network
icb
client
address
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP13723078.5A
Other languages
English (en)
French (fr)
Inventor
Jérôme DILOUYA
Benjamin RYZMAN
Grégory TESTE
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intercloud
Original Assignee
Intercloud
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intercloud
Publication of EP2847939A1
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1017 Server selection for load balancing based on a round robin mechanism

Definitions

  • The invention relates to a data transmission management technique. More particularly, it relates to a multihoming technique for the interconnection of IP ("Internet Protocol") services. Multihoming generally consists in connecting a network to several Internet service providers in order to improve the reliability of the Internet connection.
  • IP: Internet Protocol
  • Multihoming consists, for a given host network, in being able to reach other networks by passing through at least two separate neighboring networks to choose from.
  • The objective is to increase the quality and/or resilience of the network interconnection.
  • The basic principle is to eliminate, as far as possible, any single point of failure on the network path considered.
  • The invention is more particularly set in the context of the implementation of cloud computing services.
  • Cloud computing, a technique that is now well known, partly consists in relocating the storage and computing capacities needed to meet users' needs to hosting rooms.
  • This is an evolution in the implementation of IT, in which responsibility for supply and day-to-day operations no longer falls on the user companies.
  • The commercialization of these IT resources is done at fine granularity in terms of service units and time units. These two resources are sold to the user companies.
  • The SaaS mode ("Software as a Service") refers to the provision of business or office software in the form of subscription services or by purchase of user units (a certain number of users for 1 year, for example), whereas, traditionally, this type of software is sold as a user license valid for one or more client computers;
  • The PaaS mode ("Platform as a Service") includes the provision of software building blocks allowing the development of complex, tailor-made services for one or more user companies. It tends to replace the implementation of these same services on platforms deployed and managed on the user companies' own sites;
  • The IaaS mode ("Infrastructure as a Service") implies that the provider supplies computing capacity or raw storage, in the form of virtual machines and disks hosted on its own infrastructure.
  • The data is mixed with ordinary Internet traffic (in which it is difficult to identify). It then crosses several networks: the local network of the site, the company's wide-area network (through the virtual circuits established on the transport network of the chosen operator), several operator networks with varying engineering rules and contention ratios (depending on the path taken across the Internet), then the interconnection network to the cloud infrastructure provider, and finally the local network connecting to the cloud servers.
  • The company has a contractual relationship with only one of these operators: the one that provides its wide-area network.
  • Mixing critical data with Internet traffic makes an end-to-end quality of service policy difficult to envisage, even on the company's wide-area network alone, since it is impossible to qualify the criticality, and therefore the class of service, of encrypted data without first decrypting it.
  • One solution to this problem could be to implement two parallel Internet accesses, one used to transport critical data to cloud computing services and the other to transport conventional Internet traffic (consulting information, ordering goods or services, exchanging mail, etc.). The user company should therefore implement a multihoming mechanism capable of qualifying the different data to be transmitted between its wide-area network and the various destinations on the Internet.
  • BGP: Border Gateway Protocol
  • The invention does not have these disadvantages of the prior art. More particularly, the invention relates to an access gateway to an interconnection network (ICB) of a data transmission system comprising a first local network, called the client network, a second local network, called the cloud network, and an interconnection network connecting said client network and said cloud network, characterized in that said gateway comprises means for identifying and routing data from said client network to said cloud network.
  • ICB: interconnection network access gateway
  • Said gateway further comprises means for creating at least two data transmission tunnels through said interconnection network and means for selecting, from said at least two tunnels, at least one packet transmission tunnel according to at least one predetermined parameter.
  • Said tunnels are based on the UDP ("User Datagram Protocol") protocol.
  • Said at least one predetermined parameter belongs to the group comprising: a state of availability of a link between said local network and said interconnection network; a state of availability of a link between said local network and an extended mesh network; a traffic class associated with at least one data packet to be transmitted.
  • Said gateway also includes means for identifying the destination of a packet as a function of at least one destination address of said packet.
  • Said gateway further comprises packet filtering means so that only packets destined for said cloud network are transmitted on said interconnection network.
  • BFAI: access gateway to the extended mesh network
  • The invention also relates to a data transmission system comprising a first local network, called the client network, a second local network, called the cloud network, and an interconnection network connecting said client network and said cloud network, said client network further comprising an access gateway to an extended mesh network (BFAI).
  • Said system further comprises, at the level of the client network, an access gateway to said interconnection network (ICB) comprising means for identifying and routing data from said client network to said cloud network.
  • The technique described here proposes to solve the problems posed by "public" access to applications and/or services of the "cloud computing" type by deploying an end-to-end private infrastructure (ranging from the customer's network to the network of the provider of the application and/or service, i.e. the cloud network), without ever crossing a third-party network, in particular the Internet.
  • The technique of the invention makes it possible to address the security, quality of service and compliance issues posed by cloud computing.
  • The solution described is particularly aimed at companies using several cloud computing providers, because a single access to a dedicated gateway makes it possible to secure all the destinations connected to the private network provided to the user company.
  • This solution is deployed in parallel with the company's main Internet access, without disturbing its working habits. It is, so to speak, "transparent" to non-critical flows, and drastically improves critical and business flows, both in terms of security and quality of service.
  • The general principle of the invention is to have, within the user's network (i.e. the client entity that wishes to access cloud computing services), an intelligent interconnection gateway.
  • The purpose of this gateway is to allow differentiation of outgoing (and incoming) flows so that they are routed adequately.
  • The purpose of this gateway is also to ensure a predefined quality of service level while ensuring fault tolerance.
  • This gateway is also referred to as the ICB hereafter.
  • The ICB gateway includes means for interconnecting the customer network with an interconnection network.
  • This interconnection network makes it possible to interconnect a client and a Cloud Computing Service Provider (CSP).
  • This interconnection network aggregates dedicated links.
  • A dedicated link is a physical link that is "pulled" between the client and the interconnection network. It can for example be an optical fiber.
  • A physical link can also be pulled between the interconnection network and the CSP.
  • The interconnection network manages both the transmission/reception of data from the clients and the routing of this data to the CSP.
  • The intelligent interconnection gateway is able to transmit and receive data on the interconnection network.
  • The interconnection gateway also has the capacity to transmit data directly via a mesh network, such as the Internet, when the dedicated link is not or no longer operational. It is in this sense that the gateway can be described as intelligent.
  • The gateway includes tunneling mechanisms and uses a protocol that allows great freedom in the transport of data.
  • An intelligent interconnection gateway called the ICB which, according to the invention, makes it possible (in a multihoming architecture) to separate the data transmitted to the Cloud Service Providers (CSPs) from the general data passing through an operator network.
  • CSPs: Cloud Service Providers
  • This gateway has two modes of operation.
  • The customer's access gateway to the Internet is named the BFAI.
  • In one mode, the ICB is placed in break (in-line) with the BFAI gateway. Its role is to intercept and divert data destined for CSPs to the network dedicated to transmitting data to cloud service providers;
  • The DNS server of the client machines on the LAN will be the DNS server of the provider of the interconnection infrastructure.
  • In the other mode, the ICB is placed in a DMZ and is the "next hop" of the route to the provider of the interconnection infrastructure at the level of the BFAI gateway (the mechanism of knowing only the address of the next link leading to the destination is called hop-by-hop routing).
  • The network has many features that make it possible to operate transparently for the customer where it is deployed.
  • This gateway, as discussed in general terms above, transports the flows to and from the cloud service providers via an interconnection network.
  • The ICB boots from the network (via PXE) and loads its kernel, environment and configuration from a server at the core of the interconnection network.
  • The system loaded from the network is placed in the RAM of the ICB. This makes it possible to modify the configuration of the remote gateway to meet evolving needs related to the network infrastructure, for example.
  • The IP address provided by the server is assigned based on the MAC address (hardware address) of the ICB. The server is able to know the link from which the ICB makes its request and can then provide it with the appropriate configuration.
  • VLAN: Virtual Local Area Network (Virtual LAN)
  • Each stream could then be isolated in a VLAN on the dedicated link.
  • The dedicated link (from the ICB to the interconnection network) is provided by a third-party operator. There is no guarantee of support for data transport via VLANs.
  • Each stream should therefore be passed through a different tunnel to allow isolation. This is not the case with OpenVPN.
  • A filtering policy is applied on the interface connected to the provider of the interconnection infrastructure. No filtering is applied on the ISP side.
  • The ICB mounts tunnels (with OpenVPN) to a tunnel concentrator at the edge of the interconnection network.
  • Among the tunnels mounted with Ethernet connectivity, there are two different types of tunnels:
  • Indirect (tun0): this tunnel makes indirect access to the CSPs possible. It offers connectivity at the IP level. This tunnel is common to all indirect accesses.
  • TCP: Transmission Control Protocol
  • UDP: User Datagram Protocol
  • TCP: the advantage of TCP is that it provides a suite of congestion management, error control and similar mechanisms. The problem is that the ICB provides Ethernet connectivity through these tunnels, and the flows that pass through the tunnel already have an error control mechanism (at the network protocol level or at the application level): passing them through TCP again is a duplication.
  • When the dedicated link becomes unavailable, the TCP session of the tunnel is broken and the tunnel is remounted on the BFAI-side interface.
  • Once the dedicated link is available again, the ICB will continue to use the BFAI-side interface since the TCP session is still active. The tunnel must then be cut and remounted manually so that it goes through the dedicated link again.
  • The advantage of using TCP sessions is that it is possible to detect when the TCP sessions are broken and transmit this information to the supervision system.
  • UDP: the advantage of UDP is its simplicity. It is not necessary, as with TCP, to maintain sessions. UDP does not handle congestion and error control: the flow passing through the tunnel handles these aspects alone.
  • The use of the UDP protocol for the tunnels is therefore preferred.
  • The UDP protocol makes it possible to switch from one link to another instantly according to the routing table, rather than having to dismount and remount the tunnels manually.
  • UDP is lighter than TCP, and advanced error control mechanisms at the tunnel level are not necessary since the flows carried have their own.
  • Some CSPs agree to manage an IP address of the client's LAN or DMZ as the access point to their service.
  • The IP address managed by the CSP is either an IP address of the client's local LAN or an IP address of its DMZ.
  • The ICB transmits data through one of the tunnels.
  • The core equipment of the interconnection network is able to extend the client's local LAN to the CSP.
  • The security of the data transiting on this extended LAN is the responsibility of the customer, since it is part of its network.
  • VLL: Virtual Leased Line
  • VPLS: Virtual Private LAN Service
  • ARP table: a table of IPv4 address/MAC address pairs held in the memory of a computer that uses the ARP ("Address Resolution Protocol") protocol.
  • The number of clients and planned CSPs does not result in a shortage of resources on the equipment that will have to manage VPLS.
  • IP address: either directly the public IP address of the CSP;
  • If the public IP address of the CSP is used and there is a loss of link between the interconnection network and a CSP, the routing mechanisms put in place switch the traffic to the transit network (Internet) and route it to the CSP via the Internet.
  • If IP addresses of the interconnection network are used, the starting address range saturates quickly.
  • Alternatively, the client provides a range of private IP addresses, this range being reserved for the CSPs. This ensures that the range is not already in use in the customer's network, and there is no need to use a public IP address.
  • Each client therefore has a specific DNS configuration with a bijection between the IP addresses it provides and the IP addresses of the CSPs it wants to access: for each IP address of the CSP, there is an associated private IP address.
  • This also makes it possible to take advantage of any load balancing mechanisms (such as DNS "round robin") that the CSPs may have put in place in their DNS.
  • The ICB holds the table of correspondence between these IP addresses so as to perform NAT ("Network Address Translation") on the destination of the packets.
  • NAT: Network Address Translation
  • Another advantage of using a private IP address range for the CSPs is the traffic class perceived by the operator of the customer's VPN between client sites. If public IP addresses were used, the traffic through the VPN would be classified as "best effort". If private IP addresses are used, the operator classifies the traffic as "business", with a better quality of service through the VPN. Thus, the use of private IP addresses somehow "lures" the client's operator.
  • The source IP address contained in the packets is the IP address of the client machine in the client's LAN. Since this IP address is private, it will not be routed on the Internet (or on the interconnection network), and the CSP would not know where to send its response.
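The private-range bijection, the DNS answer rewrite and the destination NAT described above, together with the source masquerading that the private client address requires, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from Intercloud; all addresses (the reserved range 172.31.0.0/24, the client LAN 192.168.1.0/24, the CSP addresses in 203.0.113.0/24 and the tunnel source 10.200.0.2) are constructed, and the port allocation scheme is a simplification of what a real connection tracker does.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class CspNat:
    """Bijection between a client-provided private range and CSP public
    addresses, plus the ICB's destination NAT and source masquerading.
    Hypothetical helper written for this page, not the patent's code."""

    def __init__(self, reserved_range, client_lan, csp_public_ips, tunnel_src_ip):
        self.reserved = ipaddress.ip_network(reserved_range)
        # Precondition stated on the page: the reserved range must not already
        # be in use in the customer's network.
        if self.reserved.overlaps(ipaddress.ip_network(client_lan)):
            raise ValueError("reserved CSP range overlaps the client LAN")
        hosts = self.reserved.hosts()
        self.to_public = {}    # private -> CSP public (used on the way out)
        self.to_private = {}   # CSP public -> private (DNS answers and replies)
        for pub in csp_public_ips:
            priv = str(next(hosts))
            self.to_public[priv] = pub
            self.to_private[pub] = priv
        self.tunnel_src = tunnel_src_ip   # masquerade address on the tunnel side
        self._next_port = 40000           # constructed port pool
        self._out = {}    # (client_ip, client_port) -> masqueraded port
        self._back = {}   # masqueraded port -> (client_ip, client_port)

    def rewrite_dns_answer(self, answers):
        """Map CSP public addresses in a DNS answer to their private twins.
        Order is preserved, so a round-robin ordering chosen by the CSP survives."""
        return [self.to_private.get(a, a) for a in answers]

    def outbound(self, pkt):
        """Client -> CSP: destination NAT to the public address plus masquerade."""
        pub = self.to_public.get(pkt.dst)
        if pub is None:
            return None   # not a CSP destination: bridged unchanged, not translated
        key = (pkt.src, pkt.sport)
        if key not in self._out:
            self._out[key] = self._next_port
            self._back[self._next_port] = key
            self._next_port += 1
        return Packet(self.tunnel_src, pub, self._out[key], pkt.dport)

    def inbound(self, pkt):
        """CSP -> client: reverse both translations; unsolicited traffic is dropped."""
        priv = self.to_private.get(pkt.src)
        client = self._back.get(pkt.dport)
        if priv is None or client is None:
            return None
        return Packet(priv, client[0], pkt.sport, client[1])


if __name__ == "__main__":
    nat = CspNat("172.31.0.0/24", "192.168.1.0/24",
                 ["203.0.113.10", "203.0.113.11"], "10.200.0.2")
    print(nat.rewrite_dns_answer(["203.0.113.11", "203.0.113.10"]))
    out = nat.outbound(Packet("192.168.1.20", "172.31.0.1", 51000, 443))
    print(out, nat.inbound(Packet("203.0.113.10", "10.200.0.2", 443, 40000)))
```

Two properties worth keeping in a real implementation: the overlap check at construction time is what guarantees the "not already in use" claim rather than leaving it to the customer's memory, and `inbound` drops anything that does not match an existing translation, so the tunnel side cannot inject packets toward arbitrary LAN hosts.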
  • When the link between the ICB and the interconnection network becomes unavailable, the ICB is able to switch the transmission and reception of streams onto the Internet.
  • The unavailability of the link invalidates the static routes to the interconnection network, and the ICB automatically switches the tunnels to access the interconnection network via the Internet.
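The decision logic of the claims (identify the destination, filter so that only CSP packets enter the interconnection network, choose a tunnel from the link states) and the route-invalidation fallback just described can be put together in one small model. This is an added example for this page, not code from the patent or from Intercloud: the CSP prefixes, the two concentrator addresses (a private one reachable over the dedicated link on eth2, a public one reachable through the BFAI on eth1) and the interface names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values, not from the patent: CSP ranges the ICB is assumed to have
# fetched from the interconnection network, and the two addresses at which the
# tunnel concentrator is assumed to be reachable, each bound to one interface.
CSP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]
TUNNELS = [
    ("dedicated", "10.200.0.1", "eth2"),   # private endpoint over the dedicated link
    ("internet", "192.0.2.10", "eth1"),    # public endpoint through the BFAI
]


@dataclass
class LinkState:
    dedicated_up: bool = True   # eth2: link to the interconnection network
    bfai_up: bool = True        # eth1: link to the customer's Internet gateway


def is_csp_destination(dst: str) -> bool:
    """Identify a packet's destination from its address (the claim's identification means)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CSP_PREFIXES)


def routing_table(links: LinkState):
    """Static routes of the ICB. A route is valid only while its link is up, which
    models 'the unavailability of the link invalidates the static routes'."""
    return [
        (ipaddress.ip_network("10.200.0.0/16"), "eth2", links.dedicated_up),
        (ipaddress.ip_network("0.0.0.0/0"), "eth1", links.bfai_up),
    ]


def egress_interface(dst: str, links: LinkState):
    """Longest-prefix match over the valid routes; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, valid in routing_table(links):
        if valid and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def select_tunnel(links: LinkState):
    """Pick the first UDP tunnel whose endpoint is currently routed out of the
    interface it is bound to. Dedicated link first, Internet as the fallback."""
    for name, endpoint, iface in TUNNELS:
        if egress_interface(endpoint, links) == iface:
            return name, iface
    return None


def handle_packet(dst: str, links: LinkState) -> str:
    """Decision for one outgoing packet from the client LAN:
    'bridge'           not CSP traffic, bridged unchanged to the BFAI
    'tunnel:<name>'    CSP traffic sent into the selected tunnel
    'drop'             CSP traffic with no usable path"""
    if not is_csp_destination(dst):
        return "bridge"   # filtering: only CSP packets enter the interconnection network
    chosen = select_tunnel(links)
    if chosen is None:
        return "drop"
    return f"tunnel:{chosen[0]}"


if __name__ == "__main__":
    for state in (LinkState(), LinkState(dedicated_up=False),
                  LinkState(dedicated_up=False, bfai_up=False)):
        print(state, handle_packet("203.0.113.5", state), handle_packet("192.0.2.99", state))
```

Binding each tunnel endpoint to an interface (rather than just asking the routing table for any path) is what makes the fallback explicit: when the dedicated route is invalidated, the private endpoint is not silently sent out of the default route, and the switch to the Internet-side endpoint is a visible, loggable event, which is the point at which the page's SNMP trap would be raised.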
  • When the ICB is unavailable (hardware or software problem), the customer is able to remove the ICB from its network (by connecting the two network cables with a coupler, for example) and can continue to use all or part of the services offered without having to reconfigure its equipment.
  • The ICB has a short-circuit feature: the user does not have to remove the ICB from its network.
  • The ICB then behaves like a single interconnecting cable.
  • This feature can be implemented in two different ways: the first is to let the ICB itself detect that the interconnection link is unavailable, in which case the circuit-breaker functionality is implemented by the ICB. The second is hardware-based: when the ICB is no longer powered (for example because it has been disconnected), the short circuit is performed automatically, due to the lack of power.
  • SNMP trap: during service degradation, a Simple Network Management Protocol (SNMP) trap must be sent to the management server for processing, to immediately notify administrators of a failure.
  • The ICB transmits an SNMP trap when it detects an anomaly on a link, or if a critical service is unavailable.
  • The tunnel concentrator is able to detect that an ICB has failed to bring up its tunnels.
  • SNMP traps are transmitted through the administration tunnel.
  • The ICB automatically returns to its initial configuration.
  • The ICB also transmits an SNMP trap to signal the resumption of service.
  • IP addresses: for the ICB to function properly, several different IP addresses are needed:
  • an IP address on the interface on the interconnection infrastructure provider's side, to mount the tunnels when the link is available. This IP address is distributed by a DHCP server at the heart of the interconnection network, from a range of private IP addresses;
  • an IP address on the BFAI-side interface, to mount the tunnels when the dedicated link is unavailable. The IP address on this interface is not under our control: it is not possible to arbitrarily choose an IP address in the client's local network. The client must provide an unused IP address to avoid an addressing conflict.
  • Quality of service management holds a prominent place. Having ICBs at the customer's premises allows end-to-end control of the equipment from the customer's network to the CSP (at least for a very large part of the path). It is then possible to use the ICBs to test the quality of the end-to-end network (EtherSAM measurements). It is also possible to identify the peak and off-peak hours of service use by the customer.
  • The ICB also has means for mounting a tunnel over the Internet in addition to the tunnels on the dedicated link. It is therefore possible to run scenarios in parallel on the two links to compare them. As a result, it is possible to dynamically adjust data transmission parameters, or even to decide to use an additional tunnel to carry out a data transmission in a given context.

4.3.1 In break
  • The ICB is placed in break with the BFAI. Its role is to intercept and divert data destined for CSPs to the interconnection network.
  • The following elements describe the operation of the gateway, and more generally of the system, in this configuration. It is important to note that the gateway includes means for implementing the methods described later, in particular means for implementing the method of routing and differentiating the processing of data from and to the interconnection network and the "public" network that provides Internet access. These means consist of a processor (able to apply separate processing to the packets according to the network situation and a configuration), at least one memory (holding the configuration files necessary for the processing of the packets) and at least three network interfaces.
  • The interfaces may be physical access network modules of identical or different technologies, depending on the case.
  • The purpose of the invention is to make the routing of data between networks as transparent as possible and to ensure continuity of service in the event of a failure of one of the networks.
  • Continuity of service is provided towards the interconnection network: the aim is to ensure continuity of service during a failure of the BFAI and during a failure of the ICB. Specific means for this are not developed by the inventors.
  • eth0 connects the client's local LAN to the ICB.
  • eth1 connects the customer's BFAI to the ICB. This interface has an IP address in the customer's LAN.
  • eth2 connects the interconnection network to the ICB. This interface has an IP address that is not controlled.
  • The bridge between the interfaces is called br0.
  • VLAN-aware interfaces, e.g. eth0.x
  • br1: a second bridge, br1
  • An Ethernet bridge is mounted on the ICB to continue providing Ethernet connectivity between the LAN and the BFAI.
  • The client's LAN will continue to work as before (ARP, BOOTP, etc.); the BFAI will always be the default gateway for the client machines.
  • The inventors had the idea of favoring the Ethernet bridge, which allows a simpler configuration at the ICB level and avoids having the same IP address twice in the client's local LAN. It also makes it easy to extend the LAN from the client to the CSP.
  • The invention rests in part on the assumption that the Internet Service Provider (ISP) is unreliable.
  • The inventors had the idea of replacing the secondary DNS server provided by the DHCP server with a DNS server of the provider of the interconnection infrastructure (on a private IP). This is useful when the link to the operator or the BFAI becomes unavailable.
  • The client can modify the DHCP configuration provided by either the BFAI or a DHCP server in its LAN and change the secondary DNS server directly.
  • The ICB is not the DHCP server, and the inventors had the idea of rewriting the DHCP responses that pass through the ICB by changing the secondary DNS server.
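The DHCP rewrite consists of parsing the option list of a DHCP reply crossing the bridge and replacing the second entry of option 6 (DNS servers). The following is an added example written for this page, not code from the patent or from Intercloud. The sample DHCPACK it builds is constructed (server-side DNS 192.168.1.1 and 198.51.100.53, replacement 10.200.0.53 standing in for the interconnection provider's private DNS); the hook that would feed real frames into it is out of scope.

```python
import socket

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options
BOOTREPLY = 2                      # op field: 1 = request from client, 2 = reply from server
OPT_PAD, OPT_MSGTYPE, OPT_DNS, OPT_END = 0, 53, 6, 255


def parse_options(blob: bytes):
    """Decode the DHCP option TLVs that follow the magic cookie."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        opts.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def serialize_options(opts) -> bytes:
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def dns_servers(msg: bytes):
    """Return the option-6 DNS server list of a DHCP message, in order."""
    for code, value in parse_options(msg[240:]):
        if code == OPT_DNS:
            return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]
    return []


def rewrite_secondary_dns(msg: bytes, new_secondary: str) -> bytes:
    """Return msg with the second DNS server of option 6 replaced.
    Only BOOTREPLY messages (offers/acks from the real DHCP server) are touched;
    requests, non-DHCP data and replies without option 6 pass through unchanged."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC or msg[0] != BOOTREPLY:
        return msg
    rewritten = []
    for code, value in parse_options(msg[240:]):
        if code == OPT_DNS:
            servers = [value[i:i + 4] for i in range(0, len(value), 4)]
            servers[1:2] = [socket.inet_aton(new_secondary)]  # replace, or append if only one
            value = b"".join(servers)
        rewritten.append((code, value))
    return msg[:240] + serialize_options(rewritten)


def sample_ack() -> bytes:
    """Constructed DHCPACK: BOOTREPLY header with op/htype/hlen set and the other
    fixed fields zeroed, the magic cookie, then options 53 (ACK) and 6 (two DNS servers)."""
    header = bytes([BOOTREPLY, 1, 6, 0]) + b"\x00" * 232
    opts = [(OPT_MSGTYPE, b"\x05"),
            (OPT_DNS, socket.inet_aton("192.168.1.1") + socket.inet_aton("198.51.100.53"))]
    return header + DHCP_MAGIC + serialize_options(opts)


if __name__ == "__main__":
    ack = sample_ack()
    print(dns_servers(ack), "->", dns_servers(rewrite_secondary_dns(ack, "10.200.0.53")))
```

Because only the value of option 6 changes and the replacement is the same length, the IP and UDP lengths of the carrying packet are unchanged; a real in-bridge implementation still has to recompute the UDP checksum (or clear it, which IPv4 permits), and it should log every rewritten lease so that an unexpected DNS server in a client's configuration can be traced back to the ICB rather than mistaken for a rogue DHCP server.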
  • The ICB placed in break needs to know the IP address ranges that it must divert to the interconnection network. It must therefore be possible to retrieve this information from the interconnection network.
  • The ICB must also be able to periodically refresh these address ranges.
  • Data destined for the BFAI can potentially be encapsulated in VLANs.
  • The ICB placed in break must be able to understand tagged frames. For simplicity of configuration and of the mechanisms implemented in the ICB, it is considered that Internet traffic is not split across multiple VLANs. Multiple VLANs may cross the ICB, but only one will carry the Internet traffic that needs to be analyzed and possibly diverted to the provider of the interconnection infrastructure.
  • The inventors came up with the idea of making an Ethernet bridge br1 between the eth0 and eth1 interfaces. All frames, tagged or not, circulate on this bridge. The inventors then extract the VLANs of interest by decapsulating them.
  • An Ethernet bridge (br0) is mounted between the three interfaces eth0, eth1 and tap*.
  • DNS queries pass through the Ethernet bridge without being altered.
  • The operator's DNS server returns the public IP addresses of the CSPs. Indirect accesses to the CSPs are intercepted by the ICB, which treats them as addressed to itself and routes them to the interconnection network. If the packets are in a VLAN, they are decapsulated before being routed. Masquerading is performed on packets going out through the tun0 interface.
  • The service provided to the client is terminated and its LAN is affected.
  • The client must remove the ICB from its network to restore connectivity with the BFAI.
  • The client will not have to do anything unless the crash is at the software level.
  • ARP cache When a machine tries to send a packet to an IP address on its local network, it must first know its MAC address.
  • the known addresses are stored in a table (which matches IP ⁇ -> MAC) at the operating system level called ARP cache.
  • the machine sends an ARP message to the network which indicates the IP address concerned.
  • the machine with this IP address will respond with an is-at message, containing its MAC address.
  • the ARP cache is cleaned regularly. Any MAC addresses that have not been used recently are removed.
  • the browser analyzes the user input in the address bar to retrieve the DNS name (or IP address) of the target.
  • the browser requests the operating system to perform a name resolution to obtain the IP address of the target.
  • the operating system looks for information on all the means at its disposal (hosts file, DNS cache, DNS server).
  • the operating system must contact the ISP's DNS server, it is not on the local network.
  • the operating system must transmit the request to its default gateway because it is not a local IP address (determined by the routing table).
  • the operating system checks whether the MAC address of the gateway is available in the ARP cache.
  • the operating system performs an ARP resolution to obtain the MAC of the gateway.
  • the ICB (which acts as an Ethernet switch) passes the request to the BFAI that responds to the client.
  • the operating system transmits the DNS query to its default gateway. 10.
  • the ICB passes the request.
  • the browser establishes a connection with the target site by transmitting the data to its gateway (because again we have a non-local IP address) which will be responsible for routing them.
  • the ICB passes the connection since it does not concern a CSP. b. Indirect CSP traffic
  • Steps 1 to 11 the operation of the process is identical.
  • Step 12 is modified as follows:
  • the ICB has detected that the connection concerns a CSP and diverts the data to the interconnection network.
  • the application tries to connect to the target IP address.
  • the operating system detects that it is a local IP address, reachable directly.
  • the operating system checks whether the MAC address of the target is present in its ARP cache.
  • the operating system performs an ARP resolution to obtain the MAC address of the target.
  • the ICB, which acts as an Ethernet switch between the LAN, the BFAI and the interconnection infrastructure provider, lets the ARP request propagate onto the interconnection network.
  • the remote machine answers this request through the interconnection network.
  • the application can connect to the target.
  • the ICB (which acts as an Ethernet switch) sends the data to the target across the interconnection network.
  • the client machines can no longer reach it and all connections in progress are broken.
  • the IP address no longer answers requests and the route becomes invalid in the operating system's routing table. From that moment the client has no entry left in its routing table to reach the remote IP address.
  • the operating system considers the route unreachable and returns an error code directly to the application, without sending anything on the network.
  • direct traffic is not affected, because it does not depend on the default-route entry in the routing table; it depends on another entry, which states that the IP address range of the local network is directly reachable. As the ICB is still running, it continues to relay ARP requests to the remote machine, keeps acting as an Ethernet switch, and relays the data to the target machine across the interconnection network.
  • the inventors had the idea of setting up a mechanism which, when it detects that the link to the BFAI is unavailable, brings up the IP address of the BFAI on the LAN interface of the ICB (eth0) so as to restore the clients' default route.
  • in IPv4, a gratuitous ARP can also be sent to speed up the refresh of the client machines' ARP caches.
  • the request to the primary DNS server will time out. Indeed, even if the ICB passed the DNS traffic through the interconnection network, the operator's DNS server would refuse the query because it would not come from one of its customers. So the DNS request to the primary server is allowed to expire, and the client then switches to the secondary DNS server (that of the interconnection infrastructure provider). DNS requests are then routed onto the interconnection network by the ICB.
  • the ICB has become the default gateway of the client's LAN machines. Traffic is therefore sent to the ICB (and no longer to the BFAI). The ICB routes the packets without having to force the diversion as before.
  • the inventors had the idea of letting through only packets destined to the CSPs and to the DNS server of the interconnection infrastructure provider. Traffic destined to the Internet does not pass through the interconnection network and is answered with ICMP error messages.
  • a second problem arises when the BFAI also acts as a DHCP server: machines whose IP address was assigned via DHCP eventually stop using those addresses if the DHCP server stops responding (tested on Linux and Windows).
  • a first solution would be to deploy a full-fledged DHCP server taking over this role.
  • since that DHCP server always answers, the client machines keep their IP addresses and continue to communicate with the direct CSPs.
  • another solution would be a secondary DHCP server that communicates with the BFAI to stay up to date and takes over if the BFAI fails. This would eliminate the single point of failure.
  • the retained solution is to simulate a DHCP server at the ICB to ensure continuity of service. No new IP addresses are allocated, so as to avoid conflicts. Instead, the ICB simulates the messages the DHCP server would have returned in normal operation, so that the clients do not notice that the BFAI's DHCP server is unavailable and keep transmitting on the network.
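The two client-facing parts of the takeover described above, as an added example that is not the patent's code: the gratuitous ARP that moves the BFAI's IP address onto the ICB's LAN interface, and a DHCP responder that acknowledges renewals of addresses the clients already hold but never hands out a new lease. It is written in Python with the standard library only; the MAC and IP addresses, the lease time and the sample DHCP messages are constructed, and the rule of ignoring DHCPDISCOVER and server-selecting DHCPREQUEST messages is this example's reading of "no new IP addresses are allocated".

```python
"""The ICB standing in for a failed BFAI towards the LAN clients.

Added example, not the patent's code. It shows two pieces of the mechanism
described above: the gratuitous ARP that announces the BFAI's IP address on
the ICB's LAN interface, and a DHCP responder that acknowledges renewals of
addresses the clients already hold without ever allocating a new address.
MAC and IP addresses, the lease time and the sample messages are constructed.
"""
import socket
import struct

ICB_MAC = bytes.fromhex("020000001c0b")  # constructed, locally administered
BFAI_IP = "192.168.1.1"                   # constructed address of the BFAI
LEASE_SECONDS = 3600                      # constructed lease to hand back
DHCP_COOKIE = b"\x63\x82\x53\x63"


def gratuitous_arp(sender_mac, ip):
    """Ethernet frame of a gratuitous ARP: sender and target IP are both
    `ip`, so every host with a cached MAC for `ip` switches it to ours."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, request
    arp += sender_mac + socket.inet_aton(ip) + b"\x00" * 6 + socket.inet_aton(ip)
    return eth + arp


def parse_dhcp(msg):
    """Split a BOOTP/DHCP message into fixed header fields and options."""
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    hdr = dict(op=op, xid=xid, flags=flags, ciaddr=msg[12:16], yiaddr=msg[16:20],
               giaddr=msg[24:28], chaddr=msg[28:28 + hlen])
    if msg[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, off = {}, 240
    while off < len(msg) and msg[off] != 255:  # 255 = end option
        if msg[off] == 0:  # pad option
            off += 1
            continue
        code, length = msg[off], msg[off + 1]
        opts[code] = msg[off + 2:off + 2 + length]
        off += 2 + length
    return hdr, opts


def simulated_dhcp_reply(request):
    """Answer as the unreachable BFAI's DHCP server would have, or None.

    Only DHCPREQUEST messages from clients that already hold an address are
    acknowledged (RENEWING/REBINDING carry it in ciaddr, INIT-REBOOT in
    option 50). DHCPDISCOVER, and a REQUEST that selects a server (option
    54) after an OFFER we never made, get no reply: no new leases are given.
    """
    hdr, opts = parse_dhcp(request)
    if hdr["op"] != 1 or opts.get(53) != b"\x03" or 54 in opts:
        return None
    client_ip = opts.get(50) or hdr["ciaddr"]
    if client_ip == b"\x00" * 4:
        return None
    server = socket.inet_aton(BFAI_IP)
    reply = struct.pack("!BBBBIHH", 2, 1, 6, 0, hdr["xid"], 0, hdr["flags"])
    reply += hdr["ciaddr"] + client_ip + server + hdr["giaddr"]  # ciaddr yiaddr siaddr giaddr
    reply += hdr["chaddr"].ljust(16, b"\x00") + b"\x00" * 192   # chaddr, sname, file
    reply += DHCP_COOKIE
    reply += bytes([53, 1, 5])                                  # DHCPACK
    reply += bytes([54, 4]) + server                            # server identifier
    reply += bytes([51, 4]) + struct.pack("!I", LEASE_SECONDS)  # lease time
    reply += bytes([3, 4]) + server                             # router = BFAI address
    return reply + b"\xff"


def build_dhcp_message(msg_type, client_mac, ciaddr="0.0.0.0", options=(),
                       xid=0x3903F326):
    """Construct a client DHCP message for the example (not a capture)."""
    msg = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)
    msg += socket.inet_aton(ciaddr) + b"\x00" * 12
    msg += client_mac.ljust(16, b"\x00") + b"\x00" * 192 + DHCP_COOKIE
    msg += bytes([53, 1, msg_type])
    for code, value in options:
        msg += bytes([code, len(value)]) + value
    return msg + b"\xff"
```

The frames and messages are built as raw bytes so the fields the description relies on are visible: in the ARP frame the sender and target IP are both the BFAI's address while the sender MAC is the ICB's, and the DHCPACK echoes the client's existing address as yiaddr with the BFAI's address as server identifier and router, which is exactly what a client expects from the server it already knows.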
  • the loss of the Internet link (but not of the BFAI) causes the DNS request timer to the primary DNS server to expire, after which the client switches to the DNS server of the interconnection infrastructure provider.
  • the ICB routes the DNS requests to the server of the interconnection infrastructure provider.
  • indirect access works as before and is intercepted by the ICB.
  • traffic destined to the Internet does not pass through the interconnection network and is answered with ICMP error messages.
  • when the user's network is in a triangle configuration with spanning tree to secure its LAN, with the BFAI acting as one of the switches, the conventional ICB cannot be inserted into the link. A box with at least one more network interface would be required to play the role played by the BFAI. Placing this box does not change the redundancy capacity of the customer's network: if the BFAI (in the previous configuration) or the ICB (in the new configuration) becomes unavailable, Internet access also becomes unavailable.
  • otherwise a switch would have to be added to the customer's network, which is equipment we do not want to be responsible for.
  • the decision to divert traffic to the interconnection network is based on the destination IP address of the packet.
  • the default behaviour is to pass the data to the BFAI.
  • the scenario of access to a CSP can be divided into three stages:
  1. from the access address of the CSP, the client first extracts the domain name and performs a DNS resolution to find out which IP address it should connect to;
  2. the client issues a request;
  3. the server, after analysing the submitted request, returns the appropriate content and closes the communication channel.
  • when a client accesses the CSP by performing a DNS query and the ICB sits in line between the client and the DNS server, the ICB detects the DNS request for a CSP and listens for the response to learn the IP address.
  • when the ICB sits in line between the clients and the DNS server (for example, if this service is integrated into the BFAI), the ICB can observe the DNS resolution process. Thus the ICB detects the DNS request for a domain issued by the client. This query contains the type of information wanted as well as the target of the question. However, the request does not contain the information of interest for the process described here, namely the IP address of the target server. DNS packets of type "question" therefore need no particular treatment. DNS packets of type "answer", on the other hand, are of interest for the learning process, since they contain both the DNS server's response with the requested data and a copy of the original question.
  • by analysing these packets, one can for example recover the IP addresses associated with a domain.
  • the analysis of a DNS packet begins with a step of checking at least part of the header flag and count fields.
  • the goal is to check the type of DNS packet, the response code, and the number of questions and answers. This check discards packets of the wrong type or without an answer, and keeps the process from being too resource-intensive.
  • the question, i.e. the initial request included in the packet, is then analysed. More particularly, the type of the question (QTYPE field) is examined.
  • in the IPv4 case, the query must be based on a type-A DNS record. The analysis continues with a search step, within the packet, for a QTYPE whose value is "A".
  • the associated domain name is then retrieved in an extraction step.
  • this domain name is compared, in a comparison step, with the entries of a database.
  • this database contains the domain names associated with "CSP" traffic.
  • the structure of this database is optimised to take advantage of the DNS tree structure.
  • if the domain name matches, the IP address carried in the answer is compared with the entries of a second database, which contains the learned IP addresses for which the traffic diversion process is applied.
  • this second database is called the list of learned IP addresses. If the IP address has not already been learned, it is added as an entry to this database and to the traffic diversion process. If the address has already been learned, its date of last use is updated (so that it can be tracked later).
  • this second database is optimised for fast lookups: every insertion or deletion keeps the list of learned IP addresses ordered, which allows a binary (dichotomous) search to determine whether an IP address has been learned.
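The learning steps above (header check, A-type question, domain comparison against the CSP table, insertion into the ordered list of learned addresses), worked as an added example that is not part of the patent description. It is written in Python with the standard library; the CSP domain table, the DNS response packet and the timestamps are constructed for the example, and matching the queried name by its label suffix is one way of realising the "DNS tree" organisation the description mentions.

```python
"""Learning CSP IP addresses from observed DNS answers.

Added example, not code from the patent. It follows the described steps:
check the header flags and counts, require an A-type question, match the
queried name against a CSP domain table organised along the DNS tree, and
record the answered addresses in a list kept sorted for bisection lookups.
The CSP domain table and the DNS packets are constructed for the example.
"""
import bisect
import socket
import struct

# Constructed CSP domain table. Names are stored as reversed label tuples so
# that matching walks the DNS tree from the root: ("com", "example-csp").
CSP_DOMAINS = [("com", "example-csp"), ("net", "csp-storage")]


def csp_domain_matches(name):
    """True if `name` is one of the CSP domains or lies below one of them."""
    labels = tuple(reversed(name.lower().rstrip(".").split(".")))
    return any(labels[:len(d)] == d for d in CSP_DOMAINS)


def read_name(pkt, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.

    Returns (name, offset of the first byte after the name as it appears
    at `off`, i.e. just after a pointer if one was used).
    """
    labels, jumped, end = [], False, off
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("DNS name too long or compression pointer loop")
    return ".".join(labels), end if jumped else off


def ip_str(ip_int):
    return socket.inet_ntoa(struct.pack("!I", ip_int))


def learn_from_dns_answer(pkt, learned, now):
    """Inspect one DNS packet; return the addresses newly learned from it.

    `learned` is a list of (ip_int, last_seen) kept in ascending order so
    that membership is a bisection; it is updated in place.
    """
    if len(pkt) < 12:
        return []
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    qr, rcode = flags >> 15, flags & 0xF
    # Step 1: only successful responses that carry a question and an answer.
    if qr != 1 or rcode != 0 or qd < 1 or an < 1:
        return []
    # Step 2: the first question must be type A (QTYPE 1) for a CSP domain.
    qname, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    for _ in range(qd - 1):  # skip any further questions
        _, off = read_name(pkt, off)
        off += 4
    if qtype != 1 or not csp_domain_matches(qname):
        return []
    # Step 3: walk the answer section and record every A record it carries.
    new = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype != 1 or rdlen != 4:
            continue  # CNAME, AAAA, ... are not what is diverted on here
        ip = struct.unpack("!I", rdata)[0]
        idx = bisect.bisect_left(learned, (ip,))
        if idx < len(learned) and learned[idx][0] == ip:
            learned[idx] = (ip, now)  # already learned: refresh last use
        else:
            learned.insert(idx, (ip, now))  # insertion keeps the list sorted
            new.append(ip)
    return new


def build_dns_answer(name, addrs, tid=0x1234):
    """Construct a DNS response for the example (not a captured packet)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", tid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c"  # pointer to the question name at offset 12
        + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + question + answers
```

The header check is deliberately the first thing done, as the description requires: a query, a failed lookup or an answerless response is dropped after reading twelve bytes, and the name decoding (with its bounded pointer walk) only runs for packets that can actually carry a learnable address.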
  • if the ICB is not in line with the DNS server, it is still possible to learn information, for example from the Host field of HTTP requests. More particularly, IP addresses can be learned by observing the exchanges on the network. For example, an HTTP request to a CSP server carries the target IP address in the IP header and the target domain name in the Host field of the HTTP headers.
  • this method, although interesting as a fallback, is suboptimal for two reasons:
  • the first mechanism performs an automatic clean-up of IP addresses based on their frequency of use and their date of learning. There is no need to keep in memory an IP address that has not been used for a long time; an automated process detects these obsolete IP addresses and removes them from the database and from the decision process. To this end, as explained above, the database of learned IP addresses also includes a field recording the date of last use of the IP address in question.
  • when an ICB learns a new IP address, it sends an alert to a verification server in the interconnection network.
  • the server can then check whether this new IP corresponds to a change in the CSP's DNS records.
  • learning a new IP address may be subject to validation by a master server. Indeed, an IP address learned by observing DNS requests may in the end be handed by the interconnection network to an Internet transit provider, because it is not present in the routing tables specific to the CSPs. In that case the traffic would have been diverted for nothing.
  • the ICB can submit the learned IP address to a validation server within the cloud network. This server is responsible for checking the relevance of the IP address and informs the ICB. As long as the IP address has not been validated by the master server, it is added neither to the database nor to the diversion process.
  • the ICB can use this learning mechanism to whitelist IP addresses that must always be passed to the BFAI (typically all IP addresses in use that do not correspond to CSPs).
  • feeding this information back also makes it possible, during a system update, to start the ICB directly with this static list, which speeds up the processing of flows intended for the CSPs.
  • a clean-up system based on frequency of use and age of the IP address removes superfluous IP addresses.
  • when an ICB learns a new IP, it may happen that, when the traffic travels over the interconnection network, it is routed straight back out because the address is unknown to the routers. Resources would then have been consumed only to return the packets to the Internet.
  • since the DNS servers of the interconnection infrastructure provider are expected to be as up to date as possible, the mechanism for detecting unknown IP addresses via DNS queries could be used only (if not too expensive) to raise alerts and force active verification of DNS records at the core of the interconnection network.
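The per-packet decision rule (divert on destination IP, default to the BFAI) and the lifecycle of a learned address described in the last passages (pending until the master server validates it, whitelist pinning traffic to the BFAI, a static list to seed a restart, clean-up by last use and learning date), as an added example that is not the patent's code. Written in Python; the prefixes, addresses and timings are constructed, and the `validate` method stands in for the verdict that would come back from the validation server.

```python
"""Lifecycle of learned IP addresses and the per-packet diversion decision.

Added example, not code from the patent. An address learned from DNS stays
pending until the validation server confirms it; only validated addresses
(and a static CSP prefix list used to seed the ICB at start-up) cause a
diversion; a whitelist pins addresses to the BFAI; an ageing pass drops
entries by last use and learning date. All prefixes, addresses and
timings are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

DIVERT, PASS_TO_BFAI = "divert-to-interconnect", "pass-to-bfai"


@dataclass
class Entry:
    learned_at: float
    last_used: float
    uses: int = 0
    validated: bool = False


class LearnedIpTable:
    def __init__(self, static_csp_prefixes=(), whitelist=()):
        self.static = [ipaddress.ip_network(p) for p in static_csp_prefixes]
        self.whitelist = {ipaddress.ip_address(a) for a in whitelist}
        self.entries = {}  # ip_address -> Entry

    def propose(self, ip, now):
        """An ICB saw `ip` in a CSP DNS answer. Returns True when the address
        is new and an alert should go to the validation server."""
        ip = ipaddress.ip_address(ip)
        if ip in self.whitelist or any(ip in n for n in self.static):
            return False  # nothing to learn: the decision is already fixed
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = Entry(learned_at=now, last_used=now)
            return True
        e.last_used = now
        return False

    def validate(self, ip, accepted):
        """Verdict of the master server: activate the entry, or drop it."""
        ip = ipaddress.ip_address(ip)
        if accepted and ip in self.entries:
            self.entries[ip].validated = True
        else:
            self.entries.pop(ip, None)

    def decide(self, dst, now):
        """Per packet: divert to the interconnection network or not."""
        dst = ipaddress.ip_address(dst)
        if dst in self.whitelist:
            return PASS_TO_BFAI
        if any(dst in n for n in self.static):
            return DIVERT
        e = self.entries.get(dst)
        if e is not None and e.validated:
            e.last_used, e.uses = now, e.uses + 1
            return DIVERT
        return PASS_TO_BFAI  # default behaviour: hand it to the BFAI

    def cleanup(self, now, max_idle, max_age, min_uses):
        """Drop entries idle too long, or old and rarely used; return them."""
        stale = [ip for ip, e in self.entries.items()
                 if now - e.last_used > max_idle
                 or (now - e.learned_at > max_age and e.uses < min_uses)]
        for ip in stale:
            del self.entries[ip]
        return sorted(str(ip) for ip in stale)

    def export_static(self):
        """Validated addresses, to seed an ICB restart as a static list."""
        return sorted(str(ip) for ip, e in self.entries.items() if e.validated)
```

The whitelist is consulted before anything else so that an address the ICB has been told to leave alone is never diverted even if a CSP answer later names it, and a pending entry is counted as absent by `decide`, which is the "not added to the diversion process until validated" rule from the description.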

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1254238A FR2990585B1 (fr) 2012-05-09 2012-05-09 Systeme de transmission de donnees
PCT/EP2013/059754 WO2013167745A1 (fr) 2012-05-09 2013-05-10 Systeme de transmission de donnees

Publications (1)

Publication Number Publication Date
EP2847939A1 true EP2847939A1 (de) 2015-03-18

Family

ID=48446305

Family Applications (1)

Application Number Title Priority Date Filing Date
EP13723078.5A Withdrawn EP2847939A1 (de) 2012-05-09 2013-05-10 Datenübertragungssystem

Country Status (4)

Country Link
US (1) US20150100625A1 (de)
EP (1) EP2847939A1 (de)
FR (1) FR2990585B1 (de)
WO (1) WO2013167745A1 (de)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10608985B2 (en) * 2015-08-14 2020-03-31 Oracle International Corporation Multihoming for tunneled encapsulated media
US10805222B2 (en) * 2017-05-01 2020-10-13 General Electric Company Resilient network configuration for time sensitive traffic
US10979453B2 (en) * 2017-08-31 2021-04-13 International Business Machines Corporation Cyber-deception using network port projection
CN114641048A (zh) * 2022-04-18 2022-06-17 上海旷通科技有限公司 WIFI、Ethernet和5G三网融合路由***及方法

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2417736A2 (de) * 2009-04-10 2012-02-15 QUALCOMM Incorporated Qos-abbildung für relaisknoten

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3063721B2 (ja) * 1997-04-30 2000-07-12 日本電気株式会社 トポロジー情報交換装置及びプログラムを記録した機械読み取り可能な記録媒体
US6928478B1 (en) * 2001-06-25 2005-08-09 Network Appliance, Inc. Method and apparatus for implementing a MAC address pool for assignment to a virtual interface aggregate
US20040236855A1 (en) * 2003-05-23 2004-11-25 Amir Peles Multi-link tunneling
US7380011B2 (en) * 2003-10-01 2008-05-27 Santera Systems, Inc. Methods and systems for per-session network address translation (NAT) learning and firewall filtering in media gateway
US7620037B1 (en) * 2004-12-14 2009-11-17 Aspen Networks, Inc. Reliable ISP access cloud state detection method and apparatus
US9432213B2 (en) * 2007-12-31 2016-08-30 Rpx Clearinghouse Llc IP forwarding across a link state protocol controlled ethernet network
CN102158866B (zh) * 2011-02-01 2014-02-26 杭州华三通信技术有限公司 应用于wlan中的验证方法和装置
US10200270B2 (en) * 2011-04-28 2019-02-05 Voipfuture Gmbh Correlation of media plane and signaling plane of media services in a packet-switched network
WO2012154595A1 (en) * 2011-05-06 2012-11-15 Citrix Systems, Inc. Systems and methods for cloud bridging between public and private clouds
US8797844B1 (en) * 2011-12-29 2014-08-05 Juniper Networks, Inc. Scheduling traffic over aggregated bundles of links
US8902896B2 (en) * 2012-04-16 2014-12-02 International Business Machines Corporation Packet switching without look-up table for ethernet switches

Also Published As

Publication number Publication date
US20150100625A1 (en) 2015-04-09
FR2990585A1 (fr) 2013-11-15
WO2013167745A1 (fr) 2013-11-14
FR2990585B1 (fr) 2016-02-05

Legal Events

Code | Title | Description
PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012
17P | Request for examination filed | Effective date: 20141107
AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
AX | Request for extension of the European patent | Extension state: BA ME
RIN1 | Information on inventor provided before grant (corrected) | Inventor name: DILOUYA, JEROME; RYZMAN, BENJAMIN; TESTE, GREGORY
DAX | Request for extension of the European patent (deleted) |
17Q | First examination report despatched | Effective date: 20190129
STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN
18D | Application deemed to be withdrawn | Effective date: 20200901