KR101578193B1 - Method and System for controlling an access gateway using software defined network - Google Patents

Method and System for controlling an access gateway using software defined network

Info

Publication number: KR101578193B1
Authority: KR (South Korea)
Prior art keywords: flow, access gateway, service, packet, policy
Application number: KR1020140195005A
Other languages: Korean (ko)
Inventors: 전병천, 최재원
Original Assignee: (주)넷비젼텔레콤
Events: application filed by (주)넷비젼텔레콤; priority to KR1020140195005A; application granted; publication of KR101578193B1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 12/00 Data switching networks
            • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 47/00 Traffic control in data switching networks
            • H04L 47/10 Flow control; Congestion control

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to an access gateway control system using software defined network technology, and a control method thereof, which shorten the time and cost of creating a network service by adding the access gateway control system to an existing network.
An access gateway control system using software defined network technology according to an embodiment of the present invention comprises: a plurality of access gateways, each of which determines, per flow, how input traffic is processed in a manner defined by a flow control device, and transmits all or part of the traffic, together with its access gateway identifier (AG_ID), in a packet of a specified format to a flow monitoring device; one or more flow monitoring devices, which analyze the flow traffic received from the access gateways according to specified rules and deliver the analysis result, together with the AG_ID, to the flow control device; and a flow control device, which determines a flow processing policy based on the analysis result from the flow monitoring device and delivers the corresponding control policy to the access gateway designated by the AG_ID.

Description

TECHNICAL FIELD [0001] The present invention relates to an access gateway control system using software defined network technology and a control method thereof.

More particularly, the present invention relates to an access gateway control system that applies software defined network technology to an existing network, thereby shortening the time and resources needed to create and apply a service, and to a control method thereof.

In a conventional network, when a new service policy is created, the configuration of most of the network's components must be changed before the policy can be applied. Accounting rules for the newly created service must be set in the accounting equipment, and the quality of service (QoS) settings for each user must be newly configured in most of the network equipment before the service can be provided. Even when a new service has been created through this detailed work, applying it to a conventional network takes considerable time and resources. In addition, the network services that can be provided are limited by the functions (Accounting, QoS, and so on) supported by the devices already in the network: if the devices belonging to the network do not support the functions a specific service requires, that service cannot be applied without replacing the network equipment. Furthermore, the location of new service equipment is constrained by the network topology. Because existing networks are hierarchical, service equipment must be located at the front of the network or in front of the server in order to be used efficiently.

Another prior art related to the present invention is software defined networking. In a software defined network, each network element is controlled by a central controller; by applying the settings for a new service to the central controller, the new service can be applied to the entire network, which is an advantage. In this process the controller controls the forwarding of each packet by referring to a flow rule for each network element. To provide a differentiated service to each user, flow, or packet, the conventional technology places a flow identifier or service identifier in the header of each packet and provides differentiated services by varying the flow rules that the controller issues for each identifier. That is, the packet of a user subscribed to a specific service carries the identifier of that service, and is forwarded to that service according to the flow rule the controller sets for each network element per identifier. This conventional method can quickly apply a new policy by adding a new rule to the flow rules provided by the controller, but for a central controller to control all the components of the conventional network, every component must be replaced with a device that the controller can control.

1. Korean Patent Publication No. 10-2014-0052847: Method and apparatus for providing service quality in a software defined networking-based network
2. Korean Patent No. 10-1438212: Software defined network deep packet analysis method and software defined network system using the same
3. Korean Patent No. 10-0949808: P2P Traffic Management Device and Method Thereof

SUMMARY OF THE INVENTION The present invention has been conceived to solve the problems described above. An object of the present invention is to create and apply policies quickly by using the centralized control method of software defined networking technology, and to overcome the limitations on policy creation through software renewal. In addition, the concept of Network Function Virtualization is implemented with software defined networking technology, so that service equipment can be placed anywhere on the network irrespective of the network topology. Also, unlike existing software defined networking technology, the present invention enables the functions provided by software defined networking in an existing IP network by adding or replacing only the components specified in the invention, without the network switching function having to be brought under the controller's control. The purpose of the invention is to implement a software defined network solution that can create and apply services quickly and cheaply, and to diversify services by overcoming the hardware limitations of service creation.

In the present invention, a software defined network environment is configured in an existing IP network by adding or replacing three kinds of components, which constitute the access gateway control system, among the elements of the existing network, and a tunnel is set up for each service. The present invention thereby aims to provide, through software updates to the access gateway control system components, services that could not be implemented in the conventional network because of hardware limitations.

The access gateway control system of the present invention is intended to provide a software defined solution capable of creating various services and applying them rapidly while adding or replacing only a part of an existing IP network.

However, the object of the present invention is not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.

An access gateway control system using software defined network technology according to an embodiment of the present invention comprises: a plurality of access gateways, each of which determines, per flow, how input traffic is processed in a manner defined by a flow control device, and transmits all or part of the traffic, together with its access gateway identifier (AG_ID), in a packet of a specified format to a flow monitoring device; one or more flow monitoring devices, which analyze the flow traffic received from the access gateways according to specified rules and deliver the analysis result, together with the AG_ID, to the flow control device; and a flow control device, which determines a flow processing policy based on the analysis result from the flow monitoring device and delivers the corresponding control policy to the access gateway designated by the AG_ID.

Advantageously, the flow monitoring device can simultaneously analyze one or more different flows and can provide a plurality of analysis and processing schemes, and the flow control device determines, on a flow-by-flow basis for traffic passing through the plurality of access gateways, a control policy for performing at least one of attack detection and blocking, per-flow QoS control, and access control for a specific flow, and transmits that policy to the access gateway.

Preferably, when the access gateway provides a service that it cannot itself accommodate, the data plane packet processor of the access gateway sends the packet to the tunnel interface allocated for the service; the tunnel interface wraps the data packet in a tunnel header and injects it into the network, and because of the tunnel header the data packet is transmitted to a flow monitoring device on the network that is capable of handling the heavy load. The tunnel header of the packet includes an AG_ID identifying the source access gateway of the packet and a Service_ID indicating the per-service event processing engine to which the packet should be delivered.

More preferably, when a tunnel interface capable of carrying the AG_ID and the Service_ID is set up in the access gateway, the packet of a user subscribed to the service mapped to each tunnel interface is transmitted to that tunnel interface according to a flow rule; in the encapsulation process of the interface, the AG_ID and the Service_ID are inserted together with the tunnel header, and the packet is transmitted, using the destination IP address and destination L4 port number, to the flow monitoring device designated in the IP network, where it is processed.

Preferably, during initial operation the access gateway registers its MAC address or a unique device number with the flow control device, and is assigned a unique access gateway identifier (AG_ID) corresponding to the registered value.

Advantageously, the access gateway is capable of forwarding, dropping, redirecting to a specific IP address, passing and mirroring, forwarding and mirroring in a specified format, and transmitting the packet to a specific IP address (encapsulation delivery), and the processing method of each of these processing functions can be set by a control command of the flow control device.

Preferably, the flow control device includes: a policy generator that predefines a processing method according to the analysis contents of the flow monitoring device; a policy DB that stores the processing policy predefined for each flow; a policy searcher that searches the policy DB based on a flow analysis result; and an SDN controller that generates an access gateway control command according to the retrieved processing policy.

A control method of an access gateway control system using software defined network technology according to another embodiment of the present invention comprises: an access gateway determining, per flow, how input traffic is processed in a manner defined by a flow control apparatus, and transferring all or part of a specific traffic flow, according to a specified policy, in a packet of a specified format together with the access gateway identifier (AG_ID) to a flow monitoring device; the flow monitoring device analyzing the flow traffic received from the access gateway according to a specified rule and delivering the analysis result, together with the AG_ID, to the flow control apparatus; and the flow control apparatus determining the flow processing policy based on the analysis result from the flow monitoring apparatus and delivering the corresponding control policy to the access gateway specified by the AG_ID.

Advantageously, the flow monitoring device can simultaneously analyze one or more different flows and can provide a plurality of analysis and processing schemes, and the flow control device determines, on a flow-by-flow basis for traffic passing through the plurality of access gateways, a control policy for performing at least one of attack detection and blocking, per-flow QoS control, and access control for a specific flow, and transmits that policy to the access gateway.

Preferably, when the access gateway provides a service that it cannot itself accommodate, the step of delivering to the flow monitoring apparatus comprises: the data plane packet processor of the access gateway sending the packet to the tunnel interface allocated for the service; and the tunnel interface wrapping the data packet in a tunnel header and transmitting it to the network, so that, because of the tunnel header, the data packet is transmitted to a flow monitoring apparatus on the network that is capable of processing the heavy load. The tunnel header of the packet includes an AG_ID identifying the source access gateway of the packet and a Service_ID indicating the per-service event processing engine to which the packet should be transmitted.

More preferably, when a tunnel interface capable of carrying the AG_ID and the Service_ID is set up in the access gateway, the packet of a user subscribed to the service mapped to each tunnel interface is transmitted to that tunnel interface according to a flow rule; in the encapsulation process of the interface, the AG_ID and the Service_ID are inserted together with the tunnel header, and the packet is transmitted, using the destination IP address and destination L4 port number, to the flow monitoring device designated in the IP network, where it is processed.

Preferably, during initial operation the access gateway registers its MAC address or a unique device number with the flow control device, and is assigned a unique access gateway identifier (AG_ID) corresponding to the registered value.

Advantageously, the access gateway is capable of forwarding, dropping, redirecting to a specific IP address, passing and mirroring, forwarding and mirroring in a specified format, and transmitting the packet to a specific IP address (encapsulation delivery), and the processing method of each of these processing functions can be set by a control command of the flow control device.

Preferably, the flow control device includes: a policy generator that predefines a processing method according to the analysis contents of the flow monitoring device; a policy DB that stores the processing policy predefined for each flow; a policy searcher that searches the policy DB based on a flow analysis result; and an SDN controller that generates an access gateway control command according to the retrieved processing policy.

A computer-readable recording medium according to another embodiment of the present invention records a program for executing a control method of an access gateway control system using software defined network technology.

As described above, the present invention provides a network solution capable of real-time policy setting and differentiated services for all packets flowing into the network through the access gateway 100, using a software defined networking technique. The policy of the network manager, applied to the flow control apparatus 300, is linked in real time with the access gateway 100 and the flow monitoring apparatus 200 through flow rules, enabling rapid adoption and introduction of new policies without the need to replace equipment. Also, according to the present invention, a software defined networking service can be provided through a tunnel even in an existing IP network, so that a service can be provided without replacing, or while replacing only a part of, the existing network equipment.

Further, the present invention provides a basis for various services based on DPI (Deep Packet Inspection) that cannot be processed by the access gateway itself, using the additional flow monitoring device, and so can use a low-cost access gateway that provides analysis only up to L4 while still providing services such as attack detection and application-based services that require analysis and processing up to L7.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows an access gateway control system according to the present invention.
FIG. 2 shows a configuration of an access gateway according to the present invention.
FIG. 3 shows a flow control device configuration according to the present invention.
FIG. 4 shows an initialization procedure of an access gateway according to the present invention.
FIG. 5 shows a data packet processing procedure of an access gateway according to the present invention.
FIG. 6 is a flowchart illustrating a control command processing procedure of an access gateway according to the present invention.
FIG. 7 shows an example of a GRE header according to the present invention.
FIG. 8 shows an example of a VxLAN header according to the present invention.
FIG. 9 shows an example of an IPSec header according to the present invention.
FIG. 10 shows a packet processing procedure of the flow monitoring apparatus according to the present invention.
FIG. 11 shows an event processing procedure of the flow control apparatus according to the present invention.

The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The terminology used in this application is used only to describe specific embodiments and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the term "comprising" or the like is intended to specify the presence of the stated features, numbers, steps, operations, components, parts, or combinations thereof, but does not preclude the presence or addition of other features, numbers, steps, operations, components, parts, or combinations thereof.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The present invention implements a software defined network (SDN) at relatively low cost in an existing network, in order to diversify the services that can be created and to speed up their application while continuing to use most of the conventional network equipment.

An access gateway control system using software defined network technology according to an embodiment of the present invention comprises: a plurality of access gateways, each of which determines, per flow, how input traffic is processed in a manner defined by a flow control device, and transmits all or part of the traffic, together with its access gateway identifier (AG_ID), in a packet of a specified format to a flow monitoring device; one or more flow monitoring devices, which analyze the flow traffic received from the access gateways according to specified rules and deliver the analysis result, together with the AG_ID, to the flow control device; and a flow control device, which determines a flow processing policy based on the analysis result from the flow monitoring device and transmits the corresponding control policy to the access gateway designated by the AG_ID. In addition, the flow monitoring apparatus can simultaneously analyze one or more different flows and can provide a plurality of analysis and processing methods, and the flow control apparatus can determine, on a flow-by-flow basis, a control policy for performing at least one of attack detection and blocking, per-flow QoS, and per-flow access control, and transmit it to the access gateway.

FIG. 1 shows an access gateway control system according to the present invention. As shown in FIG. 1, the access gateway control system 1000 of the present invention is composed of three components, namely the access gateway 100, the flow monitoring apparatus 200, and the flow control apparatus 300. It can provide a service through the service provision and control tunnel, indicated by the red dotted line in FIG. 1, within the conventional IP network, without requiring the replacement of existing network equipment.

FIG. 2 shows the configuration of the access gateway 100. An access gateway is an edge device of an existing network, located nearest to the network user among the devices under the control of the Internet service provider. The access gateway control system allows the access gateways to be controlled by software defined networking technology, so that all packets passing through each access gateway, that is, all packets the user sends into the network, can be given differentiated services. To provide such a service, the access gateway uses an AG control agent 110 and a data plane packet processor 120, and writes the flow rules received by the AG control agent 110 into the flow table 121 of the data plane packet processor 120 to provide differentiated services for each service user.

FIG. 3 shows the configuration of the flow control device 300. To implement inexpensive software defined networking, the access gateway control system of the present invention employs a method in which heavy-load services are processed by event processing engines belonging to the flow monitoring device on the network, instead of in the access gateway. In this method, the flow control device records a log of the service provision status for each service and, when the result of service processing requires a setting to be made on the access gateway that transmitted the service packet, performs that setting. Therefore, the flow control device loads the policy processor 310 on top of an SDN controller capable of generating and setting flow rules, and uses the policy processor 310 as an application. The policy processor 310 includes a policy detector 311 that classifies received events and searches for the policy set for an event, and a policy DB 312 that records the policies to be applied on an event-by-event basis. When a policy is found, the retrieved policy is transmitted to the SDN controller so that the flow rules specified in the policy can be generated and transmitted. In addition, the policy processor 310 provides a policy generator 313 that allows a network administrator to insert policies to be applied on an event-by-event basis into the policy DB 312.

Another component of the access gateway control system 1000 is the flow monitoring device 200, as shown in FIG. The flow monitoring apparatus recognizes the access gateway identifier and the service identifier contained in the header of the input traffic, analyzes and processes the traffic according to the service, and transmits the analysis and processing results to the flow control apparatus. The flow monitoring device can simultaneously analyze one or more different flows and can provide various analysis and processing methods.

A control method of an access gateway control system using software defined network technology according to another embodiment of the present invention comprises: an access gateway determining, per flow, how input traffic is processed in a manner defined by a flow control apparatus, and transferring all or part of a specific traffic flow, according to a specified policy, in a packet of a specified format together with the access gateway identifier (AG_ID) to a flow monitoring device; the flow monitoring device analyzing the flow traffic received from the access gateway according to a specified rule and delivering the analysis result, together with the AG_ID, to the flow control apparatus; and the flow control apparatus determining the flow processing policy based on the analysis result from the flow monitoring apparatus and delivering the corresponding control policy to the access gateway specified by the AG_ID.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the detailed procedure of the control method of an access gateway control system using software defined network technology will be described with reference to the accompanying drawings. FIGS. 4, 5, and 6 are flowcharts of the initialization procedure, the data packet processing procedure, and the control command processing procedure of the access gateway, respectively.

FIG. 4 shows the procedure for initializing the access gateway. In step S410 of FIG. 4, the access gateway transmits a connection request to the flow control apparatus of the access gateway control system, sending its own DataPathID (DPID) and MAC (Media Access Control) address, and receives from the flow control apparatus its AG_ID (Access Gateway ID), IP address, and configuration information including interface information and tunnel information for each service. Thereafter, the AG control agent 110 of the access gateway completes step S420 of setting up a virtual interface and a tunnel for each service using the configuration information received in step S410. In step S430 it then requests from the flow control device the flow rules that send packets to the designated virtual interface or tunnel, so that processing is differentiated per packet, and receives the flow rules from the flow control device. The received flow rules are set in the access gateway by the AG control agent 110 in step S440, and the access gateway completes the initialization procedure.

An access gateway that has completed the initialization procedure uses the data plane packet processor 120 to forward packets to different interfaces according to the flow rules set in the flow table. The flow rules set in the flow table can use any available header field as a match condition: L2 fields such as the MAC address and Ether-Type field, L3 fields such as the IP address, Type of Service (ToS) field and Protocol field, the L4 fields, and up to the L7 application layer fields, with the packet checked against the condition for each field specified in the flow rule. The action executed for each flow rule is one of: drop, which discards the packet itself; block, which ignores the packet; redirect, which transfers the packet to a specific interface; mirror, which copies the packet to a specific interface; and forwarding (L2 switching or L3 routing). In the access gateway control system, the block, redirect, and mirror actions are mainly used: unless a packet is blocked, it is redirected or mirrored to the virtual interface set up for each service.

This procedure is described in detail in the data packet processing procedure of FIG. 5, which starts with the access gateway receiving a data packet in step S510. When the access gateway receives the data packet, the data plane packet processor 120 first checks, in step S520, whether the flow table contains a flow rule that matches the received data packet. If there is no matching flow rule, the data plane packet processor 120 passes the request to the AG control agent 110, which in step S532 requests from the flow control device the flow rule needed for the received data packet. The flow control device sends down a flow rule based on the policy set by the network manager; the AG control agent 110 of the access gateway receives and installs it, and then has the data plane packet processor 120 perform step S520 again. When the data plane packet processor 120 enters step S531, it applies the action defined in the flow rule matched for the packet. Since the block action performs no operation, the action is usually redirect or mirror; therefore, in step S531, the data plane packet processor 120 redirects or mirrors the data packet to the interface specified in the action of the flow rule. The interfaces that may be specified in the action include the virtual interfaces and tunnel interfaces set up in the initialization procedure of the access gateway in order to perform per-service packet processing, and through this differentiated per-service packet processing, service differentiation through the access gateway is performed in step S540.
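As an added illustration (not code from the patent or its assignee), the following Python simulation walks the FIG. 5 data packet procedure: a flow table with L2/L3/L4 match fields, the block/redirect/mirror/forward actions, a flow miss that requests a rule from a stand-in flow control device (S532), and the control-command path that installs a rule directly into the table (S642). The packet dictionaries, the policy contents, the interface names and the default rule shape are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]   # constructed stand-in for the parsed header fields (L2..L7)


@dataclass
class FlowRule:
    """One flow-table entry: match conditions on header fields plus an action."""
    match: Dict[str, object]          # e.g. {"ip_proto": 6, "dst_port": 80}
    action: str                       # drop | block | redirect | mirror | forward
    interface: Optional[str] = None   # virtual/tunnel interface for redirect and mirror
    priority: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    """Flow table 121: the highest-priority matching rule wins (step S520)."""

    def __init__(self) -> None:
        self.rules: List[FlowRule] = []

    def add(self, rule: FlowRule) -> None:
        """S642 add/update: a rule with the same match conditions is replaced."""
        self.delete(rule.match)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def delete(self, match: Dict[str, object]) -> None:
        self.rules = [r for r in self.rules if r.match != match]

    def lookup(self, pkt: Packet) -> Optional[FlowRule]:
        return next((r for r in self.rules if r.matches(pkt)), None)


class FlowControlDevice:
    """Stand-in for flow control device 300 with a policy DB of pre-set rules."""

    def __init__(self, policies: List[FlowRule]) -> None:
        self.policies = policies
        self.requests = 0   # how often an access gateway asked for a rule (S532)

    def request_rule(self, pkt: Packet) -> FlowRule:
        self.requests += 1
        for policy in self.policies:
            if policy.matches(pkt):
                return policy
        # No policy covers this flow: plain L2/L3 forwarding for this specific flow (assumed default).
        match = {k: pkt[k] for k in ("src_ip", "dst_ip", "dst_port") if k in pkt}
        return FlowRule(match=match, action="forward")

    def push_rule(self, gateway: "AccessGateway", rule: FlowRule) -> None:
        """Control command carrying a flow rule (S632/S642), e.g. after an attack event."""
        gateway.table.add(rule)


class AccessGateway:
    """Data plane packet processor 120 following FIG. 5; the AG control agent path is inlined."""

    def __init__(self, controller: FlowControlDevice, interfaces: List[str]) -> None:
        self.table = FlowTable()
        self.controller = controller
        self.delivered: Dict[str, List[Packet]] = {name: [] for name in interfaces}
        self.forwarded: List[Packet] = []   # packets that took the normal L2/L3 path

    def process(self, pkt: Packet) -> str:
        rule = self.table.lookup(pkt)                    # S520: is there a matching rule?
        if rule is None:                                 # flow miss
            rule = self.controller.request_rule(pkt)     # S532: ask the flow control device
            self.table.add(rule)                         # install it, then repeat S520
            rule = self.table.lookup(pkt)
        assert rule is not None
        if rule.action == "drop":                        # S531: apply the rule's action
            return "drop"
        if rule.action == "block":
            return "block"
        if rule.action == "redirect":                    # whole flow goes to the service interface
            self.delivered[rule.interface].append(pkt)
            return f"redirect:{rule.interface}"
        if rule.action == "mirror":                      # copy to the service interface (S540)
            self.delivered[rule.interface].append(dict(pkt))
            self.forwarded.append(pkt)                   # original keeps its normal path
            return f"mirror:{rule.interface}"
        self.forwarded.append(pkt)
        return "forward"


def build_demo_gateway() -> AccessGateway:
    """Constructed policies a network manager might enter through policy generator 313."""
    policies = [
        # Mirror web traffic to the DPI tunnel: the L4-only gateway cannot do the L7 analysis itself.
        FlowRule(match={"ip_proto": 6, "dst_port": 80}, action="mirror", interface="tun_dpi", priority=10),
        # Hand mail traffic entirely to the attack-detection service engine.
        FlowRule(match={"ip_proto": 6, "dst_port": 25}, action="redirect", interface="tun_attack", priority=10),
    ]
    return AccessGateway(FlowControlDevice(policies), ["tun_dpi", "tun_attack"])
```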

When the access gateway provides a service whose load it cannot accommodate, the data plane packet processor 120 of the access gateway sends the packet to the tunnel interface allocated for the service. The tunnel interface wraps the data packet in a tunnel header and injects it into the network; because of the tunnel header, the data packet is transmitted to a flow monitoring apparatus 200 on the network that is capable of handling the heavy-load service. In this process, the tunnel header of the packet carries an AG_ID identifying the source access gateway of the packet and a Service_ID indicating the per-service event processing engine to which the packet should be delivered, so that when the packet reaches the flow monitoring apparatus 200, the apparatus has sufficient information about the packet to provide the specific service.

The tunnel interface of the present invention can conceptually be supported, for any tunnel header, by a software upgrade of the access gateway control system. The access gateway must be configured to operate together with the flow control device 300 in order to perform the functions of the present invention described above. To this end, the flow control device 300 transmits a control command to the access gateway. Upon receiving the control command, the access gateway performs the control command processing procedure shown in FIG. 6 to apply the settings defined in the control command.

Upon receipt of a control command in step S610 of FIG. 6, the AG control agent 110 of the access gateway checks in step S620 whether the received control command is a command for configuring the access gateway, such as an interface or tunnel setting, or a command for setting a flow rule. If it is a command for configuring the access gateway, the flow advances to step S631 to extract the configuration information, and the configuration is applied to the access gateway in step S641. If instead it is a command for setting a flow rule, step S632 is performed to extract the flow rule, and the flow rule is added to, deleted from, or updated in the flow table 121 in step S642. The access gateway is thus prepared for the data packet processing procedure of the data plane packet processor 120.

FIGS. 7 and 8 show examples of implementing the tunnel interface concept of the present invention with two well-known tunnel headers, GRE (Generic Routing Encapsulation) and VXLAN (Virtual Extensible LAN). The core of the concept is that the AG_ID and Service_ID are inserted in the tunnel header, so that these two identifiers can be carried to the flow monitoring apparatus 200 in specific fields of the respective headers. In the GRE header of FIG. 7, AG_ID and Service_ID are carried in the Reserved1 field, which is present when the checksum flag is set to 1; in the VXLAN header of FIG. 8 they are carried in the VNI field.

Provided a field capable of carrying the AG_ID and Service_ID can be identified, other tunnel headers can also serve as the tunnel interface of the present invention, for example the IPsec header of FIG. 9, which has a Reserved field, in addition to GRE and VXLAN. When a tunnel interface capable of carrying the AG_ID and Service_ID is configured in the access gateway, packets of users subscribed to the service mapped to each tunnel interface are steered to that tunnel interface according to the flow rule; during encapsulation the AG_ID and Service_ID are inserted in the tunnel header, and the packet is transmitted over the existing network to the flow monitoring apparatus 200 designated by the destination IP address and destination L4 port number. In this way the access gateway provides the foundation for a software-defined networking solution that can create and deploy differentiated services quickly and at low cost in existing networks.
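How the two identifiers can be packed into the GRE and VXLAN fields named above, and how the receiving side can check them, as an added Python example that is not code from the patent. The bit split (VXLAN VNI: 8-bit Service_ID above a 16-bit AG_ID; GRE Reserved1: 4-bit Service_ID above a 12-bit AG_ID) is an assumption, since the patent does not fix the widths. `verify_origin` and its registry of outer source addresses are likewise assumptions, added because a tunnel header carries no authentication: anyone who can reach the tunnel endpoint of the flow monitoring apparatus can forge an AG_ID, and the control commands the flow control device later sends are addressed by that AG_ID.

```python
import struct
from typing import Dict, Tuple

# Assumed bit widths (not specified by the patent): the 24-bit VXLAN VNI carries
# Service_ID in its top 8 bits and AG_ID in its low 16 bits; the 16-bit GRE
# Reserved1 field carries Service_ID in its top 4 bits and AG_ID in its low 12 bits.
VXLAN_I_FLAG = 0x08          # RFC 7348: VNI valid
GRE_C_FLAG = 0x8000          # RFC 2784: checksum field (and Reserved1) present
ETHERTYPE_IPV4 = 0x0800


def _check_range(value: int, bits: int, name: str) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


# ---- VXLAN: flags(1) reserved(3) VNI(3) reserved(1), 8 bytes (FIG. 8) ----
def build_vxlan_header(ag_id: int, service_id: int) -> bytes:
    _check_range(ag_id, 16, "AG_ID")
    _check_range(service_id, 8, "Service_ID")
    vni = (service_id << 16) | ag_id
    return struct.pack("!B3sI", VXLAN_I_FLAG, b"\x00" * 3, vni << 8)


def parse_vxlan_header(packet: bytes) -> Tuple[int, int, bytes]:
    """Returns (AG_ID, Service_ID, inner packet)."""
    flags, _reserved, vni_word = struct.unpack("!B3sI", packet[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    vni = vni_word >> 8
    return vni & 0xFFFF, (vni >> 16) & 0xFF, packet[8:]


# ---- GRE with C=1: flags/ver(2) proto(2) checksum(2) Reserved1(2), 8 bytes (FIG. 7) ----
def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_packet(ag_id: int, service_id: int, payload: bytes,
                     proto: int = ETHERTYPE_IPV4) -> bytes:
    _check_range(ag_id, 12, "AG_ID")
    _check_range(service_id, 4, "Service_ID")
    reserved1 = (service_id << 12) | ag_id
    # RFC 2890: the checksum covers the GRE header and payload with the field zeroed
    header = struct.pack("!HHHH", GRE_C_FLAG, proto, 0, reserved1)
    csum = ones_complement_sum(header + payload)
    return struct.pack("!HHHH", GRE_C_FLAG, proto, csum, reserved1) + payload


def parse_gre_packet(packet: bytes) -> Tuple[int, int, bytes]:
    """Returns (AG_ID, Service_ID, inner packet); rejects a clear C flag or a bad checksum."""
    flags_ver, _proto, csum, reserved1 = struct.unpack("!HHHH", packet[:8])
    if not flags_ver & GRE_C_FLAG:
        raise ValueError("GRE checksum flag clear: Reserved1 is not present")
    if ones_complement_sum(packet[:4] + b"\x00\x00" + packet[6:]) != csum:
        raise ValueError("GRE checksum mismatch")
    return reserved1 & 0x0FFF, reserved1 >> 12, packet[8:]


# ---- Receiving side of the flow monitoring apparatus (assumption, not in the patent) ----
def verify_origin(ag_id: int, outer_src_ip: str, registry: Dict[int, str]) -> bool:
    """The tunnel header is not authenticated, so an AG_ID is only trusted when the
    outer source address matches the gateway registered under that identifier."""
    return registry.get(ag_id) == outer_src_ip
```

The GRE checksum only protects against corruption, not against a deliberate rewrite of Reserved1, which is why the origin check is keyed on something the tunnel sender cannot choose freely; where a stronger binding is needed, the tunnel itself has to be authenticated.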

FIG. 10 shows the packet processing procedure of the flow monitoring apparatus. When a user's packet arrives at the event processing engine of the target service, as selected by the Service_ID of the tunnel header, the engine first decapsulates the tunnel header of the packet in step S1010. For a service that requires control of the originating access gateway, the AG_ID is extracted from the tunnel header at this point so that the originating access gateway can be identified for control after service processing. After decapsulation, the user's original packet is passed to the event processing engine of the target service and the service processing of step S1020 is performed. In step S1030 the event processing engine then transmits an event describing the processing performed in step S1020 to the flow control device, so that a log of the service processing is kept. If the access gateway that forwarded the packet needs to be controlled, the event is sent together with the AG_ID, so that the flow control device can apply the setting requested by the event processing engine to that access gateway. In step S1040 the packet is released or dropped, which completes the processing. These service processing steps may differ for each service-specific event processing engine; because services are created and modified by adding and modifying per-service event processing engines, the access gateway control system of the present invention can be applied quickly to an existing network. In addition, since each service-specific event processing engine is a logically separated object, it can be instantiated by virtualization.

Depending on the load a service requires, several event processing engines for several services may be hosted on the same server, or a single large event processing engine for one specific service may be hosted on its own, and the number of physical servers in use can be changed as the load changes, so that various services can be provided to existing networks inexpensively.

The flow control device, the last component of the access gateway control system, determines and controls the flow rules for the access gateway to be controlled, based on the access gateway identifier and the flow information contained in the flow analysis and processing result received from the flow monitoring device.

FIG. 11 shows the event processing procedure of the flow control device, which performs a policy search and applies a flow rule for the policy triggered by an event delivered by a service event processing engine of the flow monitoring apparatus. When the flow control device receives an event in step S1110, it performs step S1120 to search the policy DB for a policy matching the event. If no policy exists for the event, a log entry is written in step S1132 recording it as an unprocessed event, and the event is ignored. If a policy for the event exists, the flow control device executes the policy in step S1131 and, where necessary, transmits a flow rule or configuration information to the access gateway. After processing, in step S1140 the flow control device logs the processed event.
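The event path of FIGS. 10 and 11, from a service-specific event processing engine through the policy lookup in the flow control device to the control command it emits for the gateway named by the AG_ID, as an added Python example that is not the patent's code. The port-scan engine, the policy DB keyed on (Service_ID, event type), the event and command fields and the log strings are all assumptions: the patent only says that engines are service-specific and that the policy DB is searched per event. The sample packets in `run_scenario` are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical event emitted in S1030; the patent only says it carries the service
# processing result and, when the gateway must be controlled, the AG_ID.


@dataclass
class Event:
    service_id: int
    event_type: str
    ag_id: int
    flow: Dict[str, object]     # fields identifying the flow the policy should act on


@dataclass
class PortScanEngine:
    """Example service-specific event processing engine (assumed Service_ID 1): after
    S1010 decapsulation it counts distinct destination ports per (AG_ID, source) and
    raises one event when a source crosses the threshold (S1020/S1030)."""
    threshold: int = 5
    seen: Dict[Tuple[int, str], Set[int]] = field(default_factory=dict)

    def process(self, ag_id: int, inner: Dict[str, object]) -> Optional[Event]:
        ports = self.seen.setdefault((ag_id, inner["src_ip"]), set())
        ports.add(inner["dst_port"])
        if len(ports) == self.threshold:      # fire exactly once per source
            return Event(service_id=1, event_type="port_scan", ag_id=ag_id,
                         flow={"src_ip": inner["src_ip"]})
        return None


@dataclass
class FlowController:
    """FIG. 11: policy search (S1120), policy execution (S1131), logging (S1132/S1140)."""
    policy_db: Dict[Tuple[int, str], Dict[str, object]]
    log: List[str] = field(default_factory=list)
    sent: List[Dict[str, object]] = field(default_factory=list)   # commands handed to gateways
    next_rule_id: int = 1

    def handle_event(self, ev: Event) -> Optional[Dict[str, object]]:
        policy = self.policy_db.get((ev.service_id, ev.event_type))        # S1120
        if policy is None:                                                 # S1132
            self.log.append(f"unprocessed event {ev.event_type!r} from AG {ev.ag_id}")
            return None
        cmd = {                                                            # S1131
            "ag_id": ev.ag_id, "kind": "flow_rule", "op": "add",
            "rule": {"rule_id": self.next_rule_id, "match": dict(ev.flow),
                     "action": policy["action"], "target": policy.get("target"),
                     "priority": policy.get("priority", 0)},
        }
        self.next_rule_id += 1
        self.sent.append(cmd)
        self.log.append(f"AG {ev.ag_id}: {policy['action']} for {ev.event_type!r} "
                        f"on {ev.flow}")                                   # S1140
        return cmd


def run_scenario() -> Tuple[List[Dict[str, object]], List[str]]:
    """Constructed sample: AG 7 tunnels packets from one source that probes five ports,
    followed by an event type for which the policy DB holds no entry."""
    engine = PortScanEngine(threshold=5)
    controller = FlowController(policy_db={(1, "port_scan"): {"action": "drop", "priority": 100}})
    probes = [{"src_ip": "203.0.113.4", "dst_port": p} for p in (21, 22, 23, 25, 80)]
    for pkt in probes:
        ev = engine.process(7, pkt)
        if ev is not None:
            controller.handle_event(ev)
    controller.handle_event(Event(service_id=2, event_type="dns_anomaly", ag_id=7, flow={}))
    return controller.sent, controller.log


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

The command the controller emits carries the AG_ID the engine copied out of the tunnel header, so the blocking rule lands on the gateway the scanning host is actually behind rather than on every gateway; the unprocessed-event log line is what an operator would review to find detections that have no policy yet.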

Meanwhile, the control method of the access gateway control system using software defined network technology according to the embodiment of the present invention may be implemented in the form of program instructions executable by various electronic information processing means and recorded on a storage medium. The storage medium may contain program instructions, data files, data structures and the like, alone or in combination.

The program instructions recorded on the storage medium may be specially designed and constructed for the present invention, or may be those known and available to those skilled in computer software. Examples of storage media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory. The medium may also be a transmission medium such as an optical or metal line or a waveguide, including a carrier wave carrying a signal that specifies program instructions, data structures and the like. Examples of program instructions include machine code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like.

It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention as defined in the appended claims.

Claims (15)

1. An access gateway control system using software defined network technology, comprising:
a plurality of access gateways, each of which determines a processing method for incoming traffic on a per-flow basis according to the flow rules defined by the flow control device, and transfers all or part of a specific traffic flow to a flow monitoring device, encapsulated in a packet of a specified format together with the corresponding access gateway identifier (AG_ID);
one or more flow monitoring devices, which analyze the flow traffic received from the access gateways according to specified rules and deliver the analysis result to the flow control device together with the access gateway identifier (AG_ID); and
a flow control device, which determines a flow processing policy based on the analysis result received from the flow monitoring device and delivers the corresponding control policy to the access gateway designated by the access gateway identifier.
2. The system according to claim 1,
wherein the flow monitoring device can analyze one or more different flows simultaneously and provides a plurality of analysis and processing schemes, and
wherein the flow control device determines, for traffic passing through the plurality of access gateways, a control policy for performing at least one of attack detection and blocking, flow quality of service (QoS) control, and access control for each specific flow, and transmits the corresponding access gateway control information to the access gateway.
3. The system according to claim 1,
wherein, when the access gateway provides a service that the access gateway itself cannot accommodate, the data plane packet processor of the access gateway sends the packet to the tunnel interface allocated for the service,
wherein the tunnel interface encapsulates the packet in a tunnel header and transmits it to the flow monitoring device, and
wherein the tunnel header of the packet includes an AG_ID identifying the source access gateway of the packet and a Service_ID designating the per-service event processing engine to which the packet is to be delivered.
4. The system according to claim 3,
wherein, when a tunnel interface capable of carrying the AG_ID and the Service_ID is configured in the access gateway, packets of users subscribed to the service mapped to each tunnel interface are sent to that tunnel interface according to the flow rule, the AG_ID and the Service_ID are inserted together with the tunnel header during the encapsulation process of the tunnel interface, and the packet is transmitted over the IP network, using the destination IP address and the destination L4 port number, to the designated flow monitoring apparatus to be processed by the event processing engine of the target service.
5. The system according to claim 1,
wherein the access gateway registers its MAC address or unique device number with the flow control device at initial operation and receives a unique access gateway identifier (AG_ID) corresponding to the registered value.
6. The system according to claim 1,
wherein the access gateway can perform, for traffic received from the device side or the network side, forwarding, dropping, redirecting to a specific IP address, passing with mirroring, and forwarding to a specific IP address in a packet of a specified format (encapsulated delivery), and the processing method of each processing function can be set by a control command of the flow control device.
7. The system according to claim 1, wherein the flow control device comprises:
a policy generator, which predefines processing methods according to the analysis contents of the flow monitoring apparatus;
a policy DB, which stores the processing policies predefined per flow;
a policy searcher, which searches the policy DB based on a flow analysis result; and
an SDN controller, which generates access gateway control commands according to the retrieved processing policy.
8. A control method of an access gateway control system using software defined network technology, comprising:
an access gateway determining, on a per-flow basis, the processing type of incoming traffic in the manner defined by the flow control apparatus, and transferring all or part of a specific traffic flow to the flow monitoring apparatus in a packet of a specified format according to the specified policy, together with the corresponding access gateway identifier (AG_ID);
the flow monitoring device analyzing the flow traffic received from the access gateway according to specified rules and delivering the analysis result to the flow control device together with the access gateway identifier (AG_ID); and
the flow control apparatus determining a flow processing policy based on the analysis result from the flow monitoring apparatus and transferring the corresponding control policy to the access gateway designated by the access gateway identifier.
9. The method according to claim 8,
wherein the flow monitoring device can analyze one or more different flows simultaneously and provides a plurality of analysis and processing schemes, and
wherein the flow control device determines, for traffic passing through a plurality of access gateways, a control policy for performing at least one of attack detection and blocking, flow quality of service (QoS) control, and access control for each specific flow, and transmits it to the access gateway.
10. The method according to claim 8, wherein the step of transferring to the flow monitoring device comprises:
when the access gateway provides a service that the access gateway itself cannot accommodate, the data plane packet processor of the access gateway sending the packet to the tunnel interface allocated for the service; and
the tunnel interface wrapping the packet in a tunnel header and transmitting it to the flow monitoring apparatus,
wherein the tunnel header of the packet includes an AG_ID identifying the source access gateway of the packet and a Service_ID designating the per-service event processing engine to which the packet is to be transmitted.
11. The method according to claim 10, wherein, when a tunnel interface capable of carrying the AG_ID and the Service_ID is configured in the access gateway, packets of users subscribed to the service mapped to each tunnel interface are sent to that tunnel interface according to the flow rule, the AG_ID and the Service_ID are inserted together with the tunnel header during the encapsulation process of the tunnel interface, and the packet is transmitted over the IP network, using the destination IP address and the destination L4 port number, to the designated flow monitoring device to be processed by the event processing engine of the target service.
12. The method according to claim 8,
wherein the access gateway registers its MAC address or unique device number with the flow control device at initial operation and is assigned a unique access gateway identifier (AG_ID) corresponding to the registered value.
13. The method according to claim 8,
wherein the access gateway can perform, for traffic received from the device side or the network side, forwarding, dropping, redirecting to a specific IP address, passing with mirroring, and forwarding to a specific IP address in a packet of a specified format (encapsulated delivery), and the processing method of each processing function is set by a control command of the flow control device.
14. The method according to claim 8, wherein the flow control device comprises:
a policy generator, which predefines processing methods according to the analysis contents of the flow monitoring apparatus;
a policy DB, which stores the processing policies predefined per flow;
a policy searcher, which searches the policy DB based on a flow analysis result; and
an SDN controller, which generates access gateway control commands according to the retrieved processing policy.
15. A computer-readable recording medium storing a program for executing the method of any one of claims 8 to 14.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020140195005A KR101578193B1 (en) 2014-12-31 2014-12-31 Method and System for controlling an access gateway using software defined network

Publications (1)

Publication Number Publication Date
KR101578193B1 true KR101578193B1 (en) 2015-12-16

Family

ID=55080812

Country Status (1)

Country Link
KR (1) KR101578193B1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100949808B1 (en) 2007-12-07 2010-03-30 한국전자통신연구원 Apparatus and method for managing p2p traffic
KR20140052847A (en) 2012-10-22 2014-05-07 한국전자통신연구원 Method and apparatus for providing quality of service in software defiend neworking network
KR101438212B1 (en) 2014-02-25 2014-09-04 주식회사 나임네트웍스 Method for deep packet instection of software defined network and software defined networking system using the same

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111698730A (en) * 2019-03-15 2020-09-22 阿里巴巴集团控股有限公司 Flow control method, operating system, end equipment and distributed system
CN111698730B (en) * 2019-03-15 2023-11-21 斑马智行网络(香港)有限公司 Flow control method, operating system, terminal equipment and distributed system
KR102181185B1 (en) * 2019-09-24 2020-11-20 프라이빗테크놀로지 주식회사 System and method for providing secure network connection to devices
WO2021060856A1 (en) * 2019-09-24 2021-04-01 프라이빗테크놀로지 주식회사 System and method for secure network access of terminal
US11082256B2 (en) 2019-09-24 2021-08-03 Pribit Technology, Inc. System for controlling network access of terminal based on tunnel and method thereof
US11190494B2 (en) 2019-09-24 2021-11-30 Pribit Technology, Inc. Application whitelist using a controlled node flow
US11271777B2 (en) 2019-09-24 2022-03-08 Pribit Technology, Inc. System for controlling network access of terminal based on tunnel and method thereof
US11381557B2 (en) 2019-09-24 2022-07-05 Pribit Technology, Inc. Secure data transmission using a controlled node flow
US11652801B2 (en) 2019-09-24 2023-05-16 Pribit Technology, Inc. Network access control system and method therefor

Legal Events

Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment (payment date: 2018-12-10; year of fee payment: 4)
FPAY Annual fee payment (payment date: 2019-12-10; year of fee payment: 5)