KR20190028059A - Apparatus and method for controlling traffic in openflow network - Google Patents

Abstract

Receiving a first packet including a port number of a traffic from an open flow controller, receiving a traffic packet using a port number of the traffic or a Deep Packet Inspection (DPI) based on the first packet, And generating a flow rule including firewall information on the traffic based on the information of the application program and the firewall policy table. The present invention can further include adding bandwidth limiting information and priority queue information for traffic to the flow rule when the firewall information is not dropping, so that traffic of a specific application program is controlled according to the intention of the administrator .

Description

[0001] APPARATUS AND METHOD FOR CONTROLLING TRAFFIC IN OPENFLOW NETWORK [0002]

The present invention relates to an apparatus and method for controlling traffic in an OpenFlow network, and more particularly to an apparatus and method for controlling traffic in an OpenFlow network. More particularly, the present invention relates to an apparatus and method for controlling traffic in an open flow network, To a device and a method for performing a grading service.

Recently, as the size of network increases, traffic volume also increases. In addition, since each network service requires a large amount of network bandwidth to guarantee a certain quality of service (QoS), a method for effectively managing traffic in many networks is required. However, in the existing network environment, since the network management environment for traffic control is closed and only a limited interface is provided, it is difficult in terms of cost and operation. Therefore, in order to solve such a problem, an attempt has been made to control traffic by establishing SDN (Software Defined Networks) environment in a service provider network or an Internet data center (IDC). SDN is a next-generation network technology that divides a network into a control plane and a data plane to provide a flexible and efficient network management function. OpenFlow is a de facto standard communication protocol used in SDN. It supports L4 network layer, so it inserts TCP / UDP port number that can identify application into flow rule to manage traffic of specific application can do.

Here, the traffic management of a specific application program identifies an application or a network protocol that has generated the traffic, and then manages the traffic. However, it does not use the promised TCP / UDP port number An application program using an arbitrary TCP / UDP port number is difficult to identify, and traffic management is also difficult.

In order to solve the above problems, an object of the present invention is to provide a method of controlling traffic using deep packet analysis when an application program does not use the promised TCP / UDP port number in an open flow.

Another object of the present invention is to provide an apparatus for controlling traffic using deep packet analysis when an application program does not use the promised TCP / UDP port number in an open flow.

According to an aspect of the present invention, there is provided a traffic control method comprising: receiving a first packet including a port number of traffic from an open flow controller; Recognizing information of an application program that has generated traffic using a port number of traffic or a deep packet inspection (DPI), and forwarding traffic based on information of an application program and a firewall policy table And generating a flow rule including firewall information for the traffic that determines whether to drop or drop the packet.

Herein, recognizing the information of the application program that has generated the traffic may include classifying the traffic according to whether the information of the application program is recognized based on the port number of the traffic.

Herein, the step of recognizing the information of the application program that has generated the traffic includes recognizing the information of the application program based on the port number of the traffic and recognizing the information of the application program, The traffic for which the information is not recognized may further include a step of requesting the deep packet analysis to the outside to recognize the information of the application program.

Here, the step of generating a flow rule including firewall information on the traffic includes: searching a firewall policy based on information of an application program in the firewall policy table; and generating a flow rule including firewall information according to the search result .

Here, if the firewall policy is not a drop, it may further include adding bandwidth limitation information on the traffic to the flow rule based on the information of the application program and the bandwidth policy table.

Here, the step of adding the bandwidth limitation information on the traffic to the flow rule may include a step of searching a bandwidth policy based on the information of the application program in the bandwidth policy table, and a step of adding bandwidth limitation information according to the search result to the flow rule . ≪ / RTI >

Here, the method may further include receiving flow statistics from the open flow controller and adjusting a bandwidth limitation value of the bandwidth limitation information based on the received flow statistics.

Here, the method may further include adding priority queue information for the traffic to the flow rule based on the information of the application program and the priority queue policy table.

The step of adding the priority queue information to the flow rule includes searching the priority queue policy based on the information of the application program in the priority queue policy table, To the flow rule.

Here, the priority queue information may include a queue having a minimum usage amount based on the queue usage information, and information for transferring the packet to the selected queue.

According to another aspect of the present invention, there is provided a traffic control apparatus for receiving a first packet including a port number of traffic from an open flow controller, A traffic classifier for recognizing information of an application program generating traffic using a port number of a traffic or a deep packet inspection (DPI), and a forwarding module for forwarding traffic based on an application program information and a firewall policy table And a firewall management unit for generating a flow rule including firewall information for traffic that determines whether to drop or drop the packet.

Here, the traffic classifier may classify the traffic according to whether application program information is recognized based on the port number of the traffic.

Here, the traffic classifier recognizes the information of the application program based on the port number of the traffic based on the port number of the traffic, recognizes the information of the application program, and the traffic whose application program information is not recognized based on the port number of the traffic, It can request the packet analysis and recognize the information of the application program.

Here, the firewall manager may search the firewall policy based on the information of the application program in the firewall policy table, and may generate the flow rule including the firewall information according to the search result.

Here, if the firewall policy is not drop, the bandwidth management unit may further include a bandwidth management unit for adding bandwidth limitation information on the traffic to the flow rule based on the information of the application program and the bandwidth policy table.

Here, the bandwidth manager may search the bandwidth policy based on the information of the application program in the bandwidth policy table, and add the bandwidth limitation information according to the search result to the flow rule.

Here, the bandwidth management unit can receive the flow statistics from the open flow controller, and adjust the bandwidth limitation value of the bandwidth limitation information based on the received flow statistics.

Here, the information processing apparatus may further include a traffic scheduler that adds priority queue information for the traffic to the flow rule based on the information of the application program and the priority queue policy table.

Here, the traffic scheduler searches the priority queue policy based on the information of the application program in the priority queue policy table, and adds the priority queue information according to the search result to the flow rule.

The network monitor further includes a network monitor that receives the switch queue statistical information and calculates queue usage information based on the received switch queue statistical information. The priority queue information includes a queue having a minimum usage amount based on the queue usage information And may include information for the packet to be delivered to the selected queue.

According to the present invention, even when the TCP / UDP port number is changed dynamically, it is possible to identify an application program that has generated traffic through deep packet analysis.

According to the present invention, it is possible to provide a network administrator with a function of controlling access in units of traffic according to various application programs.

According to the present invention, it is possible to provide effective network control to the network administrator through the bandwidth limitation function.

1 is a block diagram of a traffic control apparatus according to an embodiment of the present invention.
2 is a conceptual diagram illustrating an operation of a traffic control apparatus according to an embodiment of the present invention.
3 is a flowchart illustrating a traffic control method according to an embodiment of the present invention.
4 is a flowchart illustrating a method of generating a flow rule including firewall information according to an embodiment of the present invention.
FIG. 5 is a table illustrating a firewall policy according to an exemplary embodiment of the present invention. Referring to FIG.
6 is a flowchart illustrating a method of adding bandwidth limitation information to a flow rule according to an embodiment of the present invention.
7 is a table illustrating a bandwidth policy according to an embodiment of the present invention.
8 is a flowchart illustrating a method of adding priority queue information to a flow rule according to an embodiment of the present invention.
9 is a table showing a meteorological rank queue policy according to an embodiment of the present invention.
10 is a diagram illustrating a result of a simulation of a traffic control method according to an embodiment of the present invention.
11 is a diagram illustrating a simulation result of a switch queue-based differentiation service according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

The terms first, second, A, B, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. The term "and / or" includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Do not.

In the specification of the present invention, a packet may mean data divided into a proper size for transmission of data, and traffic may mean the amount of data flowing within a certain time on a specific transmission. In addition, the topology may refer to a form of long-term connection to a local area network (LAN), and a protocol may mean a communication rule and an appointment for smoothly exchanging information between computers .

TCP (Transmission Control Protocol) can be used in applications requiring reliability by transmitting data after confirming that the connection between the transmitter and the receiver is established. UDP (User Datagram Protocol) It can be used in applications that require high speed by unilaterally transmitting data without checking the connection. The port number can refer to the virtual logical communication connection that the application uses for communication with TCP or UDP. Communication over the Internet can be performed using a port number, and the port number can be used by the corresponding protocol together with the IP address, and the range can be from 0 to 65535.

Software Defined Networks (SDN) is a next-generation networking technology that can easily handle network routing and control and complex operation management through software programming. The SDN is a structure in which the network control function is separated from the physical network, and can be divided into a physical infrastructure layer, a control layer that can be controlled, and an application layer. In other words, the network control function can be separated from the existing hardware such as a switch or a router, and can be separated from the data transfer function.

OpenFlow is a component of the SDN, which can refer to an open standard interface that is responsible for communicating between a controlling device and a networking switch. Openflow is a programmable application that supports a kind of SDN, and can help you connect directly to external networked software such as controllers and network devices such as switches and routers. The controller is located in the control layer of SDN and can control traffic on the network by sending flow tables to switches and routers. Here, the flow table includes a rule, which is an area defining a packet to be processed, an action, which is an area defining how to process a packet defined by the rule, and how many packets are matched to the flow table And stats, which is an area showing how large a byte has been transmitted. In the specification of the present invention, a flow table can be described using the term flow rule. When the flow table refers to information held by a switch, a router or the like, the open flow controller can be provided with a flow rule, such as a switch and a router, so that the flow rule can be applied to the flow table.

In-depth packet analysis is a technology used to analyze and authenticate protocols and applications of packets transmitted or exchanged over IP (Internet Protocol) networks. It examines packet payload as well as packet header, Quot; data " Deep packet analysis may be performed in hardware form directly connected to the network link and may be performed as an application program in the form of software.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In order to facilitate the understanding of the present invention, the same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

1 is a block diagram of a traffic control apparatus according to an embodiment of the present invention.

Referring to FIG. 1, a traffic control apparatus 100 according to an exemplary embodiment of the present invention may include a traffic classifying unit 110 and a firewall managing unit 120, and may include a bandwidth managing unit 130, a traffic scheduler 140, And a network monitoring unit 150. [0031] Here, the configuration of the traffic control device 100 is not limited to a name, but may be defined by a function. In addition, a plurality of functions can be performed by one configuration, and a plurality of configurations can perform one function.

The traffic classifying unit 110 may receive the first packet including the port number of the traffic from the open flow controller and may receive the information of the application program that generated the traffic based on the first packet received It can be recognized. Here, the information of the application program may mean the name of the application program.

Here, the traffic classifying unit 110 may perform a port number search or deep packet inspection (DPI) of traffic to recognize information of an application program that has generated traffic based on the first packet received . More specifically, the traffic classifying unit 110 classifies traffic according to whether application program information is recognized based on the port number of the traffic, and classifies traffic based on the port number of the traffic, Recognizes the information of the application program, and recognizes the information of the application program by performing deep packet analysis on the traffic whose application program information is not recognized based on the port number of the traffic. Here, the in-depth packet analysis may be performed by an external device of the traffic control apparatus 100 so that the traffic control apparatus 100 and the external apparatus request deep packet analysis and receive the result response. However, A packet analysis program may be installed in the traffic control apparatus 100 and executed in the traffic control apparatus 100. [ However, the present invention is not limited thereto.

The firewall manager 120 may generate a flow rule including firewall information for the traffic using the firewall policy table based on the information of the application program recognized by the traffic classifier 110. [ Specifically, the firewall manager 120 searches the firewall policy based on the information of the application program in the firewall policy table to generate a flow rule, and generates a flow rule including firewall information according to the search result. Here, the firewall policy table can be defined or modified for each application program by the administrator. In addition, the firewall manager 120 can transmit the generated flow rule to the open flow controller, and the open flow controller can control the traffic by installing the received flow rule in the switch on the traffic path of the open flow network.

If the firewall information according to the search result is not a drop, the bandwidth management unit 130 may add bandwidth limitation information on the traffic to the flow rule based on the information of the application program and the bandwidth policy table. Specifically, the bandwidth manager 130 searches the bandwidth policy based on the information of the application program in the bandwidth policy table to generate a bandwidth-related flow rule, and transmits the bandwidth limit information according to the search result to the firewall manager 120 Can be added to the flow rule. Here, the bandwidth policy table can be defined or modified for each application program by the administrator. Also, the bandwidth management unit 130 may add the bandwidth limitation value to the flow rule based on the received traffic information or statistics.

The traffic scheduler 140 may add the priority queue information to the flow rule based on the application program information and the priority queue policy table in the flow rule to which the lending limitation information is added. Specifically, the traffic scheduler 140 searches the priority queue policy on the basis of the information of the application program in the priority queue policy table to generate a flow of the priority queue related flow, Can be added to the rule. Here, the priority queue policy table may be defined or modified for each application program by the administrator. In this case, the priority queue information may include route information to the destination of the traffic. If there are a plurality of routes, the traffic scheduler 140 calculates the minimum usage amount And the priority queue information may include information that causes the traffic scheduler 140 to transmit the packet to the port of the switch where the queue selected by the traffic scheduler 140 is located. The traffic scheduler 140 may transmit the flow rule to which the priority queue information is added to the open flow controller.

The network monitoring unit 150 may periodically calculate the current usage amount of the queue having the priority order and transmit the current usage amount of the calculated queue to the traffic scheduler 140. [ Also, the network monitoring unit 150 may utilize the switch queue statistical information to calculate the current usage amount of the queue.

The open flow controller can receive the flow rule from the firewall manager 120 or the traffic scheduler 140 and can install the flow rule in the switch on the traffic path to control the traffic. The open flow controller can receive information or statistics of traffic transmitted according to a flow rule from the switch after the flow rule is installed in the switch on the path of the traffic by the traffic control apparatus 100 of the present invention, Information or statistics to the bandwidth management unit 130 of the traffic control apparatus 100 of the present invention. Accordingly, the traffic control apparatus 100 can dynamically control the traffic through the bandwidth management unit 130 because it can dynamically change the bandwidth limitation value of the traffic based on the traffic information or statistics.

In other words, the traffic control apparatus 100 may be configured such that the administrator defines or modifies at least one of the firewall policy table, the bandwidth policy table, and the priority queue policy table for each application program, and controls the traffic of a specific application program according to the intention of the administrator .

The traffic control apparatus 100 according to an embodiment of the present invention may include at least one processor and a memory storing at least one instruction through which the above-described operation is performed. Herein, the processor may execute a program command stored in a memory, and may be a central processing unit (CPU), a graphics processing unit (GPU), or a dedicated Processor. ≪ / RTI > The memory may be constituted by a volatile storage medium and / or a non-volatile storage medium, and may be constituted by a read only memory (ROM) and / or a random access memory (RAM).

2 is a conceptual diagram illustrating an operation of a traffic control apparatus according to an embodiment of the present invention.

Referring to FIG. 2, a packet of traffic generated by an application program at a source 210 may move to a destination 230 via an open flow network. The open-flow network may include a plurality of switches or routers, and the packets may travel from the source 210 to the destination 230 along a specific path generated by a plurality of switches or routers. In the open flow network, the first switch 220-1 from the source 210 can receive the first packet of traffic, and a flow rule for the packet is transmitted to the first switch 220-1 The open flow controller 200 can transmit the packet to the open flow controller 200 and the open flow controller 200 can transmit the received packet to the traffic control device 100. [ The traffic control apparatus 100 according to an exemplary embodiment of the present invention may recognize an application program that has generated traffic by receiving the first packet of traffic from the open flow controller 200, It is possible to generate a flow rule related to the bandwidth limitation value and transmit it to the open flow controller 200. The open flow controller 200 can install the received flow rules in a plurality of switches. The plurality of switches provided with the flow rule can move the packet based on the flow rule.

More specifically, traffic originating from an application can typically include five specification elements, including source IP address, destination IP address, source port number, destination port number, and protocol, It can be defined as a configured network flow and reaches the network's ingress switch. Herein, the ingress switch may mean a switch at the entry point, and may mean the first switch 220-1. The first switch 220-1 recognizes the traffic received from the source 210 in the form of a network flow and may attempt matching with a flow rule that it has in itself. Here, the network flow may refer to a graph in which there is an additional attribute called capacity in each trunk.

When the first switch 220-1 does not have a flow rule for the traffic, the first switch 220-1 transmits the information of the first packet received in the received network flow to the open flow controller 200, As shown in FIG. Specifically, the contents of the packet header can be included in a Packet-In message of an open flow protocol and transmitted to the connected open flow controller 200. Here, the Packet-In message may be a message used by the switch to send a packet to the open flow controller to receive control of the packet. An open-flow network operating as described above may be referred to as an open-flow network operating in a reactive mode.

The traffic control apparatus 100 may be operated by an application program that controls and manages the network according to the open flow controller 200. [ The traffic control apparatus 100 parses the Packet-In message received from the open flow controller 200 to identify five specification elements of the traffic and transmits the packet to the first to fourth hierarchical layers It is possible to recognize the application program that generated the traffic by recognizing the network layer information.

Here, the network layers of the first to fourth layers include a physical layer as a first layer, a data-link layer as a second layer, a network layer as a third layer, It may mean a transport layer having four layers. The physical layer may operate or maintain a physical link between the systems and may define electrical, mechanical, procedural and functional aspects, and the data link layer may be physically addressed to provide reliable data transmission over the physical link, , Network topology, line usage rules, error detection, frame forwarding, and flow control. In addition, the network layer can send information along a selected path to a network layer protocol by selecting an optimal path through a network to which routing protocols are connected to provide connectivity and path selection between two systems located at different locations, May provide a data transfer service.

The traffic control apparatus 100 according to an exemplary embodiment of the present invention can use two methods to recognize an application program that generates traffic.

The first method is to recognize the application program using the port number of the traffic. When the traffic control apparatus 100 receives a Packet-In message (or packet information) including a well-known port number, the traffic control apparatus 100 transmits port number table information in the traffic control apparatus 100 The application program corresponding to the port number can be determined. Here, the port number table may record the TCP / UDP port number and the name or kind of an application program using the number, and may use information published by the Internet Assigned Numbers Authority (IANA), which is an international organization concerned. As a result of the determination, if a table entry matching the source / destination port number of the traffic exists in the port number table, the name of the application program can be obtained by recognizing the application program from the entry. However, if the port number of an existing application is changed or the port number is unknown due to a new application program, the first method may have a problem that the application program can not be recognized.

The second method is to recognize applications using Deep Packet Inspection (DPI). If the application program is not recognized using the port number for the first packet received, the traffic control apparatus 100 transmits the first packet to the in-depth packet analyzing apparatus 300 outside the traffic control apparatus 100, You can request packet analysis. The in-depth packet analyzing apparatus 300 can receive a packet of the corresponding traffic from the first switch 220-1, perform deep packet analysis, and transmit the deep packet analysis result to the traffic control apparatus 100. [ In-depth packet analysis can check traffic information by checking not only the header of the hacket but also the payload of the packet. The traffic control apparatus 100 can receive the result from the in-depth packet analyzing apparatus 300 and can confirm the data information of the traffic and recognize the application program that generated the traffic based on the data information of the received traffic. In other words, the in-depth packet analysis can be performed through an in-depth packet analysis program constructed as an off-platform, and the traffic control apparatus 100 can communicate with the in-depth packet analysis apparatus 300 using the REST API- Request packet analysis and receive analysis results. However, the deep packet analysis may be installed in the traffic control apparatus 100 as an application program, and may be performed in the traffic control apparatus 100, and the subject and method of performing the deep packet analysis are not limited thereto.

The traffic control apparatus 100 according to an exemplary embodiment of the present invention performs the first of the two methods in order to recognize the application program that generated the traffic, and if the application program is not recognized, The second method may be performed first, or the accuracy of the application program may be improved by using the above two methods in parallel.

The traffic control apparatus 100 according to an exemplary embodiment of the present invention can store and manage at least one of a firewall policy, a bandwidth policy, and a priority queue policy in the form of a table entry, And can search for at least one of a firewall policy, a bandwidth policy, and a priority queue policy for the traffic based on the information of the recognized application program. In this case, the policy may have its own specification according to the type of the related policy, and the network administrator can search the network policy applicable to the traffic according to the specification, and can apply the firewall policy, the bandwidth policy, You can define and modify them separately.

The traffic control apparatus 100 may generate a flow rule reflecting at least one of a firewall policy, a bandwidth policy, and a priority queue policy, and may transmit the generated flow rule to the open flow controller 200 have. The open flow controller 200 can install the flow rules received by the plurality of switches on the path of the traffic. The plurality of switches may then forward the packet from the source 210 to the destination 230 without further communication with the open flow controller. In other words, network administrators can control and manage traffic originating from specific applications according to policies intended from a firewall, bandwidth and priority queue perspective. A concrete procedure for generating the flow rule reflecting at least one of the firewall policy, the bandwidth policy, and the priority queue policy will be described later.

3 is a flowchart illustrating a traffic control method according to an embodiment of the present invention.

3, a traffic control method according to an exemplary embodiment of the present invention may first receive a first packet including a port number of a traffic from the open flow controller 200 ( S310). The traffic control apparatus 100 can determine whether the name of the application program of the traffic can be recognized based on the received port number in step S320 and if the name of the application program can not be recognized, ) To request a deep packet analysis (S330). The in-depth packet analyzing apparatus 300 can receive the packet information from the first switch 220-1 and perform deep packet analysis. The traffic control apparatus 100 can receive the analysis result from the in-depth packet analyzing apparatus 300 (S340) and recognize the name of the application program that generated the traffic based on the received analysis result (S350).

The traffic control apparatus 100 recognizes the name of the application program that generated the traffic, and generates a flow rule including firewall information to be applied to the traffic (S360). The firewall information included in the flow rule may reflect the firewall policy retrieved using the name of the application program from the firewall policy table stored and managed in the traffic control device 100. A concrete procedure will be described later with reference to FIG.

The traffic control apparatus 100 can determine whether the firewall policy reflected in the generated flow rule is a drop (S370), and if the firewall related policy is not a drop, May be added to the rule (S380). The bandwidth limitation information added to the flow rule may reflect the bandwidth policy retrieved using the name of the application program from the bandwidth policy table stored and managed in the traffic control device 100. A concrete procedure will be described later with reference to FIG. .

The traffic control apparatus 100 may add the priority queue information to the flow rule to which the bandwidth limitation information is added (S390). The priority queue information added to the flow rule may reflect the priority queue policy retrieved using the name of the application program from the priority queue policy table stored and managed in the traffic control device 100, 8 will be described later.

When the firewall policy is blocked, the traffic control apparatus 100 can transmit a flow rule including the generated firewall information to the open flow controller 200. If the firewall policy is not blocked, the traffic control apparatus 100 transmits firewall information, And the flow rule including the priority queue information to the open flow controller 200. The open flow controller 200 can set up flow rules received at a plurality of switches, and the packets can be transmitted from the source 210 to the destination 230 according to a plurality of switches provided with flow rules.

4 is a flowchart illustrating a method of generating a flow rule including firewall information according to an embodiment of the present invention.

Referring to FIG. 4, a method for generating a flow rule including firewall information according to an embodiment of the present invention includes: recognizing an application program that the traffic control apparatus 100 generates traffic, (S410), and the name of the acquired application program and the specification element of the traffic can be retrieved from the firewall policy table in the traffic control device 100 (S420). Here, the specification element of the traffic may include a source IP, a destination IP, a source port number, and a destination port number. The traffic control apparatus 100 may determine whether there is a firewall policy applicable to the traffic as a result of the search (S430). If the firewall policy does not exist in the firewall policy applicable to the traffic, the traffic control apparatus 100 may set the firewall policy to drop (S440). Thereafter, the flow rule including the firewall information may be generated by reflecting the firewall policy (S450). Here, the firewall policy applicable to the traffic may be forwarding or dropping, but is not limited thereto.

FIG. 5 is a table illustrating a firewall policy according to an exemplary embodiment of the present invention. Referring to FIG.

The traffic control apparatus 100 according to an exemplary embodiment of the present invention may store various firewall policies that can be defined by a network administrator in the form of a table entry. As shown in FIG. 5, the firewall policy may include six specification elements including a source IP, a destination IP, a source port number, a destination port number, an application program name, and a policy. The traffic control apparatus 100 can search for a matching firewall policy using the five specification elements of the traffic and the application program result as input factors. Some of the specification elements of a firewall policy can be defined in the form of an asterisk (*), and the elements defined in the form of an asterisk can mean that they do not care about the element.

The traffic control apparatus 100 may generate a flow rule for forwarding or dropping traffic according to the detected firewall policy and may generate a flow rule reflecting the drop when the firewall policy is dropped .., N through the open flow controller, and if the firewall policy is not dropped, the next step is to add the bandwidth limitation information of the traffic to the flow rule Can be performed.

6 is a flowchart illustrating a method of adding bandwidth limitation information to a flow rule according to an embodiment of the present invention.

Referring to FIG. 6, a method of adding bandwidth limiting information to a flow rule according to an embodiment of the present invention includes first obtaining a name of an application program by recognizing an application program that the traffic control apparatus 100 generates traffic (S610), and the name of the acquired application program and the specification element of the traffic can be retrieved from the bandwidth policy table in the traffic control device 100 (S620). Here, the specification element of the traffic may include a source IP, a destination IP, a source port number, and a destination port number. As a result of the search, the traffic control apparatus 100 may determine whether there is a bandwidth policy applicable to the traffic (S630). If there is a bandwidth policy applicable to the traffic, the traffic control apparatus 100 may further include a meter ) Element to add bandwidth limitation information reflecting the bandwidth policy to the flow rule (S640). However, if there is no bandwidth policy applicable to the traffic, the bandwidth limitation information may not be added to the flow rule.

7 is a table illustrating a bandwidth policy according to an embodiment of the present invention.

The traffic control apparatus 100 according to an embodiment of the present invention may store various bandwidth policies that can be defined by a network administrator in the form of a table entry. As shown in FIG. 7, the bandwidth policy may include seven specification elements including source IP, destination IP, source port number, destination port number, application name, bandwidth limit value, and policy. The traffic control device 100 can search for a matching bandwidth policy using the five specification elements of the traffic and the application program result as input factors. Some of the specification elements of a bandwidth policy can be defined in the form of an asterisk (*), and the elements defined in the form of an asterisk can mean that they do not care about the element. Here, the bandwidth limit value may be specified in units of bps (bits per second), and 1 Mbps in FIG. 7 may mean a transmission rate at which 1 million bits per second can be transmitted in mega bits per second. Policy may indicate a method of performing a drop or differential service code point (DSCP) on traffic exceeding the bandwidth limit value. Here, the differential service may mean adjusting the drop probability of the traffic. The traffic control apparatus 100 may add bandwidth limiting information reflecting the retrieved bandwidth policy to the flow rule.

8 is a flowchart illustrating a method of adding priority queue information to a flow rule according to an embodiment of the present invention.

Referring to FIG. 8, a method of adding priority queue information according to an embodiment of the present invention to a flow rule includes: first, recognizing an application program that the traffic control apparatus 100 generates traffic, (S810), and the name of the acquired application program and the specification element of the traffic can be retrieved from the priority queue policy table in the traffic control device 100 (S820). Here, the specification element of the traffic may include a source IP, a destination IP, a source port number, and a destination port number. The traffic control apparatus 100 can determine whether there is a priority queue policy applicable to the traffic as a result of the search (S830). If there is no applicable priority queue policy for the traffic, (S840). ≪ / RTI > The traffic control apparatus 100 may calculate the current usage amount of the queue having the priority according to the set policy (S850). Here, the current usage amount calculation may be periodically performed, and the switch queue statistics information may be utilized for the calculation . The traffic control apparatus 100 may select a queue having the smallest usage amount among the calculated queue usage information, and may add information for transferring traffic to the selected queue to the flow rule (S860). More specifically, the traffic control apparatus 100 can determine a route through which traffic is delivered to a destination in the network. If there are a plurality of routes, the traffic control apparatus 100 selects a queue having the smallest usage amount among the queue usage information located on the route And can send traffic to the port of the switch where the selected queue is located. The traffic control apparatus 100 can add information for delivering traffic to the selected queue to the flow rules, and the flow rules are transmitted to the open flow switches 220-1, ..., n through the open flow controller, .

9 is a table showing a meteorological rank queue policy according to an embodiment of the present invention.

The traffic control apparatus 100 according to an exemplary embodiment of the present invention may store various priority queue policies that can be defined by a network manager in the form of a table entry. As shown in FIG. 9, the priority queue policy may include six specification elements including a source IP, a destination IP, a source port number, a destination port number, an application program name, and a queue priority. The traffic control apparatus 100 searches for a priority policy of a queue to be passed through the corresponding traffic by using the source IP, the destination IP, the source port number, the destination port number, and the application program result as input factors among the five specification elements of the traffic can do. Some of the specification elements of the priority queue policy can be defined in the form of an asterisk (*), and the elements defined in the form of an asterisk can mean that they do not care about the element have.

The traffic control apparatus 100 may add information to the flow rule that specifies the priority of the queue to which the traffic is to be passed according to the retrieved priority queue policy and a weight may be assigned to the bandwidth that can be processed for each priority queue have. For example, if there are three priority queues and the total bandwidth is 100 Mbps, queues with a priority of 1 can be assigned a weight of 0.6 to handle 60 Mbps of traffic, and a queue with a priority of 2 It can process 30 Mbps by assigning a weight of 0.3. In addition, a queue having a priority of 3 can be assigned a weight of 0.1 and can handle 10 Mbps of traffic. If there is no traffic in the higher priority queue, the weight assigned to the higher priority queue may be exploited. For example, if there is no traffic in the priority 1 and priority 2 queues, a queue of priority 3 can be assigned a weight of 1 to handle 100 Mbps of traffic.

10 is a diagram illustrating a result of a simulation of a traffic control method according to an embodiment of the present invention.

FIG. 10 is a diagram illustrating a result of performing bandwidth management on File Transfer Protocol (FTP) traffic for file transmission after actually implementing the present invention on a mininet, which is an SDN network simulator. An open-flow switch implemented as a mininet can be configured between the source and destination connected via FTP. An Open Network Operating System (ONOS) controller is connected to the switch to switch the flow rules reflecting the firewall policy and bandwidth policy .

The FTP traffic used in the experiment to verify the effect of the present invention can transmit control packets for the FTP session configuration using the port number 21 and can transmit the actual data packets using the port number 20. In the experiment, it is possible to identify FTP control packet with port number 21 for control packet transmission through analysis based on port number, and packets having different port numbers can be identified as FTP traffic through deep packet analysis. Flow rules can also be placed on the switch via the ONOS controller.

Referring to FIG. 10, in the present experiment, when the first data packet is identified, the corresponding data packets are transmitted by applying a bandwidth policy without a bandwidth limit value. As a result, the packets could have a transmission rate of about 1.2 Mbps. After 10 seconds from the start of data packet transmission, the bandwidth policy was changed to 0.5 Mbps bandwidth. As a result, after changing the bandwidth policy, the data rate gradually decreased according to the bandwidth policy for 2 seconds, and the data packets could have a transmission rate of 0.5 Mbps. In addition, after 20 seconds from the start of transmission of the data packet, the bandwidth policy was changed to a bandwidth policy of 0.2 Mbps. As a result, after changing the bandwidth policy again, the data rate gradually decreased according to the bandwidth policy for about 2 seconds, so that the data packets could have a transmission rate of 0.2 Mbps. According to the above-described experimental results, the network manager was able to control the data rate (or traffic) of the data packet by changing the bandwidth policy.

11 is a diagram illustrating a simulation result of a switch queue-based differentiation service according to an embodiment of the present invention.

FIG. 11 is a block diagram illustrating a switch queue-based differentiation service (hereinafter referred to as " switch-based ") service targeting traffic generated by Iperf, a traffic generator in a Linux- Fig. An open-flow switch implemented as a mininet can be configured between the source and destination of the IPP and YouTube traffic, and the ONOS controller can be connected to the switch to establish a flow rule in the switch that reflects the priority queue policy.

The IPP traffic used in the experiment to verify the effect of the present invention can be identified using the fixed port number used in the session establishment between the source and destination, and the YouTube traffic can be identified through in-depth packet analysis. There are two or more paths between the source and destination of each traffic, and the maximum bandwidth of the link constituting the path is set to 100 Mbps. Also, in the priority policy, the IPP traffic is set to priority 2, and the YouTube traffic is set to priority 1.

Referring to FIG. 11, the baseline method may be an experiment in which only one path is used without using the priority queue policy. In this experiment, the first iPuff traffic has a transmission rate of 57 Mbps The second ipup traffic could have a data rate of 40 Mbps, and the YouTube traffic could have a data rate of 3 Mbps.

The MultiPath scheme may be an experiment using two or more paths without using a priority queue policy. In this experiment, the first ipf traffic may have a transmission rate of 90 Mbps, and the second child Puff traffic could have a data rate of 80 Mbps, and YouTube traffic could have a data rate of 7 Mbps.

Multipath and MultiQueue schemes can be used for experiments with simultaneous use of a priority queue policy and two or more paths. In this experiment, the first ipfp traffic can have a data rate of 86 Mbps, and the second IPuff traffic could have a transfer rate of 76 Mbps, and YouTube traffic could have a transfer rate of 15 Mbps.

According to the experimental results, the network administrator can increase the data rate (or traffic) by using multipath through the traffic scheduler 140 and the network monitoring unit 150 of the traffic control apparatus 100, By using the rank queue policy, it is possible to realize a differentiated service of the type that increases the bandwidth of the high priority traffic by reducing the bandwidth of the low priority traffic within the limited bandwidth.

The operation of the traffic control method according to the embodiment of the present invention can be implemented as a computer-readable program or code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. The computer-readable recording medium may also be distributed and distributed in a networked computer system so that a computer-readable program or code can be stored and executed in a distributed manner.

Also, the computer-readable recording medium may include a hardware device specially configured to store and execute program instructions, such as a ROM, a RAM, a flash memory, and the like. Program instructions may include machine language code such as those produced by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like.

Some or all of the method steps may be performed (e.g., by a microprocessor, a programmable computer or a hardware device such as an electronic circuit). In some embodiments, one or more of the most important method steps may be performed by such an apparatus.

In embodiments, a programmable logic device (e.g., a field programmable gate array) may be used to perform some or all of the functions of the methods described herein. In embodiments, the field programmable gate array may operate in conjunction with a microprocessor to perform one of the methods described herein. Generally, the methods are preferably performed by some hardware device.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the following claims It can be understood that

100: traffic control device 110: traffic classification unit
120: firewall management unit 130: bandwidth management unit
140: traffic scheduler 150: network monitoring unit
200: open flow controller 210: source
220-1, 2, ..., n: first, second, ..., n switches
230: Destination `300: Deep packet analyzer

Claims (20)

Receiving a first packet including a port number of traffic from an open flow controller;
Recognizing information of an application program that has generated the traffic using a port number of the traffic or a deep packet inspection (DPI) based on the first packet; And
Generating a flow rule including firewall information on the traffic that determines whether to forward or drop the traffic based on the information of the application program and the firewall policy table; Comprising a traffic control method. The method according to claim 1,
The step of recognizing information of an application program that has generated the traffic includes:
And classifying traffic according to whether information of the application program is recognized based on the port number of the traffic. The method of claim 2,
The step of recognizing information of an application program that has generated the traffic includes:
The traffic for which the information of the application program is recognized based on the port number of the traffic recognizes the information of the application program and the traffic for which the information of the application program is not recognized based on the port number of the traffic, And requesting analysis to recognize the information of the application program. The method according to claim 1,
Wherein the step of generating a flow rule including firewall information for the traffic comprises:
Retrieving a firewall policy based on the information of the application program in the firewall policy table; And
And generating a flow rule including the firewall information according to the search result. The method according to claim 1,
Further comprising adding bandwidth restriction information for the traffic to the flow rule based on the information of the application program and the bandwidth policy table when the firewall policy is not dropping. The method of claim 5,
Wherein adding the bandwidth limitation information for the traffic to the flow rule comprises:
Retrieving a bandwidth policy based on information of the application program in the bandwidth policy table; And
And adding the bandwidth limitation information according to the search result to the flow rule. The method of claim 5,
Receiving flow statistics from the open flow controller and adjusting the bandwidth limit value of the bandwidth limit information based on the received flow statistics. The method of claim 5,
Further comprising adding to the flow rule priority queue information for the traffic based on the information of the application program and a priority queue policy table. The method of claim 8,
Wherein adding the priority queue information for the traffic to the flow rule comprises:
Retrieving a priority queue policy based on information of the application program in the priority queue policy table; And
And adding the priority queue information according to the search result to the flow rule. The method of claim 8,
Wherein the priority queue information comprises:
And selecting a queue having a minimum usage amount based on the queue usage information, and including information for transferring the packet to the selected queue. Receiving a first packet including a port number of traffic from an open flow controller and using a port number of the traffic or a deep packet inspection (DPI) based on the first packet, A traffic classifying unit for recognizing information of an application program that has generated the traffic; And
A firewall management unit that generates a flow rule including firewall information for the traffic that determines whether to forward or drop the traffic based on the information of the application program and the firewall policy table, The traffic control device. The method of claim 11,
Wherein the traffic classifier comprises:
And classifies traffic according to whether information of the application program is recognized based on a port number of the traffic. The method of claim 12,
Wherein the traffic classifier comprises:
The traffic for which the information of the application program is recognized based on the port number of the traffic recognizes the information of the application program and the traffic for which the information of the application program is not recognized based on the port number of the traffic, And requests the analysis to recognize the information of the application program. The method of claim 11,
The firewall management unit,
Retrieving a firewall policy based on the information of the application program in the firewall policy table,
And generates a flow rule including the firewall information according to the search result. The method of claim 11,
Further comprising a bandwidth management unit for, when the firewall policy is not dropped, adding bandwidth restriction information on the traffic to the flow rule based on the information of the application program and the bandwidth policy table. 16. The method of claim 15,
The bandwidth management unit,
Retrieving a bandwidth policy based on the information of the application program in the bandwidth policy table,
And adds the bandwidth limitation information according to the search result to the flow rule. 16. The method of claim 15,
The bandwidth management unit,
Receives the flow statistics from the open flow controller, and adjusts the bandwidth limitation value of the bandwidth limitation information based on the received flow statistics. 16. The method of claim 15,
Further comprising: a traffic scheduler that adds priority queue information for the traffic to the flow rule based on information of the application program and a priority queue policy table. 19. The method of claim 18,
The traffic scheduler,
Retrieving a priority queue policy based on the information of the application program in the priority queue policy table,
And adds the priority queue information according to the search result to the flow rule. 19. The method of claim 18,
Further comprising a network monitor for receiving the switch queue statistical information and calculating queue usage information based on the received switch queue statistical information,
Wherein the priority queue information comprises:
And selects a queue having a minimum usage amount based on the queue usage information, and includes information for transferring a packet to the selected queue.

Images