In a layer 2 network, a MAC (Media Access Control) address is used to uniquely identify the network devices (including computers and virtual machines) that make up the network. However, a MAC address can easily be spoofed. On the other hand, when the route of a packet flowing through the layer 2 network changes because a computer is physically moved or a virtual machine is migrated, Gratuitous ARP (Address Resolution Protocol) is widely known to be useful (refer to a non-patent literature 1). A Gratuitous ARP is an ARP request packet whose target IP (Internet Protocol) address is set to the sender's own IP address, and it provides two effects. The first is to find out whether some device other than the sender is using the same IP address: if a different network device that uses the target IP address set in the ARP request packet sends back an ARP reply, the IP address can be judged to be duplicated. The second is that a switch making up the layer 2 network updates its own ARP table and MAC table with reference to the transmission source MAC address of the Gratuitous ARP packet, and can consequently follow the move of the computer or virtual machine and change the transfer route of the packet. However, this same property can be used to cause trouble in the network. For example, when an illegal third party transmits a Gratuitous ARP packet in which the transmission source MAC address or the target IP address is spoofed, the ARP table or MAC table of a switch making up the layer 2 network is rewritten. Consequently, the TCP/IP communication of a legal user is easily interrupted. Moreover, a packet addressed to the legal user can be intercepted, because it is now forwarded to the illegal party instead.
A technique for monitoring and preventing illegal access and interruption carried out with such ARP packets is described in, for example, JP 2005-210451A (refer to a patent literature 1). The system described in the patent literature 1 includes a monitoring host that monitors ARP request packets, and a database in which the IP address and physical address of each legal host inside the network are registered in advance. When the monitoring host detects an ARP request packet for an IP address or physical address that is not registered in the database, it transmits to the request destination node of that ARP packet an ARP request packet whose request source is the monitoring host itself, and thereby updates the ARP table of the node. Consequently, the reply packet to the illegal access is transferred to the monitor server instead of being sent to the illegal third party.
In this way, the system described in the patent literature 1 can prevent illegal access to the network, because the monitor server that detects the illegal ARP packet controls the transfer destination of the packet in the node.
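As an added illustration (not part of the patent literature 1 nor of this description), the following Python code constructs a Gratuitous ARP frame in the layout described above, parses it, and checks the announced sender MAC address against a registry of legal IP-to-MAC bindings in the manner of the monitoring host. The host addresses, the registry and the verdict names are constructed for the example; the check also flags a frame whose Ethernet source address disagrees with the ARP sender MAC address, a common sign of a crafted packet.

```python
import struct

ETH_P_ARP = 0x0806       # EtherType for ARP
ARP_REQUEST = 1
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed registry of legal hosts (IP -> MAC), standing in for the
# database in which legal hosts are registered in advance.
REGISTRY = {
    "10.0.0.11": "02:00:00:00:00:11",
    "10.0.0.12": "02:00:00:00:00:12",
}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=ARP_REQUEST,
                    target_mac="00:00:00:00:00:00", eth_dst=BROADCAST):
    """Ethernet II header (14 bytes) + ARP body for Ethernet/IPv4 (28 bytes)."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp


def build_gratuitous_arp(mac, ip):
    """A Gratuitous ARP: request whose target IP equals the sender's own IP."""
    return build_arp_frame(mac, mac, ip, ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if not ARP over Ethernet/IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return {
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(b[0:6]),
        "sender_ip": bytes_to_ip(b[6:10]),
        "target_mac": bytes_to_mac(b[10:16]),
        "target_ip": bytes_to_ip(b[16:20]),
    }


def is_gratuitous(arp):
    return arp["op"] == ARP_REQUEST and arp["sender_ip"] == arp["target_ip"]


def classify_arp(frame, registry=REGISTRY):
    """Verdicts (example's own names): 'not-arp'; 'inconsistent' (Ethernet source
    differs from ARP sender MAC); 'unregistered' (sender IP not in the registry);
    'spoofed' (registered IP announced with a different MAC); 'ok'."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["eth_src"] != arp["sender_mac"]:
        return "inconsistent"
    expected = registry.get(arp["sender_ip"])
    if expected is None:
        return "unregistered"
    if expected != arp["sender_mac"]:
        return "spoofed"
    return "ok"


if __name__ == "__main__":
    legit = build_gratuitous_arp("02:00:00:00:00:11", "10.0.0.11")
    spoof = build_gratuitous_arp("02:00:00:00:00:99", "10.0.0.11")
    print(classify_arp(legit), classify_arp(spoof))
```

A real monitoring host would feed frames captured from a raw socket or a mirror port into classify_arp; the byte layout parsed here is the same one a switch inspects when it updates its tables from the transmission source MAC address.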
On the other hand, a technique in which the transfer operations and the like of the respective switches in a computer network are centrally controlled by an external controller (OpenFlow) has been proposed by the OpenFlow Consortium (refer to a non-patent literature 2). A network switch corresponding to this technique (hereinafter, referred to as an OpenFlow switch (OFS)) holds detailed information such as the protocol type, the port number and the like in a flow table, and can control each flow and acquire statistical information about it. The flow tables of the OFSs inside the network are centrally set and managed by an OpenFlow controller (OFC).
With reference to FIG. 1, the configuration and operation of a computer system that uses the OpenFlow protocol are described. As shown in FIG. 1, the computer system based on the technique related to the present invention includes: an OpenFlow controller 100 (hereinafter, referred to as an OFC 100); a switch group 200 including a plurality of OpenFlow switches 102-1 to 102-n (hereinafter, referred to as OFSs 102-1 to 102-n); and a host group 300 including a plurality of host computers 103-1 to 103-i (hereinafter, referred to as hosts 103-1 to 103-i). Here, each of n and i is a natural number of 2 or more. In the following explanation, when the OFSs 102-1 to 102-n are not distinguished from each other, they are collectively referred to as an OFS 102. Likewise, when the hosts 103-1 to 103-i are not distinguished from each other, they are collectively referred to as a host 103.
The OFC 100 sets a communication route between the hosts 103 and sets the transfer operation (relay operation) to be performed by each OFS 102 on that route, and the like. At this time, the OFC 100 sets, in the flow table held by the OFS 102, a flow entry in which a rule for specifying a flow (packet data) is correlated with an action defining the operation to be performed on that flow. The OFS 102 on the communication route determines the transfer destination of received packet data and carries out the transfer process in accordance with the flow entry set by the OFC 100. Consequently, the host 103 can transmit and receive packet data to and from a different host 103 by using the communication route set by the OFC 100. That is, in a computer system that uses OpenFlow, the OFC 100 that sets the communication route and the OFS 102 that carries out the transfer process are separated, which enables the communication in the entire system to be centrally controlled and managed.
With reference to FIG. 1, when a packet is transmitted from the host 103-1 to the host 103-i, the OFS 102-1 refers to the transmission destination information (header information: for example, the destination MAC address and the destination IP address) in the packet received from the host 103-1 and searches the flow table held inside the OFS 102-1 for an entry that matches the header information. The content of an entry set in the flow table is defined in, for example, a non-patent literature 2.
If no entry for the received packet data is present in the flow table, the OFS 102-1 transfers the packet data (hereinafter, referred to as a first packet), or the header information of the first packet, to the OFC 100. The OFC 100, on receiving the first packet from the OFS 102-1, determines a route 400 on the basis of information included in the packet, such as the transmission source host and the transmission destination host.
The OFC 100 instructs all of the OFSs 102 on the route 400 to set a flow entry defining the transfer destination of the packet (issues a flow table update instruction). Each OFS 102 on the route 400 updates the flow table it manages on the basis of the flow table update instruction. After that, the OFS 102 starts transferring the packet in accordance with the updated flow table. Consequently, the packet arrives at the destination host 103-i through the route 400 determined by the OFC 100.
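As an added illustration (a model written for this description, not OpenFlow wire-protocol code and not part of the non-patent literature 2), the following Python code reproduces the sequence described above: a table miss at the first OFS, the first packet being handed to the OFC, the OFC computing the route and installing a flow entry (a match rule correlated with an output-port action) on every switch along it, and later packets of the same flow being forwarded by the switches alone with per-entry statistics updated. The three-switch topology, host addresses and port numbers are constructed for the example and stand in for the OFSs 102 and hosts 103 of FIG. 1.

```python
from collections import deque

# Constructed topology: three OFSs in a line, each mapping a port number to the
# switch or host on that port. Host h1 hangs off s1 and host hi off s3.
LINKS = {
    "s1": {1: "h1", 2: "s2"},
    "s2": {1: "s1", 2: "s3"},
    "s3": {1: "s2", 2: "hi"},
}
HOSTS = {  # host -> (MAC, IP), constructed values
    "h1": ("02:00:00:00:00:01", "10.0.0.1"),
    "hi": ("02:00:00:00:00:0a", "10.0.0.10"),
}


class Switch:
    """An OFS: a flow table of [match_rule, out_port, packet_count] entries."""
    def __init__(self):
        self.flow_table = []
        self.packet_ins = 0  # table misses handed to the controller

    def lookup(self, pkt):
        """Return the output port of the first entry whose rule matches pkt."""
        for entry in self.flow_table:
            match, out_port, _ = entry
            if all(pkt.get(k) == v for k, v in match.items()):
                entry[2] += 1  # statistics the OFS keeps per flow entry
                return out_port
        return None

    def add_flow(self, match, out_port):
        self.flow_table.append([dict(match), out_port, 0])


class Controller:
    """The OFC: knows the topology, computes routes, installs flow entries."""
    def __init__(self, switches, links):
        self.switches, self.links = switches, links
        # host -> (switch, port), learned from the topology
        self.host_port = {peer: (sw, port) for sw, ports in links.items()
                          for port, peer in ports.items() if peer not in links}

    def port_to(self, sw, peer):
        return next(p for p, n in self.links[sw].items() if n == peer)

    def route(self, src_sw, dst_sw):
        """Shortest switch path by breadth-first search, or None if unreachable."""
        prev, queue = {src_sw: None}, deque([src_sw])
        while queue:
            cur = queue.popleft()
            if cur == dst_sw:
                break
            for peer in self.links[cur].values():
                if peer in self.links and peer not in prev:
                    prev[peer] = cur
                    queue.append(peer)
        if dst_sw not in prev:
            return None
        path, cur = [], dst_sw
        while cur is not None:
            path.append(cur)
            cur = prev[cur]
        return path[::-1]

    def packet_in(self, sw_name, pkt, mac_to_host):
        """Handle a first packet: choose the route and push one entry to every OFS on it."""
        dst_host = mac_to_host.get(pkt["eth_dst"])
        if dst_host is None:
            return None
        dst_sw, dst_port = self.host_port[dst_host]
        path = self.route(sw_name, dst_sw)
        if path is None:
            return None
        rule = {"eth_dst": pkt["eth_dst"], "ip_dst": pkt["ip_dst"]}
        for i, sw in enumerate(path):
            last = i == len(path) - 1
            self.switches[sw].add_flow(rule, dst_port if last else self.port_to(sw, path[i + 1]))
        return path


class Network:
    def __init__(self, links, hosts):
        self.links, self.hosts = links, hosts
        self.switches = {n: Switch() for n in links}
        self.controller = Controller(self.switches, links)
        self.mac_to_host = {mac: h for h, (mac, _) in hosts.items()}

    def send(self, src_host, dst_host):
        """Forward one packet hop by hop; returns (switches traversed, delivered)."""
        (src_mac, src_ip), (dst_mac, dst_ip) = self.hosts[src_host], self.hosts[dst_host]
        pkt = {"eth_src": src_mac, "eth_dst": dst_mac, "ip_src": src_ip, "ip_dst": dst_ip}
        sw, hops = self.controller.host_port[src_host][0], []
        while sw in self.links:
            hops.append(sw)
            out_port = self.switches[sw].lookup(pkt)
            if out_port is None:  # table miss: the first packet goes to the OFC
                self.switches[sw].packet_ins += 1
                if self.controller.packet_in(sw, pkt, self.mac_to_host) is None:
                    return hops, False
                out_port = self.switches[sw].lookup(pkt)
            sw = self.links[sw][out_port]
        return hops, sw == dst_host
```

Only the first switch on the route ever reports a miss, because the OFC installs entries on every switch along the route before the packet moves on; the second packet of the same flow is matched locally at each hop, and the per-entry counters are what the statistics described above are drawn from.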