As a communication system in which a control device centrally controls forwarding nodes, technology referred to as OpenFlow is known (refer to PTL 1, and NPLs 1 and 2). In OpenFlow, communication is treated as end-to-end flow, and path control, recovery from failure, load balancing and optimization are performed in flow units. An OpenFlow switch as specified in NPL 2 is provided with a secure channel for communication with an OpenFlow controller positioned as a control device, and operates according to a flow table in which appropriate addition or rewriting is instructed by the OpenFlow controller. In the flow table are definitions of sets of matching rules (Header fields) for collation with packet headers, flow statistical information (Counters), and actions (Actions) defining processing content, for each flow (refer to FIG. 12).
For example, when an OpenFlow switch receives a packet, an entry is searched for that has a matching rule (refer to header fields in FIG. 12) that matches header information of the received packet, from the flow table. As a result of the search, in a case where an entry matching the received packet is found, the OpenFlow switch updates the flow statistical information (Counters) and also implements processing content (packet transmission from a specified port, flooding, dropping, and the like) described in an Actions field of the entry in question, for the received packet. On the other hand, as a result of the search, in a case where an entry matching the received packet is not found, the OpenFlow switch forwards the received packet to the OpenFlow controller via a secure channel, requests determination of a path of the packet based on source and destination of the received packet, receives a flow entry realizing this, and updates the flow table. In this way, the OpenFlow switch uses the entry stored in the flow table as a processing rule to perform packet forwarding.
NPL 3 proposes constructing a secure channel for the abovementioned type of OpenFlow network in a real network using special frames and source-routing (below, a control channel constructed in this real network is referred to as an “in-band secure channel”).