1. Field of the Invention
The present invention relates to a packet transferring apparatus, and in particular to a packet transferring apparatus which executes a packet transfer in a network having terminals connected by the TCP (Transmission Control Protocol) communication or the UDP (User Datagram Protocol) communication.
As the utilization of networks for communication between terminals (hereinafter occasionally referred to as inter-terminal communication) extends, a relay between networks, e.g. a mutual connection between LAN's (Local Area Networks), or between a LAN and a leased line, becomes necessary for enlarging the scale of the network.
In the network thus constructed, the IP (Internet Protocol) network is the mainstream at present. This IP is a protocol of connectionless type corresponding to the network layer in the OSI (Open Systems Interconnection) model of the ISO (International Organization for Standardization).
In the IP communication of connectionless type, unlike a connection-type protocol which preliminarily secures a channel between the terminals, the packet transferring apparatus which mutually connects the LAN's performs a transfer process on a packet storing therein communication data, whereby the inter-terminal communication is realized.
In order to realize a connection-type communication by using the connectionless-type IP communication, it is required that a connection called “session” is established by the TCP corresponding to an upper transport layer and session layer and then the inter-terminal communication is performed.
On the other hand, when a connectionless-type packet communication is performed between the terminals, a connectionless-type UDP is substituted for the TCP. Which of the TCP or the UDP should be used for the communication depends on the selection of an application which performs the inter-terminal communication.
2. Description of the Related Art
FIG. 10 shows a general network arrangement where a packet transferring apparatus mutually connects a plurality of LAN's.
In this arrangement, terminals connected to the same LAN mutually and directly communicate not through the packet transferring apparatus. For example, terminals 11 and 13 connected to a LAN1 can communicate mutually and directly by transmitting/receiving a packet through the LAN1.
On the other hand, terminals not connected to the same LAN communicate mutually through a plurality of packet transferring apparatuses and LAN's.
In the communication between terminals 11 and 62, for instance, the packet transmitted from the terminal 11 is relayed through the route of LAN1→packet transferring apparatus 1→LAN4→packet transferring apparatus 2→LAN5→packet transferring apparatus 3→LAN6 in this order to be received at the terminal 62. The packet transmitted from the terminal 62 is relayed in the order reverse to the above-mentioned order to be received at the terminal 11. In this way, the communication between the terminals 11 and 62 is realized. At this time, the packet transferring apparatus 1 receives the packet transmitted from the terminal 11 at an interface IF1 connected to the LAN1, determines, from field values of a header portion which stores therein control information of the packet such as a destination address, an interface IF4 connected to the LAN4 as the interface from which the packet is to be transmitted, and transmits the packet from this interface IF4. In the same way, the packet transferring apparatus 1 performs a packet transferring process of receiving, at the interface IF4, the packet transmitted from the terminal 62 and transmitting the packet from the interface IF1 to the LAN1.
The packet transferring apparatuses, e.g. the packet transferring apparatuses 1-3 in the network arrangement of FIG. 10, execute such a packet transferring process, so that the inter-terminal communication is realized.
On the other hand, the packet transferring apparatus also has, as a part of network management, a general function of prohibiting a specific communication on the network and preventing illegal access: it not only transfers packets but also abandons (discards) a specific packet without transferring it.
Permitting or prohibiting the communication between specific terminals, specific terminal groups, specific LAN's, or specific applications is made possible by a “filtering process”, in which the packet transferring apparatus transfers or abandons a specific packet.
In the network arrangement of FIG. 10, for instance, regarding the communication between the terminal 22 connected to the LAN2 and the terminal group connected to the LAN1, when a network management person performs such a network management that the communication between the terminals 22-11 is permitted, and the other communications between the terminals 22-12 and the terminals 22-13 are prohibited, the packet transferring apparatus 1 transfers only the packet whose source address and destination address respectively designate the terminals 22 and 11, and the packet whose source address and destination address respectively designate the terminals 11 and 22.
The filtering process is executed such that the packet is abandoned when it does not meet the above-mentioned condition, i.e. when its source address designates the terminal 22 and the upper bits of its destination address designate a terminal connected to the LAN1.
Generally in the IP network, the terminals connected to the same LAN belong to the same subnetwork, and the upper bits within a predetermined range of their addresses are equal. The above-mentioned filtering process enables a network management person, or network manager, to perform such a network management that the communication between the terminal 22 and the terminal group connected to the LAN1 is prohibited except for the communication between the terminals 22-11.
In the same way as in the above-mentioned example, the network manager combines various filtering conditions for determining the transfer/abandonment per packet and sets them in the packet transferring apparatus. Supposing, for instance, that the LAN1, the LAN2, and the LAN3 in FIG. 10 form the internal network of a company and that the interface IF4 of the packet transferring apparatus 1 faces the outside of the company, the network manager can thus perform the more complicated security control of a network in which necessary communication is permitted while illegal access from an external network outside the company, such as the LAN4, the LAN5, and the LAN6, is controlled.
In addition, a “priority control” of not only permitting/prohibiting a specific communication on the network but also treating a specific communication prior to other communications is realized by the packet transferring apparatus distinguishing a packet of a specific communication and preferentially processing the distinguished packet.
This priority control process is the same as the filtering process in that the packet transferring apparatus distinguishes a specific packet. However, the filtering process and the priority control process are different from each other in that the former process renders the packet transferring apparatus transfer/abandon the packet after being distinguished while the latter process renders it give priority to the packet.
In the network arrangement of FIG. 10, for instance, when the network manager performs such a network management that the communication between the terminal 31 which is a server providing an important service to other terminals and the other terminals is processed prior to the other communications, the packet transferring apparatus 1 is set to transfer the packet with a high priority whose destination address or source address in the header designates the terminal 31. The packet transferring apparatus 1 executes such a priority control process to enable the priority control of the communication between the terminal 31 and the other terminals.
A conventional packet transferring apparatus executes the above-mentioned security control and priority control by a process arrangement shown in FIG. 11. When the packet transferring apparatus 100, which generally denotes the above-mentioned apparatuses 1-3, performs the security control, for instance, the network manager preliminarily performs setting to a security control software 102 composing a software portion 101 based on the management policy of the network.
The security control software 102 converts the setting into a form conformable with filtering entries of a filtering table 108 in a hardware portion 104. The security control software 102 requests a filtering processor 109 in the hardware portion 104 to store the converted entries in the filtering table 108.
The filtering processor 109 stores the entries requested from the security control software 102 in the filtering table 108.
In this procedure, the packet transferring apparatus 100 preliminarily stores the filtering entries in the filtering table 108. When the filtering processor 109 compares the received packet with the entries of the filtering table 108 by the field values so that there is found a relevant entry for the received packet, the received packet is transferred or abandoned depending on a value (e.g. “1” for transfer, and “0” for abandonment) of a “transfer/abandonment field” within the relevant entry.
In the same manner, when the packet transferring apparatus 100 performs the priority control, the network manager preliminarily performs setting to a priority control software 103 composing the software portion 101 based on the management policy of the network. The priority control software 103 converts the setting into a form conformable with entries of a priority control table 110 in the hardware portion 104.
The priority control software 103 requests a priority control processor 111 in the hardware portion 104 to store the converted entries in the priority control table 110. The priority control processor 111 stores the entries requested from the priority control software 103 in the priority control table 110.
In this procedure, the packet transferring apparatus 100 preliminarily stores the priority control entries in the priority control table 110. When the priority control processor 111 compares the received packet with the entries of the priority control table 110 by the field values so that there is found a relevant entry for the received packet, the packet transferring apparatus 100 preferentially transfers the received packet depending on a value (e.g. “0”-“7”) of a “priority degree field” within the relevant entry.
Also, since the above-mentioned filtering processor 109 and the priority control processor 111 retrieve the filtering table 108 and the priority control table 110 based on a transmitting interface of the packet, a routing processor 107 and a routing table 106 are arranged at the preceding stage of the filtering processor 109 and the priority control processor 111.
It is to be noted that since the process performed by the priority control processor 111 to the packet which is to be determined to be abandoned at the filtering processor 109 is wasteful, the filtering processor 109 is generally arranged at the preceding stage of the priority control processor 111.
Hereinafter, each of the processors mentioned above will be described as a series of transferring process operations which the packet transferring apparatus 100 shown in FIG. 11 performs to the received packet.
When the packet arrives at a receiving interface, the routing processor 107 retrieves the routing table 106 based on the destination address (e.g. the destination IP address in the IP communication), and determines the interface from which the received packet is to be transmitted and a MAC (Media Access Control) address for the transmitted packet at that time.
The routing processor 107 transmits the received packet to the next processor of the filtering processor 109, and notifies the transmitting interface and the MAC address determined by the above-mentioned routing processor 107 to the filtering processor 109.
The MAC address is one for identifying relaying equipment (not shown) connected to the LAN or the interface of the terminal, and is required for the communication between the terminals connected to the same LAN and the relaying equipment.
The correspondence between the transmitting interface and the MAC address for the destination IP address in the routing table 106 is either preliminarily inputted by the network manager or stored by the communication of an apparatus control software with the relaying equipment adjoining thereto.
Also, as a method of notifying the next processor of the packet together with information annexed to it, e.g. notifying the filtering processor 109 of the transmitting interface No. and the MAC address determined by the above-mentioned routing processor 107, an in-apparatus controlling header can be added by the preceding processor, e.g. ahead of the packet header, as will be described later referring to FIGS. 13A and 13B; the preceding processor stores the information to be notified to the next processor in a specific field of this in-apparatus controlling header.
The filtering processor 109 which has received the packet from the routing processor 107 retrieves the filtering table 108 based on the field values within the packet header and the transmitting/receiving interface of the received packet. When the received packet coincides with the filtering condition for abandonment, the packet is abandoned. Otherwise, the packet is transferred to the next processor of the priority control processor 111.
The priority control processor 111 retrieves the priority control table 110 based on the field values within the packet header and the transmitting/receiving interface Nos. of the received packet. When the received packet conforms with a specific entry, the priority degree stored in that entry and the packet are transferred to the next processor of a switch portion 112.
The switch portion 112 stores the received packet in each of transmitting queues 113 in a packet scheduling processor 114 depending on the transmitting interface No. and the priority degree of the packet.
In the packet scheduling processor 114, for instance, three queues for each transmitting interface 115 are prepared, as shown in FIG. 11. Assuming the packet transferring apparatus 100 has eight priority degrees between “0-7”, “0-2” are assigned to low priority queues, “3-5” to medium priority queues, and “6-7” to high priority queues.
The packet scheduling processor 114 takes out the packet from the queues depending on a packet scheduling method to be transmitted to the transmitting interface 115.
A simple known packet scheduling method is that the packet is transmitted first from the queue 113 storing packets with the highest priority degree, and only when that queue is empty is a packet transmitted from the queue 113 with the next highest priority degree.
By transmitting the packet firstly depending on the priority degree of the packet in this way, the packet transferring apparatus 100 can perform a priority transfer control to finally transmit the packet from the transmitting interface 115.
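The switch portion and packet scheduling processor described above, as an added example that is not part of the original document: three queues per transmitting interface, the eight priority degrees mapped onto them as stated (“0-2” low, “3-5” medium, “6-7” high), and the simple scheduling method that always serves the highest non-empty queue. The packet names, interface number and arrival order in `demo()` are constructed here.

```python
from collections import deque

LOW, MEDIUM, HIGH = 0, 1, 2


def queue_index(priority_degree):
    """Map the eight priority degrees 0-7 onto the three queues of one interface."""
    if not 0 <= priority_degree <= 7:
        raise ValueError("priority degree must be 0-7")
    if priority_degree <= 2:
        return LOW
    if priority_degree <= 5:
        return MEDIUM
    return HIGH


class PacketScheduler:
    """Three transmitting queues per transmitting interface, served strictly by priority."""

    def __init__(self, interfaces):
        self.queues = {ifno: [deque(), deque(), deque()] for ifno in interfaces}

    def enqueue(self, tx_if, priority_degree, packet):
        # Role of the switch portion: store the packet by transmitting interface
        # and priority degree of the packet
        self.queues[tx_if][queue_index(priority_degree)].append(packet)

    def dequeue(self, tx_if):
        # Role of the packet scheduling processor: take from the highest-priority
        # queue, and fall back to the next lower one only when it is empty
        for queue in reversed(self.queues[tx_if]):
            if queue:
                return queue.popleft()
        return None


def drain(scheduler, tx_if):
    """Transmission order of everything queued on one interface."""
    out = []
    while (pkt := scheduler.dequeue(tx_if)) is not None:
        out.append(pkt)
    return out


def demo():
    # Constructed sample: packets queued on interface 4 in arrival order a..f
    scheduler = PacketScheduler(interfaces=[4])
    for name, degree in [("a", 1), ("b", 7), ("c", 4), ("d", 6), ("e", 0), ("f", 3)]:
        scheduler.enqueue(4, degree, name)
    # High-priority packets leave first regardless of arrival order; within one
    # queue the order of arrival is kept
    return drain(scheduler, 4)


if __name__ == "__main__":
    print(demo())
```

Note that with this method a steady stream of high-priority packets can keep the low-priority queue from ever being served, which is why the priority control entries need to be set with care.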
The structure of the filtering table 108 will be more specifically described by referring to FIGS. 12 and 13.
In case of the IP, for instance, the table 108 is composed of a filtering condition table and a mask data table, as respectively shown in FIGS. 12A and 12B corresponding to the field values (protocol No., source IP address, destination IP address, source port No., destination port No., receiving interface No., and transmitting interface No.) within the header of an IP packet format shown in FIG. 13.
Each of the entries of the filtering condition table is related to each of the entries of the corresponding mask data table by a pointer, as shown in FIGS. 12A and 12B. The filtering condition table stores a packet condition when the packet transferring apparatus performs the filtering process, and the mask data table stores a bit string of “0” or “1” indicating whether or not the field values of the filtering conditions are significant.
In a filtering condition 301 of the filtering condition table, for instance, three conditions of the protocol No., the source IP address, and the destination IP address are set, while the other source port No., destination port No., receiving interface No., and transmitting interface No. are not set.
Accordingly, as for mask data 306 corresponding to the filtering condition 301, the field values of the source port No., the destination port No., the receiving interface No., and the transmitting interface No. are set to “00 . . . 0” as the bit string.
Furthermore, the source IP address is “150.56.0.0” (equivalent to the bit string 10010110 00111000 00000000 00000000) in the filtering condition 301, while the source IP address of the corresponding mask data 306 is “255.255.0.0” (equivalent to the bit string 11111111 11111111 00000000 00000000).
Accordingly, not only the packet whose source IP address is “150.56.0.0” but also all of the packets whose source IP address is “150.56.(0-255).(0-255)” conform with the condition of the source IP address in the filtering condition 301.
Likewise, as for the destination IP address in the filtering condition 301, all of the packets whose destination IP address is “10.(0-255).(0-255).(0-255)” conform with the condition of the destination IP address in the filtering condition 301.
Namely, the mask values of the mask data table designate the range of bits within which the field values of the entries in the filtering condition table must coincide with the field values within the packet header.
It is not necessary that the total number of the entries set in the mask data table is equal to the total number of the entries set in the filtering condition table. Since the pattern of the mask data for the filtering condition 302 is equal to that for the filtering condition 301, for instance, the total number of the entries set in the mask data table can be fewer than that set in the filtering condition table by setting the pointer of a filtering condition 302 to designate the mask data 306.
It is to be noted that while the “protocol No.” of the filtering condition table is represented by the characters of “TCP” or “UDP”, it is to be stored in a storage device (not shown) with corresponding bits such as “0” for TCP and “1” for UDP when the storage device in the hardware portion 104 of the packet transferring apparatus 100 mounts thereon the filtering condition table.
Similarly, while “transfer/abandonment” of the filtering condition table is represented by the characters “transfer” or “abandonment”, it is to be stored in the storage device with corresponding bits such as “0” for transfer and “1” for abandonment when the storage device in the hardware portion 104 mounts thereon the filtering condition table.
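The filtering condition table and mask data table of FIGS. 12A and 12B, as an added example that is not the document's own code: each condition entry points at a mask data entry, a field is compared only on the bits the mask marks as significant, and two conditions may share one mask entry. Mask data 306 and the protocol, source IP address and destination IP address of condition 301 are taken from the text; the action of 301, the values of 302 and the stored bit encodings' use as Python constants are constructed here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Field order of the filtering condition table (FIG. 12A), i.e. the header fields of FIG. 13
FIELDS = ("proto", "src_ip", "dst_ip", "src_port", "dst_port", "rx_if", "tx_if")
TCP, UDP = 0, 1            # stored bit values for the protocol No. given in the text
TRANSFER, ABANDON = 0, 1   # stored bit values for transfer/abandonment given in the text


def ip(dotted):
    """Dotted-decimal IPv4 address or mask to its 32-bit integer."""
    return int(IPv4Address(dotted))


@dataclass
class MaskData:
    """One mask data entry: a bit string per field; 1 = significant bit, 0 = don't care."""
    bits: dict


@dataclass
class FilterCondition:
    """One filtering condition entry; mask_ptr points at a (possibly shared) mask entry."""
    values: dict
    mask_ptr: int
    action: int


def field_matches(packet_value, cond_value, mask_bits):
    # Only the bits the mask marks significant must agree; an all-zero mask
    # means the field is not set in the condition and matches any value
    return ((packet_value ^ cond_value) & mask_bits) == 0


def entry_matches(cond, mask, packet):
    return all(field_matches(packet[f], cond.values.get(f, 0), mask.bits.get(f, 0))
               for f in FIELDS)


def filter_packet(cond_table, mask_table, packet):
    """Return TRANSFER or ABANDON; a CAM would compare all entries in parallel."""
    for cond in cond_table:
        if entry_matches(cond, mask_table[cond.mask_ptr], packet):
            return cond.action
    return TRANSFER   # no relevant entry: the packet goes on to the next processor


def packet(proto, src, dst, sport, dport, rx_if, tx_if):
    """Header field values of one received packet as a dict keyed by FIELDS."""
    return {"proto": proto, "src_ip": ip(src), "dst_ip": ip(dst),
            "src_port": sport, "dst_port": dport, "rx_if": rx_if, "tx_if": tx_if}


# Mask data 306 as in the text: protocol No., source IP /16 and destination IP /8
# are significant; port and interface fields are "00 . . . 0"
MASK_TABLE = [MaskData({"proto": 0xFF, "src_ip": ip("255.255.0.0"),
                        "dst_ip": ip("255.0.0.0")})]

# Condition 301 (TCP, 150.56.0.0 -> 10.0.0.0) as in the text, with a constructed action;
# condition 302 is constructed and shares mask data 306 through the same pointer
COND_TABLE = [
    FilterCondition({"proto": TCP, "src_ip": ip("150.56.0.0"), "dst_ip": ip("10.0.0.0")},
                    mask_ptr=0, action=ABANDON),
    FilterCondition({"proto": UDP, "src_ip": ip("150.56.0.0"), "dst_ip": ip("10.0.0.0")},
                    mask_ptr=0, action=TRANSFER),
]

if __name__ == "__main__":
    # Any 150.56.x.x -> 10.x.x.x TCP packet hits condition 301 whatever its ports
    print(filter_packet(COND_TABLE, MASK_TABLE,
                        packet(TCP, "150.56.12.34", "10.200.1.1", 40000, 80, 4, 1)))
```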
The priority control table 110, like the filtering table 108, has a priority condition table and the mask data table, has the fields of the protocol No., the source IP address, the destination IP address, the source port No., the destination port No., the receiving interface No., and the transmitting interface No. as the fields of the priority control condition table and the mask data table, and has a table structure in which the “transfer/abandonment” field of the filtering condition table is replaced by the “priority degree”.
When the hardware portion 104 mounts thereon the above-mentioned filtering table 108 and the priority control table 110, the storage device generally called a CAM (Content Addressable Memory) is used.
The CAM, unlike other memories, does not compare the entries in the memory one by one with the field values within the packet which serve as the retrieval key, but compares the retrieval key with all of the entries simultaneously in parallel, thereby enabling the entry corresponding to the received packet to be retrieved at a high speed regardless of the number of entries stored in the table.
The filtering table and the priority control table, as well as the filtering processor and the priority control processor which perform the retrieval, the update, and the result determination of those tables, included in the hardware portion of the conventional packet transferring apparatus, have an entry arrangement per packet: the transfer/abandonment and the priority degree are determined, for each packet which arrives at the packet transferring apparatus, from that packet alone.
Accordingly, there has been a problem that it is impossible to perform the security control and the priority transfer control depending on such a session establishing direction that e.g. in a communication relating to a certain application the communication started by the external network is generally prohibited or treated with a low priority, while the communication started by the internal network is permitted or treated with a high priority. This will be described more specifically.
In case of the TCP communication of FIG. 3A, for instance, packets ① and ③ cannot be distinguished by the filtering condition shown in FIG. 12A. This is because both packets ① and ③ are sent from the terminal 62 belonging to the external network. However, the packet ③ belongs to a series of communication arising from the packet ② sent from the terminal 11 originally belonging to the internal network, while the packet ① belongs to a communication arising from the packet ① sent from the terminal 62 originally belonging to the external network. Therefore, the packet transferring apparatus must distinguish the packet ① from the packet ③ to perform the abandonment/transfer.
For this distinction, it is necessary to define the information for identifying not each packet per se but the subsequent packet (e.g. packet ③) based on the attribute of a previous packet (e.g. packet ②). This definition enables the security control and the priority transfer control to be performed depending on the session establishing direction.
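The distinction just described, as an added example that is not part of the original document: a per-packet filter sees the same source and receiving interface for packets ① and ③ and gives them the same verdict, whereas a table that records the session from the attribute of its first packet (which interface it arrived on) identifies ③ as the answer to ② and lets it through. The addresses, ports, interface numbers and the rule "abandon what the external side starts" are constructed here; the example covers TCP only and never removes entries.

```python
from dataclasses import dataclass

INTERNAL_IF, EXTERNAL_IF = 1, 4            # IF1 faces LAN1 (inside), IF4 faces LAN4 (outside)
TRANSFER, ABANDON = "transfer", "abandonment"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    rx_if: int      # receiving interface No.
    syn: bool
    ack: bool


def stateless_verdict(pkt):
    """Per-packet filtering as in FIG. 12A: cannot tell a reply from a new attempt."""
    # Constructed rule: abandon whatever arrives from the external network
    return ABANDON if pkt.rx_if == EXTERNAL_IF else TRANSFER


class SessionTable:
    """Sessions recorded from the attribute of their first packet (the direction it came from)."""

    def __init__(self):
        # 4-tuples of sessions the internal network started; a real table would
        # also hold the protocol No. and age entries out when the session ends
        self.sessions = set()

    def verdict(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions or reverse in self.sessions:
            # Subsequent packet of a session the internal side started (either direction)
            return TRANSFER
        if pkt.syn and not pkt.ack and pkt.rx_if == INTERNAL_IF:
            # First packet of a new TCP session started from inside: remember it
            self.sessions.add(key)
            return TRANSFER
        # A session started from outside, or a mid-session packet of no known session
        return ABANDON


def demo():
    # Constructed addresses: terminal 11 on the internal LAN1, terminal 62 on the external side
    t11, t62 = "10.1.0.11", "192.0.2.62"
    p1 = Packet(t62, 40000, t11, 80, EXTERNAL_IF, syn=True, ack=False)   # ① 62 starts a session
    p2 = Packet(t11, 50000, t62, 25, INTERNAL_IF, syn=True, ack=False)   # ② 11 starts a session
    p3 = Packet(t62, 25, t11, 50000, EXTERNAL_IF, syn=True, ack=True)    # ③ 62 answers ②
    table = SessionTable()
    return {
        "stateless": [stateless_verdict(p) for p in (p1, p2, p3)],
        "session": [table.verdict(p) for p in (p1, p2, p3)],
    }


if __name__ == "__main__":
    print(demo())
```

Because every internally started session adds an entry, the table grows with the inter-terminal traffic rather than with the manager's settings, which is the memory concern raised at the end of this section.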
In order to perform the security control and the priority transfer control depending on the above-mentioned session establishing direction, a security control/priority transfer processor for performing this process has only to be newly provided within the packet transferring apparatus.
At this time, it is required that the security/priority transfer processor is also arranged in the packet transferring apparatus to adequately cooperate with the routing processor, the filtering processor, and the priority control processor arranged within the packet transferring apparatus in the order shown in FIG. 11.
Thus, it becomes possible to realize a high-speed packet transferring process by preventing the packet transferring process performed by the packet transferring apparatus from being delayed and by omitting redundant processes overlapped at the processors.
Such an adequate cooperation can be exemplified by a cooperation with the routing processor in which the security/priority transfer processor processes the received packet first, so that the routing process is omitted when the transmitting interface has already been determined.
Accordingly, there has been a problem that the conventional packet transferring apparatus can neither detect the session, nor consequently define the information for identifying a specific packet, nor perform the security control and the priority transfer control based on the defined information.
Also, there has been a problem that the conventional packet transferring apparatus redundantly retrieves even the packet which does not require the retrieval of the routing table and the filtering table, resulting in a disadvantage for enhancing the speed of the packet transferring process.
Furthermore, since the filtering table and the priority control table included in the conventional packet transferring apparatus of FIG. 11 store entries with mask values indicating ranges of the field values, set e.g. by software which the network manager uses for the setting, the number of the entries per se is small. However, since a newly provided session management table for solving the above-mentioned problems stores its entries based on the inter-terminal communication, there has been a problem that the number of the entries possessed by the session management table becomes large and the memory capacity required for mounting the session management table becomes enormous.