With the spread of information systems that use networks, networks such as IP networks are becoming large-scale and complicated, and high flexibility is additionally required of them. Because the configuration of each network device is becoming complicated and the number of devices to be configured is increasing, the burden of network design and management is increasing.
For example, one widespread access control method for personal computers (hereinafter referred to as PCs) forms a MAC-based VLAN (Virtual Local Area Network) on the terminal L2 switch adjacent to the PC, so that only a connection from a PC having a designated MAC address is allowed. In this method, however, in an environment in which hundreds of thousands of PCs are connected, daily maintenance is required to add or delete hundreds of thousands of MAC addresses across thousands of L2 switches, and the burden on the administrator is increased.
As a technique for solving such a problem, there is an open technology proposed by the OpenFlow Consortium (http://www.openflowswitch.org/) (refer to Non-Patent Literature 1). In an open flow system according to this technology, a server called an open flow controller (OFC: Open Flow Controller) can integrally set and manage network switches called open flow switches (OFS: Open Flow Switch). Therefore, by setting in the OFC a network policy (hereinafter referred to as a policy) for the overall open flow system, all OFSs can be controlled.
With reference to FIG. 1, the configuration and operation of a computer system that uses the open flow protocol will be explained. As shown in FIG. 1, a computer system according to a related art of the present invention includes an open flow controller 100 (hereinafter called OFC 100), a switch group 20 including a plurality of open flow switches 2-1 to 2-n (hereinafter called OFSs 2-1 to 2-n), and a host group 30 including a plurality of host computers 3-1 to 3-i (hereinafter called hosts 3-1 to 3-i). Here, n and i are each a natural number of 2 or more. In the following explanation, each of the OFSs 2-1 to 2-n is called an OFS 2 when not distinguished, and each of the hosts 3-1 to 3-i is called a host 3 when not distinguished.
The OFC 100 sets a communication path between the hosts 3 and sets the forwarding operation (relay operation) and the like of each OFS 2 on that path. Specifically, the OFC 100 sets, in a flow table included in the OFS 2, a flow entry that associates a rule for identifying a flow (packet data) with an action defining the operation to be performed on that flow. The OFS 2 on the communication path determines the forwarding destination of received packet data in accordance with the flow entry set by the OFC 100 and performs the forwarding operation. Thus, a host 3 can use the communication path set by the OFC 100 to transmit packet data to and receive packet data from another host 3. That is, in a computer system using open flow, since the OFC 100, which sets communication paths, and the OFSs 2, which perform forwarding operations, are separated, communications in the whole system can be collectively controlled and managed.
With reference to FIG. 1, when a packet is transmitted from the host 3-1 to the host 3-i, the OFS 2-1 refers to the transmission destination information in the packet received from the host 3-1 (header information: for example, the destination MAC address or destination IP address) and searches the flow table included in the OFS 2-1 for an entry corresponding to this header information. The contents of an entry set in the flow table are defined, for example, in Non-Patent Literature 1.
When no entry for the received packet data is described in the flow table, the OFS 2-1 transfers the packet data (hereinafter called a first packet), or the header information of the first packet (or the first packet itself), to the OFC 100. The OFC 100, having received the first packet from the OFS 2-1, determines a path 40 based on information included in the packet, such as the source host and the destination host.
The OFC 100 instructs all OFSs 2 on the path 40 to set flow entries defining the transmission destination of the packet (it issues a flow table updating instruction). Each OFS 2 on the path 40 updates the flow table it manages in accordance with the flow table updating instruction. After that, the OFS 2 starts transmitting the packet according to the updated flow table, and the packet is transmitted to the destination host 3-i via the path 40 determined by the OFC 100.
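The lookup-miss, first-packet and flow-table-update sequence of FIG. 1, as an added example in Python that is not part of the original document: an OFS that misses in its flow table hands the first packet to the OFC, which computes the path and installs a flow entry on every OFS along it, after which later packets are forwarded without the OFC. The three-switch topology, host MAC addresses and class names are constructed for illustration.

```python
from collections import deque
# Constructed topology (not from the page): three OFSs in a line, one host at each end.
LINKS = {"OFS2-1": {1: "host3-1", 2: "OFS2-2"},   # LINKS[switch] = {port: neighbour}
         "OFS2-2": {1: "OFS2-1", 2: "OFS2-3"},
         "OFS2-3": {1: "OFS2-2", 2: "host3-2"}}
HOST_MAC = {"host3-1": "00:00:00:00:00:01", "host3-2": "00:00:00:00:00:02"}

def find_path(start, goal):
    # Breadth-first search over LINKS; returns the nodes from start to goal inclusive.
    prev, queue = {start: None}, deque([start])
    while queue and goal not in prev:
        node = queue.popleft()
        for nxt in LINKS.get(node, {}).values():
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], goal if goal in prev else None
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

class OFS:
    # Open flow switch: flow_table maps a rule (destination MAC) to an action (output port).
    def __init__(self, name, controller):
        self.name, self.controller, self.flow_table = name, controller, {}
    def receive(self, pkt):
        if pkt["dst_mac"] not in self.flow_table:  # table miss: the first packet goes to the OFC
            self.controller.packet_in(self.name, pkt)
        return LINKS[self.name][self.flow_table[pkt["dst_mac"]]]

class OFC:
    # Open flow controller: determines the path and sets a flow entry on every OFS on it.
    def __init__(self):
        self.switches = {name: OFS(name, self) for name in LINKS}
        self.packet_ins = 0  # how often the switches had to consult the OFC
    def packet_in(self, src_switch, pkt):
        self.packet_ins += 1
        dst_host = next(h for h, mac in HOST_MAC.items() if mac == pkt["dst_mac"])
        path = find_path(src_switch, dst_host)
        for hop, nxt in zip(path, path[1:]):  # flow table updating instruction per OFS
            out_port = next(p for p, n in LINKS[hop].items() if n == nxt)
            self.switches[hop].flow_table[pkt["dst_mac"]] = out_port

def deliver(ofc, src_host, dst_host):
    # Forward one packet hop by hop from the source host's edge OFS; returns the nodes visited.
    pkt = {"src_mac": HOST_MAC[src_host], "dst_mac": HOST_MAC[dst_host]}
    hops = [next(s for s, ports in LINKS.items() if src_host in ports.values())]
    while hops[-1] in LINKS:  # stop once the packet leaves the switch group for a host
        hops.append(ofc.switches[hops[-1]].receive(pkt))
    return hops
```

Because every OFS keys its entries on the destination MAC alone, a host that presents another host's MAC address is matched and forwarded in exactly the same way, which is the spoofing exposure the text raises below.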
However, in the OpenFlow technology described above, a host terminal such as a PC (Personal Computer) connected to the open flow system is identified by its IP address or MAC address. Therefore, in an environment where hundreds of thousands of PCs are connected, a policy must be set for each of the hundreds of thousands of IP addresses or MAC addresses, and the burden is increased. Furthermore, since IP addresses and MAC addresses can be faked, there is a risk of unauthorized access, and a countermeasure is required.
For example, a system for policy control is described in JP 2005-4549 (refer to Patent Literature 1). Patent Literature 1 describes a policy server that has an access control function for network devices or application servers based on a security policy retained by the policy server itself; however, policy control in an open flow environment is not disclosed.