As one form of control for a network system, a CU (C: control plane / U: user plane) separation type network system has been proposed, in which node units (the user plane) are controlled from an external control unit (the control plane).
As an example of the CU separation type network system, an open flow network system is described which uses the open flow (OpenFlow) technique, in which a controller controls switches for route control of the network. The details of the open flow technique are described in Non-Patent Literature 1. It should be noted that the open flow network system is only an example.
(Explanation of Open Flow Network System)
In the open flow network system, the controller, such as an OFC (OpenFlow Controller), controls the behavior of switches, such as OFSs (OpenFlow Switches), by operating the flow tables of the switches. The controller and the switches are connected through secure channels.
The switches in the open flow network system form an open flow network, and are edge switches and core switches under the control of the controller. A series of processing from the reception of packets at the edge switch on the input side to the transmission of the packets from the edge switch on the output side of the open flow network is called a flow.
A packet may be referred to as a frame. A difference between the packet and the frame is only a difference in the unit of the data manipulated in the protocol (PDU: Protocol Data Unit). The packet is the PDU of “TCP/IP” (Transmission Control Protocol/Internet Protocol). On the other hand, the frame is the PDU of “the Ethernet (the registered trademark)”.
A flow table is a table which stores a flow entry defining a predetermined operation (action) to be carried out to the packets (communication data) which match a predetermined match condition (rule).
The rule of the flow entry is defined by a combination of all or some of a destination address, a source address, a destination port, and a source port contained in the header field of each protocol layer of the packet, and identifies the packets to which the entry applies. The addresses include a MAC address (Media Access Control address) and an IP address (Internet Protocol address). In addition, the data of the entrance port (Ingress Port) can be used in the rule of the flow entry. A regular expression, an expression containing the wildcard "*", and so on, applied to part (or all) of the value of a header field, can also be used as the rule of the flow entry.
The action of the flow entry is one of operations such as "output to a specific port", "discard", and "rewrite the header". For example, if the action of the flow entry carries data identifying an output port (an output port number and so on), the switch outputs the packet to that port; if no output port is identified, the switch discards the packet. If the action of the flow entry carries header data, the switch rewrites the header of the packet based on that header data.
The switch in the open flow network system executes the action of the flow entry to a packet group (a series of packets) which matches the rule of the flow entry.
In a flow-based network such as the open flow network system, a group of packets (a series of packets) matching the rule (a predetermined header condition) of a flow entry is handled as a flow. By monitoring and controlling traffic in units of flows, the network can be controlled more flexibly than a conventional network.
For example, when traffic between a server and a client should be controlled for every user, it becomes possible to identify the flow end-to-end by the combination of the IP addresses of the server and the client, and to monitor it and control its traffic volume.
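The following is an added example, not code from the original document or from any OpenFlow implementation. It models the flow table described above: each flow entry pairs a match rule (any subset of header fields, "*" wildcards, IP prefixes for the address fields) with an action (output to a port, discard, or rewrite header fields), entries are tried in priority order, and each entry keeps a packet counter, which is what flow-unit monitoring is built on. The header field names (`in_port`, `dl_src`, `nw_dst`, `tp_dst`, and so on) follow OpenFlow 1.0 naming but are an assumption of this example, and the sample packets and addresses are constructed.

```python
"""Added example: a minimal OpenFlow-style flow table with wildcard rules,
priorities, per-entry packet counters and output/discard/rewrite actions.
Field names and sample packets are constructed for illustration."""

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

WILDCARD = "*"  # a rule field set to "*" matches any value


@dataclass
class Rule:
    """Match condition; a field left as WILDCARD is not compared."""
    in_port: object = WILDCARD
    dl_src: object = WILDCARD   # Ethernet (frame) header fields
    dl_dst: object = WILDCARD
    nw_src: object = WILDCARD   # IP header fields: exact address or CIDR prefix
    nw_dst: object = WILDCARD
    tp_src: object = WILDCARD   # layer-4 ports
    tp_dst: object = WILDCARD

    def matches(self, pkt):
        for name, want in vars(self).items():
            if want == WILDCARD:
                continue
            have = pkt.get(name)
            if have is None:
                return False
            if name in ("nw_src", "nw_dst"):
                # Prefix match so one entry can cover a whole subnet.
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True


@dataclass
class Action:
    output_port: Optional[int] = None             # None: discard the packet
    rewrite: dict = field(default_factory=dict)   # header fields to overwrite


@dataclass
class FlowEntry:
    rule: Rule
    action: Action
    priority: int = 0
    packet_count: int = 0   # per-flow statistics: the basis of flow-unit monitoring


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def process(self, pkt):
        """Apply the highest-priority matching entry. Returns (output_port, packet);
        an output_port of None means discarded or no matching entry."""
        for entry in self.entries:
            if entry.rule.matches(pkt):
                entry.packet_count += 1
                out = dict(pkt)
                out.update(entry.action.rewrite)
                return entry.action.output_port, out
        return None, pkt   # table miss; a real switch would hand this to the controller


def build_example_table():
    t = FlowTable()
    # Highest priority: discard telnet to any destination (no output port in the action).
    t.add(FlowEntry(Rule(tp_dst=23), Action(output_port=None), priority=10))
    # Traffic for the server subnet leaves port 2 with the gateway MAC rewritten in.
    t.add(FlowEntry(Rule(nw_dst="192.0.2.0/24"),
                    Action(output_port=2, rewrite={"dl_dst": "00:00:5e:00:53:01"}), priority=5))
    # Anything else arriving on port 1 is forwarded to port 3.
    t.add(FlowEntry(Rule(in_port=1), Action(output_port=3), priority=0))
    return t


# Constructed sample packets (header fields only).
HTTP = {"in_port": 1, "dl_src": "00:00:5e:00:53:aa", "dl_dst": "00:00:5e:00:53:ff",
        "nw_src": "10.0.0.5", "nw_dst": "192.0.2.10", "tp_src": 51000, "tp_dst": 80}
TELNET = dict(HTTP, tp_dst=23)
OTHER = dict(HTTP, nw_dst="198.51.100.7")
UNKNOWN = dict(OTHER, in_port=4)
```

Because the rule can leave most fields wildcarded, the same table can describe a per-user flow (source and destination IP set, everything else "*") or a whole class of traffic (only `tp_dst` set), which is the flexibility the text attributes to flow-based control.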
It should be noted that current networks have very complicated configurations, and equipment with various functions, such as a firewall or a load balancer (load distribution apparatus), is often placed in front of the server and the client machine. The advantage of flow-based network control is sometimes lost because of such equipment.
Equipment with a NAT (Network Address Translation) or NAPT (Network Address Port Translation) function translates the packet header. For example, equipment with the NAT function rewrites the IP header, and equipment with the NAPT function rewrites both the IP header and the layer 4 header.
Because the packet header has been translated when passing through such an equipment (hereinafter, to be referred to as a header translating unit), the flow after the passage is different from the flow before the passage. Therefore, when relayed by such a header translating unit, the monitoring and control for every flow in end-to-end cannot be carried out.
As a technique for solving this problem, a method that uses the header translation data retained by the header translating unit is known. Specifically, a method is conceivable in which a unit sends an inquiry to the header translating unit to refer to its address translation table, and obtains the pre-translation packet header from the post-translation packet header in order to find the corresponding flow.
However, this method can be realized only if the header translating unit has an interface that can be queried from an external unit and the data of the address translation table can be referred to through it. If these conditions are not met, the header translating unit must be modified to satisfy them.
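The following is an added example, not code from the original document or from any NAT product. It shows concretely why a NAPT device breaks end-to-end flow identity: the 5-tuple a flow monitor sees before the translator differs from the one it sees after, so the two observation points count different flows. It then implements the method described above, an inquiry to the translator's address translation table that maps a post-translation header back to the pre-translation header, and shows the per-user flow correspondence restored. The `Napt` class, its `lookup_original` inquiry interface, the field names, and all addresses, ports and packet lengths are assumptions constructed for this example; it uses the same constructed header-field convention as the flow table example above but runs on its own.

```python
"""Added example: a NAPT device splits an end-to-end flow into two flows, and
consulting the translator's address translation table restores the correspondence.
All addresses, ports and packet sizes are constructed sample data."""

from collections import Counter


def flow_key(pkt):
    """Flow identity as an OpenFlow-style 5-tuple match would see it."""
    return (pkt["nw_src"], pkt["tp_src"], pkt["nw_dst"], pkt["tp_dst"], pkt["proto"])


class Napt:
    """Toy NAPT: rewrites the source IP (IP header) and source port (layer 4
    header) on the way out, and keeps the address translation table that the
    method in the text wants to query."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.forward = {}   # (private_ip, private_port) -> public_port
        self.reverse = {}   # public_port -> (private_ip, private_port)

    def translate(self, pkt):
        key = (pkt["nw_src"], pkt["tp_src"])
        if key not in self.forward:
            port = self.next_port
            self.next_port += 1
            self.forward[key] = port
            self.reverse[port] = key
        out = dict(pkt)
        out["nw_src"] = self.public_ip      # NAT part: IP header rewritten
        out["tp_src"] = self.forward[key]   # NAPT part: layer 4 header rewritten
        return out

    def lookup_original(self, translated):
        """Assumed inquiry interface of the header translating unit: map a
        post-translation header back to the pre-translation header, or return
        None when the translator holds no binding for it."""
        if translated.get("nw_src") != self.public_ip:
            return None
        key = self.reverse.get(translated["tp_src"])
        if key is None:
            return None
        orig = dict(translated)
        orig["nw_src"], orig["tp_src"] = key
        return orig


def count_bytes_per_flow(packets):
    """What a flow-based monitor accumulates at one observation point."""
    counts = Counter()
    for p in packets:
        counts[flow_key(p)] += p["length"]
    return dict(counts)


def run_demo():
    """Returns (flows seen before the NAPT, flows seen after it, flows after it
    mapped back through the translation table)."""
    napt = Napt("203.0.113.1")
    # Constructed traffic: two clients behind the NAPT talk to the same server,
    # both happening to use the same local source port.
    before = [
        {"nw_src": "10.0.0.5", "tp_src": 51000, "nw_dst": "192.0.2.10", "tp_dst": 80, "proto": "tcp", "length": 500},
        {"nw_src": "10.0.0.6", "tp_src": 51000, "nw_dst": "192.0.2.10", "tp_dst": 80, "proto": "tcp", "length": 700},
        {"nw_src": "10.0.0.5", "tp_src": 51000, "nw_dst": "192.0.2.10", "tp_dst": 80, "proto": "tcp", "length": 300},
    ]
    after = [napt.translate(p) for p in before]
    inside = count_bytes_per_flow(before)    # client-side monitor
    outside = count_bytes_per_flow(after)    # server-side monitor: different keys
    # Server-side monitor asks the translator for the pre-translation headers.
    recovered = count_bytes_per_flow([napt.lookup_original(p) for p in after])
    return inside, outside, recovered
```

The server-side keys all carry the translator's public address, so per-user control by "server IP plus client IP" is impossible there on its own; only the `lookup_original` inquiry, which presupposes exactly the external query interface the text says the translator may not have, brings the two views back into agreement.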
Also, as another method, Patent Literature 1 (JP 2005-210518A) discloses a transmission source tracing data providing apparatus and a transmission source tracing apparatus as an apparatus which carries out IP trace-back.
As a representative example of the IP trace-back technique, there is ICMP trace-back (Internet Control Message Protocol Traceback), proposed by the ICMP traceback working group of the IETF (Internet Engineering Task Force). In ICMP trace-back, a router on the route selects an IP packet as a trace target with a predetermined probability, generates trace data for this IP packet, and transmits the trace data to the destination of the IP packet in an ICMP message; the destination unit then presents the trace data.
By applying a similar technique, it may be possible to acquire the correspondence relation between the flows separated by the header translating unit.
However, to realize such a technique, the header translating unit needs a mechanism to transmit its address translation data to the outside. Therefore, it is difficult to realize this without modifying the header translating unit.