Conventional network apparatuses are “black boxes” on which flexible control such as load balancing and aggregation cannot be performed from the outside. For this reason, the larger a network becomes, the more difficult it becomes to grasp and improve the behavior of the network as a system. Thus, changing the design or configuration of the network takes a long time, which is a problem.
To solve this problem, a method has been considered that separates the packet forwarding and path control functions that conventional network apparatuses perform. For example, if a network apparatus performs packet forwarding and a controller arranged outside the network apparatus performs path control, external control can easily be performed. Namely, a flexible network can be established.
As a specific example of the above method, OpenFlow in Non-Patent Literature 1 and 2 will be described. OpenFlow is an architecture whose specification is defined by the Open Networking Foundation.
FIG. 9 illustrates a basic configuration of OpenFlow 1.1.0. In FIG. 9, a switch is illustrated as the network apparatus. An OpenFlow system includes a network apparatus (a switch X20) supporting the OpenFlow protocol described in Non-Patent Literature 2 and an externally-arranged controller X10. The network apparatus and the controller are connected with each other via a secure channel and communicate with each other by using the OpenFlow protocol. In OpenFlow, the packet forwarding and path control functions of a network apparatus are separated. More specifically, the network apparatus (the switch X20) performs packet forwarding and the controller X10 performs path control for the network apparatus.
The network apparatus supporting OpenFlow includes a table, referred to as a flow table, which stores control information. The flow table manages entries. In each entry, header region information (Header Field) of packets defined as belonging to a flow is associated with an instruction defining the processing content(s) for those packets. The set of the header region information (Header Field; also referred to as Match Fields) and the instruction is referred to as a flow entry.
Matching conditions for determining the processing target packets are written in the header region information (Header Field). A wildcard can also be specified for part of the header region information (Header Field). The processing content(s), such as forwarding processing for forwarding packets to other network apparatuses and dropping processing for discarding packets, are written in the instruction field.
Processing other than the above forwarding and dropping may be written as an action in the instruction field. For example, an action causing the network apparatus to modify a value in the header region information (Header Field) of a packet can also be specified. A plurality of actions may be set in a single flow entry. The network apparatus checks the header region information (Header Field) of a received packet against the header region information (Header Field) in the flow table. If a matching entry is found as a result of this checking processing, the corresponding action(s) in the instruction field are performed. In OpenFlow 1.1.0 each flow entry also carries a priority; when more than one entry matches a packet, only the matching entry with the highest priority is used, so an entry whose fields are all wildcards catches every packet that no higher-priority entry claims.
Information that can be used as items of the header region information (Header Field) will be described with reference to FIG. 9. In FIG. 9, “Ingress Port”, “Ether src”, “Ether dst”, “Ether type”, “VLAN ID”, “VLAN priority”, “IP src”, “IP dst”, “IP proto”, “IP ToS”, “TCP/UDP src port”, and “TCP/UDP dst port” are illustrated as the information that can be used as items of the header region information (Header Field). At least one of the above information items is used when a packet is checked against the flow entries. Namely, one of the above information items or a combination of them is used to define a flow.
“Ingress Port” represents the port on which the packet was received. “Ether src” represents the source MAC address (Media Access Control address). “Ether dst” represents the destination MAC address. “Ether type” represents the type of the upper-layer protocol carried in the Ethernet frame. “VLAN ID” represents the identifier of the virtual LAN (Virtual Local Area Network) carried in the VLAN tag of the packet, as assigned by a VLAN switch to the port on which the packet entered the VLAN. “VLAN priority” represents the priority carried in the VLAN tag of the packet. “IP src” represents the source IP address (Internet Protocol address). “IP dst” represents the destination IP address. “IP proto” represents the IP protocol number or, for ARP packets, the ARP operation code. “IP ToS” represents the IP type-of-service bits used as a priority. “TCP/UDP src port” represents the source port number in TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). “TCP/UDP dst port” represents the destination port number in TCP or UDP.
Next, header rewrite actions (Set-Field actions) for modifying the header region information (Header Field) of a packet will be described with reference to FIG. 10. These actions can be set in the instruction field of a flow entry. In FIG. 10, “Set VLAN ID”, “Set VLAN priority”, “Strip VLAN header”, “Modify Ethernet src MAC address”, “Modify Ethernet dst MAC address”, “Modify IPv4 src address”, “Modify IPv4 dst address”, “Modify IPv4 ToS bits”, “Modify transport src port”, and “Modify transport dst port” are illustrated as the header rewrite actions (Action) that can be set in a flow entry. A plurality of these actions can be performed in combination.
“Set VLAN ID” represents adding “VLAN ID” to the header region information (Header Field) or modifying “VLAN ID” in the header region information (Header Field). “Set VLAN priority” represents adding “VLAN priority” to the header region information (Header Field) or modifying “VLAN priority” in the header region information (Header Field). “Strip VLAN header” represents deleting “VLAN ID” and “VLAN priority” from the header region information (Header Field). “Modify Ethernet src MAC address” represents modifying “Ether src” in the header region information (Header Field). “Modify Ethernet dst MAC address” represents modifying “Ether dst” in the header region information (Header Field). “Modify IPv4 src address” represents modifying “IP src” in the header region information (Header Field). “Modify IPv4 dst address” represents modifying “IP dst” in the header region information (Header Field). “Modify IPv4 ToS bits” represents modifying “IP ToS” in the header region information (Header Field). “Modify transport src port” represents modifying “TCP/UDP src port” in the header region information (Header Field). “Modify transport dst port” represents modifying “TCP/UDP dst port” in the header region information (Header Field). “Ethernet” is a registered mark.
The controller X10 includes a network apparatus control unit (a switch control unit X11 in FIG. 9), updates a flow table in the network apparatus via the secure channel, and controls the network apparatus (the switch X20).
The network apparatus (the switch X20) includes a packet control unit X21 performing packet forwarding and packet header modification in accordance with the above flow entries. When receiving a packet, the network apparatus checks the packet against a flow table X22 therein. If the flow table X22 includes a matching flow entry, the network apparatus performs the associated action(s), such as packet forwarding or dropping.
Next, a basic operation of the network apparatus (the switch X20) in OpenFlow will be described with reference to FIG. 11. When receiving a packet from a network (step S11 in FIG. 11), the network apparatus (the switch X20) analyzes the header region information (Header Field) of the received packet (step S12 in FIG. 11).
The network apparatus (the switch X20) determines whether the flow table includes a flow entry that matches the header region information (Header Field) of the received packet (step S13 in FIG. 11).
If the flow table includes a flow entry that matches the header region information (Header Field) of the received packet, the network apparatus (the switch X20) performs an action(s) written in the instruction field in the flow entry (step S14 in FIG. 11).
If the flow table does not include a flow entry that matches the header region information (Header Field) of the received packet, the network apparatus (the switch X20) holds the packet therein and notifies the controller X10 of the arrival of this unknown packet by transmitting the packet (or, when the switch buffers it, its leading bytes together with a buffer identifier) to the controller X10 via the secure channel (step S15 in FIG. 11). In this description, an unknown packet that does not match any flow entry is referred to as a 1st packet.
When receiving the 1st packet, the controller calculates a path to the destination of the 1st packet on the basis of the location of the source of the 1st packet and the information included in the 1st packet, and adds a new flow entry to the flow table of the network apparatus (the switch X20), thereby updating the flow table. After the flow table is updated, the network apparatus processes the held 1st packet and subsequent packets of the same flow in accordance with the newly added flow entry.
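The flow-entry semantics described above (wildcard match fields, per-entry priority, Set-Field and Strip VLAN actions, FIG. 9 and FIG. 10) and the 1st-packet operation of FIG. 11 (steps S11 to S15, followed by the controller installing an entry and the switch releasing the held packet) are modelled together in the following Python program. It is an added example written for this page and is not code from the original text, from the OpenFlow specification, or from any OpenFlow switch or controller implementation. The names FlowEntry, Switch, Controller, apply_actions and demo, the dict-based packet representation keyed by the FIG. 9 fields, the controller's host_port table and its virtual-MAC rewrite policy (a minimal version of the MAC address conversion a layer-2 load balancer performs) are all assumptions made for the illustration.

```python
"""Toy model of an OpenFlow flow table and the 1st-packet (packet-in) exchange.
Added example, not code from the original text or any OpenFlow implementation.
Packets are dicts keyed by the FIG. 9 header fields; a None match value means
"wildcard"; the controller's host table and virtual-MAC rewrite are invented."""
from dataclasses import dataclass

# Header fields usable in a match, after FIG. 9 of the text.
FIELDS = ("in_port", "eth_src", "eth_dst", "eth_type", "vlan_id", "vlan_pcp",
          "ip_src", "ip_dst", "ip_proto", "ip_tos", "tp_src", "tp_dst")

@dataclass
class FlowEntry:
    match: dict        # field -> required value; None or absent = wildcard
    actions: list      # (name, arg) pairs, applied in order
    priority: int = 0  # when several entries match, the highest priority wins

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(f) == v for f, v in self.match.items() if v is not None)

def apply_actions(pkt: dict, actions: list) -> tuple:
    """Apply FIG. 10 style actions to a copy of pkt; return (packet, output ports).
    'drop' yields no output port and ends the action list."""
    pkt, out_ports = dict(pkt), []
    for name, arg in actions:
        if name == "output":
            out_ports.append(arg)
        elif name == "drop":
            return pkt, []
        elif name == "strip_vlan":             # removes both VLAN ID and VLAN priority
            pkt.pop("vlan_id", None)
            pkt.pop("vlan_pcp", None)
        elif name.startswith("set_") and name[4:] in FIELDS:
            pkt[name[4:]] = arg                # Set-Field: rewrite one header field
        else:
            raise ValueError(f"unknown action {name!r}")
    return pkt, out_ports

class Switch:
    """Packet control unit X21 with flow table X22, following FIG. 11."""
    def __init__(self, controller):
        self.table, self.controller = [], controller
        self.held, self.next_buf = {}, 1       # buffer_id -> packet held during packet-in
        self.sent = []                         # (out_port, packet) log of forwarded packets

    def lookup(self, pkt: dict):
        hits = [e for e in self.table if e.matches(pkt)]
        return max(hits, key=lambda e: e.priority) if hits else None

    def receive(self, pkt: dict) -> str:
        entry = self.lookup(pkt)               # steps S12, S13
        if entry is None:                      # step S15: hold the packet, notify controller
            buf, self.next_buf = self.next_buf, self.next_buf + 1
            self.held[buf] = pkt
            self.controller.packet_in(self, buf, pkt)
            return "packet_in"
        self._execute(entry, pkt)              # step S14
        return "matched"

    def _execute(self, entry: FlowEntry, pkt: dict) -> None:
        new_pkt, ports = apply_actions(pkt, entry.actions)
        self.sent.extend((p, new_pkt) for p in ports)

    # Messages from the controller; direct calls stand in for the secure channel.
    def flow_mod(self, entry: FlowEntry) -> None:
        self.table.append(entry)

    def packet_out(self, buf: int) -> None:
        pkt = self.held.pop(buf)               # release the held 1st packet
        entry = self.lookup(pkt)
        if entry is not None:
            self._execute(entry, pkt)

class Controller:
    """Switch control unit X11: picks a path for each 1st packet and installs it."""
    def __init__(self, host_port: dict, vip_to_server: dict):
        self.host_port = host_port             # MAC -> switch port (assumed already known)
        self.vip_to_server = vip_to_server     # virtual MAC -> real server MAC (L2 balancer)

    def packet_in(self, sw: Switch, buf: int, pkt: dict) -> None:
        dst = pkt.get("eth_dst")
        if dst in self.vip_to_server:          # rewrite dst MAC, then forward to the server
            real = self.vip_to_server[dst]
            acts, prio = [("set_eth_dst", real), ("output", self.host_port[real])], 10
        elif dst in self.host_port:            # ordinary forwarding; other fields wildcarded
            acts, prio = [("output", self.host_port[dst])], 1
        else:                                  # unknown destination: install a drop entry
            acts, prio = [("drop", None)], 1
        sw.flow_mod(FlowEntry({"eth_dst": dst}, acts, prio))   # update the table first ...
        sw.packet_out(buf)                     # ... then release the held packet through it

def demo() -> Switch:
    """Constructed traffic: host aa:aa (port 1) sends to virtual MAC vv:vv, served by ss:ss (port 3)."""
    ctl = Controller({"aa:aa": 1, "bb:bb": 2, "ss:ss": 3}, {"vv:vv": "ss:ss"})
    sw = Switch(ctl)
    pkt = {"in_port": 1, "eth_src": "aa:aa", "eth_dst": "vv:vv", "eth_type": 0x0800,
           "ip_src": "10.0.0.1", "ip_dst": "10.0.0.9", "ip_proto": 6, "tp_dst": 80}
    first = sw.receive(pkt)                    # table miss -> packet_in -> entry installed
    second = sw.receive(dict(pkt, tp_src=5555))  # same flow, now handled by the switch alone
    assert (first, second) == ("packet_in", "matched")
    return sw
```

Two points the model makes visible that the prose only implies. First, the installed entry wildcards everything except “Ether dst”, so the second packet, with a different source port, is handled entirely in the switch; a flow is exactly as wide as the fields the controller chose to match on. Second, because lookup takes the highest-priority match, an entry whose match is empty (all wildcards) catches every packet not claimed by a higher-priority entry and therefore suppresses the packet-in path; a controller that relies on 1st packets to learn about new flows never hears of them once such an entry is present. The direct method calls between Controller and Switch stand in for the secure channel of FIG. 9; the model says nothing about how that channel is authenticated, which in a real deployment is a configuration decision.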
In addition, Patent Literature 1 discloses a communication system using OpenFlow. In addition, Patent Literature 2 discloses a layer-2 load balancer that is arranged between a group of clients and a group of servers and that performs MAC address conversion and proxy response.
Patent Literature 1
    Japanese Patent Kokai Publication No. 2011-188433A
Patent Literature 2
    Japanese Patent Kokai Publication No. 2008-60747A
Non-Patent Literature 1
    Nick McKeown and seven others, “OpenFlow: Enabling Innovation in Campus Networks”, [online], [searched on Feb. 14, 2012]
Non-Patent Literature 2
    “OpenFlow Switch Specification”, Version 1.1.0 Implemented (Wire Protocol 0x02), [online], [searched on Feb. 14, 2012]