1. Field of the Invention
The present invention relates to a communication processing system, a packet processing load balancing device and a packet processing load balancing method used therefor, and more particularly, to an IP (Internet Protocol) packet processing load balancing method.
2. Description of the Related Art
Router devices placed on an IP network include devices which perform processing with reference to information of a layer above IP. Among devices of this kind are, for example, a firewall device used for preventing unauthorized access or the like and a VPN (Virtual Private Network) gateway device which terminates IPsec (IP security protocol) tunnels.
These devices need to identify the upper-layer session to which a passing packet belongs and process the packet according to the state of each session. Since these devices identify a session and refer to and update its state every time a packet passes, which increases the volume of computation required for processing, techniques have been developed to balance the load across a plurality of devices. Here, a session represents a virtual communication path provided by a layer above IP, which includes a TCP (Transmission Control Protocol) connection, a security association of IPsec and the like.
Conventional load balancing systems are of the following two kinds. The first is the system shown in FIG. 8, in which a device which assigns packets (packet assignment device 5) is placed preceding a plurality of packet processing devices [router devices (#1-#4) 4-1˜4-n] and assigns each packet to one of the packet processing devices to balance the load.
In FIG. 8, the router devices (#1-#4) 4-1˜4-n have session processing functions 41-1˜41-n (the session processing functions 41-2˜41-n are not shown) of holding session states 41a-1˜41a-n (the session states 41a-2˜41a-n are not shown) and the packet assignment device 5 has a load balancing rule 51.
The first system has the shortcoming that processing is so centralized on the device which assigns packets that a failure of that device leads to paralysis of the entire system. To solve this problem, the second system described in the following has been proposed.
In the second system, as illustrated in FIG. 9, packets arrive at all the packet processing devices (a master router device 7 and router devices 6-1˜6-n) by multicast using a data link layer protocol. Each packet processing device includes a packet distribution filter [a traffic distribution filter 73 and traffic distribution filters 63-1˜63-n (the traffic distribution filters 63-2˜63-n are not shown)].
In FIG. 9, the master router device 7 has a session state (currently used) 71 of the other devices and a session processing function 72 of holding a session state 72a, and the router devices 6-1˜6-n have session states (backup) 61-1˜61-n of other devices [the session states (backup) 61-2˜61-n of other devices are not shown] and session processing functions 62-1˜62-n [the session processing functions 62-2˜62-n are not illustrated] of holding session states 62a-1˜62a-n (the session states 62a-2˜62a-n are not shown). The master router device 7 and the router devices 6-1˜6-n are connected to a neighbor node (transmission side) 5 through a data link 200 with a neighbor node.
The packet distribution filter passes or abandons an IP packet multicast on a data link according to load balancing rules. The load balancing rules are set at each device so as to satisfy two conditions: (1) a packet of the similar contents is processed by any one of the devices and (2) a packet passes through a filter of any one of the devices without fail.
According to the load balancing procedure in the second system, the following operations are executed.
(1) The master device sets a load balancing rule at each of the other devices.
(2) The master device recognizes which load balancing filter is set at each of the other devices and sets rules so as to balance loads evenly.
(3) The master device sets at itself a load balancing filter such that it processes any packet not relevant to a load balancing rule.
(4) Based on session information of a packet processed by the master device, a new load balancing rule is generated and set at another device.
(5) When the master device develops a failure, another device operates to serve as the master device.
In FIG. 9, each device has the session processing function. The session processing function refers to an internal session processing rule and a session state in order to process a packet that has passed through the packet distribution filter, and abandons or transfers the packet.
The master router device 7 sets a session processing rule at each device. The respective devices, including the master router device 7, exchange session states with each other at fixed intervals when there exists a difference from the last exchanged state.
The respective devices, including the master router device 7, hold the session processing rules of the other devices and the session state of each device as of a certain time point. Therefore, when any of the devices other than the master router device 7 develops a failure, the master router device 7 determines a replacement device and makes that device take over the session processing rule and the session state set at the device having the failure. When the master router device 7 develops a failure, another device takes over the function of the master router device. This arrangement enables automatic recovery from a failure of an arbitrary device. (Literature: Japanese Translation of PCT International Application No. 2003-518338, Japanese Translation of PCT International Application No. 2003-517221)
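The filter conditions, the five-step procedure and the failover behavior of the second system can be modeled as follows. This is an added example, not part of the original document; the 5-tuple session key, the least-loaded assignment policy and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    is_master: bool = False
    rules: set = field(default_factory=set)  # session keys this filter passes

class Cluster:
    def __init__(self, names):
        self.devices = [Device(n) for n in names]
        self.devices[0].is_master = True

    def master(self):
        return next(d for d in self.devices if d.is_master)

    def others(self):
        return [d for d in self.devices if not d.is_master]

    def receivers(self, session):
        """Multicast one packet; return the devices whose filter passes it."""
        hits = [d.name for d in self.others() if session in d.rules]
        if not hits:                     # step (3): master takes unmatched packets
            hits.append(self.master().name)
        return hits

    def deliver(self, session):
        hits = self.receivers(session)
        assert len(hits) == 1, f"conditions (1)/(2) violated: {hits}"
        if hits[0] == self.master().name and self.others():
            # steps (2) and (4): the master derives a rule from the session it
            # just processed and sets it at the least-loaded other device
            min(self.others(), key=lambda d: len(d.rules)).rules.add(session)
        return hits[0]

    def fail(self, name):
        dead = next(d for d in self.devices if d.name == name)
        self.devices.remove(dead)
        if dead.is_master:               # step (5): another device becomes master
            new = self.devices[0]
            new.is_master, new.rules = True, set()  # old rules fall to catch-all
        elif self.others():              # master picks a replacement device
            min(self.others(), key=lambda d: len(d.rules)).rules |= dead.rules

# Constructed sample sessions (documentation address ranges).
SESSIONS = [("198.51.100.%d" % i, 40000 + i, "192.0.2.10", 443, "tcp") for i in range(4)]

if __name__ == "__main__":
    c = Cluster(["master", "r1", "r2"])
    for label in ("first packet", "second packet"):
        print(label, [c.deliver(s) for s in SESSIONS])
    c.fail("r1")
    print("after r1 fails", [c.deliver(s) for s in SESSIONS])
```

Both failure branches work only because the surviving device already knows the rules that were set at its peers, which is the replicated state the following paragraphs identify as the cost of this scheme.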
In the above-described conventional load balancing methods, however, other devices need to hold information necessary to operate as a master device in order to be prepared for a failure of the master device.
Since the master device needs to hold all the contents of sessions to be assigned to other devices, every device needs to hold information of the sessions assigned to all of the other devices. As a result, with the conventional load balancing methods, as the number of sessions to be processed by a cluster system increases, the volume of states to be held by each device is increased irrespective of the number of devices in the system.
Moreover, in the conventional load balancing methods, because the above-described states are synchronized with each other in the respective devices, when the master device newly assigns a session to another device, the states of all the devices are updated. Therefore, with the conventional load balancing methods, shortening the interval of state synchronization in order to reduce the failover time when the master device develops a failure (the time for another device to take over control processing of the master device) results in increasing the communication overhead for updating the states of the devices.