The present invention relates to a technology of inspecting specifications and configurations of a network.
Technologies for inspecting the specifications and configurations of a network are known. As an example of such technologies, NPL 1 describes a technique known as HSA (Header Space Analysis). In HSA, a packet header is regarded as a bit series of “L” bits. Each packet is regarded as a point in an L-dimensional space Π, and a packet transfer is regarded as a move from one point to another point in that space Π. Furthermore, a transfer function “φ: (Π×P)→Power(Π×E)” which indicates a packet transfer rule is created for each switch apparatus. Here, “X×Y” represents the direct product of “X” and “Y”, and “Power(X)” represents the power set of “X”.
Here, “P” represents a set of physical switch ports in the network. Hereinafter, a physical switch port is also mentioned simply as port. It is assumed that, in the network, a port is uniquely identified.
“E” is a set of flow entries in the network. A flow entry is constituted by information that represents an input port, a matching pattern, an action, and an output port. Each switch apparatus includes a flow entry. When the header of a packet from the input port matches the matching pattern, the switch apparatus rewrites the header on the basis of the action in case the action is defined, and transfers the packet to the output port. Hereinafter, the pattern of a packet header is also mentioned as packet pattern.
The transfer function φ(π, p)={(π′, e)} indicates that when a packet having a packet pattern “π” is input to a certain port “p”, the packet matches a flow entry “e” and its packet pattern becomes “π′”. The input to the transfer function “φ” is a pair of the packet pattern of an input packet and the input port of the packet. Because a plurality of flow entries may apply to one packet, for example when the packet is copied and transferred, the output of the transfer function “φ” is a set of pairs of the packet pattern of an output packet and the flow entry matched to the packet.
In HSA, a transfer path of a packet is determined by transitively applying the pair of the transfer function “φ” and a connection function σ: P→P that represents the port connection relation between physical switches. By transitively applying transfer functions “φ” along the transfer path of the packet, the packet pattern of the packet at a terminating end switch port is determined. HSA then traces the path backward from the determined packet pattern at the terminating end switch port to the starting end switch port, sequentially applying the inverse functions φe−1: Π→Π of the transfer functions. Therefore, HSA can determine what packet pattern a header must have for a packet to reach the terminating end switch port from the starting end switch port. In the above, “e” is the flow entry that was applied when the transfer function was applied. That is, in the case where the transfer function is φ(π, p)={(π′, e)}, φe−1(π′)=π″ indicates that the input packet pattern is narrowed down from “π” to “π″” by re-applying the flow entry in the backward direction.
In the below, a port that is connected to an external network in view of the entire network is referred to as endpoint switch port or endpoint. An input packet that is input to an endpoint is referred to as “incoming packet” and an output packet that is output from an endpoint is referred to as outgoing packet. An endpoint to which an incoming packet is input is referred to as incoming port, and an endpoint from which an outgoing packet is output is referred to as outgoing port. The packet pattern of an incoming packet is referred to as incoming packet pattern, and the packet pattern of an outgoing packet is referred to as outgoing packet pattern.
With regard to any given pair of an incoming port and an outgoing port, by calculating the incoming packet pattern thereof, a network manager can inspect the reaching capability and the isolation property. Here, the reaching capability means that an assumed packet pattern can reach an outgoing port from an incoming port. The isolation property means that an unexpected packet pattern cannot arrive at an outgoing port from an incoming port.
[NPL1] Peyman Kazemian, George Varghese, Nick McKeown, “Header Space Analysis: Static Checking For Networks”, NSDI '12 Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, 2012, pp. 9-22
However, the related technology mentioned in NPL 1 has a problem that it requires a long processing time to determine incoming packet patterns for all the pairs of endpoints in the network when the size of the network becomes large.
A reason is that it is required to transitively apply the transfer functions with respect to the paths of all the combinations of endpoint switch ports existing in the network. In the case where the size of the network is assumed, for example, as the number of switches in the network, the number of endpoints in the network and the diameter of the network are approximated as being proportionate to the size of the network. In the case of HSA, first, the transfer functions are applied from the starting endpoint to the terminating endpoint (forward process), and then the transfer inverse functions are applied by following the path so as to go upstream from the terminating endpoint to the starting endpoint (backward process). At this time, the number of times that the transfer inverse function is applied is proportional to the size obtained by multiplying the combinations of endpoints (i.e., the second power of the size of the network) by the diameter of the network (proportional to the size of the network), and is therefore proportional to the third power of the size of the network.
The present invention has been conceived so as to solve the problem, and an object thereof is to provide a technology that reduces the processing time for calculating an incoming packet pattern for a network.
To achieve the object, a network inspection apparatus according to the present invention includes: inspection target network information acquisition means for acquiring a transfer rule for a packet at each switch in an inspection target network and physical network topology information about the inspection target network; backtrace function generation means for generating, based on the transfer rule, a backtrace function that calculates backward, from a packet pattern that is output from a port of the switch, a packet pattern that is input to a corresponding port of the switch; physical link path acquisition means for acquiring, based on the physical network topology information and the transfer rule, a physical link path that represents a series of ports that links a port (incoming port) of the switch through which a packet from an external network flows into the inspection target network to a port (outgoing port) of the switch through which a packet to an external network flows out; backtrace function application means for calculating a packet pattern at the incoming port of a packet that reaches the outgoing port, by sequentially applying the backtrace function from the outgoing port toward the incoming port, while using a packet pattern cache that stores a packet pattern at an intermediate port on the physical link path of the packet that reaches the outgoing port from the intermediate port; and inspection result output means for outputting a result of processing by the backtrace function application means.
A network inspection method according to the present invention includes: acquiring a transfer rule regarding a packet at each switch in an inspection target network and physical network topology information about the inspection target network; generating, based on the transfer rule, a backtrace function that calculates backward, from a packet pattern that is output from a port of the switch, a packet pattern that is input to a corresponding port of the switch; acquiring, based on the physical network topology information and the transfer rule, a physical link path that represents a series of ports that links a port (incoming port) of the switch through which a packet from an external network flows into the inspection target network to a port (outgoing port) of the switch through which a packet to an external network flows out; calculating a packet pattern at the incoming port of a packet that reaches the outgoing port, by sequentially applying the backtrace function from the outgoing port toward the incoming port while using a packet pattern cache that stores a packet pattern at an intermediate port on the physical link path of the packet that reaches the outgoing port from the intermediate port; and outputting the packet pattern at the incoming port of the packet that reaches the outgoing port.
A storage medium according to the present invention stores a network inspection program that causes a computer apparatus to execute: an inspection target network information acquisition step of acquiring a transfer rule regarding a packet at each switch in an inspection target network and physical network topology information about the inspection target network; a backtrace function generation step of generating, based on the transfer rule, a backtrace function that calculates backward, from a packet pattern that is output from a port of the switch, a packet pattern that is input to a corresponding port of the switch; a physical link path acquisition step of acquiring, based on the physical network topology information and the transfer rule, a physical link path that represents a series of ports that links a port (incoming port) of the switch through which a packet from an external network flows into the inspection target network to a port (outgoing port) of the switch through which a packet to an external network flows out; a backtrace function application step of calculating a packet pattern at the incoming port of a packet that reaches the outgoing port, by sequentially applying the backtrace function from the outgoing port toward the incoming port while using a packet pattern cache that stores a packet pattern at an intermediate port on the physical link path of the packet that reaches the outgoing port from the intermediate port; and an inspection result output step of outputting a result of processing by the backtrace function application means.
The present invention can provide a technology that reduces the processing time for calculating an incoming packet pattern for a network.
Hereinafter, example embodiments of the present invention will be described in detail with reference to the drawings.
A functional block configuration of a network inspection apparatus 1 as a first example embodiment of the present invention is shown in
Furthermore, the network inspection apparatus 1 is communicatively connected to an inspection target network 900. The inspection target network 900 includes one or more switch apparatuses. Hereinafter, the switch apparatus will be also mentioned simply as switch. Each switch includes one or more transfer rules. A transfer rule determines, for a packet input to any given port of the switch holding the rule (the host apparatus), the processing applied to the packet, the output port therefor, and the like. The network inspection apparatus 1 treats the inspection target network 900 described above as the target for inspection.
Here, an example of a hardware configuration of the network inspection apparatus 1 is shown in
The inspection target network information acquisition unit 11 acquires transfer rules about packets in switches in the inspection target network 900 and physical network topology information about the inspection target network 900. For example, the inspection target network information acquisition unit 11 is able to acquire the physical network topology information thereabout, by accessing the inspection target network 900 via the network interface 1005. The inspection target network information acquisition unit 11 is able to acquire the transfer rules in the switches in the inspection target network 900 by accessing the switches via the network interface 1005.
The backtrace function generation unit 12 generates backtrace functions on the basis of the transfer rules of the switches. A backtrace function is a function that, on the basis of the packet pattern that is output from a certain port of a switch, calculates backward the packet pattern that is input to a port corresponding to the certain port of that switch. Here, the packet pattern refers to the pattern of a header that the packet includes. A port from which a packet is output will be hereinafter described also as an output port. The packet pattern of a packet output from an output port will be also described simply as the packet pattern at the output port. A port to which a packet is input will be hereinafter described also as an input port. The packet pattern of a packet input to an input port will be also described simply as the packet pattern at the input port.
The physical link path acquisition unit 13, on the basis of the physical network topology information and the transfer rules, acquires a physical link path that represents a series of ports extending from an incoming port to an outgoing port in the inspection target network 900. The incoming port is a port of a switch through which a packet from an external network flows into the inspection target network 900. The outgoing port is a port of a switch through which a packet from the inspection target network 900 flows out to an external network. The physical link path acquisition unit 13 may store a list of acquired physical link paths into the RAM 1002 or the storage apparatus 1004.
The backtrace function application unit 14 calculates the packet pattern at the incoming port of a packet that reaches the outgoing port, by sequentially applying backtrace functions from the outgoing port toward the incoming port of a physical link path while using a packet pattern cache. Here, the packet pattern cache is a storage that stores the packet pattern at an intermediate port on a physical link path of a packet that reaches the outgoing port from that intermediate port. For example, the packet pattern cache can be constituted by the storage apparatus 1004 or the RAM 1002.
At this time, the backtrace function application unit 14 may set a predetermined value as the packet pattern that flows out from the outgoing port of a physical link path. The predetermined value may be a value that represents all the packet patterns that are assumed. For example, the backtrace function application unit 14 applies, to the packet pattern for which the predetermined value has been set, a backtrace function that is based on the transfer rule which enables the outgoing port of the switch to output a packet having that packet pattern. Due to this, the backtrace function application unit 14 can calculate backward the packet pattern at the input port of the switch that includes the outgoing port. The calculated packet pattern is also the packet pattern of a packet that is output from the output port of the preceding switch connected to that input port on the physical link path. Therefore, the backtrace function application unit 14 may store the calculated packet pattern into the packet pattern cache as the packet pattern at the output port of the preceding switch of the packet that reaches the outgoing port from that output port. At the preceding switch, the backtrace function application unit 14 applies, to the packet pattern at the output port of that preceding switch, the backtrace function that is based on the transfer rule that enables that output port to output a packet having that packet pattern. Further, the backtrace function application unit 14 repeatedly stores the packet pattern calculated by applying the backtrace function into the packet pattern cache at every switch from the outgoing port to the incoming port. Due to this, the backtrace function application unit 14 is able to calculate the packet pattern at the incoming port of the physical link path.
In that calculation, in the case where an already calculated packet pattern that reaches the outgoing port from an intermediate port on the physical link path has been stored in the packet pattern cache, the backtrace function application unit 14 operates as follows. That is, the backtrace function application unit 14 reuses the already calculated packet pattern when finding the incoming packet pattern of the physical link path. In this case, the backtrace function application unit 14 is able to omit the backward calculation from the outgoing port and is able to use the packet pattern already calculated with regard to the intermediate port to apply backtrace functions sequentially from the intermediate port toward the incoming port. Furthermore, in this case, when the backtrace function application unit 14 calculates, during the process of sequentially applying backtrace functions, a packet pattern at an intermediate port which has not been stored in the packet pattern cache, the backtrace function application unit 14 is able to store it into the packet pattern cache.
The inspection result output unit 15 outputs results of the process performed by the backtrace function application unit 14. For example, the inspection result output unit 15 may output information that represents combinations of the packet pattern at an incoming port and an outgoing port. The backtrace function application unit 14 may output a result of the process to an output apparatus such as the display apparatus 1006. Furthermore, the inspection result output unit 15 may output a result of the process to the storage apparatus 1004 as a file or the like. Furthermore, the inspection result output unit 15 may output a result of the process to other apparatuses (not graphically shown) connected via the network interface 1005.
Operations of the network inspection apparatus 1 configured as in the above will be described with reference to
In
Next, the backtrace function generation unit 12 generates backtrace functions on the basis of the transfer rules of the switches acquired in step A1 (step A2). As described above, the backtrace function is a function that, from the packet pattern output from a port of a switch, calculates backward the packet pattern input to a corresponding port of that switch.
Next, the physical link path acquisition unit 13, on the basis of the physical network topology information and the transfer rules acquired in step A1, acquires physical link paths that represent a series of ports that extends from an incoming port to an outgoing port of the inspection target network 900 (step A3).
Next, with respect to each physical link path, the backtrace function application unit 14 sequentially applies backtrace functions from the outgoing port toward the incoming port while using the packet pattern cache. Due to this, the backtrace function application unit 14 calculates the packet pattern at the incoming port of the packet that reaches the outgoing port.
Specifically, in the case where the packet pattern from an intermediate port on a physical link path has not been stored in the packet pattern cache (No in step A4), the backtrace function application unit 14 operates as follows. In this case, the backtrace function application unit 14 repeatedly performs the process of applying a backtrace function based on a corresponding transfer rule, to a packet pattern from the output port of the switch, from the outgoing port toward the incoming port. That is, the backtrace function application unit 14 repeatedly performs the process of calculating backward the packet pattern at the input port of the switch, toward the incoming port. At this time, the backtrace function application unit 14 may apply a predetermined value as the packet pattern at the outgoing port, as described above. At this time, the backtrace function application unit 14 stores into the packet pattern cache the packet patterns calculated in the process of sequentially applying the backtrace functions (step A5). In detail, each packet pattern calculated during the process of applying the backtrace functions is stored into the packet pattern cache as a packet pattern that reaches the outgoing port, with regard to the port from which the packet pattern is output.
In the case where the packet pattern from an intermediate port on the physical link path has been stored in the packet pattern cache (Yes in step A4), the backtrace function application unit 14 operates as follows. In this case, the backtrace function application unit 14 repeatedly performs the process of applying a backtrace function based on a corresponding transfer rule to a packet pattern from the output port of the switch, from the intermediate port toward the incoming port. That is, the backtrace function application unit 14 repeatedly performs the process of calculating backward the packet pattern at the input port of that switch, toward the incoming port. At this time, the backtrace function application unit 14 also stores into the packet pattern cache the packet patterns calculated during the process of sequentially applying backtrace functions (step A6). In this case, each packet pattern calculated during the process of applying the backtrace functions is stored into the packet pattern cache as a packet pattern that reaches the outgoing port, with regard to the port from which the packet pattern is output.
When the process in step A5 or A6 is completed with regard to each physical link path, the inspection result output unit 15 outputs results of the process by the backtrace function application unit 14 (step A7). In particular, as described above, the inspection result output unit 15 may output information that represents combinations of a packet pattern at an incoming port and an outgoing port.
The network inspection apparatus 1 ends the operation by the above processing.
In the following, advantageous effects of the first example embodiment of the present invention will be described.
The network inspection apparatus as the first example embodiment of the present invention can reduce the processing time for calculating incoming packet patterns for a network.
In the following, reasons for that will be described. In the present example embodiment, the inspection target network information acquisition unit acquires the physical network topology information about an inspection target network and the transfer rules of the switches. And the backtrace function generation unit, on the basis of the transfer rules, generates a backtrace function which calculates backward, based on the packet pattern output from a port of a switch, the packet pattern input to a corresponding port of that switch. The physical link path acquisition unit, on the basis of the physical network topology information and the transfer rules, acquires physical link paths from incoming ports to outgoing ports in the inspection target network. And, the backtrace function application unit sequentially applies the backtrace functions from the outgoing ports toward the incoming ports, while using the packet pattern cache. In this case, the backtrace function application unit stores into the packet pattern cache each packet pattern calculated during the process of applying the backtrace functions, as a packet pattern that reaches the outgoing port from an intermediate port from which the packet pattern is output. Due to this, the backtrace function application unit calculates the packet patterns at the incoming ports of the packets that reach the outgoing ports.
Thus, in the present example embodiment, when calculating an incoming packet pattern of a physical link path, if the packet pattern from an intermediate port on that physical link path has been stored in the packet pattern cache, the already calculated packet pattern is used. That is, the present example embodiment can omit the process of applying the backtrace functions from the outgoing port to that intermediate port. Consequently, the present example embodiment can reduce the workload in calculating backtrace functions within a network by reusing the calculation results of backtrace functions that have been calculated once.
In the following, a second example embodiment of the present invention will be described in detail with reference to the drawings. In the drawings referred to in the description of the present example embodiment, the same configuration and the steps that operate in substantially the same manners as in the first example embodiment are given the same signs as the first example embodiment, and detailed descriptions thereof in the present example embodiment will be omitted.
The construction of the network inspection apparatus 2 as the second example embodiment of the present invention is shown in
Furthermore, in the present example embodiment, it is assumed that the inspection target network information acquisition unit 11 acquires from each switch a flow table that contains sets of information that respectively represents an input port, a matching pattern, an action, and an output port as a transfer rule. Here, the matching pattern represents a condition to which a packet pattern input to the input port conforms. The action represents a process content for a packet pattern in the case where the packet pattern conforms to the matching pattern. The output port represents a port to which the packet, to which a processing content according to the action is applied, is output.
The backtrace function generation unit 22 generates backtrace functions. Herein, a backtrace function is a function that accepts the packet pattern at the output port of a switch as an input, and outputs the packet pattern at the input port on the basis of the action and the matching pattern of a corresponding flow entry. The backtrace function generation unit 22 is configured so as to operate in a process performed by a backtrace function application unit 24 described later.
The physical link path acquisition unit 23 acquires physical link paths on the basis of the physical network topology information and the transfer rules, similarly to the physical link path acquisition unit 13 in the first example embodiment of the present invention. However, the physical link path acquisition unit 23 is configured so that at least a part of the functions thereof operate during the process performed by the backtrace function application unit 24 described later.
The backtrace function application unit 24 recursively executes a packet pattern calculation process. In particular, in the packet pattern calculation process, the backtrace function application unit 24 uses, as an input, information that represents an input port in a switch. With regard to a packet that reaches an outgoing port from an output port that corresponds to that input port in the switch, the backtrace function application unit 24 applies a backtrace function to the packet pattern of the packet at that output port. Due to this, the backtrace function application unit 24 calculates and outputs information that represents the packet pattern at the input port.
When the backtrace function application unit 24 executes the packet pattern calculation process, if a packet pattern at the output port that corresponds to the input port is stored in the packet pattern cache, the backtrace function application unit 24 reuses the packet pattern. That is, in this case, the backtrace function application unit 24 applies the backtrace function to the packet pattern stored in the packet pattern cache, to produce an output. The backtrace function application unit 24 is configured to perform the following process, if a packet pattern at the output port that corresponds to the input port is not stored in the packet pattern cache. That is, in this case, the backtrace function application unit 24 recursively executes the packet pattern calculation process by using information that represents an input port of the next switch which faces that output port as an input. Then the backtrace function application unit 24 stores into the packet pattern cache the packet pattern obtained from the recursively executed packet pattern calculation process as the packet pattern at the output port. The backtrace function application unit 24 also applies the backtrace function to the packet pattern obtained from the recursively executed packet pattern calculation process to produce an output.
The backtrace function application unit 24 sets a predetermined value as the packet pattern that is output from the outgoing port. The predetermined value may be, for example, a packet pattern that represents that each attribute constituting the packet header can take any value in its value range.
In the packet pattern calculation process, the backtrace function application unit 24 may generate backtrace functions by using the backtrace function generation unit 22.
Furthermore, in the packet pattern calculation process, the backtrace function application unit 24 may recursively execute the packet pattern calculation process while searching a physical link path by using the physical link path acquisition unit 23.
The backtrace function application unit 24 may output a set of pairs of the packet pattern at the input port and the outgoing port of the searched physical link path as the output of the packet pattern calculation process. Furthermore, in this case, the backtrace function application unit 24 is able to store into the packet pattern cache a pair of the packet pattern at the input port and the outgoing port in association with the output port of a switch that precedes the input port.
Operations of the network inspection apparatus 2 configured as in the above will be described in detail with reference to
In the following, an overall operation of the network inspection apparatus 2 is shown in
In
Next, the physical link path acquisition unit 23, on the basis of the physical network topology information, acquires a set of ports “p” that can be the initial ports (incoming ports) of physical link paths in the inspection target network 900 (step B2).
Next, the backtrace function application unit 24 repeats the process of steps B3 to B4 for each incoming port “p”.
Here, first, the backtrace function application unit 24, by calling the packet pattern calculation process using the incoming port “p” as input, obtains a set of pairs of the packet pattern “π” at the incoming port “p” and the outgoing port “pg” in that case (step B3). Hereinafter, the pair of a packet pattern “π” at an incoming port “p” and the outgoing port “pg” in that case will be described as “π@pg” or “(π, pg)” as well.
Next, the inspection result output unit 15 outputs, as a result of inspection, information that represents the set of pairs of a packet pattern “π” at an incoming port “p” and the outgoing port “pg” (step B4).
When the process of steps B3 to B4 is completed for each incoming port, the network inspection apparatus 2 ends the operation.
Next, details of the packet pattern calculation process in step B3 are shown in
Here, first, the backtrace function application unit 24 substitutes an empty set for the operation variable δ provided for the return value (step C1).
Next, the backtrace function application unit 24, using the physical link path acquisition unit 23, obtains a set “E” of flow entries in which a port “p” is the input port (step C2).
Next, the backtrace function application unit 24 repeatedly executes the process of steps C3 to C13 as follows, separately for each flow entry “e∈E” that is an element of E.
Firstly, the backtrace function application unit 24, by using the backtrace function generation unit 22, generates a backtrace function “ζe”, based on a flow entry “e” (step C3). Details of the backtrace function “ζe” will be described later.
Next, the backtrace function application unit 24, by using the physical link path acquisition unit 23, obtains the output port “p′” of the flow entry “e” (step C4).
Next, with regard to the output port “p′”, the backtrace function application unit 24 checks whether or not a pair “(π′, pg)” of a packet pattern and an outgoing port that correspond to that output port “p′” is stored in the packet pattern cache and, if that pair is present, acquires the pair (step C5).
In the case where corresponding data are not stored in the packet pattern cache, the backtrace function application unit 24 examines whether or not the aforementioned output port “p′” is a terminating end switch port (outgoing port) (step C6).
In the case where the output port “p′” is a terminating end switch port, the backtrace function application unit 24 sets a packet pattern “πT” of which all of the attributes have a value of “T”, as a packet pattern from the output port “p′” (step C7).
Next, the backtrace function application unit 24 stores the pair of the packet pattern “πT” and the outgoing port “p′” in association with the output port “p′” into the packet pattern cache (step C8).
Next, the backtrace function application unit 24 obtains the packet pattern “ζe(πT)” at the input port “p” by applying the backtrace function “ζe” to the packet pattern “πT” output from the output port “p′”. Then the backtrace function application unit 24 adds the pair of the “ζe(πT)” and the outgoing port “p′” to the return values “δ” (step C9).
The backtrace function application unit 24 repeats the process from step C3 with respect to the next flow entry “e”.
On the other hand, in step C6, when the output port “p′” is not a terminating end switch port (outgoing port), the backtrace function application unit 24, by using the physical link path acquisition unit 23, finds a port “p″” that faces the output port “p′” in the physical link (step C10).
Next, the backtrace function application unit 24 calls a packet pattern calculation process, with the port “p″” as an input. Due to this, the backtrace function application unit 24 obtains a set of pairs “(π′, pg)” of an outgoing port “pg” and the packet pattern “π′” that flows into the port “p″”, where the port “p″” is the input port (step C11).
Next, the backtrace function application unit 24 stores the set of “(π′, pg)” obtained in step C11 into the packet pattern cache, with the output port “p′” as a key (step C12).
Next, the backtrace function application unit 24 obtains the packet pattern “ζe(π′)” at the input port “p” by applying the backtrace function “ζe” to the packet pattern “π′” output from the output port “p′”. The backtrace function application unit 24 adds the pair of “ζe(π′)” and the outgoing port “pg” to the return values “δ” (step C13).
Then the backtrace function application unit 24 repeats the process from step C3 with respect to the next flow entry “e”.
In step C5, when corresponding data are stored in the packet pattern cache, the backtrace function application unit 24 executes the process of step C13 by using the corresponding data “(π′, pg)” in the packet pattern cache.
Then the backtrace function application unit 24 repeats the process from step C3 with respect to the next flow entry “e”.
When the process of steps C3 to C13 is completed with regard to each flow entry “e” that belongs to the set “E” of flow entries obtained in step C2, the backtrace function application unit 24 returns the values “δ” and goes back to the process that called this packet pattern calculation process.
Detail of the packet pattern calculation process has been explained as above.
In the following, the backtrace function “ζe” that is generated in step C3 will be described. The backtrace function application unit 24, on the basis of a flow entry “e”, may generate, for example, a backtrace function “ζe” that is defined as follows.
As stated above, a flow entry “e” is constituted to include four pieces of information that respectively represent an input port, a matching pattern, an action, and an output port.
Here, it is assumed that the matching pattern is constituted by attribute values “Am_1”, . . . , “Am_n”. Furthermore, it is assumed that the action is constituted by attribute values “Aa_1”, . . . , “Aa_n”. Incidentally, the attribute value “Am_i” of the matching pattern can take a value representing a point set “{v}”, an entire set “T” of the range of the value, a subset “r” of the range such as an IP subnetwork or the like, an empty set “⊥”, or a difference set “(A′m_i−A″m_i)” obtained by subtracting an attribute value “A″m_i” from an attribute value “A′m_i”. The attribute value “Aa_i” of the action can take a value “v” or an entire set “T” of the range of the value “v”.
It is also assumed that the packet pattern “π” is constituted by attribute values “Aπ_1”, . . . , “Aπ_n”. The attribute value “Aπ_i” of the packet pattern can take a value “v”, the entire set “T” of the range of the value, a subset “r” of the range, such as IP subnetworks and the like, an empty set “⊥”, a difference set “(A′m_i−A″m_i)” obtained by subtracting an attribute value “A″m_i” from an attribute value “A′m_i”, or a sum set “(A′m_i∪A″m_i)” of an attribute value “A′m_i” and an attribute value “A″m_i”.
In this case, a backtrace function “ζe” based on a flow entry “e” is defined as in the following equation (1).
ζe((Aπ_1, . . . , Aπ_n)) := (μ(Am_1, α(Aa_1, Aπ_1)), . . . , μ(Am_n, α(Aa_n, Aπ_n))) (1)
Here, the function “α: (the attribute value of an action)×(the pattern of the attribute value of a packet header)→(the packet pattern)” in the equation (1) is defined as in Table 1 below.
Furthermore, the function “μ: (the attribute value of matching rule)×(the pattern of the attribute value of a packet header)→(the packet pattern)” in the equation (1) is defined as in Table 2.
Due to the definitions of the backtrace functions as above, the packet pattern at each output port is determined, independently of the forward trace path from the incoming port to the outgoing port, but depending only on the backtrace path from the outgoing port. In consequence, cache data about the packet pattern can be reused.
An example of the definition of the backtrace function generated in step C3 has been explained as above.
In the following, by referring to specific examples, operations of the second example embodiment of the present invention will be described.
It is also assumed that some of the flow entries in this inspection target network 901 have been defined as in
In the inspection target network 901 as above, it is assumed that the backtrace function application unit 24 first performs inspection for the case in which the sw5_p2 is the incoming port. Then, the backtrace function application unit 24 executes a packet pattern calculation process, with the sw5_p2 as an input (step B3). Hereinafter, the packet pattern calculation process using the swi_pi as an input will be described also as packet pattern calculation process (swi_pi).
It is assumed that, in this case, the packet pattern cache does not store a packet pattern with regard to the output port sw5_p1 of the flow entry whose input port is the sw5_p2 (No in step C5). Furthermore, the output port sw5_p1 is not a terminating endpoint port (No in step C6). Then, in the packet pattern calculation process (sw5_p2), the backtrace function application unit 24 recursively calls a packet pattern calculation process (sw4_p1), with the sw4_p1, which faces the output port sw5_p1, as an input (step C11).
It is assumed that in this case, the packet pattern cache does not store a packet pattern with regard to the output port sw4_p2 for the flow entry whose input port is the sw4_p1 (No in step C5). The output port sw4_p2 is not a terminating endpoint port (No in step C6). Then, in the packet pattern calculation process (sw4_p1), the backtrace function application unit 24 recursively calls a packet pattern calculation process (sw6_p1), with the sw6_p1, which faces the output port sw4_p2, as an input (step C11).
Here, in the packet pattern calculation process (sw6_p1), the backtrace function application unit 24 obtains, regarding one of the flow entries “e”, the sw6_p3 as the output port “p′” for that flow entry “e” (step C4). Although the packet patterns regarding the sw6_p3 are not stored in the packet pattern cache (No in step C5), the sw6_p3 is a terminating endpoint port (outgoing port) (Yes in step C6). Then, the backtrace function application unit 24 associates the pair “πT@sw6_p3” of the packet pattern “πT” and the outgoing port sw6_p3 with the sw6_p3 and thus stores it in the packet pattern cache (steps C7 to C8).
It is assumed that the packet pattern has three attributes of mac_da, vlan, and ip_da, which are described as “πT=(mac_da=T, vlan=T, ip_da=T)”. Although, in some cases, a packet pattern may have many kinds of attributes, it is assumed here that the packet pattern has these three attributes for simplicity of explanation. As described above, “T” is the entire set of the ranges that the attributes can take. In this case, it means that data “A” indicated in
The backtrace function application unit 24 applies the backtrace function “ζe” with regard to the flow entry “e” at this time, to the “πT@sw6_p3”, and calculates “ζe(πT)@sw6_p3”. Results of this calculation are as follows.
{(mac_da=m8, vlan=3, ip_da=T)@sw6_p3,
(mac_da=m7, vlan=2, ip_da=T)@sw6_p3}.
And the backtrace function application unit 24 adds the results of the above calculation to the return values “δ” of the packet pattern calculation process (sw6_p1) (step C9).
Next, in the packet pattern calculation process (sw6_p1), the backtrace function application unit 24 obtains the sw6_p2 as the output port “p′” with regard to the next flow entry “e” (step C4). Here, although a packet pattern regarding the sw6_p2 is not stored in the packet pattern cache (No in step C5), the sw6_p2 is a terminating endpoint port (outgoing port) (Yes in step C6). Therefore, the backtrace function application unit 24 associates the “πT@sw6_p2” with the sw6_p2 and stores it into the packet pattern cache (steps C7 to C8). As a result of this, data “B” indicated in
The backtrace function application unit 24 applies the backtrace function “ζe” regarding the flow entry “e” at that time to the “πT@sw6_p2”, and calculates the “ζe(πT)@sw6_p2”. Results of this calculation are as follows.
{(mac_da=m6, vlan=3, ip_da=T)@sw6_p2,
(mac_da=m5, vlan=2, ip_da=T)@sw6_p2}.
The backtrace function application unit 24 adds the aforementioned results of the calculation to the return values “δ” of the packet pattern calculation process (sw6_p1) (step C9).
It is assumed that in the packet pattern calculation process (sw6_p1), there is no other flow entry whose input port is the sw6_p1. Therefore, the return values “δ” of the packet pattern calculation process (sw6_p1) are as follows.
{(mac_da=m8, vlan=3, ip_da=T)@sw6_p3,
(mac_da=m7, vlan=2, ip_da=T)@sw6_p3,
(mac_da=m6, vlan=3, ip_da=T)@sw6_p2,
(mac_da=m5, vlan=2, ip_da=T)@sw6_p2}.
Here, the return values of the packet pattern calculation process (sw6_p1) are results of step C11 in the process of the packet pattern calculation process (sw4_p1). Therefore, the backtrace function application unit 24 stores the return values “δ” into the packet pattern cache, with the sw4_p2 as a key (step C12). As a result of this, data “C” indicated in
Next, the backtrace function application unit 24 applies the backtrace function “ζe” regarding the flow entry “e” at that time to the return values of the packet pattern calculation process (sw6_p1). Results of this calculation are as follows.
{(mac_da=T, vlan=3, ip_da=a8)@sw6_p3,
(mac_da=T, vlan=2, ip_da=a7)@sw6_p3,
(mac_da=T, vlan=3, ip_da=a6)@sw6_p2,
(mac_da=T, vlan=2, ip_da=a5)@sw6_p2}.
The backtrace function application unit 24 adds this value to the return values δ of the packet pattern calculation process (sw4_p1) (step C13).
It is assumed that in the packet pattern calculation process (sw4_p1) there is no other flow entry whose input port is the sw4_p1. Therefore, the values “δ” are the return values of the packet pattern calculation process (sw4_p1).
Here, the return values of the packet pattern calculation process (sw4_p1) are a result of step C11 in the process of the packet pattern calculation process (sw5_p2). Then, the backtrace function application unit 24 stores the aforementioned return values “δ” into the packet pattern cache, with the sw5_p1 as a key (step C12). Here, data “D” indicated in
Next, the backtrace function application unit 24 applies the backtrace function “ζe” regarding the flow entry “e” at that time to the return values of the packet pattern calculation process (sw4_p1). Results of this calculation are as follows.
{(mac_da=m9, vlan=3, ip_da=a8)@sw6_p3,
(mac_da=m9, vlan=2, ip_da=a7)@sw6_p3,
(mac_da=m9, vlan=3, ip_da=a6)@sw6_p2,
(mac_da=m9, vlan=2, ip_da=a5)@sw6_p2}.
The backtrace function application unit 24 adds this value to the return values “δ” of the packet pattern calculation process (sw5_p2) (step C13).
It is assumed that in the packet pattern calculation process (sw5_p2) there is no other flow entry whose input port is the sw5_p2. Therefore, the aforementioned values of “δ” are return values of the packet pattern calculation process (sw5_p2).
In this manner, the backtrace function application unit 24 is able to find pairs of an incoming packet pattern at the incoming port sw5_p2 and an outgoing port.
Next, an inspection result display unit 25 outputs results of inspection (1) to (3) as follows, on the basis of the pairs of an incoming packet pattern at the aforementioned incoming port sw5_p2 and an outgoing port.
In the case where a packet that satisfies a condition “A” flows into the incoming port sw5_p2, the packet always flows out from the sw6_p3.
Here, the condition “A” is a condition that
the destination MAC address (mac_da) is “m9” and the VLAN ID (vlan) is 3 and the IP address (ip_da) is “a8” or
the destination MAC address (mac_da) is “m9” and the VLAN ID (vlan) is 2 and the IP address (ip_da) is “a7”.
In the case where a packet that satisfies a condition “B” flows into the incoming port sw5_p2, the packet always flows out from the sw6_p2.
Here, the condition “B” is a condition that
the destination MAC address (mac_da) is “m9” and the VLAN ID (vlan) is 3 and the IP address (ip_da) is “a6” or
the destination MAC address (mac_da) is “m9” and the VLAN ID (vlan) is 2 and the IP address (ip_da) is “a5”.
The incoming packet from the sw5_p2 which does not satisfy the condition “A” does not arrive at the sw6_p3. Furthermore, the incoming packet from the sw5_p2 which does not satisfy the condition B does not arrive at the sw6_p2.
Next, likewise, the backtrace function application unit 24 performs inspection with the sw5_p3 as the incoming port. First, the backtrace function application unit 24 executes the packet pattern calculation process (sw5_p3), with the sw5_p3 as an input. In this case, the sw5_p1 is the output port of a flow entry whose input port is the sw5_p3 (step C4). Here, the packet pattern cache stores packet patterns (data “D”) with the output port sw5_p1 as a key, as illustrated in
Therefore, the backtrace function application unit 24 acquires packet patterns of which key is the output port sw5_p1 from the packet pattern cache, and applies the backtrace function “ζe” regarding the flow entry “e” to the acquired packet patterns. By this, pairs of an incoming packet pattern at the incoming port sw5_p3 and an outgoing port are calculated.
As described above, the backtrace function application unit 24 is able to find the pairs of an incoming packet pattern at the incoming port sw5_p3 and an outgoing port, by reusing the packet pattern cache having the sw5_p1 as the key. Because of reuse of the packet pattern cache, the backtrace function application unit 24 can find the incoming packet patterns at the sw5_p3 without recursively executing the packet pattern calculation processes using the sw4_p1 and the sw6_p1 as respective inputs. Because of this, the backtrace function application unit 24 is able to realize high-speed inspection.
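The packet pattern calculation process of steps C1 to C13, including the backtrace function of equation (1) and the packet pattern cache, can be carried through on the sw5/sw4/sw6 walkthrough above. The following is an added example written for this text, not code from the patent; because Tables 1 and 2 (the functions α and μ) are not reproduced on this page, their semantics are assumed here, and the flow entries, links and the sw5_p3 entry are constructed so as to reproduce the example results given above.

```python
# Added example (not the patent's own code): the packet pattern calculation
# process of steps C1 to C13 with a packet pattern cache, run on the sw5/sw4/sw6
# example from the text.  Tables 1 and 2 (alpha and mu) are not on the page, so
# their semantics are ASSUMED; the flow entries are constructed to match the text.
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

T = None                    # entire range of an attribute ("T" in the text)
BOTTOM = frozenset()        # empty set
Attr = Optional[FrozenSet[str]]
Pattern = Tuple[Attr, ...]  # attribute order: (mac_da, vlan, ip_da)

def pat(*vals: Optional[str]) -> Pattern:
    """Build a packet pattern: a literal becomes the point set {v}, T stays T."""
    return tuple(T if v is T else frozenset({v}) for v in vals)

class FlowEntry(NamedTuple):
    in_port: str
    match: Pattern    # matching pattern, T = wildcard
    action: Pattern   # set-field action per attribute, T = not rewritten
    out_port: str

def alpha(action: Attr, out_val: Attr) -> Attr:
    """Assumed Table 1: undo a set-field action.  If the action rewrote the attribute
    to v, the output value must contain v and the value before the action is T."""
    if action is T:
        return out_val
    return T if out_val is T or action <= out_val else BOTTOM

def mu(match: Attr, in_val: Attr) -> Attr:
    """Assumed Table 2: restrict the pattern to what the matching rule accepts."""
    if match is T:
        return in_val
    return match if in_val is T else match & in_val

def zeta(e: FlowEntry, out_pattern: Pattern) -> Pattern:
    # Backtrace function of equation (1): mu(Am_i, alpha(Aa_i, Api_i)) per attribute.
    return tuple(mu(m, alpha(a, x)) for m, a, x in zip(e.match, e.action, out_pattern))

# Constructed inspection target network: sw5_p1 faces sw4_p1, sw4_p2 faces sw6_p1;
# sw6_p2 and sw6_p3 are the terminating end (outgoing) ports.
LINKS = {"sw5_p1": "sw4_p1", "sw4_p2": "sw6_p1"}
OUTGOING = frozenset({"sw6_p2", "sw6_p3"})
ENTRIES = [
    FlowEntry("sw6_p1", pat("m8", "3", T), pat(T, T, T), "sw6_p3"),
    FlowEntry("sw6_p1", pat("m7", "2", T), pat(T, T, T), "sw6_p3"),
    FlowEntry("sw6_p1", pat("m6", "3", T), pat(T, T, T), "sw6_p2"),
    FlowEntry("sw6_p1", pat("m5", "2", T), pat(T, T, T), "sw6_p2"),
    FlowEntry("sw4_p1", pat(T, "3", "a8"), pat("m8", T, T), "sw4_p2"),
    FlowEntry("sw4_p1", pat(T, "2", "a7"), pat("m7", T, T), "sw4_p2"),
    FlowEntry("sw4_p1", pat(T, "3", "a6"), pat("m6", T, T), "sw4_p2"),
    FlowEntry("sw4_p1", pat(T, "2", "a5"), pat("m5", T, T), "sw4_p2"),
    FlowEntry("sw5_p2", pat("m9", T, T), pat(T, T, T), "sw5_p1"),
    FlowEntry("sw5_p3", pat("m10", T, T), pat(T, T, T), "sw5_p1"),  # constructed
]

def packet_pattern_calc(p: str, cache: Dict[str, list], calls: List[str]) -> list:
    """Return delta: pairs (packet pattern at input port p, outgoing port).
    'calls' records every invocation so that cache reuse can be observed."""
    calls.append(p)
    delta = []                                           # step C1
    for e in [f for f in ENTRIES if f.in_port == p]:     # steps C2, C3
        p_out = e.out_port                               # step C4
        if p_out in cache:                               # step C5: cache hit
            pairs = cache[p_out]
        elif p_out in OUTGOING:                          # steps C6 to C8
            pairs = [(pat(T, T, T), p_out)]
            cache[p_out] = pairs
        else:                                            # steps C10 to C12
            pairs = packet_pattern_calc(LINKS[p_out], cache, calls)
            cache[p_out] = pairs
        for pi_out, pg in pairs:                         # steps C9 / C13
            pi_in = zeta(e, pi_out)
            if BOTTOM not in pi_in:  # an empty attribute matches no packet
                delta.append((pi_in, pg))
    return delta

def inspect(incoming_ports: List[str]) -> Dict[str, Tuple[list, List[str]]]:
    """Steps B2 to B4 over the incoming ports, sharing one packet pattern cache."""
    cache: Dict[str, list] = {}
    results = {}
    for p in incoming_ports:
        calls: List[str] = []
        results[p] = (packet_pattern_calc(p, cache, calls), calls)
    return results
```

Running inspect(["sw5_p2", "sw5_p3"]) reproduces the four (mac_da=m9, ...) pairs listed above for sw5_p2 after recursing through sw4_p1 and sw6_p1, while sw5_p3 is answered from the cache entry keyed by sw5_p1 without any recursive call.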
This will be further explained by referring to
On the other hand, in the case where the related technology mentioned in NPL 1 is employed, intermediate calculation results cannot be reused as stated above. This will be explained by referring to
In the following, results of evaluation between the time of inspection in the case where a technology mentioned in NPL 1 is implemented on actual apparatus and the time of inspection in the case where the present example embodiment is implemented on actual apparatus, are shown in
The operation of the second example embodiment of the present invention has been explained in detail as above.
In the following, advantageous effects of the second example embodiment of the present invention will be described.
The network inspection apparatus as the second example embodiment of the present invention is able to further reduce the processing time for calculating the incoming packet patterns with regard to a network.
A reason for that is because the backtrace function application unit recursively executes the packet pattern calculation process which outputs the packet pattern at the input port by applying a backtrace function to a packet pattern at an output port of a switch. It is also because, when the packet pattern at that output port is stored in the packet pattern cache, the backtrace function application unit reuses that packet pattern. It is also because when the packet pattern at that output port is not stored in the packet pattern cache, the backtrace function application unit, in order to find that packet pattern, recursively executes the packet pattern calculation process using, as an input, the input port of the next switch which faces that output port. It is also because, in this case, the backtrace function application unit stores into the packet pattern cache the packet pattern obtained by the recursively executed packet pattern calculation process and then applies a backtrace function to the obtained packet pattern. It is also because when the transfer rule includes pieces of information that respectively represent the input port, the matching pattern, the action, and the output port, the backtrace function generation unit operates as follows. That is, it is because the backtrace function generation unit, using the packet pattern at the output port as an input, generates a backtrace function so as to output a packet pattern input to the input port, on the basis of the matching pattern and the action.
Due to this, the present example embodiment stores, in the packet pattern cache, results of intermediate calculation which are pairs of a packet pattern and an outgoing port in that case, for each output port on the physical link path. Description will be made with a certain physical link path “p1”, . . . , “pn” as an example. Here, it is assumed that “pi” (i=1 to n) represents the output ports of the switches swi on the physical link path. Furthermore, it is assumed that each switch swi includes a flow entry “ei” that is applied to the physical link path. In this case, a result of calculation of packet patterns at the output port “pi” by backtrace functions is represented as “(ζei· . . . ·ζen)(πT)”, which depends only on the series of flow entries “ei”, . . . , “en” applied along the path from that output port “pi” to the outgoing port “pn”.
Therefore, in the present example embodiment, when a packet pattern at an intermediate port “pi” is stored in the packet pattern cache, the relevant value can be reused regardless of which incoming port the calculation is started. In this manner, in the present example embodiment, a pair of an outgoing port and a packet pattern calculated with regard to an intermediate port during calculation of a pair of a packet pattern from an incoming port and the outgoing port can be reused in calculation of a pair of a packet pattern from another incoming port and an outgoing port. In consequence, in the present example embodiment, it is enough to calculate a pair of a packet pattern and an outgoing port once with respect to the same port.
On the other hand, a case of finding the packet pattern by using the related technology described in NPL 1 will be described. In this related technology, first, assuming that the packet pattern at an incoming port is “πT”, a packet pattern “(φen· . . . ·φei· . . . ·φe1)(πT)” at the outgoing port is calculated. Note that “φei” represents a transfer function based on a flow entry “ei”. And, in this related technology, a transfer inverse function is applied to the packet pattern at the outgoing port to find a packet pattern “(φ−1ei· . . . ·φ−1en)·(φen· . . . ·φei· . . . ·φe1)(πT)” at an intermediate output port “pi”. In this manner, it can be understood that in this related technology, the packet pattern at an intermediate output port “pi” is affected by results of calculation performed from the incoming port “p1” to the output port “pi”. Therefore, in the case of paths whose incoming ports are different, the cache cannot be reused.
In the following, advantageous effects of the aforementioned present example embodiment will be described by using a schematic inspection target network shown in
First, using
In this case, it is assumed that the present example embodiment finds an incoming packet pattern at the incoming port “p1” on the first physical link path, at first. In this case, the packet patterns at the output ports of the intermediate sw1, sw2, and sw4 are not stored in the packet pattern cache yet. Therefore, the present example embodiment finds the packet pattern “π5=ζe5 (πT)” at the input port of the sw5, with use of the “πT” which is the packet pattern from the outgoing port “p0” of the sw5. The present example embodiment associates the calculated packet pattern with the output port of the sw4, and stores it in the packet pattern cache. Likewise, the present example embodiment finds the packet pattern “π4=ζe4 (π5)” at the input port of the sw4 on this physical link path, associates it with the output port of the sw2, and stores it in the packet pattern cache. Likewise, the present example embodiment finds the packet pattern “π2=ζe2 (π4)” at the input port of the sw2, associates it with the output port of the sw1 on this physical link path, and stores it in the packet pattern cache. Then, the present example embodiment is able to find the packet pattern “π1=ζe1 (π2)” at the input port of the sw1, that is, at the incoming port p1. In
In
In the following, for comparison, a process for finding a packet pattern at an incoming port of the inspection target network shown in
In the following, finding of an incoming packet pattern of the second physical link path by this related technology will be considered. In
As described above by using
In the second example embodiment of the present invention, the processing in which the backtrace function application unit recursively executes processing of applying backtrace functions was mainly described. The backtrace function application unit in the present invention is not limited to the processing as described above, and may employ another processing when applying backtrace functions from the outgoing port toward the incoming port of a physical link path. Such another process procedure may be a procedure for reusing an already calculated packet pattern cache with respect to an intermediate port, if such a cache is stored, to apply backtrace functions from that intermediate port toward the incoming port.
Furthermore, in the second example embodiment of the present invention, an example of the format of information stored in the packet pattern cache was shown in drawings for explanation. Besides that format, the information stored in the packet pattern cache may be represented in another format as long as that format is able to represent the packet pattern at an intermediate port and the outgoing port which the packet pattern reaches from that intermediate port.
In each example embodiment of the present invention described above, the network inspection apparatus need not be connected to the inspection target network, and it is sufficient for the network inspection apparatus to be able to acquire the physical network topology information thereabout and the transfer rules from a storage apparatus, an input apparatus, and the like.
In each example embodiment of the present invention described above, the example, in which various functional blocks of the network inspection apparatus are realized by the CPU that executes computer programs stored in the storage apparatus or the ROM, was mainly described. The network inspection apparatus is not limited to this, but part or the whole of each functional block or a combination thereof may be realized by dedicated hardware.
Furthermore, in each example embodiment of the present invention described above, the functional blocks of the network inspection apparatus may be realized by distributed apparatuses.
In each example embodiment of the present invention described above, the operations of the network inspection apparatus described with reference to the flowcharts may be stored as a computer program with regard to the present invention, in the storage apparatus (storage medium) of a computer apparatus. The CPU of that computer apparatus may read and execute such a computer program. In such a case, the present invention is constituted by codes of the above described computer program or a storage medium thereof.
The present invention has been described by use of the aforementioned example embodiments as typical examples. However, the present invention is not limited to the aforementioned example embodiments. That is, in the present invention, various variations understandable by a person with ordinary skill in the art can be applied within the scope of the present invention.
This application claims the right of priority based on Japanese Patent Application No. 2014-150077 filed Jul. 23, 2014 and the entire disclosure thereof is incorporated herein.
Number | Date | Country | Kind |
---|---|---|---|
2014-150077 | Jul 2014 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2015/003534 | 7/13/2015 | WO | 00 |