
WO2014034119A1 - Access control system, access control method, and program - Google Patents


Info

Publication number
WO2014034119A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
forwarding node
control
control information
access
Prior art date
Application number
PCT/JP2013/005109
Other languages
French (fr)
Inventor
Kentaro Sonoda
Hideyuki Shimonishi
Yoichi Hatano
Masayuki Nakae
Masaya Yamagata
Yoichiro Morita
Takayuki Sasaki
Original Assignee
Nec Corporation
Application filed by Nec Corporation
Priority to JP2015511530A (JP2015530763A)
Publication of WO2014034119A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • The present invention is based upon and claims the benefit of the priority of Japanese Patent Application No. 2012-190316 (filed on August 30, 2012), the disclosure of which is incorporated herein in its entirety by reference.
  • The present invention relates to an access control system, an access control method, and a program. More specifically, the invention relates to an access control system, an access control method, and a program for a network in which a control apparatus that centrally controls a forwarding node is disposed.
  • OpenFlow, described in Non Patent Literatures 1 and 2, identifies communications as end-to-end flows, and performs path control, failure recovery, load distribution, and optimization on a per-flow basis.
  • An OpenFlow switch specified in Non Patent Literature 2 includes a secure channel for communication with an OpenFlow controller.
  • The OpenFlow switch operates according to a flow table in which appropriate adding or rewriting is instructed by the OpenFlow controller.
  • In the flow table, a set of a matching condition (Match Fields) to be matched against a packet header, flow statistics information (Counters), and instructions (Instructions) defining processing content is defined for each flow (refer to section "4.1 Flow Table" in Non Patent Literature 2).
  • When the OpenFlow switch receives a packet, it searches the flow table for an entry whose matching condition matches the header information of the received packet (refer to "4.3 Match Fields" in Non Patent Literature 2). When an entry that matches the received packet is found, the OpenFlow switch updates the flow statistics information (one or more Counters) and executes the processing content (e.g., transmission of the packet from a specified port, flooding of the packet, discarding of the packet, or the like) described in the instruction field of the entry.
  • When no entry matching the received packet is found, the OpenFlow switch transmits to the OpenFlow controller a request for setting an entry, or a request (Packet-In message) for transmitting control information for processing the received packet, through the secure channel.
  • The OpenFlow switch receives the flow entry in which the processing content is defined, and then updates the flow table. In this manner, the OpenFlow switch performs packet forwarding by using the entry stored in the flow table as the control information.
  • Patent Literature 1 describes that an OpenFlow controller performs permission check by referring to a policy file when a new flow is generated, and then calculates a path, thereby performing access control.
  • Patent Literature 2 discloses a network access control system in which the need for forwarding an authentication request to a server on an external network and the need for temporarily setting an access control policy for an information terminal beyond management and control are eliminated, and the information terminal and a user beyond management and control can use a target network.
  • In Patent Literature 2, an access request apparatus does not directly make a request to an authentication processing apparatus.
  • Instead, a proxy request apparatus makes the request to the authentication processing apparatus, using authentication data of the proxy request apparatus.
  • The authentication processing apparatus distributes access control data based on the result of the authentication process to an access control apparatus. Accordingly, even an access request apparatus that is an information terminal beyond management and control can access the network.
  • The access request apparatus makes the access request to the proxy request apparatus, which is an information terminal under management and control, and then the processes of the proxy request apparatus, the access control apparatus, and the authentication apparatus are executed. After execution of these processes, the control by the access control apparatus over access to the network from the access request apparatus that made the access request is changed. The access request apparatus can then access the network.
  • User authentication is performed using information such as a company employee ID that can uniquely identify a user, for example. Communication between the terminal of the user and a server can then be controlled, based on the result of the authentication.
  • The disclosures of the above Patent Literatures and Non Patent Literatures are incorporated herein by reference.
  • The following analysis is given by the present invention.
  • A plurality of resources such as servers may be connected to a network using OpenFlow as described in Patent Literature 1 and Non Patent Literatures 1 and 2, so that communication may occur between these resources.
  • A method in which the OpenFlow controller sets a flow entry whenever communication newly occurs may be conceived.
  • The method of Patent Literature 2 is not suited to access control between resources in a network using OpenFlow as described in Patent Literature 1 and Non Patent Literatures 1 and 2.
  • An access control system comprising: a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node; a forwarding node configured to process the received packet by referring to the control information; an authentication apparatus configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and a policy management apparatus configured to determine a communication policy for the resource, using a result of the authentication and the identification information; the control apparatus generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  • An access control method comprising the steps of: using an apparatus connected to a communication system including a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information; authenticating a resource connected to the forwarding node, using identification information obtained from the resource; determining a communication policy for the resource, using a result of the authentication and the identification information; and generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  • This method is associated with a specific machine, which is the at least one apparatus that authenticates the resource, determines the communication policy, and generates and sets the control information.
  • A program for a computer installed in an apparatus connected to a communication system comprising a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information, the program causing the computer to execute the processes of: authenticating a resource connected to the forwarding node, using identification information obtained from the resource; determining a communication policy for the resource, using a result of the authentication and the identification information; and generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  • This program can be recorded in a computer-readable (non-transient) storage medium. That is, the present invention can also be embodied as a computer program product.
  • The present invention can contribute to reducing the management burden of access control between resources and to improving the convenience of the access control, in a network using OpenFlow as described in Patent Literature 1 and Non Patent Literatures 1 and 2.
  • Fig. 1 is a diagram showing a configuration of exemplary embodiment of the present disclosure.
  • Fig. 2 is a diagram showing a configuration of an access control system in a first exemplary embodiment of the present disclosure.
  • Fig. 3 includes tables each showing an example of resource identification information in the first exemplary embodiment of the present disclosure.
  • Fig. 4 is a table showing examples of resource identification information held in an identification information storage apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 5 is a table showing examples of communication policies held in a policy storage apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 6 is a table showing examples of resource information held in the policy storage apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 7 is a table showing examples of communication policies to be provided to a control apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 8 is a block diagram showing a detailed configuration of the control apparatus in the first exemplary embodiment of the present disclosure.
  • Fig. 9 is a sequence diagram showing operations of the first exemplary embodiment of the present disclosure.
  • Fig. 10 is a diagram continuing from Fig. 9.
  • Fig. 11 shows examples of control information to be generated by the control apparatus in the first exemplary embodiment of the present disclosure.
  • An exemplary embodiment of the present disclosure can be implemented by a configuration including: a control apparatus (100 in Fig. 1) configured to generate control information defining processing content to be applied to a received packet and then to set the control information in a forwarding node (200 in Fig. 1); a forwarding node (200 in Fig. 1) configured to process the received packet by referring to the control information; an authentication apparatus (600 in Fig. 1) configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and a policy management apparatus (310 in Fig. 1) configured to determine a communication policy for the resource, using a result of the authentication and the identification information.
  • When the communication policy is determined by the policy management apparatus (310 in Fig. 1), the control apparatus (100 in Fig. 1) generates the control information associated with the communication policy, and sets the control information in the forwarding node (200 in Fig. 1).
  • The timing at which the authentication apparatus (600 in Fig. 1) authenticates the resource can be set to the time when the resource is connected to the forwarding node.
  • In this way, communication policy determination and control information setting are automatically completed based on the identification information of a new resource whenever the new resource is connected to the forwarding node.
  • The forwarding node (200 in Fig. 1) may discard control information that has not been used, for example.
  • Specifically, the forwarding node (200 in Fig. 1) deletes the control information when a condition (hard timeout) that a predetermined time period has passed since the control information was set is satisfied, or when a condition (idle timeout) that a predetermined time period has passed since a packet matching the control information was last received is satisfied.
  • Fig. 2 is a diagram showing a configuration of an access control system in the first exemplary embodiment of the present disclosure. Referring to Fig. 2, the configuration shown includes a forwarding node 200, a control apparatus 100 configured to control the forwarding node 200, a policy management apparatus 310 configured to notify a communication policy to the control apparatus 100, an authentication apparatus 600 configured to authenticate a resource, and an identification information storage apparatus 700.
  • The forwarding node 200 is a switching device configured to process a received packet according to control information that associates a matching condition to be matched against the received packet with processing content (action) to be applied to a packet that matches the matching condition.
  • An OpenFlow switch of Non Patent Literature 2, configured to operate using a flow entry set by an OpenFlow controller as the control information, can also be used as the forwarding node 200.
  • A resource 410 and a resource 420 are connected to the forwarding node 200 in Fig. 2, and the resource 410 and the resource 420 can therefore communicate with each other through the forwarding node 200.
  • Each of the resources 410 and 420 is a computer represented by a server, a PC (Personal Computer), or the like.
  • The respective resources hold respective identification information 510 and 520, each uniquely identifying the resource itself.
  • The identification information is represented by a combination of the name of the computer, the MAC address of the computer, and an arbitrary character string, for example. Any identification information may be used, provided that it is a character string that can uniquely identify the resource.
  • The description will be given assuming that each of the resources 410 and 420 is a device connected to the forwarding node 200 by wire.
  • Each of the resources 410 and 420 may instead be a mobile terminal such as a tablet terminal or a smart phone wirelessly connected to the forwarding node 200.
  • Fig. 3 includes tables each showing an example of the identification information held by a resource.
  • The upper stage of Fig. 3 shows an example of the identification information 510 of the resource 410, while the lower stage of Fig. 3 shows an example of the identification information 520 of the resource 420.
  • Each piece of identification information has the same format, and is constituted from a set of the name of the resource, and the MAC address and the IP address of the resource.
  • The identification information 510 of the resource 410, for example, has the resource name "aaa", the MAC address "aa:aa:aa:aa:aaa:aaa", and the IP address "1.1.1.1".
  • The resource name is essential in the identification information of each resource, while the MAC address and the IP address are optional.
  • The identification information 520 of the resource 420 in Fig. 3 is constituted from the resource name "bbb" alone.
  • The authentication apparatus 600 refers to the identification information of each resource held in the identification information storage apparatus 700, authenticates each resource, and then transmits a result of the authentication to the policy management apparatus 310.
  • In Fig. 2, the authentication apparatus 600 receives from the resource 410 the identification information 510 held in the resource 410.
  • Likewise, the authentication apparatus 600 receives from the resource 420 the identification information 520 held in the resource 420. Then, the authentication apparatus 600 checks the resource identification information held in the identification information storage apparatus 700 against the identification information received from each of the resources, and determines (authenticates) whether or not each resource is a valid resource that may be connected to the network.
  • The authentication apparatus 600 transmits the result of the authentication to the policy management apparatus 310.
  • In Fig. 2, the authentication apparatus 600 and the identification information storage apparatus 700 are separately provided.
  • Alternatively, a storage apparatus such as a hard disk provided for the authentication apparatus 600 can also be used as the identification information storage apparatus 700.
  • Fig. 4 is a table showing the configuration of each piece of identification information (resource identification information) held in the identification information storage apparatus 700.
  • In each piece of resource identification information, the name of a resource, a role ID, a MAC address, an IP address, a connection switch, and a connection port are associated with one another.
  • The MAC address, the IP address, the connection switch, and the connection port are optional items, and are used for the authentication process only when their values are set. For this reason, when the resource having the resource name ddd is authenticated, the values of the MAC address and the connection switch are not used.
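The check that the authentication apparatus 600 performs against the identification information storage apparatus 700, written out as an added Python illustration (this is not the patent's own code or any NEC implementation). The resource name is mandatory, each optional item is compared only when it is set in storage, and a presented value that is missing or differs for a set item fails the check, as with the "ddd" entry above whose MAC address and connection switch are unset. The stored rows, the `observed_switch` / `observed_port` arguments (how the apparatus learns the attachment point is not stated on the page), and the MAC/IP values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed sample of the identification information storage apparatus 700
# (a Fig. 4 style table). Resource name and role ID are always present; MAC
# address, IP address, connection switch and connection port are optional and
# None means "not set". Values are illustrative, not taken from the patent.
@dataclass(frozen=True)
class StoredIdentification:
    name: str
    role_id: str
    mac: Optional[str] = None
    ip: Optional[str] = None
    switch: Optional[str] = None
    port: Optional[int] = None


# Identification information as held by a resource (Fig. 3 style):
# the name is essential, MAC address and IP address are optional.
@dataclass(frozen=True)
class PresentedIdentification:
    name: str
    mac: Optional[str] = None
    ip: Optional[str] = None


IDENTIFICATION_STORAGE = {
    "aaa": StoredIdentification("aaa", "role_0001", mac="aa:aa:aa:aa:aa:aa",
                                ip="1.1.1.1", switch="sw1", port=1),
    "bbb": StoredIdentification("bbb", "role_0002"),
    # Like the "ddd" example in the text: MAC address and connection switch unset.
    "ddd": StoredIdentification("ddd", "role_0001", ip="1.1.1.4", port=4),
}


def authenticate(presented: PresentedIdentification,
                 observed_switch: str, observed_port: int,
                 storage=IDENTIFICATION_STORAGE) -> Optional[StoredIdentification]:
    """Authentication apparatus 600: compare the presented identification
    information with the stored entry of the same name. Returns the stored
    entry (the 'authentication information', role ID included) on success,
    or None on failure. observed_switch / observed_port are assumed to be the
    forwarding node and port the resource is attached to."""
    stored = storage.get(presented.name)
    if stored is None:
        return None                      # unknown resource name
    # Each optional item is checked only when it is set in storage. A set item
    # must be matched by an equal presented/observed value; a missing presented
    # value does not satisfy a set item (a design choice made here).
    checks = [
        (stored.mac, presented.mac),
        (stored.ip, presented.ip),
        (stored.switch, observed_switch),
        (stored.port, observed_port),
    ]
    for expected, actual in checks:
        if expected is not None and expected != actual:
            return None
    return stored
```

Because unset items are skipped, an entry such as "bbb" with only a name is accepted from any switch and port; a deployment that wants a stronger check fills in the MAC, IP, switch and port columns for that resource.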
  • The policy management apparatus 310 refers to information held in the policy storage apparatus 320 to determine a communication policy for the resource connected to the forwarding node, and then transmits the result of the determination to the control apparatus 100.
  • When receiving the authentication result from the authentication apparatus 600, the policy management apparatus 310 determines the communication policy for the corresponding resource.
  • In Fig. 2, the policy management apparatus 310 and the policy storage apparatus 320 are separately provided.
  • Alternatively, a storage apparatus such as a hard disk provided for the policy management apparatus 310 can also be used as the policy storage apparatus 320.
  • Fig. 5 is a table showing examples of communication policies held in the policy storage apparatus 320.
  • The examples in Fig. 5 show a table storing entries in each of which a resource group ID given to a resource group and an access right are set, for each role identified by a role ID.
  • For example, a user having the role ID role_0001 is allowed to access both the resource group ID resource_group_0001 and the resource group ID resource_group_0002.
  • A user having the role ID role_0002 is prohibited from accessing the resource group ID resource_group_0001, and is allowed to access the resource group ID resource_group_0002.
  • Fig. 6 is a table showing examples of resource information held in the policy storage apparatus 320.
  • In Fig. 6, the ID of each resource belonging to a resource group ID described above is associated with detailed attributes of the resource.
  • For example, the resources having the resource IDs resource_0001, resource_0002, and resource_0003 are included in the group identified by the resource group ID resource_group_0001.
  • From the attributes, the name, the IP address, and the MAC address of each resource, or the port number used by each resource for a service, can be identified.
  • The policy management apparatus 310 determines the communication policy for the resource authenticated by the authentication apparatus 600 by referring to the communication policies and the resource information described above, and then notifies the communication policy to the control apparatus 100.
  • Specifically, using the role ID included in the authentication information received from the authentication apparatus 600, the resource group IDs linked to that role ID and the content of the access right to each resource group ID can be identified from the policy information in Fig. 5. Then, the resources that can be accessed from a given resource, or the resources to which access from that resource is prohibited, can be identified using the information on each resource belonging to the resource group ID in the resource information in Fig. 6.
  • Fig. 7 shows examples of communication policies to be generated from the information shown in Figs. 4, 5, and 6 and to be provided to the control apparatus 100.
  • The resource name aaa of the resource connected to the network this time is set in the transmission source resource name field of the first entry in Fig. 7.
  • The names of the resources ("bbb", "ppp", "qqq", and "sss") that can or cannot be accessed based on the role ID of the resource are set in the destination resource name field.
  • The same value as the access right for the role ID role_0001 in the policy information in Fig. 5 is set in the access right field.
  • The service and the port number set in the resource attribute field of Fig. 6 are set in the condition (option) field.
  • The condition (option) field in Fig. 7 is an item that can be set arbitrarily, and can be omitted.
  • The policy management apparatus 310 includes a mechanism (herein referred to as a communication policy editing function) configured to receive generation of, a change in the setting of, or the like of a communication policy from a user, and provides the result of the generation, the change in setting, or the like to the control apparatus 100.
  • The communication policy editing function is, for example, an application program by which the user can freely generate, modify, and delete communication policies.
  • When a communication policy is edited, the policy management apparatus 310 stores the updated communication policy information in the policy storage apparatus 320, and also generates a communication policy for a resource based on the updated communication policy information and the resource information. The policy management apparatus 310 then transmits the communication policy for the resource to the control apparatus 100.
  • In this way, the user can freely perform management operations such as generation, modification, and deletion of the communication policy.
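The derivation of Fig. 7 style rows from the Fig. 5 policies and Fig. 6 resource information, as an added Python illustration of what the policy management apparatus 310 computes (not the patent's own code). Given the authenticated resource's name and the role ID from the authentication information, it looks up the access right per resource group for that role, then emits one row per resource in those groups, carrying the access right and, when the resource attribute holds a service and port, the condition (option). The table contents, the "permit"/"deny" wording and the (service, port) encoding of the condition field are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed sample of the policy storage apparatus 320. Fig. 5 style rows:
# for each role ID, a resource group ID and the access right to that group.
@dataclass(frozen=True)
class PolicyRow:
    role_id: str
    group_id: str
    access_right: str          # "permit" or "deny" (wording assumed here)


# Fig. 6 style rows: each resource ID belongs to a group and carries attributes.
@dataclass(frozen=True)
class ResourceRow:
    resource_id: str
    group_id: str
    name: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    service: Optional[str] = None   # service name in the resource attribute field
    port: Optional[int] = None      # port number used for that service


# Fig. 7 style row handed to the control apparatus 100.
@dataclass(frozen=True)
class CommunicationPolicy:
    source_name: str
    destination_name: str
    access_right: str
    condition: Optional[Tuple[str, int]] = None   # (service, port); omitted when unset


POLICIES = [
    PolicyRow("role_0001", "resource_group_0001", "permit"),
    PolicyRow("role_0001", "resource_group_0002", "permit"),
    PolicyRow("role_0002", "resource_group_0001", "deny"),
    PolicyRow("role_0002", "resource_group_0002", "permit"),
]
RESOURCES = [
    ResourceRow("resource_0001", "resource_group_0001", "bbb", ip="1.1.1.2", service="http", port=80),
    ResourceRow("resource_0002", "resource_group_0001", "ppp", ip="1.1.1.3", service="ssh", port=22),
    ResourceRow("resource_0003", "resource_group_0001", "qqq", ip="1.1.1.4"),
    ResourceRow("resource_0004", "resource_group_0002", "sss", ip="1.1.2.1", service="https", port=443),
]


def determine_communication_policy(source_name: str, role_id: str,
                                   policies=POLICIES,
                                   resources=RESOURCES) -> List[CommunicationPolicy]:
    """Policy management apparatus 310: from the authenticated resource's name
    and role ID, derive one Fig. 7 style row per accessible or prohibited
    destination. A group with no row for this role yields nothing; what the
    control apparatus does with traffic that has no policy row is not stated
    on the page and is left out here."""
    rights = {p.group_id: p.access_right for p in policies if p.role_id == role_id}
    rows = []
    for r in resources:
        if r.name == source_name or r.group_id not in rights:
            continue
        condition = (r.service, r.port) if r.service and r.port else None
        rows.append(CommunicationPolicy(source_name, r.name, rights[r.group_id], condition))
    return rows
```

Running `determine_communication_policy("aaa", "role_0001")` yields permit rows for bbb, ppp, qqq and sss, with conditions such as `("http", 80)` where Fig. 6 holds a service; for a role_0002 resource the group_0001 destinations come back as deny rows, which the control apparatus can turn into discard entries.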
  • The policy management mechanism may be provided to the user as a Web-based system, as an independent application running on a PC, or in the form of a CLI (Command Line Interface) rather than as an application using a GUI (Graphical User Interface).
  • That is, the policy management mechanism may be provided in any form.
  • When the control apparatus 100 receives the communication policy for the resource from the policy management apparatus 310, the control apparatus 100 generates control information for causing a request (a Packet-In message in Non Patent Literature 2) to be transmitted, and then sets the control information in the forwarding node 200.
  • The request is for setting the control information for processing a packet from the resource to which the communication policy is to be applied.
  • When receiving the request for setting the control information, the control apparatus 100 calculates the forwarding path of the packet between the terminal points defined in the communication policy, based on the information on the packet included in the request. Then, the control apparatus 100 generates control information for causing each forwarding node on this forwarding path to forward the packet along the forwarding path, and sets the control information in each forwarding node on the forwarding path.
  • Fig. 8 is a block diagram showing a detailed configuration of the control apparatus 100 in this exemplary embodiment.
  • The control apparatus 100 includes a node communication unit 11 for communicating with the forwarding node 200, a control message processing unit 12, a control information management unit 13, a control information storage unit 14, a forwarding node management unit 15, a path-action calculation unit 16, a topology management unit 17, a resource location management unit 18, a communication policy management unit 19, and a communication policy storage unit 20.
  • Each of these units operates as follows.
  • The control message processing unit 12 analyzes a control message received from each forwarding node, and delivers the control message information to the corresponding processing means in the control apparatus 100.
  • The control information management unit 13 manages which control information is set in which forwarding node. Specifically, the control information management unit 13 registers the control information generated by the path-action calculation unit 16 in the control information storage unit 14 and sets the control information in the forwarding node. Further, when the control information set in a forwarding node changes, for example on a notification from the forwarding node that control information has been deleted, the control information management unit 13 updates the information registered in the control information storage unit 14.
  • The forwarding node management unit 15 manages the capabilities of each forwarding node controlled by the control apparatus 100 (such as the number and type of ports, the types of actions supported, and the like).
  • When receiving the communication policy for the resource from the communication policy management unit 19, the path-action calculation unit 16 first refers to the network topology held in the topology management unit 17, generates control information for causing the forwarding node 200 that receives a packet from the resource to issue the request for setting control information for that packet, and then sets the control information in the forwarding node 200.
  • When receiving the request for setting control information triggered by the above control information, the path-action calculation unit 16 generates the forwarding path of the packet and the control information for implementing that forwarding path, based on the information on the packet included in the request. Specifically, the path-action calculation unit 16 calculates the forwarding path of the packet between the resources, based on the information on the location of each resource managed by the resource location management unit 18 and the network topology information constructed by the topology management unit 17.
  • The path-action calculation unit 16 obtains information on the ports of each forwarding node on the forwarding path and the like from the forwarding node management unit 15, and then determines the action to be executed by each forwarding node on the path to implement the calculated forwarding path, and the matching condition for identifying the flow to which the action is to be applied.
  • The matching condition can be generated using the information on the packet included in the request for setting the control information, the condition (option) in Fig. 7, and the like.
  • In this way, control information is generated for each forwarding node on the path, defining an action of forwarding a packet from the transmission source resource aaa to the destination resource bbb out of the port connected to the next-hop forwarding node or to the resource.
  • Control information may also be generated and set not only for forwarding the packet for which the control information setting request was made, but also for forwarding packets to any resource to which the resource has an access right (an inquiry about information on a destination resource or the like may be made to the identification information storage apparatus or the policy management apparatus 310, as necessary).
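The two-step behaviour of the control apparatus 100 described above (a Packet-In trigger entry when a communication policy arrives, then per-hop forwarding or discard entries when the request for setting control information comes in), as an added Python model that is not the patent's or any OpenFlow controller's code. It also carries the hard and idle timeouts from the embodiment overview on each entry. The topology, resource locations, IP addresses, the OpenFlow-style match field names, the `(ip protocol, port)` encoding of the Fig. 7 condition, the "permit"/"deny" wording and the timeout values are constructed assumptions; the choice to discard a packet that is permitted only under a condition it does not meet is made here and is not stated on the page.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed state of the control apparatus 100: what the topology management
# unit 17 and the resource location management unit 18 would hold, plus the
# IP address of each resource from the resource information.
TOPOLOGY = {               # switch -> {neighbouring switch: local output port}
    "sw1": {"sw2": 10},
    "sw2": {"sw1": 10, "sw3": 11},
    "sw3": {"sw2": 11},
}
RESOURCE_LOCATION = {      # resource name -> (forwarding node, port)
    "aaa": ("sw1", 1),
    "bbb": ("sw3", 3),
    "sss": ("sw2", 2),
}
RESOURCE_IP = {"aaa": "1.1.1.1", "bbb": "1.1.1.2", "sss": "1.1.2.1"}


@dataclass(frozen=True)
class CommunicationPolicy:     # one Fig. 7 row received from the policy management apparatus 310
    source_name: str
    destination_name: str
    access_right: str          # "permit" or "deny" (wording assumed)
    condition: Optional[Tuple[str, int]] = None   # (ip protocol, L4 destination port), assumed encoding


@dataclass
class FlowEntry:               # control information for one forwarding node
    switch: str
    match: Dict[str, object]   # OpenFlow-style match fields (names illustrative)
    action: str                # "packet_in", "drop" or "output:<port>"
    priority: int = 100
    idle_timeout: int = 60     # seconds since a matching packet was last received (assumed value)
    hard_timeout: int = 600    # seconds since the entry was set (assumed value)


POLICY_ROWS = [
    CommunicationPolicy("aaa", "bbb", "permit", ("tcp", 80)),
    CommunicationPolicy("aaa", "sss", "deny"),
]


def trigger_entries(rows: List[CommunicationPolicy]) -> List[FlowEntry]:
    """Step 1 (policy received): one low-priority entry per source resource on
    its forwarding node, so its packets raise a Packet-In until per-flow
    entries exist. Timeout 0 means the entry does not expire."""
    entries = {}
    for row in rows:
        switch, port = RESOURCE_LOCATION[row.source_name]
        entries[row.source_name] = FlowEntry(
            switch, {"in_port": port, "ipv4_src": RESOURCE_IP[row.source_name]},
            "packet_in", priority=10, idle_timeout=0, hard_timeout=0)
    return list(entries.values())


def shortest_path(src_switch: str, dst_switch: str) -> Optional[List[str]]:
    """Breadth-first search over TOPOLOGY; returns the switches on the path."""
    prev = {src_switch: None}
    queue = deque([src_switch])
    while queue:
        node = queue.popleft()
        if node == dst_switch:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in TOPOLOGY.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def handle_packet_in(packet: Dict[str, object], rows: List[CommunicationPolicy]) -> List[FlowEntry]:
    """Step 2 (Packet-In received): find the policy row for the packet's source
    and destination resources and return the control information to set."""
    by_ip = {ip: name for name, ip in RESOURCE_IP.items()}
    src, dst = by_ip.get(packet.get("ipv4_src")), by_ip.get(packet.get("ipv4_dst"))
    row = next((r for r in rows if r.source_name == src and r.destination_name == dst), None)
    if row is None:
        return []                       # no policy row: nothing is set (the page does not specify)
    pair = {"ipv4_src": packet["ipv4_src"], "ipv4_dst": packet["ipv4_dst"]}
    src_switch, _ = RESOURCE_LOCATION[src]
    dst_switch, dst_port = RESOURCE_LOCATION[dst]
    if row.access_right != "permit":
        return [FlowEntry(src_switch, pair, "drop")]          # prohibited: discard at the first hop
    if row.condition and (packet.get("ip_proto"), packet.get("tp_dst")) != row.condition:
        # Permitted only for the condition's service: discard just this flow, so
        # the later entries for the permitted service are not shadowed.
        specific = dict(pair, ip_proto=packet.get("ip_proto"), tp_dst=packet.get("tp_dst"))
        return [FlowEntry(src_switch, specific, "drop")]
    match = dict(pair)
    if row.condition:
        match["ip_proto"], match["tp_dst"] = row.condition   # matching condition from the Fig. 7 option
    path = shortest_path(src_switch, dst_switch)
    if path is None:
        return []                       # destination unreachable in the known topology
    # One forwarding entry per hop, then the output port to the resource itself.
    entries = [FlowEntry(hop, dict(match), f"output:{TOPOLOGY[hop][nxt]}") for hop, nxt in zip(path, path[1:])]
    entries.append(FlowEntry(dst_switch, dict(match), f"output:{dst_port}"))
    return entries
```

With `POLICY_ROWS`, the first packet from aaa to bbb on TCP port 80 produces three forwarding entries (sw1 port 10, sw2 port 11, sw3 port 3), a packet from aaa to the prohibited resource sss produces a single discard entry on sw1, and the forwarding entries expire through the idle and hard timeouts while the trigger entry stays in place.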
  • The topology management unit 17 constructs the network topology information based on the connection relationships of the forwarding nodes 200 collected through the node communication unit 11.
  • The resource location management unit 18 manages information for identifying the location of each resource connected to the communication system.
  • The description will be given assuming that the name of a resource is used as the information for identifying the resource, and that the forwarding node identifier and the port of the forwarding node to which the resource is connected are used as the information for identifying the location of the resource.
  • The resource and its location may of course be identified using information carried from the policy management apparatus 310 or the authentication apparatus 600, for example, in place of this information.
  • When receiving a communication policy from the policy management apparatus 310, the communication policy management unit 19 stores the communication policy in the communication policy storage unit 20, and transmits the communication policy to the path-action calculation unit 16.
  • The communication policies shown in Fig. 7 are stored in the communication policy storage unit 20. Then, in response to a request from the path-action calculation unit 16, the communication policy for the resource associated with the request can be provided.
  • The control apparatus 100 as described above can also be implemented based on an OpenFlow controller described in Non Patent Literatures 1 and 2, by adding a function of generating a processing rule (flow entry) triggered by receipt of the above communication policy.
  • Each unit (processing means) of the control apparatus 100 in Fig. 8 can also be implemented by a computer program that causes the computer constituting the control apparatus 100 to store each of the above information and to execute each process described above, using the hardware of the computer.
  • Figs. 9 and 10 are sequence diagrams showing a series of operations of this exemplary embodiment.
  • The description will be given of a process in which the resource 410 is newly connected to the forwarding node 200 and the setting for transmitting a packet from the resource 410 to the resource 420 is performed automatically.
  • In step S001 in Fig. 9, the resource 410 transmits the identification information 510 held by the resource 410 to the authentication apparatus 600 through the forwarding node.
  • The authentication apparatus 600 receives the identification information 510 of the resource 410 and then performs an authentication process for determining whether or not to connect the resource 410 to the network, by referring to the resource identification information stored in the identification information storage apparatus 700 (step S002 in Fig. 9).
  • When the authentication apparatus 600 determines as a result of the authentication process that the resource 410 may be connected to the network (that is, when the authentication succeeds), the authentication apparatus 600 transmits to the policy management apparatus 310 the information (authentication information) corresponding to the resource 410 in the identification information storage apparatus 700 (step S003 in Fig. 9).
  • When the authentication fails, the authentication apparatus 600 may notify the control apparatus 100 that the authentication has failed. With this arrangement, control information for discarding packets from the corresponding resource can be set by the control apparatus 100.
  • The policy management apparatus 310 determines the communication policy for the resource 410 by referring to the information held in the policy storage apparatus 320 (step S004 in Fig. 9), and then transmits the communication policy to the control apparatus 100 (step S005 in Fig. 9).
  • When receiving the communication policy for the resource 410 from the policy management apparatus 310, the control apparatus 100 generates control information that causes a request for setting control information to be made for a packet using the resource 410 as the transmission source or a packet using the resource 410 as the destination (step S006 in Fig. 9). The control apparatus 100 then transmits a control message instructing the setting of this control information to the forwarding node 200 (step S007 in Fig. 9). According to the control message from the control apparatus 100, the forwarding node 200 sets the control information in itself (step S008 in Fig. 9), which completes this series of processes.
  • Next, the subsequent process operations when the packet is transmitted from the resource 410 to the resource 420 will be described using Fig. 10.
  • The resource 410 transmits a packet addressed to the resource 420 (step S101 in Fig. 10).
  • The packet transmitted from the resource 410 arrives at the forwarding node 200.
  • The forwarding node 200 requests the control apparatus 100 to set control information, according to the control information set in step S008 in Fig. 9 (step S103 in Fig. 10).
  • The control apparatus 100 that has received the request for setting control information calculates the forwarding path of the packet from the resource 410 to the resource 420 by referring to the information stored in the topology storage unit 17, the resource location management unit 18, and the communication policy storage unit 20. Further, the control apparatus 100 generates the control information that causes the forwarding node 200 on the calculated forwarding path to forward the packet from the resource 410 to the resource 420 (step S104 in Fig. 10).
  • Fig. 11 shows an example of the control information generated in step S104 in Fig. 10.
  • A matching condition that identifies the packet from the resource 410 to the resource 420 by the combination of the MAC address and the IP address of each of the resources 410 and 420, and an action to be applied to a packet matching this condition, are set.
  • The control apparatus 100 transmits to the forwarding node 200 a control message that instructs the setting of the control information and the forwarding of the packet received from the resource 410 (step S105 in Fig. 10).
  • The forwarding node 200 sets the control information in itself (step S106 in Fig. 10) and transmits the packet received from the resource 410 to the resource 420 (step S107 in Fig. 10).
  • For subsequent packets, the forwarding node 200 refers to the control information set in step S106 in Fig. 10, determines the forwarding destination of the received packet (step S202 in Fig. 10), and then forwards the packet (step S203 in Fig. 10). With the arrangement described above, communication between the resource 410 and the resource 420 becomes possible.
  • As described above, the necessary communication setting can be completed just by performing authentication using the name of a resource to be newly connected to the network, without setting the IP address or notifying the MAC address in advance according to the environment of the network.
  • The communication policy for the resource can be determined automatically according to the communication policies set in advance (the communication policy for each role in Fig. 5), so that the burden of the management operation on a network manager or the like can be reduced.
  • In the above description, Figs. 3 to 7 were shown and the description was given assuming that the role ID of a resource is derived in order to perform access control.
  • However, a configuration not using the role ID can also be employed.
  • For example, a communication policy defining permission/prohibition of access can be determined based on a resource name given to each resource, an access ID such as a MAC address, resource location information, or the like, and access control can be performed based on this communication policy.
  • The description was also given assuming that the resource 410 performs the authentication procedure with the authentication apparatus 600 through the forwarding node 200.
  • However, a configuration in which the resource 410 communicates directly with the authentication apparatus 600 to perform the authentication procedure can also be employed.
  • As for the control information, when the resource 410 is connected, only the control information that causes the request for setting control information to be made for packets from the resource 410 is set (refer to Fig. 9); the control information for forwarding is then set at the stage where an actual communication flow has occurred (refer to Fig. 10). Alternatively, in the stage from steps S006 to S008 in Fig. 9, the necessary path calculation (for paths starting from or ending at the resource 410) and generation of control information may be performed, and the control information may then be set in the forwarding node 200.
  • <Second Mode> The access control system in the first mode further includes an identification information storage apparatus configured to associate and store the identification information of the resource and a role ID; the authentication apparatus performs the authentication process by checking the identification information obtained from the resource against the content stored in the identification information storage apparatus, and transmits the role ID to the policy management apparatus when the authentication succeeds; and the policy management apparatus determines the communication policy for the resource using information indicating permission/prohibition of access set for each role ID.
  • <Third Mode> In the access control system in the second mode, the information indicating permission/prohibition of access includes permission/prohibition of access to each resource group into which resources are grouped, and the policy management apparatus determines the communication policy for the resource by referring to the permission/prohibition of access to each resource group.
  • <Fourth Mode> In the access control system in any one of the first to third modes, when receiving the communication policy for the resource from the policy management apparatus, the control apparatus sets, in the forwarding node connected to the resource, control information that causes the forwarding node to make a request for setting control information to the control apparatus for a packet using the resource as the transmission source or the destination; and when communication using the resource as the transmission source or the destination occurs, the control apparatus sets, in each forwarding node on the forwarding path of that packet, the control information for forwarding the packet, based on the communication policy for the resource.
  • <Fifth Mode> In the access control system in any one of the first to third modes, when receiving the communication policy for the resource from the policy management apparatus, the control apparatus calculates the forwarding path of packets between the resources starting from or ending at the resource, based on the communication policy for the resource, and sets, in each forwarding node on the forwarding path, the control information for forwarding those packets.
  • <Sixth Mode> See the access control method according to the second aspect described above.
  • <Seventh Mode> See the program according to the third aspect described above.
  • The sixth and seventh modes can be developed into the second to fifth modes, like the first mode.
  • Reference signs: 100 control apparatus; 200 forwarding node; 310 policy management apparatus; 320 policy storage apparatus; 410, 420 resource; 510, 520 identification information; 600 authentication apparatus; 700 identification information storage apparatus.
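As an added example, not code from the patent, the following Python simulates the two-stage setting of control information described for Figs. 9 and 10: on receipt of a communication policy the control apparatus installs trigger entries that make the forwarding node request control information for traffic from or to the resource (steps S006 to S008), and on that request it installs an entry keyed on both MAC and IP addresses that forwards or discards the flow (steps S103 to S107). The class names, the policy format (resource name to permitted destination names, standing in for Fig. 7) and the addresses and ports for resource bbb are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Match:
    """Matching condition; None is a wildcard, like an unset OpenFlow match field."""
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

    def hits(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())

@dataclass
class FlowEntry:
    """Control information: matching condition, action, priority and statistics."""
    match: Match
    action: str            # "PACKET_IN", "OUTPUT:<port>" or "DROP"
    priority: int
    idle_timeout: int = 0  # seconds without a matching packet before deletion; 0 = none
    counters: int = 0      # flow statistics, incremented on every hit

class ForwardingNode:
    """Forwarding node 200: processes packets by referring to its flow table."""
    def __init__(self, controller: "ControlApparatus") -> None:
        self.controller = controller
        self.table: list[FlowEntry] = []

    def set_control_info(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def receive(self, pkt: dict) -> str:
        for entry in self.table:
            if entry.match.hits(pkt):
                entry.counters += 1
                if entry.action != "PACKET_IN":
                    return entry.action
                break
        # The trigger entry matched (or no entry matched at all): request
        # control information from the control apparatus, as in step S103.
        return self.controller.packet_in(self, pkt)

class ControlApparatus:
    """Control apparatus 100 holding the communication policy and resource locations."""
    def __init__(self, policies: dict, addresses: dict, ports: dict) -> None:
        self.policies = policies    # src name -> set of permitted dst names (assumed form)
        self.addresses = addresses  # name -> (MAC, IP) from the identification information
        self.ports = ports          # name -> port of the forwarding node the resource is on
        self.mac_to_name = {mac: name for name, (mac, _ip) in addresses.items()}
        self.packet_in_count = 0

    def on_policy_received(self, node: ForwardingNode, name: str) -> None:
        """Steps S006 to S008: install low-priority entries so that the first packet
        from or to the newly authenticated resource is reported to the controller."""
        mac, _ip = self.addresses[name]
        node.set_control_info(FlowEntry(Match(src_mac=mac), "PACKET_IN", priority=1))
        node.set_control_info(FlowEntry(Match(dst_mac=mac), "PACKET_IN", priority=1))

    def packet_in(self, node: ForwardingNode, pkt: dict) -> str:
        """Steps S104 to S106: decide the flow from the policy and install an entry
        matching MAC and IP of both ends (Fig. 11) so later packets never return here."""
        self.packet_in_count += 1
        src = self.mac_to_name.get(pkt["src_mac"])
        dst = self.mac_to_name.get(pkt["dst_mac"])
        if src is not None and dst is not None and dst in self.policies.get(src, set()):
            action = f"OUTPUT:{self.ports[dst]}"
        else:
            action = "DROP"  # unauthenticated source, or a pair the policy prohibits
        match = Match(pkt["src_mac"], pkt["dst_mac"], pkt["src_ip"], pkt["dst_ip"])
        node.set_control_info(FlowEntry(match, action, priority=10, idle_timeout=60))
        return action

def run_scenario() -> tuple:
    """Resource aaa (Fig. 3) may reach bbb; bbb may reach nothing. Returns the
    actions applied to three packets, the number of requests sent to the
    controller and the final size of the flow table."""
    addresses = {"aaa": ("aa:aa:aa:aa:aa:aa", "1.1.1.1"),
                 "bbb": ("bb:bb:bb:bb:bb:bb", "2.2.2.2")}  # bbb's values are constructed
    ports = {"aaa": 1, "bbb": 2}
    policies = {"aaa": {"bbb"}, "bbb": set()}
    ctl = ControlApparatus(policies, addresses, ports)
    node = ForwardingNode(ctl)
    ctl.on_policy_received(node, "aaa")  # after aaa is authenticated (Fig. 9)
    ctl.on_policy_received(node, "bbb")
    fwd = {"src_mac": addresses["aaa"][0], "dst_mac": addresses["bbb"][0],
           "src_ip": "1.1.1.1", "dst_ip": "2.2.2.2"}
    rev = {"src_mac": addresses["bbb"][0], "dst_mac": addresses["aaa"][0],
           "src_ip": "2.2.2.2", "dst_ip": "1.1.1.1"}
    first = node.receive(fwd)    # reported to the controller, then forwarded to port 2
    second = node.receive(fwd)   # handled by the installed entry without the controller
    blocked = node.receive(rev)  # bbb -> aaa is not permitted: a DROP entry is installed
    return first, second, blocked, ctl.packet_in_count, len(node.table)
```

The second packet of the permitted flow is never reported to the controller, which is the load reduction the description attributes to setting the control information per flow.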

Abstract

The invention aims at reducing a management burden of access control between resources and improving convenience of the access control, in a network using OpenFlow. An access control system according to the invention includes a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the control information in a forwarding node, the forwarding node configured to process the received packet by referring to the control information, an authentication apparatus configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource, and a policy management apparatus configured to determine a communication policy for the resource, using a result of the authentication and the identification information. The control apparatus generates the control information associated with the communication policy and then sets the control information in the forwarding node.

Description

ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, AND PROGRAM
(CROSS-REFERENCE TO RELATED APPLICATIONS)
The present invention is based upon and claims the benefit of the priority of Japanese Patent Application No. 2012-190316 (filed on August 30, 2012), the disclosure of which is incorporated herein in its entirety by reference.
The present invention relates to an access control system, an access control method, and a program. More specifically, the invention relates to an access control system, an access control method, and a program for a network in which a control apparatus for centrally controlling a forwarding node is disposed.
Background
In recent years, a technology called OpenFlow has been proposed (refer to Non Patent Literatures 1 and 2). OpenFlow identifies communications as end-to-end flows, and performs path control, failure recovery, load distribution, and optimization on a per-flow basis. An OpenFlow switch specified in Non Patent Literature 2 includes a secure channel for communication with an OpenFlow controller. The OpenFlow switch operates according to a flow table in which appropriate adding or rewriting is instructed by the OpenFlow controller. In the flow table, a set of a matching condition (Match Fields) to be matched to a packet header, flow statistics information (Counters), and instructions (Instructions) defining processing content is defined for each flow (refer to section "4.1 Flow Table" in Non Patent Literature 2).
When the OpenFlow switch receives a packet, for example, the OpenFlow switch searches in the flow table for an entry having a matching condition that matches header information of the received packet (refer to "4.3 Match Fields" in Non Patent Literature 2). When the entry that matches the received packet is found as a result of the search, the OpenFlow switch updates the flow statistics information (one or more Counters), and executes processing content (e.g., transmission of the packet from a specified port, flooding of the packet, discarding of the packet, or the like) described in the instruction field of the entry. On the other hand, when the entry that matches the received packet is not found as a result of the search, the OpenFlow switch transmits to the OpenFlow controller a request for setting an entry, or a request (Packet-In message) for transmitting control information for processing the received packet, through a secure channel. The OpenFlow switch receives the flow entry in which the processing content is defined, and then updates the flow table. In this manner, the OpenFlow switch performs packet forwarding by using the entry stored in the flow table as the control information.
Paragraph [0052] of Patent Literature 1 describes that an OpenFlow controller performs permission check by referring to a policy file when a new flow is generated, and then calculates a path, thereby performing access control.
Patent Literature 2 discloses a network access control system that eliminates the need to forward an authentication request to a server on an external network and the need to temporarily set an access control policy for an information terminal beyond management and control, and that allows such an information terminal and its user to use a target network. According to Patent Literature 2, in this network access control system, an access request apparatus does not make a request directly to an authentication processing apparatus. Upon receipt of the request from the access request apparatus, a proxy request apparatus makes a request to the authentication processing apparatus using the authentication data of the proxy request apparatus. Upon receipt of that request, the authentication processing apparatus distributes access control data based on the result of the authentication process to an access control apparatus. Accordingly, even an access request apparatus that is an information terminal beyond management and control can access the network. To do so, the access request apparatus makes the access request to the proxy request apparatus, which is an information terminal under management and control, and the processes of the proxy request apparatus, the access control apparatus, and the authentication apparatus are then executed. After execution of these processes, the control applied by the access control apparatus to network access from the access request apparatus that made the access request is changed, and the access request apparatus can then access the network.
According to the network access control system in Patent Literature 2 as described above, user authentication is performed using information such as a company employee ID that can uniquely identify a user, for example. Then, communication between the terminal of the user and a server can be controlled, based on a result of the authentication.
Patent Literature 1: International Publication WO 2008/095010
Patent Literature 2: Japanese Patent No. 4832516 B
Non Patent Literature 1: Nick McKeown and seven other authors, "OpenFlow: Enabling Innovation in Campus Networks", [online], [searched on July 13, Heisei 24 (2012)], Internet <URL: http://www.openflow.org/documents/openflow-wp-latest.pdf>.
Non Patent Literature 2: "OpenFlow Switch Specification" Version 1.0.0 Implemented (Wire Protocol 0x02), [online], [searched on July 13, Heisei 24 (2012)], Internet <URL: http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf>.
Summary
The entire disclosures of the above-listed Patent Literature and Non Patent Literatures are incorporated herein by reference.
The following analysis has been made in the present disclosure. A plurality of resources such as servers may be connected to the network using OpenFlow described in each of Patent Literature 1 and Non Patent Literatures 1 and 2, so that communication may occur between these resources. In this case, a method in which the OpenFlow controller sets a flow entry whenever communication newly occurs may be conceived. However, there is a demand to reduce, as much as possible, both the management burden of setting up the communication between the resources and the load on the OpenFlow controller.
In the system described in Patent Literature 2, for example, access control over the user terminal of the user is implemented, based on the ID held by the user (such as the company employee ID). Thus, this system cannot be applied to access control between resources not having IDs of this type. In order to implement such access control between the resources, a manager generates an access control rule, using an IP (Internet Protocol) address or a MAC (Media Access Control) address set for that server, as the ID. In this case, however, there is a problem that, unless the manager grasps IP addresses and MAC addresses of all resources to be managed, the manager cannot generate an access control rule covering accessible/inaccessible ranges from the resource.
Further, in the case of the above-mentioned system, it is necessary to change the access control rule whenever a change has occurred in the IP address or the MAC address held by the resource, so that there is a problem that the management gets complicated. Accordingly, the approach disclosed in Patent Literature 2 is not suited to the access control between the resources in the network using OpenFlow described in Patent Literature 1 and Non Patent Literatures 1 and 2.
It is an object of the present invention to provide an access control system, an access control method, and a program that can contribute to reduction of a management burden of access control between resources represented by the above-mentioned servers and improvement in convenience of the access control, in the network using OpenFlow described in Patent Literature 1 and Non Patent Literatures 1 and 2.
According to a first aspect, there is provided an access control system, comprising:
a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node;
a forwarding node configured to process the received packet by referring to the control information;
an authentication apparatus configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and
a policy management apparatus configured to determine a communication policy for the resource, using a result of the authentication and the identification information;
wherein the control apparatus generates the control information associated with the communication policy and sets the generated control information in the forwarding node.
According to a second aspect, there is provided an access control method comprising, by an apparatus connected to a communication system including a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information, the steps of:
authenticating a resource connected to the forwarding node, using identification information obtained from the resource;
determining a communication policy for the resource, using a result of the authentication and the identification information; and
generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
This method is associated with a specific machine, which is the at least one apparatus that authenticates the resource, determines the communication policy, and generates and sets the control information.
According to a third aspect, there is provided a program for a computer installed in an apparatus connected to a communication system comprising a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information, the program causing the computer to execute the processes of:
authenticating a resource connected to the forwarding node, using identification information obtained from the resource;
determining a communication policy for the resource, using a result of the authentication and the identification information; and
generating the control information associated with the communication policy and setting the generated control information in the forwarding node. This program can be recorded in a computer-readable (non-transitory) storage medium. That is, the present invention can also be embodied as a computer program product.
The present invention can contribute to reduction of a management burden of access control between resources and improvement in convenience of the access control, in a network using OpenFlow described in Patent Literature 1 and Non Patent Literatures 1 and 2.
Fig. 1 is a diagram showing a configuration of an exemplary embodiment of the present disclosure.
Fig. 2 is a diagram showing a configuration of an access control system in a first exemplary embodiment of the present disclosure.
Fig. 3 includes tables each showing an example of resource identification information in the first exemplary embodiment of the present disclosure.
Fig. 4 is a table showing examples of resource identification information held in an identification information storage apparatus in the first exemplary embodiment of the present disclosure.
Fig. 5 is a table showing examples of communication policies held in a policy storage apparatus in the first exemplary embodiment of the present disclosure.
Fig. 6 is a table showing examples of resource information held in the policy storage apparatus in the first exemplary embodiment of the present disclosure.
Fig. 7 is a table showing examples of communication policies to be provided to a control apparatus in the first exemplary embodiment of the present disclosure.
Fig. 8 is a block diagram showing a detailed configuration of the control apparatus in the first exemplary embodiment of the present disclosure.
Fig. 9 is a sequence diagram showing operations of the first exemplary embodiment of the present disclosure.
Fig. 10 is a diagram continuing from Fig. 9.
Fig. 11 shows examples of control information to be generated by the control apparatus in the first exemplary embodiment of the present disclosure.
First, an overview of an exemplary embodiment of the present disclosure will be described with reference to a drawing. The reference signs in the drawing appended to this overview are attached to the elements for convenience, as an aid to understanding, and are not intended to limit the present disclosure to the mode that has been illustrated.
The exemplary embodiment of the present disclosure can be implemented by a configuration including: a control apparatus (100 in Fig. 1) configured to generate control information defining processing content to be applied to a received packet and then to set the control information in a forwarding node (200 in Fig. 1), a forwarding node (200 in Fig. 1) configured to process the received packet by referring to the control information, an authentication apparatus (600 in Fig. 1) configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource, and a policy management apparatus (310 in Fig. 1) configured to determine a communication policy for the resource, using a result of the authentication and the identification information.
More specifically, when the communication policy is determined by the policy management apparatus (310 in Fig. 1), the control apparatus (100 in Fig. 1) generates the control information associated with the communication policy, and sets the control information in the forwarding node (200 in Fig. 1).
With the above-mentioned arrangement, the setting of inter-resource communication is completed. Once the setting is completed, inter-resource communication is controlled by the control information on a per-flow basis. Further, even if a change occurs in the IP address or MAC address held by a resource, the change need only be reflected at the authentication apparatus (600 in Fig. 1) so that the authentication process is performed correctly. Thus, the problem that management becomes complicated hardly arises.
A timing at which the authentication apparatus (600 in Fig. 1) authenticates the resource can be set to a time when the resource is connected to the forwarding node. With this arrangement, communication policy determination and control information setting are automatically completed based on identification information of a new resource whenever the new resource is connected to the forwarding node.
It can also be so configured that a valid time limit is set for the control information and that the forwarding node (200 in Fig. 1) discards control information that has not been used, for example. To take an example, there may be a configuration in which the forwarding node (200 in Fig. 1) deletes the control information when either the condition that a predetermined time period has passed since the control information was set (a hard timeout) or the condition that a predetermined time period has passed since a packet matching the control information was last received (an idle timeout) is satisfied.
<First Exemplary Embodiment>
Next, a first exemplary embodiment of the present disclosure will be described in detail with reference to the drawings. Fig. 2 is a diagram showing a configuration of an access control system in the first exemplary embodiment of the present disclosure. Fig. 2 shows a configuration including a forwarding node 200, a control apparatus 100 configured to control the forwarding node 200, a policy management apparatus 310 configured to notify a communication policy to the control apparatus 100, an authentication apparatus 600 configured to authenticate a resource, and an identification information storage apparatus 700.
The forwarding node 200 is a switching device configured to process a received packet according to control information that associates a matching condition to be matched against the received packet with processing content (action) to be applied to a packet that matches the matching condition. As such a forwarding node, an OpenFlow switch in Non Patent Literature 2, configured to operate using a flow entry set by an OpenFlow controller as the control information, can also be used. A resource 410 and a resource 420 are connected to the forwarding node 200 in Fig. 2, so the resource 410 and the resource 420 can communicate with each other through the forwarding node 200. In the example in Fig. 2, it is assumed that one forwarding node is used. However, a plurality of forwarding nodes may be connected.
Each of the resources 410 and 420 is a computer represented by a server, a PC (Personal Computer), or the like. The respective resources hold respective identification information 510 and 520 each for uniquely identifying the resource itself. The identification information is represented by a combination of the name of the computer, the MAC address of the computer, and an arbitrary character string, for example. Any identification information may be used if the identification information is a character string that can uniquely identify the resource. In this exemplary embodiment, the description will be given, assuming that each of the resources 410 and 420 is a device connected to the forwarding node 200 by wire. Each of the resources 410 and 420, however, may be a mobile terminal such as a tablet terminal or a smart phone wirelessly connected to the forwarding node 200.
Fig. 3 includes tables each showing an example of the identification information held by a resource. The upper table in Fig. 3 shows an example of the identification information 510 of the resource 410, while the lower table in Fig. 3 shows an example of the identification information 520 of the resource 420. Both have the same format and consist of the name of the resource together with the MAC address and the IP address of the resource. The identification information 510 of the resource 410, for example, has the resource name "aaa", the MAC address "aa:aa:aa:aa:aa:aa", and the IP address "1.1.1.1". The resource name is mandatory in the identification information of each resource, whereas the MAC address and the IP address are optional. To take an example, the identification information 520 of the resource 420 in Fig. 3 consists of the resource name "bbb" alone.
The authentication apparatus 600 refers to the identification information of each resource held in the identification information storage apparatus 700, authenticates each resource, and then transmits a result of the authentication to the policy management apparatus 310. In this exemplary embodiment, when the resource 410 is connected to the forwarding node 200, the authentication apparatus 600 receives from the resource 410 the identification information 510 held in the resource 410. When the resource 420 is connected to the forwarding node 200, the authentication apparatus 600 receives from the resource 420 the identification information 520 held in the resource 420. Then, the authentication apparatus 600 checks the resource identification information held in the identification information storage apparatus 700 against the identification information received from each of the resources, and determines (authenticates) whether or not each resource is a valid resource capable of being connected to the network. Then, the authentication apparatus 600 transmits a result of the authentication to the policy management apparatus 310. In the example in Fig. 2, the authentication apparatus 600 and the identification information storage apparatus 700 are separately provided. However, a storage apparatus such as a hard disk provided for the authentication apparatus 600 can also be used as the identification information storage apparatus 700.
Fig. 4 is a table showing the configuration of each piece of identification information (resource identification information) held in the identification information storage apparatus 700. Referring to Fig. 4, each piece of resource identification information associates the name of a resource, a role ID, a MAC address, an IP address, a connection switch, and a connection port with one another. When it is confirmed that the resource with the resource name aaa has the MAC address aa:aa:aa:aa:aa:aa, the IP address 1.1.1.1, the connection switch "switch 1", and the connection port 1, authentication succeeds and the role ID role_0001 is given. Similarly, when it is confirmed that the resource with the resource name ddd has the IP address 4.4.4.4 and the connection port 2, authentication succeeds and the role ID role_0004 is given. In the examples in Fig. 4, the MAC address, the IP address, the connection switch, and the connection port are optional items, and each is used in the authentication process only when its value is set. For this reason, when the resource with the resource name ddd is authenticated, the MAC address and the connection switch are not used.
The policy management apparatus 310 refers to information held in the policy storage apparatus 320 to determine a communication policy for the resource connected to the forwarding node, and then transmits a result of the determination to the control apparatus 100. In this exemplary embodiment, at a timing of receipt of authentication information and the identification information from the authentication apparatus 600, or at a timing of a request for transmitting the communication policy from the control apparatus 100, the policy management apparatus 310 determines the communication policy for the corresponding resource. In the example in Fig. 2, the policy management apparatus 310 and the policy storage apparatus 320 are separately provided. However, a storage apparatus such as a hard disk provided for the policy management apparatus 310 can also be used as the policy storage apparatus 320.
Fig. 5 is a table showing examples of communication policies held in the policy storage apparatus 320. The examples in Fig. 5 show a table storing entries in each of which a resource group ID given to a resource group and an access right are set, for each role identified by a role ID. To take an example, a user having the role ID of role_0001 is allowed to access both the resource group having the resource group ID of resource_group_0001 and the resource group having the resource group ID of resource_group_0002. On the other hand, a user having the role ID of role_0002 is prohibited from accessing the resource group having the resource group ID of resource_group_0001, and is allowed to access the resource group having the resource group ID of resource_group_0002.
Fig. 6 is a table showing examples of resource information held in the policy storage apparatus 320. In each example in Fig. 6, the ID of each resource belonging to the resource group ID described above is associated with a detailed attribute of the resource. To take an example, the resource having the resource ID of resource_0001, the resource having the resource ID of resource_0002, and the resource having the resource ID of resource_0003 are included in the group identified by the resource group ID of resource_group_0001. The name, the IP address, and the MAC address of each resource, or a port number of each resource used for a service can be identified.
The policy management apparatus 310 determines the communication policy for the resource authenticated by the authentication apparatus 600 by referring to the communication policies and the resource information as described above, and then notifies the communication policy to the control apparatus 100. To take an example, the resource group ID linked to the corresponding role ID and the content of the access right to the resource group ID can be identified from information on the policies in Fig. 5, using the role ID included in the authentication information received from the authentication apparatus 600. Then, the resource that can be accessed from a certain resource or the resource for which access from the certain resource is prohibited can be identified, using the information on each resource belonging to the resource group ID in the resource information in Fig. 6.
Fig. 7 shows examples of communication policies to be generated from the information shown in Figs. 4, 5, and 6 and to be provided to the control apparatus 100. The resource name of aaa of the resource connected to the network this time is set in the transmission source resource name field of a first entry in Fig. 7. The names of resources ("bbb", "ppp", "qqq", and "sss") that can or cannot be accessed based on the role ID of the resource are set in a destination resource name field. The same value as that of the access right for the role ID of role_0001 in the policy information in Fig. 5 is set in an access right field. The service and the port number set in the resource attribute field of Fig. 6 are set in a condition (option) field. The condition (option) field in Fig. 7 is an optional item and may be omitted.
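The authentication check of Fig. 4 and the role-based expansion of Figs. 5 and 6 into Fig. 7 style entries, as an added example that is not code from the patent; the table contents are constructed, and the group membership, addresses, services and ports of bbb, ppp, qqq and sss are assumptions.

```python
"""Added example (not code from the patent): the authentication check of
Fig. 4 and the role-based communication policy generation of Figs. 5 to 7.
Table contents are constructed; group membership of ppp, qqq and sss and all
address, service and port values are assumptions."""
from typing import Dict, List, Optional

# Fig. 4 style resource identification information.  The MAC address, IP
# address, connection switch and connection port are optional items (None
# when not set) and take part in authentication only when set.
IDENTIFICATION_INFO: List[Dict] = [
    {"name": "aaa", "role_id": "role_0001", "mac": "aa:aa:aa:aa:aa:aa",
     "ip": "1.1.1.1", "switch": "switch 1", "port": 1},
    {"name": "ddd", "role_id": "role_0004", "mac": None,
     "ip": "4.4.4.4", "switch": None, "port": 2},
]
OPTIONAL_ITEMS = ("mac", "ip", "switch", "port")

# Fig. 5 style policies: role ID -> {resource group ID -> access right}.
ROLE_POLICIES: Dict[str, Dict[str, str]] = {
    "role_0001": {"resource_group_0001": "allow", "resource_group_0002": "allow"},
    "role_0002": {"resource_group_0001": "deny", "resource_group_0002": "allow"},
}

# Fig. 6 style resource information: group ID -> member resources with
# attributes (constructed values).
RESOURCE_INFO: Dict[str, List[Dict]] = {
    "resource_group_0001": [
        {"id": "resource_0001", "name": "bbb", "ip": "2.2.2.2",
         "mac": "bb:bb:bb:bb:bb:bb", "service": "http", "port": 80},
        {"id": "resource_0002", "name": "ppp", "ip": "2.2.2.3",
         "mac": "bb:bb:bb:bb:bb:01", "service": "ssh", "port": 22},
        {"id": "resource_0003", "name": "qqq", "ip": "2.2.2.4",
         "mac": "bb:bb:bb:bb:bb:02", "service": "https", "port": 443},
    ],
    "resource_group_0002": [
        {"id": "resource_0004", "name": "sss", "ip": "3.3.3.3",
         "mac": "cc:cc:cc:cc:cc:cc", "service": "smtp", "port": 25},
    ],
}


def authenticate(presented: Dict) -> Optional[str]:
    """Authentication apparatus 600: compare the identification information
    presented by a resource with the stored entries.  Every stored optional
    item that is set must match; unset items are skipped (the ddd case).
    Returns the role ID on success, None on failure."""
    for entry in IDENTIFICATION_INFO:
        if entry["name"] != presented.get("name"):
            continue
        if all(entry[item] is None or entry[item] == presented.get(item)
               for item in OPTIONAL_ITEMS):
            return entry["role_id"]
    return None


def build_communication_policy(src_name: str, role_id: str) -> List[Dict]:
    """Policy management apparatus 310: expand the role's group-level access
    rights into Fig. 7 style entries (source, destination, access right,
    condition).  A role with no policy yields no entries, so nothing is
    allowed by default."""
    entries = []
    for group_id, right in ROLE_POLICIES.get(role_id, {}).items():
        for res in RESOURCE_INFO.get(group_id, []):
            entries.append({
                "src": src_name, "dst": res["name"], "access": right,
                "condition": {"service": res["service"], "port": res["port"]},
            })
    return entries


def on_resource_connected(presented: Dict) -> List[Dict]:
    """Steps S002 to S005 of Fig. 9: authenticate, then derive the policy.
    A failed authentication produces no communication policy at all."""
    role_id = authenticate(presented)
    if role_id is None:
        return []
    return build_communication_policy(presented["name"], role_id)
```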
The policy management apparatus 310 includes a mechanism (herein referred to as a communication policy editing function) configured to receive generation, a change in setting, or the like of the communication policy from a user, and provides a result of the generation, the change in setting, or the like to the control apparatus 100. The communication policy editing function is implemented, for example, as an application program by which the user can freely generate, modify, and delete the communication policy. The policy management apparatus 310 stores updated communication policy information in the policy storage apparatus 320, and also generates a communication policy for a resource, based on the updated communication policy information and the resource information. The policy management apparatus 310 then transmits the communication policy for the resource to the control apparatus 100.
In this manner, according to the policy management apparatus 310 and the policy storage apparatus 320 in this exemplary embodiment, the user can freely perform a management operation such as generation, modification, deletion or the like of the communication policy. Such a policy management mechanism may be provided to the user as a Web-based system, may be provided as an independent application running on a PC, or may be provided in the form of a CLI (Command Line Interface) rather than as an application using a GUI (Graphical User Interface). The policy management mechanism may be provided in any form.
When the control apparatus 100 receives the communication policy for the resource from the policy management apparatus 310, the control apparatus 100 generates control information for causing a request (Packet-In message in Non Patent Literature 2) to be transmitted, and then sets the control information in the forwarding node 200. The request is for setting the control information for processing a packet from the resource to which the communication policy is to be applied. When receiving the request for setting the control information from the forwarding node 200 based on the control information, the control apparatus 100 calculates the forwarding path of the packet between terminal points defined in the communication policy, based on information on the packet included in the request for setting the control information. Then, the control apparatus 100 generates the control information for causing each forwarding node on this forwarding path to execute forwarding of the packet along the forwarding path, and then sets the control information in the forwarding node on the forwarding path.
Fig. 8 is a block diagram showing a detailed configuration of the control apparatus 100 in this exemplary embodiment. Referring to Fig. 8, the control apparatus 100 is configured to include a node communication unit 11 for communicating with the forwarding node 200, a control message processing unit 12, a control information management unit 13, a control information storage unit 14, a forwarding node management unit 15, a path-action calculation unit 16, a topology management unit 17, a resource location management unit 18, a communication policy management unit 19, and a communication policy storage unit 20. Each of these units operates as follows.
The control message processing unit 12 analyzes a control message received from each forwarding node, and delivers control message information to corresponding processing means in the control apparatus 100.
The control information management unit 13 manages what control information is set in which forwarding node. Specifically, the control information management unit 13 registers the control information generated by the path-action calculation unit 16 in the control information storage unit 14 and sets the control information in the forwarding node. Further, the control information management unit 13 handles a change in the control information set in the forwarding node, using a notification of deletion of the control information from the forwarding node or the like, and then updates the information registered in the control information storage unit 14.
The forwarding node management unit 15 manages capabilities of the forwarding node (such as the number and the type of ports, the type of an action to be supported and the like) to be controlled by the control apparatus 100.
When receiving the communication policy for the resource from the communication policy management unit 19, the path-action calculation unit 16 first refers to the topology of the network held in the topology management unit 17, generates the control information for causing the forwarding node 200 that receives a packet from the resource to execute the request for setting the control information with respect to the packet from the resource, and then sets the control information in the forwarding node 200.
When receiving the request for setting the control information based on the above-mentioned control information, the path-action calculation unit 16 generates the forwarding path of the packet and the control information for implementing the forwarding path, based on the information on the packet included in the request for setting the control information. Specifically, the path-action calculation unit 16 calculates the forwarding path of the packet between the resources, based on the information on the location of the resource managed by the resource location management unit 18 and the information on the network topology constructed by the topology management unit 17. Next, the path-action calculation unit 16 obtains information on the port of each forwarding node on the forwarding path and the like from the forwarding node management unit 15, and then determines an action to be executed by the forwarding node on the path for implementing the calculated forwarding path and a matching condition for identifying a flow to which the action is to be applied. The matching condition can be generated by using the information on the packet included in the request for setting the control information, the condition (option) in Fig. 7, and the like.
Accordingly, in the case of the first entry of the communication policy in Fig. 7, control information is generated which defines an action of forwarding a packet addressed from the transmission source resource name of aaa to the destination resource name of bbb from the port connected to the next-hop forwarding node or to the resource. When setting the control information, control information implementing not only packet forwarding for the packet for which the control information setting request has been made, but also packet forwarding to any other resource to which the resource has the access right, may be generated and set (an inquiry about information on a destination resource or the like may be made to the identification information storage apparatus 700 or the policy management apparatus 310, as necessary).
The topology management unit 17 constructs the network topology information, based on a connection relationship of the forwarding node 200 collected through the node communication unit 11.
The resource location management unit 18 manages information for identifying the location of each resource connected to the communication system. In this exemplary embodiment, the description will be given assuming that the name of a resource is used as information for identifying the resource, and that the identifier of the forwarding node to which the resource is connected and the port of that forwarding node are used as information for identifying the location of the resource. The resource and its location may of course be identified using information carried from the policy management apparatus 310 or the authentication apparatus 600, for example, in place of this information.
When receiving the communication policy from the policy management apparatus 310, the communication policy management unit 19 stores the communication policy in the communication policy storage unit 20, and transmits the communication policy to the path-action calculation unit 16. The communication policies shown in Fig. 7 are stored in the communication policy storage unit 20. Then, in response to a request from the path-action calculation unit 16, the communication policy for the resource associated with the request can be provided.
The control apparatus 100 as described above can also be implemented, based on an OpenFlow controller described in each of Non Patent Literatures 1 and 2 and by addition of a function of generating a processing rule (flow entry) using receipt of the above-mentioned communication policy as a trigger.
Each unit (processing means) of the control apparatus 100 in Fig. 8 can also be implemented by a computer program configured to cause a computer constituting the control apparatus 100 to store each of the above-mentioned information and to execute each process described above, using hardware of the computer.
Next, operations of this exemplary embodiment will be described in detail with reference to drawings. Figs. 9 and 10 are sequence diagrams showing a series of operations of this exemplary embodiment. Herein, the description will be given about a process where the resource 410 is newly connected to the forwarding node 200, and setting for transmitting a packet from the resource 410 to the resource 420 is automatically performed.
Referring to Fig. 9, first, when the resource 410 is connected to the forwarding node, packet forwarding is performed to the authentication apparatus 600 (in step S001 in Fig. 9). In this case, the resource 410 transmits information of the identification information 510 held by the resource 410 to the authentication apparatus 600 through the forwarding node.
The authentication apparatus 600 receives the identification information 510 of the resource 410, and then performs an authentication process for determining whether or not to connect the resource 410 to the network by referring to each resource identification information stored in the identification information storage apparatus 700 (in step S002 in Fig. 9).
When the authentication apparatus 600 determines as a result of the authentication process that the resource 410 may be connected to the network (when the authentication succeeds), the authentication apparatus 600 transmits to the policy management apparatus 310 the information (authentication information) corresponding to the resource 410 in the identification information storage apparatus 700 (in step S003 in Fig. 9). When the authentication apparatus 600 determines as a result of the authentication process that the authentication has failed, the authentication apparatus 600 may notify the control apparatus 100 that the authentication has failed. With this arrangement, the control apparatus 100 can set control information for discarding packets from the corresponding resource.
When receiving the information on the resource 410 from the authentication apparatus 600, the policy management apparatus 310 determines the communication policy for the resource 410, by referring to the information held in the policy storage apparatus 320 (in step S004 in Fig. 9), and then transmits the communication policy to the control apparatus 100 (in step S005 in Fig. 9).
When receiving the communication policy for the resource 410 from the policy management apparatus 310, the control apparatus 100 generates control information for causing a request for setting control information to be made with respect to the packet using the resource 410 as a transmission source or a packet using the resource 410 as a destination (in step S006 in Fig. 9). Then, the control apparatus 100 transmits a control message instructing setting of the control information to the forwarding node 200 (in step S007 in Fig. 9). According to the control message from the control apparatus 100, the forwarding node 200 sets the control information therein (in step S008 in Fig. 9), and then finishes a series of the processes.
Next, the description will be directed to subsequent process operations when the packet is transmitted from the resource 410 to the resource 420, using Fig. 10. Referring to Fig. 10, first, the resource 410 transmits the packet addressed to the resource 420 (in step S101 in Fig. 10). The packet transmitted from the resource 410 arrives at the forwarding node 200. The forwarding node 200 requests the control apparatus 100 to set the control information, according to the control information set in step S008 in Fig. 9 (in step S103 in Fig. 10).
The control apparatus 100 that has received the request for setting the control information calculates the forwarding path of the packet addressed from the resource 410 to the resource 420 by referring to the information held in the topology management unit 17, the resource location management unit 18, and the communication policy storage unit 20. Further, the control apparatus 100 generates the control information for causing the forwarding node 200 on the calculated forwarding path to forward the packet from the resource 410 to the resource 420 (in step S104 in Fig. 10).
Fig. 11 shows an example of the control information to be generated in step S104 in Fig. 10. In the example in Fig. 11, a matching condition for identifying the packet addressed from the resource 410 to the resource 420 by a combination of the MAC address and the IP address of each of the resources 410 and 420 and an action to be applied to the packet that matches this matching condition are set. With this arrangement, when the forwarding node 200 receives the packet addressed from the resource 410 to the resource 420, a process of forwarding the packet from a connection port 2 of the forwarding node 200 is performed, according to the control information in Fig. 11. With this process, the packet addressed from the resource 410 to the resource 420 is forwarded to the resource 420.
The control apparatus 100 transmits to the forwarding node 200 a control message that instructs setting of the control information and forwarding of the packet received from the resource 410 (in step S105 in Fig. 10). According to the control message from the control apparatus 100, the forwarding node 200 sets the control information therein (in step S106 in Fig. 10) and transmits the packet received from the resource 410 to the resource 420 (in step S107 in Fig. 10).
Thereafter, when the resource 410 transmits a packet addressed to the resource 420 (in step S201), the forwarding node 200 refers to the control information set in step S106 in Fig. 10, determines the forwarding destination of the received packet (in step S202 in Fig. 10), and then forwards the packet (in step S203 in Fig. 10). With the arrangement as described above, communication between the resource 410 and the resource 420 becomes possible.
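The control apparatus side of the sequence in Figs. 9 to 11, as an added example that is not code from the patent: the entries set at steps S006 to S008 so that the first packet from or to a newly connected resource is reported to the control apparatus, and the Fig. 11 style entry derived at step S104, which matches on the MAC and IP addresses of both resources and either outputs to the destination's port or drops the flow when the communication policy prohibits the access. A single forwarding node is assumed, as in Fig. 10; the resource locations, addresses, OpenFlow-style match field names and policy entries are constructed.

```python
"""Added example (not code from the patent): the control apparatus side of
Figs. 9 to 11.  request_entries() builds the control information set when a
resource connects (steps S006 to S008); forwarding_entry() derives the
Fig. 11 style control information on a request for setting control
information (step S104).  One forwarding node is assumed, as in Fig. 10;
locations, addresses, match field names and policy entries are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ControlInformation:
    """A flow entry: matching condition, action list and priority."""
    match: Tuple[Tuple[str, object], ...]
    actions: Tuple[str, ...]
    priority: int = 100


# Resource location management unit 18: name -> (forwarding node, port).
RESOURCE_LOCATION: Dict[str, Tuple[str, int]] = {
    "aaa": ("switch 1", 1), "bbb": ("switch 1", 2),
}
# Addresses known from the identification and resource information.
RESOURCE_ADDRESS: Dict[str, Dict[str, str]] = {
    "aaa": {"mac": "aa:aa:aa:aa:aa:aa", "ip": "1.1.1.1"},
    "bbb": {"mac": "bb:bb:bb:bb:bb:bb", "ip": "2.2.2.2"},
}
# Communication policy storage unit 20, Fig. 7 style (constructed entries).
COMMUNICATION_POLICY: List[Dict] = [
    {"src": "aaa", "dst": "bbb", "access": "allow",
     "condition": {"service": "http", "port": 80}},
    {"src": "bbb", "dst": "aaa", "access": "deny", "condition": None},
]


def request_entries(resource: str) -> List[ControlInformation]:
    """Step S006: low-priority entries that send the first packet from or to
    the resource to the control apparatus as a request for setting control
    information (Packet-In), so no default rule forwards it unchecked."""
    mac = RESOURCE_ADDRESS[resource]["mac"]
    return [
        ControlInformation((("eth_src", mac),), ("CONTROLLER",), priority=10),
        ControlInformation((("eth_dst", mac),), ("CONTROLLER",), priority=10),
    ]


def resource_name(mac: str, ip: str) -> Optional[str]:
    """Identify a resource from the packet's MAC and IP address pair.  Both
    must agree with the stored attributes, so a packet carrying only another
    resource's IP address does not inherit that resource's rights."""
    for name, addr in RESOURCE_ADDRESS.items():
        if addr["mac"] == mac and addr["ip"] == ip:
            return name
    return None


def forwarding_entry(packet: Dict) -> ControlInformation:
    """Step S104: derive control information for the packet reported in the
    request.  Unknown endpoints or a prohibited access yield a drop entry,
    so the forwarding node discards later packets of that flow by itself
    instead of reporting each of them."""
    src = resource_name(packet["eth_src"], packet["ipv4_src"])
    dst = resource_name(packet["eth_dst"], packet["ipv4_dst"])
    match = [("eth_src", packet["eth_src"]), ("ipv4_src", packet["ipv4_src"]),
             ("eth_dst", packet["eth_dst"]), ("ipv4_dst", packet["ipv4_dst"])]
    entry = next((e for e in COMMUNICATION_POLICY
                  if e["src"] == src and e["dst"] == dst), None)
    if entry is None or entry["access"] != "allow":
        return ControlInformation(tuple(match), ("DROP",))
    if entry["condition"]:
        # The condition (option) field restricts the flow to the permitted
        # service port; anything else on this pair is dropped.
        dport = packet.get("tcp_dst")
        match.append(("tcp_dst", dport))
        if dport != entry["condition"]["port"]:
            return ControlInformation(tuple(match), ("DROP",))
    _node, out_port = RESOURCE_LOCATION[dst]
    return ControlInformation(tuple(match), (f"OUTPUT:{out_port}",))
```

The forwarding and drop entries carry a higher priority than the request entries, so once set they take precedence over the Packet-In trigger for that flow.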
As described above, according to this exemplary embodiment, necessary communication setting can be completed just by performing authentication using the name of a resource to be newly connected to the network, without setting the IP address or notifying the MAC address in advance according to the environment of the network. Further, according to this exemplary embodiment, the communication policy for the resource can be automatically determined according to the communication policy (communication policy for each role in Fig. 5) set in advance, so that the burden of the management operation of a network manager or the like can be reduced.
Though the above description was given about each exemplary embodiment of the present disclosure, the present disclosure is not limited to the above-mentioned exemplary embodiments, and further variations, substitutions, and adjustments may be added within a scope without departing from the basic technical concept of the present disclosure. To take an example, in each exemplary embodiment described above, the description was given, assuming that each of the control apparatus 100, the policy management apparatus 310, the policy storage apparatus 320, the authentication apparatus 600, and the identification information storage apparatus 700 is independently provided. A configuration where these apparatuses are appropriately combined can also be employed.
In the above-mentioned exemplary embodiment, Figs. 3 to 7 were shown, and the description was given assuming that the role ID of a resource is identified and used to perform access control. A configuration not using the role ID, however, can also be employed. To take an example, a communication policy defining permission/prohibition of access can be determined based on a resource name given to each resource, an access ID such as a MAC address, resource location information, or the like, and the access control can be performed based on this communication policy.
In the above-mentioned exemplary embodiment, the description was given, assuming that the resource 410 performs an authentication procedure with the authentication apparatus 600 through the forwarding node 200. A configuration where the resource 410 directly communicates with the authentication apparatus 600 to perform the authentication procedure can also be employed.
In the above-mentioned exemplary embodiment, when the resource 410 is connected, only the control information for causing the request for setting the control information to be made with respect to the packet from the resource 410 is set (refer to Fig. 9). Then, the control information is set in a stage where an actual communication flow has occurred (refer to Fig. 10). In the stage from steps S006 to S008 in Fig. 9, calculation of the path (starting from or ending at the resource 410) and generation of the control information that are necessary may be performed, and then, the control information may be set in the forwarding node 200.
Each disclosure of the above-listed Patent Literatures and Non Patent Literatures is incorporated herein by reference. Modification and adjustment of each exemplary embodiment are possible within the scope of the overall disclosure (including the claims) of the present disclosure and based on the technical concept of the present disclosure. Various combinations and selections of various disclosed elements are possible within the scope of the claims of the present disclosure. That is, the present disclosure naturally includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure including the claims and the technical concept.
Finally, preferred modes of the present disclosure are summarized.
<First Mode>
(See the access control system according to the first aspect described above).
<Second Mode>
The access control system in the first mode further includes:
an identification information storage apparatus configured to associate and store the identification information of the resource and a role ID;
the authentication apparatus performs the authentication process by checking the identification information obtained from the resource against content stored in the identification information storage apparatus, and transmits the role ID to the policy management apparatus when the authentication succeeds; and
the policy management apparatus determines the communication policy for the resource, using information indicating permission/inhibition of access set for each role ID.
<Third Mode>
In the access control system in the second mode,
the information indicating the permission/inhibition of access includes permission/inhibition of access to each resource group that groups resources; and
the policy management apparatus refers to the permission/inhibition of access to each resource group, thereby determining the communication policy for the resource.
<Fourth Mode>
In the access control system in any one of the first to third modes,
when receiving the communication policy for the resource from the policy management apparatus, the control apparatus sets, in the forwarding node connected to the resource, control information for causing the forwarding node to make a request for setting the control information to the control apparatus with respect to the packet using the resource as a transmission source or a destination; and
when communication using the resource as the transmission source or the destination occurs, the control apparatus sets, in each forwarding node on a forwarding path of the packet using the resource as the transmission source or the destination, the control information for forwarding the packet using the resource as the transmission source or the destination, based on the communication policy for the resource.
<Fifth Mode>
In the access control system in any one of the first to third modes,
when receiving the communication policy for the resource from the policy management apparatus, the control apparatus calculates the forwarding path of the packet located between the resources starting from or ending at the resource, based on the communication policy for the resource, and sets, in each forwarding node on the forwarding path, the control information for forwarding the packet located between the resources.
<Sixth Mode>
(See the access control method according to the second aspect described above).
<Seventh Mode>
(See the program according to the third aspect described above).
The sixth and seventh modes can be developed into the second to fifth modes, like the first mode.
Each disclosure of the above-listed Patent Literatures and Non Patent Literatures is incorporated herein by reference. Modification and adjustment of each exemplary embodiment and each example are possible within the scope of the overall disclosure (including the claims) of the present invention and based on the technical concept of the present invention. Various combinations and selections of various disclosed elements (including each element in each claim, each element in each exemplary embodiment and each example, and each element in each drawing) are possible within the scope of the claims of the present invention. That is, the present invention naturally includes various variations and modifications that could be made by those skilled in the art according to the overall disclosure including the claims and the technical concept. In particular, it should be interpreted that an arbitrary numerical value and an arbitrary small range included in a numerical value range described herein is specifically described unless otherwise stated herein.
11 node communication unit
12 control message processing unit
13 control information management unit
14 control information storage unit
15 forwarding node management unit
16 path-action calculation unit
17 topology management unit
18 resource location management unit
19 communication policy management unit
20 communication policy storage unit
100 control apparatus
200 forwarding node
310 policy management apparatus
320 policy storage apparatus
410, 420 resource
510, 520 identification information
600 authentication apparatus
700 identification information storage apparatus

Claims (13)

  1. An access control system, comprising:
    a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node;
    a forwarding node configured to process the received packet by referring to the control information;
    an authentication apparatus configured to authenticate a resource connected to the forwarding node, using identification information obtained from the resource; and
    a policy management apparatus configured to determine a communication policy for the resource, using a result of the authentication and the identification information; wherein
    the control apparatus generates the control information associated with the communication policy and sets the generated control information in the forwarding node.
  2. The access control system according to claim 1, further comprising:
    an identification information storage apparatus configured to associate and store the identification information of the resource and a role ID;
    the authentication apparatus performing the authentication process by checking the identification information obtained from the resource against content stored in the identification information storage apparatus and transmitting the role ID to the policy management apparatus when the authentication succeeds;
    the policy management apparatus determining the communication policy for the resource, using information indicating permission/inhibition of access set for each role ID.
  3. The access control system according to claim 2, wherein
    the information indicating the permission/inhibition of access includes permission/inhibition of access to each resource group that groups resources; and
    the policy management apparatus refers to the permission/inhibition of access to each resource group, thereby determining the communication policy for the resource.
  4. The access control system according to any one of claims 1 to 3, wherein
    when receiving the communication policy for the resource from the policy management apparatus, the control apparatus sets, in the forwarding node connected to the resource, control information for causing the forwarding node to make a request for setting the control information to the control apparatus with respect to a packet using the resource as a transmission source or a destination; and
    when a communication using the resource as the transmission source or the destination occurs, the control apparatus sets, in each forwarding node on a forwarding path of the packet using the resource as the transmission source or the destination, the control information for forwarding the packet using the resource as the transmission source or the destination, based on the communication policy for the resource.
  5. The access control system according to any one of claims 1 to 3, wherein
    when receiving the communication policy for the resource from the policy management apparatus, the control apparatus calculates a forwarding path of the packet located between the resources starting from or ending at the resource, based on the communication policy for the resource, and sets, in each forwarding node on the forwarding path, the control information for forwarding the packet located between the resources.
  6. An access control method, comprising the steps of:
    using an apparatus connected to a communication system including a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information;
    authenticating a resource connected to the forwarding node, using identification information obtained from the resource;
    determining a communication policy for the resource, using a result of the authentication and the identification information; and
    generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  7. The access control method according to claim 6, wherein
    in the step of authenticating the resource connected to the forwarding node, using the identification information obtained from the resource,
    performing the authentication process by checking the identification information obtained from the resource against content stored in an identification information storage apparatus configured to associate and store the identification information of the resource and a role ID, and identifying the role ID when the authentication succeeds; and
    in the step of determining the communication policy for the resource, using the result of the authentication and the identification information,
    determining the communication policy for the resource, using information indicating permission/inhibition of access set for each role ID.
  8. The access control method according to claim 7, wherein
    the information indicating the permission/inhibition of access includes permission/inhibition of access to each resource group that groups resources; and
    the communication policy for the resource is determined by referring to the permission/inhibition of access to each resource group.
  9. The access control method according to any one of claims 6 to 8, further comprising the steps of:
    by the control apparatus,
    setting, in the forwarding node connected to the resource, control information for causing the forwarding node to make a request for setting the control information to the control apparatus with respect to the packet using the resource as a transmission source or a destination, based on the communication policy for the resource; and
    setting, in each forwarding node on a forwarding path of the packet using the resource as the transmission source or the destination, the control information for forwarding the packet using the resource as the transmission source or the destination, based on the communication policy for the resource, when communication using the resource as the transmission source or the destination occurs.
  10. The access control method according to any one of claims 6 to 8, further comprising the step of:
    by the control apparatus,
    calculating a forwarding path of the packet located between the resources starting from or ending at the resource, based on the communication policy for the resource, and setting, in each forwarding node on the forwarding path, the control information for forwarding the packet located between the resources.
  11. A program for a computer installed in an apparatus connected to a communication system comprising a control apparatus configured to generate control information defining processing content to be applied to a received packet and then to set the generated control information in a forwarding node, and a forwarding node configured to process the received packet by referring to the control information, the program causing the computer to execute the processes of:
    authenticating a resource connected to the forwarding node, using identification information obtained from the resource;
    determining a communication policy for the resource, using a result of the authentication and the identification information; and
    generating the control information associated with the communication policy and setting the generated control information in the forwarding node.
  12. The program according to claim 11, wherein
    in the process of authenticating the resource connected to the forwarding node, using the identification information obtained from the resource, the program causes the computer to execute the process of:
    performing the authentication process by checking the identification information obtained from the resource against content stored in an identification information storage apparatus configured to associate and store the identification information of the resource and a role ID, and identifying the role ID when the authentication succeeds; and
    in the process of determining the communication policy for the resource, using the result of the authentication and the identification information, the program causes the computer to perform the process of:
    determining the communication policy for the resource, using information indicating permission/inhibition of access set for each role ID.
  13. The program according to claim 12, wherein
    the information indicating the permission/inhibition of access includes permission/inhibition of access to each resource group that groups resources; and
    the communication policy for the resource is determined by referring to the permission/inhibition of access to each resource group.
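As an added example that is not part of the patent or of any NEC implementation, the following Python model traces claims 6 to 9: identification information is checked against a store that maps it to a role ID, the role's per-resource-group permissions decide the communication policy, the forwarding node connected to the resource first receives an entry that hands the resource's packets to the control apparatus, and when communication occurs, forwarding entries are set on every node of the path. All tables, node names and addresses are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample tables (assumed values, not from the patent).
ID_STORE = {"00:11:22:33:44:55": "role-dev",          # identification info -> role ID (claim 7)
            "66:77:88:99:aa:bb": "role-guest"}
RESOURCE_GROUPS = {"grp-servers": {"10.0.1.10", "10.0.1.11"},   # group -> member resources (claim 8)
                   "grp-printers": {"10.0.2.5"}}
ROLE_POLICY = {"role-dev": {"grp-servers": True, "grp-printers": True},    # role ID -> permission per group
               "role-guest": {"grp-servers": False, "grp-printers": True}}


@dataclass(frozen=True)
class FlowEntry:
    """One piece of control information set in a forwarding node."""
    node: str
    src: str
    dst: str
    action: str   # "to_controller", "forward" or "drop"


def authenticate(ident):
    """Claim 7: look the identification info up in the store; role ID on success, else None."""
    return ID_STORE.get(ident)


def policy_permits(role_id, dst_ip):
    """Claim 8: a destination is permitted iff some group containing it is permitted for the role.
    A destination in no group, or a role with no policy, is denied."""
    perms = ROLE_POLICY.get(role_id, {})
    return any(perms.get(g, False) for g, members in RESOURCE_GROUPS.items() if dst_ip in members)


def on_resource_connected(edge_node, ident, resource_ip):
    """Claim 9, first step: after authentication the edge node is told to ask the control
    apparatus about the resource's packets instead of forwarding them; an unauthenticated
    resource only gets a drop entry."""
    role = authenticate(ident)
    action = "to_controller" if role else "drop"
    return role, [FlowEntry(edge_node, resource_ip, "*", action)]


def on_packet_in(role_id, src_ip, dst_ip, path):
    """Claim 9, second step: when communication occurs, install forward entries on every node
    of the path if the policy permits it, otherwise a single drop entry at the edge node."""
    if not policy_permits(role_id, dst_ip):
        return [FlowEntry(path[0], src_ip, dst_ip, "drop")]
    return [FlowEntry(n, src_ip, dst_ip, "forward") for n in path]
```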
PCT/JP2013/005109 2012-08-30 2013-08-29 Access control system, access control method, and program WO2014034119A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2015511530A JP2015530763A (en) 2012-08-30 2013-08-29 Access control system, access control method and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2012-190316 2012-08-30
JP2012190316 2012-08-30

Publications (1)

Publication Number Publication Date
WO2014034119A1 true WO2014034119A1 (en) 2014-03-06

Family

ID=50182953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/005109 WO2014034119A1 (en) 2012-08-30 2013-08-29 Access control system, access control method, and program

Country Status (2)

Country Link
JP (1) JP2015530763A (en)
WO (1) WO2014034119A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101763653B1 (en) * 2016-01-04 2017-08-14 아토리서치(주) Method and apparatus for recognizing and managing network resource

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012077603A1 (en) * 2010-12-09 2012-06-14 日本電気株式会社 Computer system, controller, and network monitoring method
WO2012086816A1 (en) * 2010-12-24 2012-06-28 日本電気株式会社 Communication system, control device, policy management device, communication method, and program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8032558B2 (en) * 2007-01-10 2011-10-04 Novell, Inc. Role policy management

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016163927A1 (en) * 2015-04-10 2016-10-13 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices for access control of data flows in software defined networking system
US10313397B2 (en) 2015-04-10 2019-06-04 Telefonaktiebolaget Lm Ericsson (Publ) Methods and devices for access control of data flows in software defined networking system
WO2020134711A1 (en) * 2018-12-29 2020-07-02 华为技术有限公司 Message forwarding method and apparatus

Also Published As

Publication number Publication date
JP2015530763A (en) 2015-10-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13834141; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2015511530; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13834141; Country of ref document: EP; Kind code of ref document: A1)