WO2017036535A1 - Distributed connection tracking - Google Patents
Publication number: WO2017036535A1 (application PCT/EP2015/070160)
Authority: WO (WIPO, PCT)
Prior art keywords: connection, network, memory, connection tracking, data storage
Classifications
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
- H04L43/026—Capturing of monitoring data using flow identification
- H04L43/12—Network monitoring probes
- H04L67/1008—Server selection for load balancing based on parameters of servers, e.g. available memory or workload
- H04L67/1029—Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers using data related to the state of servers by a load balancer
- H04L41/046—Network management architectures or arrangements comprising network management agents or mobile agents therefor
- H04L43/028—Capturing of monitoring data by filtering
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- the present invention relates to a system for managing at least one network service, to a method for managing network services, and to a computer program product for implementing said method when carried out on a computing device.
- the present invention suggests a distributed connection tracking mechanism, which is achieved by sharing connection tracking data across multiple network nodes of a network.
- some conventional network services are operated in the so-called "silo" model, in which no information is shared between different network services.
- a so-called "service chain", e.g. a chain of the network services: firewall -> network address translation (NAT) -> load-balancer -> hypervisor -> application
- all forwarding elements, through which the packets pass need to repeat certain computations required to maintain network connection states of each of the packets.
- a performance/latency toll is inevitable.
- if the computed data could be shared between the network services of the service chain, the overall system performance could be significantly improved.
- additional costs pertaining to reduced computation efforts in e.g. a data center could be reduced.
- connection tracking mechanisms (e.g. as employed in a conventional Linux kernel) use a local memory data structure (typically a hash table) to manage network connection states of packets (e.g. ESTABLISHED, RELATED, etc.) as well as additional metadata.
- the present invention aims to improve the conventional network service models.
- the present invention has thereby particularly the object to improve the scalability of stateful network services.
- the present invention also seeks to avoid that computations required for maintaining network connection states of packets are unnecessarily repeated. Accordingly, the present invention intends to increase the overall system performance, and to decrease latencies.
- the present invention also intends to avoid all the above-mentioned disadvantages of the so-called "all-in-one" solutions.
- the object of the present invention is achieved by the solution provided in the enclosed independent claims. Advantageous implementations of the present invention are further defined in the dependent claims.
- the present invention proposes to decouple the location in a system, where the network connection state management runs, from the location, where the network service logic runs.
- the present invention proposes changing the way, in which the connection tracking mechanism writes and reads data.
- all read or write operations are directed to an external data storage or memory, without changing any of the lower and higher layers of the network service or the internal behavior of the network system, respectively.
- a first aspect of the present invention provides a system for managing at least one network service, comprising at least one network node including at least one connection tracking module configured to perform connection tracking on at least one packet belonging to a network service session, at least one external data storage or memory configured to store connection tracking data obtained by the at least one connection tracking module, and to share the stored connection tracking data across all network nodes.
- the connection tracking data may comprise a state of the at least one packet (e.g. a network connection state, like ESTABLISHED, RELATED etc.), forwarding information of the at least one packet, inspection data of the at least one packet, or similar information.
- connection tracking data is written and read to/from the external data storage or memory.
- the external storage or memory is preferably able to provide a read/write performance comparable to a local memory in a network node (e.g. by utilizing any of various technologies gaining popularity, like distributed hash table (DHT), Random Access Memory cloud (RAM cloud), Silicon Photonics (SiPh), Network Virtual Memory (NVM), etc.).
- DHT distributed hash table
- RAM cloud Random Access Memory cloud
- SiPh Silicon Photonics
- NVM Network Virtual Memory
- the external data storage or memory thus ensures that the reads and/or writes are fast enough to maintain the speed of the connection tracking logic (typically, in the order of microseconds). This allows an efficient sharing of the connection tracking data across all the network nodes.
- the external data storage or memory, and the sharing of the connection tracking data across all network nodes greatly improves the scalability of the system.
- since the connection tracking data of all packets can be shared among all network nodes of the system, once a network service session has been started in a specific instance of the network service, e.g. on a certain network node, consecutive packets of the same network service session need not be routed to the same instance, but can also be routed to other instances, e.g. to instances on other network nodes.
- the at least one network node includes at least one internal data storage or memory configured to store the connection tracking data obtained by the at least one connection tracking module.
- each network node is configured to access and update the connection tracking data stored in the at least one external data storage or memory.
- the shared connection tracking data can be kept updated at all times, so that each network node of the system has access, for instance, to all current network connection states of packets.
- a software hook is implemented in each connection tracking module. The software hook is configured to write and/or read connection tracking data to and/or from the at least one external data storage or memory.
- a software hook represents a simple but fast and efficient implementation for intercepting computed connection tracking data, and writing it to / reading it from the external data storage or memory.
- the at least one external data storage or memory is configured to store connection metadata, and to share the stored connection metadata across all network nodes.
- the shared connection metadata allows an even more efficient routing of multiple packets of a network service session through different instances, for example, on different network nodes. Thus, the scalability of the system is further supported.
- each network node is configured to add connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
- connection metadata stored in the external storage or memory may be connection metadata obtained in each network node.
- identical connection metadata obtained in different network nodes need be stored only once, since it is shared across all network nodes.
- Each network node has access to the most recent connection metadata from each other network node.
- an auxiliary network is configured to support all read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory.
- each network node is configured to run at least an instance of at least one network service session.
- a network service session can run in one or more instances on one or more network nodes in parallel. This allows increasing the system performance, for instance, by load balancing.
- a distributed connection state is provided across all instances of the at least one network service session running on at least one network node. Consequently, each new packet of a network service session can be routed to any network node of the system without any performance loss.
- the system is thus well scalable (for both scale-in and scale-out).
- a second aspect of the present invention provides a method for managing network services, comprising the steps of performing connection tracking in at least one network node on at least one packet belonging to a network service session, storing obtained connection tracking data in at least one external data storage or memory outside of the at least one network node, and sharing the connection tracking data stored in the at least one external data storage or memory across all network nodes.
- the method comprises the steps of receiving a packet belonging to a network service session at one network node, intercepting obtained connection tracking data of the packet, and sending it to the at least one external data storage or memory, determining a state of the packet by matching the sent connection tracking data with connection tracking data stored in the at least one external data storage or memory, updating the connection tracking data stored in the at least one external data storage or memory by the sent connection tracking data, and processing the packet in the at least one network node based on the determined state.
- the processing of the packet comprises generating connection metadata, storing the generated connection metadata in the at least one external data storage or memory, and sharing the connection metadata across all network nodes.
- connection tracking data is stored in at least one internal data storage or memory of the at least one network node.
- At least one network node accesses and updates the connection tracking data stored in the at least one external data storage or memory.
- a software hook writes connection tracking data from the at least one network node to the at least one external data storage or memory and/or reads it back from there.
- connection metadata is stored in the at least one external data storage or memory, and the stored connection metadata is shared across all network nodes.
- at least one network node adds connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
- read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory are supported by an auxiliary network.
- At least one network node runs at least an instance of at least one network service session.
- a distributed connection state is provided across all instances of the at least one network service session running on at least one network node.
- the method of the second aspect achieves all advantages of the system of the first aspect as described above.
- a third aspect of the present invention provides a computer program product for implementing, when carried out on a computing device, a method for providing network services according to the above second aspect and its implementation forms.
- Fig. 1 shows a basic system according to an embodiment of the present invention.
- Fig. 2 shows an advanced system according to an embodiment of the present invention.
- Fig. 3 shows a basic method according to an embodiment of the present invention.
- Fig. 4 shows an advanced method according to an embodiment of the present invention.
- Fig. 1 shows a basic system 100 according to an embodiment of the present invention.
- the system 100 is used for managing at least one network service 101, and comprises at least one network node 102, wherein preferably each network node 102 is configured to run at least an instance of at least one network service session, and at least one external data storage or memory 104.
- the at least one network service may be one or more of e.g. a firewall, a NAT, a load-balancer, a hypervisor, an application, or the like.
- the at least one network node 102 includes at least one connection tracking module 103, which is configured to perform connection tracking on at least one packet belonging to a network service session. Thereby, connection tracking data is obtained, for instance a network connection state or forwarding information of the at least one packet.
- the at least one external data storage or memory 104 is configured to receive from the at least one network node 102 and store the connection tracking data obtained by the at least one connection tracking module 103. Likewise, it is configured to send the stored connection tracking data 105 to the at least one network node 102, and thereby share it across all network nodes 102 of the system 100.
- the at least one data storage or memory 104 is preferably a distributed hash table (DHT), a Random Access Memory cloud (RAM cloud), or a distributed cache.
- Fig. 2 shows an advanced implementation of the basic system shown in Fig. 1.
- the system 100 includes three network nodes 102 (indicated with Node A, Node B, and Node C) and one external data storage or memory 104.
- the network nodes 102 are preferably each operated by a Linux-based operating system, which includes a Kernel module 204.
- the Kernel module 204 includes preferably the at least one connection tracking module 103.
- the Kernel 204 may further include a network processor 203 acting, for instance, as a forwarding element for packets, and a local (i.e. internal) data storage or memory 200 configured to store the connection tracking data obtained by the at least one connection tracking module 103.
- a software hook 201 may be implemented in each connection tracking module 103, preferably in an API thereof, and is configured to intercept, write and/or read connection tracking data from and/or to the external data storage or memory 104, instead of (or in addition to) the local connection tracking data storage or memory 200.
- the external data storage or memory 104 is preferably a high-speed, low-latency distributed memory (such as a Distributed Memory Data Base or a similar technology), to which the connection tracking data is written, and from which it is read, in order to share it across all network nodes 102. Thereby, a distributed connection state can be provided across all instances of the at least one network service session running on at least one network node 102.
- connection metadata 202 also referred to as extended metadata
- the external data storage or memory 104 may also store connection metadata 202 and share it across all network nodes 102. That is, connection metadata that is continuously aggregated and added in each network node 102 of the system 100 processing a packet belonging to a network service can be written to and read from the external data storage or memory 104.
- the connection metadata may also be stored in one or more internal data storages or memories 200.
- connection tracking data may be readily accessible as e.g. a Global Connection Tracking 105 repository and an Extended Metadata 202 repository, respectively.
- Fig. 3 shows a basic method 300 for managing network services according to an embodiment of the present invention.
- connection tracking in at least one network node 102 is performed on at least one packet 301 arriving at said at least one network node 102, the packet 301 belonging to a network service session.
- the obtained connection tracking data is stored in at least one external data storage or memory 104 located outside of the at least one network node 102.
- the connection tracking data stored in the at least one external data storage or memory 104 is then shared across all network nodes 102.
- Fig. 4 shows further an advanced operation of the basic method 300 shown in Fig. 3.
- Fig. 4 shows a mode of operating of a system 100 as shown in Fig. 2.
- a packet 301 arrives at a network node 102, for example a network node 102 running a first inline network service (e.g. "Service 1" on "Node A" as shown in Fig. 2).
- the packet is then processed in the network node 102 ("Node A"), e.g. by the network processor 203 and/or by the connection tracking module 103.
- the network node 102 may attempt to match a network connection state of the arriving packet, particularly by using a metadata hash tuple from the packet's header (e.g. obtained by a combination of L3 and L4 fields).
- the software hook 201 intercepts this matching attempt together with the connection tracking data of the packet (step 401), and delegates them (step 402) to the external data storage or memory 104.
- a network connection state of the packet may then be determined in the external data storage or memory 104 (step 403), particularly by matching the intercepted connection tracking data with connection tracking data already stored in e.g. the Global Connection Tracking 105 repository shown in Fig. 2.
- a result of the determination is then received (step 409) by the software hook 201, and is returned (step 410) to the network node 102.
- the packet may be further processed (step 405) in the network node 102 based on the determined state.
- the processing (step 405) of the packet may comprise generating (step 406) connection metadata, storing (step 407) the generated connection metadata in the external data storage or memory 104, e.g. in the Extended Metadata 202 repository shown in Fig. 2, and sharing (step 408) the stored connection metadata across all network nodes 102.
- the network node 102 may attempt to create a state.
- the software hook 201 may intercept this attempt to create a state (step 411) and may delegate it (step 412) to the external data storage or memory 104.
- a state may then be created in the external data storage or memory 104, and may e.g. be inserted into the Global Connection Tracking repository 105 (step 404). That means that the connection tracking data stored in the external data storage or memory 104 is updated.
- this updated connection tracking data is advantageously shared (step 408) across all network nodes 102.
- the present invention provides a platform for stateful network services with improved dynamic scalability.
- the platform provided by the present invention allows simple scale-out and scale-in.
- the platform of the present invention also enables out-of-line load balancing, particularly by allowing network services to run in different instances on different network nodes in parallel. Further, no vendor lock-in is necessary, and high availability and network service continuity are readily achievable.
Abstract
The present invention provides a system (100) for managing at least one network service (101). The system (100) comprises at least one network node (102) including at least one connection tracking module (103), which is configured to perform connection tracking on at least one packet belonging to a network service session. Further, the system also comprises at least one external data storage or memory (104) configured to store connection tracking data obtained by the at least one connection tracking module (103), and to share the stored connection tracking data (105) across all network nodes (102).
Description
DISTRIBUTED CONNECTION TRACKING
TECHNICAL FIELD
The present invention relates to a system for managing at least one network service, to a method for managing network services, and to a computer program product for implementing said method when carried out on a computing device. In particular, the present invention suggests a distributed connection tracking mechanism, which is achieved by sharing connection tracking data across multiple network nodes of a network.
BACKGROUND
Conventional stateful network services (e.g. firewalls, load-balancers, etc.) are strongly limited in their dynamic scalability. This is mainly due to their design, which requires that the network connection state of each packet of a network service session be kept in a local storage or memory of a network service host or device (e.g. of a network node). This need to store network connection states locally also means that once a network service session has been started in a specific instance of a network service, all consecutive packets of the same network service session have to be routed to this instance as well.
However, especially for modern cloud networking, dynamic scalability is of utmost importance (i.e. both scaling-out and scaling-in), because traffic load is dynamic, and the network is typically software-defined and needs to adjust itself to automatically accommodate load fluctuations.
Moreover, nowadays the need for composing and chaining multiple different network services is very common. In this respect, conventional network service models have further limitations and drawbacks.
For instance, some conventional network services are operated in the so-called "silo" model, in which no information is shared between different network services. If in this "silo" model one or more packets traverse several network services in a so-called "service chain" (e.g. a chain of the network services: firewall -> network address translation (NAT) -> load-balancer -> hypervisor -> application), all forwarding elements through which the packets pass need to repeat certain computations required to maintain the network connection state of each of the packets. As a consequence, a performance/latency toll is inevitable. If, however, the computed data could be shared between the network services of the service chain, the overall system performance could be significantly improved. Furthermore, the reduced computation effort would lower costs, e.g. in a data center.
In order to address some of the above-mentioned problems in the state of the art, some conventional network services are operated in the so-called "all-in-one" model. For this model a big "all-in-one" machine is created, which contains a shared state. In other words, some network connection states of packets are shared between different network services. In this way, multiple network services can be driven, which are co-located in the same big "all-in-one" machine.
However, the main disadvantages of this "all-in-one" model are:
- Vendor lock-in (i.e. all network services are pre-integrated into a closed system).
- Limited scalability (i.e. the scalability is based on the scale-up limitations of the product).
- Limited features and a constrained product roadmap.
- Limited capability to integrate with network services of third parties.
- High costs of purchasing and licensing.
- High costs for high-availability and redundancy.
Conventional connection tracking mechanisms (e.g. as employed in a conventional Linux kernel) use a local memory data structure (typically a hash table), in order to manage, for instance, network connection states of packets (e.g. ESTABLISHED, RELATED, etc.), as well as additional metadata. These conventional connection tracking mechanisms are fast, but not scalable.
SUMMARY
In view of the above-mentioned problems and disadvantages, the present invention aims to improve the conventional network service models. The present invention has thereby particularly the object to improve the scalability of stateful network services. The present invention also seeks to avoid that computations required for maintaining network connection states of packets are unnecessarily repeated. Accordingly, the present invention intends to increase the overall system performance, and to decrease latencies. The present invention also intends to avoid all the above-mentioned disadvantages of the so-called "all-in-one" solutions.
The object of the present invention is achieved by the solution provided in the enclosed independent claims. Advantageous implementations of the present invention are further defined in the dependent claims.
In particular, the present invention proposes to decouple the location in a system where the network connection state management runs from the location where the network service logic runs. To this end, the present invention proposes changing the way in which the connection tracking mechanism writes and reads data. In particular, all read or write operations are directed to an external data storage or memory, without changing any of the lower and higher layers of the network service or the internal behavior of the network system, respectively.
A first aspect of the present invention provides a system for managing at least one network service, comprising at least one network node including at least one connection tracking module configured to perform connection tracking on at least one packet belonging to a network service session, at least one external data storage or memory configured to store connection tracking data obtained by the at least one connection tracking module, and to share the stored connection tracking data across all network nodes.
The connection tracking data may comprise a state of the at least one packet (e.g. a network connection state, like ESTABLISHED, RELATED etc.), forwarding information of the at least one packet, inspection data of the at least one packet, or similar information.
In the system of the first aspect, the connection tracking data is written and read to/from the external data storage or memory. The external storage or memory is preferably able to provide a read/write performance comparable to a local memory in a network node (e.g. by utilizing any of various technologies gaining popularity, like distributed hash table (DHT), Random Access Memory cloud (RAM cloud), Silicon Photonics (SiPh), Network Virtual Memory (NVM), etc.). The external data storage or memory thus ensures that the reads and/or writes are fast enough to maintain the speed of the connection tracking logic (typically, in the order of microseconds). This allows an efficient sharing of the connection tracking data across all the network nodes. The external data storage or memory, and the sharing of the connection tracking data across all network nodes, greatly improves the scalability of the system.
Furthermore, since the connection tracking data of all packets can be shared among all network nodes of the system, it is possible that once a network service session has been started in a specific instance of the network service, e.g. on a certain network node, consecutive packets of the same network service session need not necessarily be routed to the same instance, but can also be routed to other instances, e.g. to instances on other network nodes.
In a first implementation form of the system according to the first aspect, the at least one network node includes at least one internal data storage or memory configured to store the connection tracking data obtained by the at least one connection tracking module.
By means of this additional internal memory or cache for storing the connection tracking data, the speed performance of the respective network nodes and thus the whole system can be increased.
In a second implementation form of the system according to the first aspect as such or according to the first implementation form of the first aspect, each network node is configured to access and update the connection tracking data stored in the at least one external data storage or memory. Thus, the shared connection tracking data can be kept updated at all times, so that each network node of the system has access, for instance, to all current network connection states of packets. Thereby, the freedom to route consecutive packets belonging to the same network service session as a previous packet to any desired instance on any network node of the system is achieved.
In a third implementation form of the system according to the first aspect as such or according to any of the previous implementation forms of the first aspect, a software hook is implemented in each connection tracking module, the software hook being configured to write and/or read connection tracking data to and/or from the at least one external data storage or memory.
A software hook represents a simple but fast and efficient implementation for intercepting computed connection tracking data, and writing it to / reading it from the external data storage or memory.
In a fourth implementation form of the system according to the first aspect as such or according to any of the previous implementation forms of the first aspect, the at least one external data storage or memory is configured to store connection metadata, and to share the stored connection metadata across all network nodes.
The shared connection metadata allows an even more efficient routing of multiple packets of a network service session through different instances, for example, on different network nodes. Thus, the scalability of the system is further supported.
In a fifth implementation form of the system according to the fourth implementation form of the first aspect, each network node is configured to add connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
Accordingly, the connection metadata stored in the external storage or memory may be connection metadata obtained in each network node. Advantageously, identical connection metadata obtained likewise in different network nodes need only be stored once, since it is shared across all network nodes. Each network node has access to the most recent connection metadata from each other network node.
In a sixth implementation form of the system according to the first aspect as such or according to any of the previous implementation forms of the first aspect, an auxiliary network is configured to support all read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory.
By means of the auxiliary network, the system performance of sharing the connection tracking data, and optionally also the connection metadata, across all network nodes is improved.
In a seventh implementation form of the system according to the first aspect as such or according to any of the previous implementation forms of the first aspect, each network node is configured to run at least an instance of at least one network service session.
Accordingly, a network service session can run in one or more instances on one or more network nodes in parallel. This allows increasing the system performance, for instance, by load balancing.
In an eighth implementation form of the system according to the seventh implementation form of the first aspect, a distributed connection state is provided across all instances of the at least one network service session running on at least one network node. Consequently, each new packet of a network service session can be routed to any network node of the system without any performance loss. The system is thus well scalable (for both scale-in and scale-out).
A second aspect of the present invention provides a method for managing network services, comprising the steps of performing connection tracking in at least one network node on at least one packet belonging to a network service session, storing obtained connection tracking data in at least one external data storage or memory outside of the at least one network node, and sharing the connection tracking data stored in the at least one external data storage or memory across all network nodes.
In a first implementation form of the method according to the second aspect, the method comprises the steps of receiving a packet belonging to a network service session at one network node, intercepting obtained connection tracking data of the packet, and sending it to the at least one external data storage or memory, determining a state of the packet by matching the sent connection tracking data with connection tracking data stored in the at least one external data storage or memory, updating the connection tracking data stored in the at least one external data storage or memory by the sent connection tracking data, and processing the packet in the at least one network node based on the determined state.
In a second implementation form of the method according to the first implementation form of the second aspect, the method comprises the steps of receiving a packet belonging to a network service session at one network node, intercepting obtained connection tracking data of the packet, and sending it to the at least one external data storage or memory, determining a state of the packet by matching the sent connection tracking data with connection tracking data stored in the at least one external data storage or memory, updating the connection tracking data stored in the at least one external data storage or memory by the sent connection tracking data, and processing the packet in the at least one network node based on the determined state.
In a third implementation form of the method according to the second implementation form of the second aspect, the processing of the packet comprises generating connection metadata, storing the generated connection metadata in the at least one external data storage or memory, and sharing the connection metadata across all network nodes.
In a fourth implementation form of the method according to the second aspect as such or according to any of the previous implementation forms of the second aspect, obtained connection tracking data is stored in at least one internal data storage or memory of the at least one network node.
In a fifth implementation form of the method according to the second aspect as such or according to any of the previous implementation forms of the second aspect, at least one network node accesses and updates the connection tracking data stored in the at least one external data storage or memory.
In a sixth implementation form of the method according to the second aspect as such or according to any of the previous implementation forms of the second aspect, a software hook writes and/or reads connection tracking data from and/or to the at least one network node to and/or from the at least one external data storage or memory.
In a seventh implementation form of the method according to the second aspect as such or according to any of the previous implementation forms of the second aspect, connection metadata is stored in the at least one external data storage or memory, and the stored connection metadata is shared across all network nodes.
In an eighth implementation form of the method according to the seventh implementation form of the second aspect, at least one network node adds connection metadata, which is aggregated in the network node by processing the at least one packet, to the connection metadata stored in the at least one external data storage or memory.
In a ninth implementation form of the method according to the second aspect as such or according to any of the previous implementation forms of the second aspect, read and/or write operations of connection tracking data between the at least one network node and the at least one external data storage or memory are supported by an auxiliary network.
In a tenth implementation form of the method according to the second aspect as such or according to any of the previous implementation forms of the second aspect, at least one network node runs at least an instance of at least one network service session.
In an eleventh implementation form of the method according to the tenth implementation form of the second aspect, a distributed connection state is provided across all instances of the at least one network service session running on at least one network node.
The method of the second aspect achieves all advantages of the system of the first aspect as described above.
A third aspect of the present invention provides a computer program product for implementing, when carried out on a computing device, a method for providing network services according to the above second aspect and its implementation forms.
It has to be noted that all devices, elements, units and means described in the present application could be implemented in software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application, as well as the functionalities described to be performed by the various entities, are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof.
BRIEF DESCRIPTION OF DRAWINGS
The above described aspects and implementation forms of the present invention will be explained in the following description of specific embodiments in relation to the enclosed drawings, in which
Fig. 1 shows a basic system according to an embodiment of the present invention.
Fig. 2 shows an advanced system according to an embodiment of the present invention.
Fig. 3 shows a basic method according to an embodiment of the present invention.
Fig. 4 shows an advanced method according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
Fig. 1 shows a basic system 100 according to an embodiment of the present invention. The system 100 is used for managing at least one network service 101, and comprises at least one network node 102, wherein preferably each network node 102 is configured to run at least an instance of at least one network service session, and at least one external data storage or memory 104. The at least one network service may be one or more of e.g. a firewall, NAT, a load-balancer, a hypervisor, an application or the like.
The at least one network node 102 includes at least one connection tracking module 103, which is configured to perform connection tracking on at least one packet belonging to a network service session. Thereby, connection tracking data is obtained, for instance a network connection state or forwarding information of the at least one packet.
The at least one external data storage or memory 104 is configured to receive from the at least one network node 102 and store the connection tracking data obtained by the at least one connection tracking module 103. Likewise, it is configured to send the stored connection tracking data 105 to the at least one network node 102, and thereby share it across all network nodes 102 of the system 100. The at least one data storage or memory 104 is preferably a distributed hash table (DHT), a Random Access Memory cloud (RAM cloud), or a distributed cache.
Fig. 2 shows an advanced implementation of the basic system shown in Fig. 1. In this implementation, the system 100 includes three network nodes 102 (indicated as Node A, Node B, and Node C) and one external data storage or memory 104. The network nodes 102 are preferably each operated by a Linux-based operating system, which includes a Kernel module 204. The Kernel module 204 preferably includes the at least one connection tracking module 103. The Kernel 204 may further include a network processor 203 acting, for instance, as a forwarding element for packets, and a local (i.e. internal) data storage or memory 200 configured to store the connection tracking data obtained by the at least one connection tracking module 103.
Furthermore, a software hook 201 may be implemented in each connection tracking module 103, preferably in an API thereof, and is configured to intercept, write and/or read connection tracking data from and/or to the external data storage or memory 104, instead of (or in addition to) the local connection tracking data storage or memory 200.
The external data storage or memory 104 is preferably a high-speed, low-latency distributed memory (such as a Distributed Memory Data Base or a similar technology), to which the connection tracking data will be written, and from which the connection tracking data will be read, in order to share it across all network nodes 102. Thereby, a distributed connection state can be provided across all instances of the at least one network service session running on at least one network node 102.
In addition to the connection tracking data, the external data storage or memory 104 of the system 100 shown in Fig. 2 can also store connection metadata 202 (also referred to as extended metadata), and can share the stored connection metadata 202 across all network nodes 102. That is, connection metadata that is continuously aggregated and added in each network node 102 of the system 100 processing a packet belonging to a network service can be written to and read from the external data storage or memory 104. The connection metadata may also be stored in one or more internal data storages or memories 200.
Furthermore, it is possible to make available an auxiliary network, preferably a separate physical high-speed, low-latency network, in order to support all connection tracking data reads and/or writes to/from the external data storage or memory 104. Thereby - as is indicated in Fig. 2 - the connection tracking data, and optionally also the connection metadata, may be readily accessible as e.g. a Global Connection Tracking 105 repository and an Extended Metadata 202 repository, respectively.
Fig. 3 shows a basic method 300 for managing network services according to an embodiment of the present invention. In a first step 302 of the method 300, connection tracking in at least one network node 102 is performed on at least one packet 301 arriving at said at least one network node 102, the packet 301 belonging to a network service session. In a second step 303, the obtained connection tracking data is stored in at least one external data storage or memory 104 located outside of the at least one network node 102. In a third step 304, the connection tracking data stored in the at least one external data storage or memory 104 is then shared across all network nodes 102.
Fig. 4 further shows an advanced operation of the basic method 300 shown in Fig. 3. In particular, Fig. 4 shows a mode of operation of a system 100 as shown in Fig. 2. Initially, an arriving packet of a network service session is received (step 400) at a network node 102, for example a network node 102 running a first inline network service (e.g. "Service 1" on "Node A" as shown in Fig. 2). The packet is then processed in the network node 102 ("Node A"), e.g. by the network processor 203 and/or by the connection tracking module 103. For example, the network node 102 may attempt to match a network connection state of the arriving packet, particularly by using a metadata hash tuple from the packet's header (e.g. obtained by a combination of L3 and L4 fields). The software hook 201 intercepts this matching attempt together with the connection tracking data of the packet (step 401), and delegates it (step 402) to the external data storage or memory 104. A network connection state of the packet may then be determined in the external data storage or memory 104 (step 403), particularly by matching the intercepted connection tracking data with connection tracking data already stored in e.g. the Global Connection Tracking 105 repository shown in Fig. 2.
A result of the determination is then received (step 409) by the software hook 201, and is returned (step 410) to the network node 102. If the network connection state of the packet was matched, the packet may be further processed (step 405) in the network node 102 based on the determined state. The processing (step 405) of the packet may comprise generating (step 406) connection metadata, storing (step 407) the generated connection metadata in the external data storage or memory 104, e.g. in the Extended Metadata 202 repository shown in Fig. 2, and sharing (step 408) the stored connection metadata across all network nodes 102.
If a network connection state of the packet was not matched, the network node 102 may attempt to create a state. The software hook 201 may intercept this attempt to create a state (step 411) and may delegate it (step 412) to the external data storage or memory 104. A state may then be created in the external data storage or memory 104, and may e.g. be inserted into the Global Connection Tracking repository 105 (step 404). That means that the connection tracking data stored in the external data storage or memory 104 is updated.
Finally, this updated connection tracking data is advantageously shared (step 408) across all network nodes 102.
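The method of the second aspect and the operation of Fig. 4 (match, delegate, create, share, aggregate metadata) as an added example that is not part of the patent: a small in-process model in which three nodes delegate every connection-state lookup and creation to one shared store, so the reply to a flow opened on Node A is matched on Node B while an unsolicited inbound packet at Node C is dropped. The class and function names, the direction-independent flow key, the inside/outside policy and all sample packets are constructed for this illustration.

```python
"""Added example (not from the patent): distributed connection tracking model."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Flow key built from L3/L4 header fields and made direction-independent by
# ordering the two endpoints, so a reply packet matches its request's entry.
FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ConnEntry:
    state: str                                 # "NEW" or "ESTABLISHED"
    originator: Tuple[str, int]                # endpoint that opened the flow
    metadata: Dict[str, int] = field(default_factory=dict)  # packets seen per node


def flow_key(pkt: Packet) -> FlowKey:
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto, min(a, b), max(a, b))


class ExternalStore:
    """Stands in for the shared external memory (a DHT or RAM cloud in the patent)."""

    def __init__(self) -> None:
        self.entries: Dict[FlowKey, ConnEntry] = {}

    def match(self, key: FlowKey) -> Optional[ConnEntry]:
        return self.entries.get(key)

    def create(self, key: FlowKey, entry: ConnEntry) -> ConnEntry:
        # setdefault keeps the first writer's entry if two nodes race on creation
        return self.entries.setdefault(key, entry)

    def add_metadata(self, key: FlowKey, node: str, count: int) -> None:
        md = self.entries[key].metadata
        md[node] = md.get(node, 0) + count


class Node:
    """A network node whose conntrack hook reads and writes through the shared
    store and mirrors entries in a local cache (the patent's internal memory)."""

    def __init__(self, name: str, store: ExternalStore, inside_prefix: str) -> None:
        self.name = name
        self.store = store
        self.inside_prefix = inside_prefix      # constructed: addresses we protect
        self.cache: Dict[FlowKey, ConnEntry] = {}

    def _is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def handle(self, pkt: Packet) -> str:
        """Stateful-firewall decision for one packet: 'ACCEPT' or 'DROP'."""
        key = flow_key(pkt)
        # Hook: the match attempt is delegated to the shared store (steps 402/403).
        entry = self.store.match(key)
        if entry is None:
            # Unsolicited inbound traffic has no state and may not create one.
            if not self._is_inside(pkt.src_ip):
                return "DROP"
            # Hook: state creation is delegated as well (steps 411/412/404).
            entry = self.store.create(key, ConnEntry("NEW", (pkt.src_ip, pkt.src_port)))
        elif entry.state == "NEW" and (pkt.src_ip, pkt.src_port) != entry.originator:
            entry.state = "ESTABLISHED"         # reply direction seen: shared state updated
        self.cache[key] = entry                 # local mirror of the shared entry
        # Processing generates metadata that is aggregated in the shared store (406-408).
        self.store.add_metadata(key, self.name, 1)
        return "ACCEPT"


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: a flow opened on Node A is answered at Node B, and an
    unsolicited inbound packet arrives at Node C; all three share one store."""
    store = ExternalStore()
    nodes = {n: Node(n, store, inside_prefix="10.0.0.") for n in ("A", "B", "C")}
    request = Packet("tcp", "10.0.0.5", 40001, "203.0.113.9", 443)
    reply = Packet("tcp", "203.0.113.9", 443, "10.0.0.5", 40001)
    unsolicited = Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22)
    return {
        "request@A": nodes["A"].handle(request),
        "reply@B": nodes["B"].handle(reply),          # matched via the shared state
        "unsolicited@C": nodes["C"].handle(unsolicited),
        "state": store.match(flow_key(request)).state,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Without the shared store, Node B would see the reply as a new inbound packet with no matching state and drop it, which is the failure the patent's design avoids.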
In summary, by the proposed system and method, the present invention provides a platform for stateful network services with improved dynamic scalability. The platform provided by the present invention allows simple scale-out and scale-in. The platform of the present invention also enables out-of-line load balancing, particularly by allowing network services to run in different instances on different network nodes in parallel. Further, no vendor lock-in is necessary, and high availability and network service continuity are possible.
The present invention has been described in conjunction with various embodiments as examples as well as implementations. However, other variations can be understood and effected by those persons skilled in the art and practicing the claimed invention, from the studies of the drawings, this disclosure and the independent claims. In the claims as well as in the description the word "comprising" does not exclude other elements or steps and the indefinite article "a" or "an" does not exclude a plurality. A single element or other unit may fulfil the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used in an advantageous implementation.
Claims
1. System (100) for managing at least one network service (101), comprising
at least one network node (102) including at least one connection tracking module (103) configured to perform connection tracking on at least one packet belonging to a network service session,
at least one external data storage or memory (104) configured to store connection tracking data obtained by the at least one connection tracking module, and to share the stored connection tracking data (105) across all network nodes (102).
2. System (100) according to claim 1, wherein
the at least one network node (102) includes at least one internal data storage or memory (200) configured to store the connection tracking data obtained by the at least one connection tracking module (103).
3. System (100) according to claim 1 or 2, wherein
each network node (102) is configured to access and update the connection tracking data (105) stored in the at least one external data storage or memory (104).
4. System (100) according to one of the claims 1 to 3, wherein
a software hook (201) is implemented in each connection tracking module (103), the software hook (201) being configured to write and/or read connection tracking data to and/or from the at least one external data storage or memory (104).
5. System (100) according to one of the claims 1 to 4, wherein
the at least one external data storage or memory (104) is configured to store connection metadata, and to share the stored connection metadata (202) across all network nodes (102).
6. System (100) according to claim 5, wherein
each network node (102) is configured to add connection metadata, which is aggregated in the network node (102) by processing the at least one packet, to the connection metadata (202) stored in the at least one external data storage or memory (104).
7. System (100) according to one of the claims 1 to 6, further comprising
an auxiliary network configured to support all read and/or write operations of connection tracking data between the at least one network node (102) and the at least one external data storage or memory (104).
8. System (100) according to one of the claims 1 to 7, wherein
each network node (102) is configured to run at least an instance of at least one network service session.
9. System (100) according to claim 8, wherein
a distributed connection state is provided across all instances of the at least one network service session running on at least one network node (102).
10. Method (300) for managing network services, comprising the steps of
performing (302) connection tracking in at least one network node (102) on at least one packet (301) belonging to a network service session,
storing (303) obtained connection tracking data in at least one external data storage or memory (104) outside of the at least one network node (102), and
sharing (304) the connection tracking data stored in the at least one external data storage or memory (104) across all network nodes (102).
11. Method (300) according to claim 10, comprising the steps of
receiving (400) a packet belonging to a network service session at one network node (102),
intercepting (401) obtained connection tracking data of the packet, and sending (402) it to the at least one external data storage or memory (104),
determining (403) a state of the packet by matching the sent connection tracking data with connection tracking data stored in the at least one external data storage or memory (104),
updating (404) the connection tracking data stored in the at least one external data storage or memory (104) by the sent connection tracking data, and
processing (405) the packet in the at least one network node based on the determined state.
12. Method (300) according to claim 11, wherein
the processing (405) of the packet comprises generating (406) connection metadata, storing (407) the generated connection metadata in the at least one external data storage or memory (104), and sharing (408) the connection metadata across all network nodes (102).
13. Computer program product for implementing, when carried out on a computing device, a method (300) for providing network services according to one of the claims 10 to 12.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2015/070160 WO2017036535A1 (en) | 2015-09-03 | 2015-09-03 | Distributed connection tracking |
PCT/EP2016/070776 WO2017037265A1 (en) | 2015-09-03 | 2016-09-02 | Distributed connection tracking and load balancing |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017036535A1 (en) | 2017-03-09 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11399034B2 (en) | 2016-06-22 | 2022-07-26 | Huawei Cloud Computing Technologies Co., Ltd. | System and method for detecting and preventing network intrusion of malicious data flows |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013036646A1 (en) * | 2011-09-08 | 2013-03-14 | Mcafee, Inc. | Application state sharing in a firewall cluster |
US20140136680A1 (en) * | 2012-11-09 | 2014-05-15 | Citrix Systems, Inc. | Systems and methods for appflow for datastream |
EP2768200A1 (en) * | 2013-02-18 | 2014-08-20 | Stonesoft Corporation | Receiving data packets |
US20140281030A1 (en) * | 2013-03-15 | 2014-09-18 | Vmware, Inc. | Virtual Network Flow Monitoring |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6606316B1 (en) * | 1999-07-02 | 2003-08-12 | Cisco Technology, Inc. | Gathering network statistics in a distributed network service environment |
US7606929B2 (en) * | 2003-06-30 | 2009-10-20 | Microsoft Corporation | Network load balancing with connection manipulation |
US9331891B2 (en) * | 2012-10-11 | 2016-05-03 | International Business Machines Corporation | Virtual consolidated appliance |
US9553809B2 (en) * | 2013-04-16 | 2017-01-24 | Amazon Technologies, Inc. | Asymmetric packet flow in a distributed load balancer |
Also Published As
Publication number | Publication date |
---|---|
WO2017037265A1 (en) | 2017-03-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15760434; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 15760434; Country of ref document: EP; Kind code of ref document: A1 |