WO2015145976A1 - Communication system, control instruction device, control execution device, communication control method, and storage medium on which a program is stored - Google Patents
- Publication number
- WO2015145976A1 (PCT/JP2015/000992)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- communication status
- packet
- information
- communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/64—Hybrid switching systems
- H04L12/6418—Hybrid transport
Definitions
- the present invention relates to a communication system, a control instruction device, a control execution device, a communication control method, and a storage medium for storing a program.
- OpenFlow (see Non-Patent Documents 1 and 2) is a technology that treats communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis.
- the OpenFlow switch specified in Non-Patent Document 2 includes a secure channel for communication with the OpenFlow controller, and operates according to a flow table that is appropriately added to or rewritten by the OpenFlow controller. In the flow table, a set of a match condition (Match Fields), flow statistical information (Counters), and an instruction (Instructions) that defines processing contents is defined for each flow (for example, see the section “4.1 Flow Table” of Non-Patent Document 2).
- the OpenFlow switch searches the flow table for an entry having a matching condition (see “4.3 Match Fields” in Non-Patent Document 2) that matches the header information of the received packet.
- the OpenFlow switch updates the flow statistical information (counter) and executes the processing contents described in the instruction field of the entry on the received packet.
- the processing content is, for example, packet transmission from a designated port, flooding or discarding.
- when no matching entry is found, the OpenFlow switch sends an entry setting request to the OpenFlow controller via the secure channel, that is, a request to transmit control information for processing the received packet (Packet-In message).
- the OpenFlow switch receives a flow entry whose processing content is defined and updates the flow table. As described above, the OpenFlow switch performs packet transfer using the entry stored in the flow table as control information.
- Patent Document 1 discloses an example of an access control apparatus that performs role-based access control (Role-Based Access Control, hereinafter referred to as “RBAC”).
- the access control device disclosed in Patent Literature 1 includes a user information table, a role information table, and an access control table.
- the user information table stores a user and an attribute value that the user has in association with each other.
- the role information table stores a combination of attribute values and a role defined by the combination of the attribute values in association with each other.
- the access control table stores the content and role ID (Identifier) in association with each other.
- the role ID defines an access condition for the content.
- the access control device disclosed in Patent Literature 1 sets a list of users having attribute values corresponding to roles in the user list information table for each role based on the user information table and the role information table.
- the access control unit identifies the role of the access condition based on the access control table, and determines the access authority depending on whether or not the accessing user is included in the user list of the specified role.
- the technique disclosed in the prior art document has a problem in that access control according to the current communication status of the node that is the transmission source or transmission destination of the packet cannot be performed. This is because the technology disclosed in the prior art document does not have a mechanism for detecting the current communication status of a certain node and performing access control.
- Policy 1: While node A is accessing node C, where customer confidential information is stored, communication from node A to node B is not permitted.
- Policy 2: While node A is not accessing node C, communication from node A to node B is permitted.
- An object of the present invention is to realize access control according to the current communication status of a node that is a transmission source of a packet or a node that is a transmission destination.
- a first aspect of the present invention is a control instruction device comprising: a communication status management unit that stores, in a communication status storage unit, a communication status between nodes that communicate via a control execution device that processes a packet based on an instruction given in response to an inquiry regarding a packet processing method; a determination unit that obtains, by referring to the communication status storage unit, a communication status between the transmission source node or the transmission destination node of the packet to be inquired and another node, and determines a processing method of the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node; and an instruction unit that instructs the control execution device of the determined processing method.
- a second aspect of the present invention is a communication system including a control execution device and a control instruction device, wherein the control execution device makes an inquiry to the control instruction device about a packet processing method and includes a packet processing unit that processes the packet based on an instruction given in response to the inquiry, and wherein the control instruction device includes: a communication status management unit that stores, in a communication status storage unit, a communication status between nodes that communicate via the control execution device; a determination unit that obtains, by referring to the communication status storage unit, a communication status between the transmission source node or the transmission destination node of the packet to be inquired and another node, and determines a processing method of the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node; and an instruction unit that instructs the control execution device of the determined processing method.
- a control method in which a control instruction apparatus, communicably connected to a control execution apparatus that processes a packet based on an instruction given in response to an inquiry regarding a packet processing method, stores in a communication status storage unit a communication status between nodes that communicate via the control execution apparatus; obtains, by referring to the communication status storage unit, a communication status between the transmission source node or the transmission destination node of the packet that is the target of the inquiry and another node; determines a processing method of the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node; and instructs the control execution apparatus of the determined processing method.
- a control execution device that processes the packet and a computer that is communicably connected to a node between the nodes via the control execution device
- a computer-readable storage medium storing a program for executing a process for determining a processing method of the packet based on a communication status of the transmission destination node and at least one of the transmission source node and the transmission destination node, and a process for instructing the control execution apparatus of the determined processing method.
- the object of the present invention is also achieved by a program stored in the computer-readable storage medium.
- according to the present invention, it is possible to realize access control according to the current communication status of a node that is a transmission source or transmission destination of a packet.
- FIG. 1 is a block diagram showing a configuration of a communication system 1000 according to the first embodiment of the present invention.
- FIG. 2 is a block diagram showing the configuration of the communication system 1000 according to the first embodiment of the present invention.
- FIG. 3 is a diagram illustrating an example of information stored in the instruction cache 130 according to the first embodiment of the present invention.
- FIG. 4 is a diagram illustrating an example of information stored in the communication status storage unit 240 according to the first embodiment of the present invention.
- FIG. 5 is a diagram illustrating an example of information stored in the first table 250 according to the first embodiment of the present invention.
- FIG. 6 is a diagram illustrating an example of information stored in the second table 260 according to the first embodiment of the present invention.
- FIG. 7 is a diagram for explaining the outline of processing of the communication system 1000 according to the first embodiment of the present invention.
- FIG. 8 is a diagram for explaining an overview of processing of the communication system 1000 according to the first embodiment of the present invention.
- FIG. 9 is a sequence diagram illustrating an example of the operation of the communication system 1000 according to the first embodiment of the present invention.
- FIG. 10 is a sequence diagram illustrating an example of the operation of the communication system 1000 according to the first embodiment of the present invention.
- FIG. 11 is a diagram illustrating an example of information stored in the first table 251 according to the first embodiment of the present invention.
- FIG. 12 is a diagram illustrating an example of information stored in the first table 252 according to the first embodiment of the present invention.
- FIG. 13 is a block diagram showing a configuration of a communication system 1000A according to the second embodiment of the present invention.
- FIG. 14 is a block diagram showing a configuration of a communication control apparatus 300B according to the third embodiment of the present invention.
- FIG. 15 is a block diagram illustrating an example of a configuration of a computer that can implement a communication execution device and a control instruction device, or a communication control device, according to each embodiment of the present invention.
- a node is, for example, a terminal (information processing apparatus).
- the node may be a virtual node realized by virtualization software.
- the packet transmission source node is a term indicating a node that has transmitted the packet.
- the packet transmission destination node is a term indicating a node which is a destination of the packet.
- information for identifying a transmission source node of a packet is referred to as a “transmission source node identifier”.
- information for identifying a transmission destination node of a packet is referred to as a “transmission destination node identifier”.
- the node identifier is, for example, an IP (Internet Protocol) address or a MAC (Media Access Control) address, but is not limited thereto.
- FIG. 1 is a block diagram showing a configuration of a communication system 1000 according to the first embodiment.
- the communication system 1000 includes a control execution device 100 and a control instruction device 200.
- the control execution device 100 is, for example, a network switch (hereinafter also referred to as “switch”).
- a network switch is a communication device capable of switching a communication path in a communication network (hereinafter also referred to as “network”) by switching, for example, a transfer destination device of a packet flowing through the communication network.
- the control execution apparatus 100 is connected to a network and performs processing for transferring a received packet.
- the control execution apparatus 100 receives an instruction regarding the packet processing method from the control instruction apparatus 200.
- the control execution apparatus 100 transfers the received packet according to the packet processing method instructed from the control instruction apparatus 200.
- the control instruction device 200 is a controller, for example.
- the control instruction device 200 is connected to a network, and is connected to the control execution device 100 via the network.
- the control instruction device 200 receives an inquiry from the control execution device 100 regarding the packet transfer method.
- the control instruction device 200 gives an instruction for the inquiry to the control execution device 100.
- FIG. 2 is a block diagram showing a detailed configuration of the control execution device 100 and the control instruction device 200 shown in FIG.
- control execution apparatus 100 includes a packet processing unit 110, an inquiry unit 120, and an instruction cache 130.
- the packet processing unit 110 processes the received packet based on the processing method stored in the instruction cache 130.
- the inquiry unit 120 will be described.
- the inquiry unit 120 inquires the control instruction apparatus 200 about the received packet processing method. Also, the inquiry unit 120 receives an instruction (that is, a packet processing method) for the inquiry from the control instruction apparatus 200.
- the inquiry unit 120 writes the received packet processing method in the instruction cache 130. As a result, packets having the same characteristics are processed using the entries stored in the instruction cache 130.
- the instruction cache 130 will be described.
- the instruction cache 130 stores an entry indicating the packet processing method received from the control instruction apparatus 200. For example, when the control execution apparatus 100 is an OpenFlow switch, the instruction cache 130 corresponds to a flow table.
- FIG. 3 is a diagram illustrating an example of information stored in the instruction cache 130.
- the instruction cache 130 stores a plurality of entries.
- each entry is information that associates the node identifier of the packet source node (i.e., the source node identifier), the node identifier of the packet destination node (i.e., the destination node identifier), and the processing method of the packet. For example, when the transmission source node of the packet received by the control execution apparatus 100 is the node 4 and the transmission destination node is the node 5, the control execution apparatus 100 should transmit the packet to the port 1.
- control instruction device 200 includes an instruction unit 210, a determination unit 220, a communication status management unit 230, a communication status storage unit 240, a first table 250, and a second table 260.
- the first table 250 and the second table 260 represent storage units that store information in the form of a table, for example.
- the first table 250 is also referred to as a first information storage unit 250.
- the second table 260 is also expressed as a second information storage unit 260.
- the instruction unit 210 will be described.
- the instruction unit 210 receives an inquiry about the packet processing method from the control execution apparatus 100.
- the instruction unit 210 instructs the control execution apparatus 100 how to process the packet.
- the instruction unit 210 transmits an instruction to delete a specific entry stored in the instruction cache 130 to the control execution apparatus 100 at a predetermined timing.
- the determination unit 220 will be described.
- the determination unit 220 refers to the information stored in the header of the packet to acquire the transmission source node identifier and the transmission destination node identifier of the packet.
- the determination unit 220 searches the communication status storage unit 240, the first table 250, and the second table 260 based on the transmission source node identifier and the transmission destination node identifier. Details of the first table 250 and the second table 260 will be described later.
- the determination unit 220 determines a processing method for the packet based on the result obtained by the search.
- the communication status management unit 230 will be described.
- when the control instruction apparatus 200 detects that a connection has been established between a transmission source node and a transmission destination node of a packet, the communication status management unit 230 stores an entry for the packet in the communication status storage unit 240.
- the entry includes information in which the transmission source node identifier and the transmission destination node identifier of the packet are associated with each other.
- when the determination unit 220 determines to disconnect the connection between the transmission source node and the transmission destination node of a certain packet, the communication status management unit 230 deletes the entry for the packet from the communication status storage unit 240.
- the communication status management unit 230 only needs to operate so as to maintain a state in which the above-described entry is stored in the communication status storage unit 240.
- the operation of the communication status management unit 230 is not limited to the specific example described above.
- the communication status storage unit 240 stores an entry in which a transmission source node identifier and a transmission destination node identifier are associated with each other.
- FIG. 4 is a diagram illustrating an example of entries held in the communication status storage unit 240.
- the entry in the first line illustrated in FIG. 4 includes a source node identifier, a destination node identifier, and a service or protocol identifier.
- the communication status storage unit 240 may store a plurality of identifiers such as identifiers of each layer of the network, for example.
- the communication status storage unit 240 may store, for example, a MAC address, which is an identifier of layer 2 (L2) of the OSI (Open Systems Interconnection) reference model, or an IP address, which is an identifier of layer 3 (L3).
- the communication status storage unit 240 may store a plurality of transmission destination identifiers. Further, the communication status storage unit 240 may store not only one but also a plurality of identifiers of the source and destination services and protocols.
- the communication status storage unit 240 may store a port number instead of the transmission source node identifier or the transmission destination node identifier.
- the first table 250 (that is, the first information storage unit 250) will be described.
- the first table 250 stores information (that is, first information) in which the identifier of the node, the current communication status of the node, and the role in the current communication status of the node are associated with each other.
- the first table 250 may store the first information in a table format.
- the first table 250 may store the first information in a format other than the table format.
- the role of the node in the current communication state may be simply referred to as “node role”.
- a role is sometimes called a “role”.
- the communication status represents, for example, whether or not a connection with another specific node has been established.
- the communication status may be represented by, for example, a combination of a node identifier and a value indicating whether or not a connection with the node specified by the identifier is established.
- for each node, an organization network that the node can access is determined.
- for example, a certain node is a node that handles customer data, while another node is a node that is used only locally, so roles that are not necessarily the same are assigned to the respective nodes.
- the role and importance of these nodes are collectively expressed as roles.
- FIG. 5 is a diagram illustrating an example of information stored in the first table 250.
- the information shown in the first row indicates that the role of node 1 is “B” while node 1 establishes a connection with node 3.
- the information shown in the second row indicates that the role of node 1 is “A” while node 1 has not established a connection with node 3.
- the communication system 1000 has a configuration in which the role (role) of the node dynamically changes according to the current communication state of the node.
- the information shown in the fifth line indicates that the role of the node 10 is “D” regardless of the current communication status.
- the symbol “*” shown in the fifth and sixth lines indicates a wild card.
- the communication status represented by the wild card matches any communication status. Therefore, when a role is associated with an identifier of a node and a communication status represented by a wild card, the role of the node represented by the identifier is determined regardless of the communication status. Thus, there may be a node whose role is determined regardless of the current communication status.
- the role associated with the first entry determined to match both the transmission source node and the communication status of the transmission source node is the role of the transmission source node.
- the node identifier represented by the wild card matches any node identifier. Therefore, when a role is associated with the identifier of a node represented by the wild card and a communication status, the role of a node in that communication status is determined regardless of which node it is.
- the information shown in the sixth line indicates that the role of a node that currently has a connection established with the node 7 is “E”, regardless of which node it is. Thus, the role of a node may be determined regardless of which node the node is.
- the second table 260 (that is, the second information storage unit 260) will be described.
- the second table 260 stores information (that is, second information) in which a combination of a role of a transmission source node of a packet and a role of a transmission destination node of the packet is associated with a processing method for the packet.
- the second table 260 may store the second information in a table format.
- the second table 260 may store the second information in a format other than the table format.
- the processing method stored in the second table 260 may be information in a format that the control execution device 100 can interpret, or information in a format that the control execution device 100 cannot interpret as it is.
- FIG. 6 is a diagram illustrating an example of information stored in the second table 260.
- the role of the transmission source node and the role of the transmission destination node may each be represented by the above-described symbol “*” (that is, a wild card), which matches any role.
- when the role of the transmission source node is a wild card, the processing method is determined by the role of the transmission destination node regardless of the role of the transmission source node.
- when the role of the transmission destination node is a wild card, the processing method is determined by the role of the source node, regardless of the role of the destination node.
- the information shown in the first line indicates that when the role of the transmission source node of the packet is “A” and the role of the transmission destination node is “B”, the processing method of the packet is “ALLOW and exclusive”. “ALLOW and exclusive” represents, for example, that a packet is transmitted exclusively (that is, the packet is transmitted while occupying a communication path).
- the information shown in the second line indicates that the packet processing method is “DENY” when the role of the transmission destination node is “C”, regardless of the role of the packet transmission source node. “DENY” represents, for example, that the transmission of the packet is rejected.
- the second information stored in the second table 260 may be a database built from documents such as security standards and procedure manuals.
- the security standard is, for example, PCI DSS (Payment Card Industry Data Security Standard).
- the security standard describes, for example, security items that should be protected during system operation.
- the second table 260 stores, for example, information obtained by converting a security standard described in a natural language into a format that can be automatically determined by the control instruction device 200 as second information.
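The lookup chain described above (communication status storage unit 240, then first table 250 with first-match and wild-card rows, then second table 260, with the instruction cache 130 in front) can be sketched as follows. This is an added example, not code from the patent: the node names, the row marked "constructed", treating a connection as applying to both endpoints, the default-deny fallback, and dropping cached entries whenever a node's connection state changes are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

WILDCARD = "*"
DEFAULT_ACTION = "DENY"  # assumption: deny when no second-table row matches


@dataclass(frozen=True)
class RoleRule:
    node: str        # node identifier, or "*" for any node
    peer: str        # peer the status condition refers to, or "*" for any status
    connected: bool  # required connection state towards `peer` (ignored if peer is "*")
    role: str


# First table 250: (node, communication status) -> role. The first match wins.
FIRST_TABLE = [
    RoleRule("node1", "node3", True, "B"),    # Fig. 5 row 1 as described in the text
    RoleRule("node1", "node3", False, "A"),   # Fig. 5 row 2
    RoleRule("node10", WILDCARD, True, "D"),  # Fig. 5 row 5: any communication status
    RoleRule(WILDCARD, "node7", True, "E"),   # Fig. 5 row 6: any node connected to node 7
    RoleRule("node2", WILDCARD, True, "B"),   # constructed row, not from the page
]

# Second table 260: (source role, destination role) -> processing method.
SECOND_TABLE = [
    ("A", "B", "ALLOW and exclusive"),        # Fig. 6 row 1 as described in the text
    (WILDCARD, "C", "DENY"),                  # Fig. 6 row 2
]


class ControlInstructionDevice:
    def __init__(self, invalidate_on_change: bool = True):
        self.connections = set()  # communication status storage unit 240
        self.cache = {}           # stands in for the instruction cache 130
        self.invalidate_on_change = invalidate_on_change

    def is_connected(self, node: str, peer: str) -> bool:
        # Assumption: an established connection counts for both endpoints.
        return frozenset((node, peer)) in self.connections

    def set_connection(self, a: str, b: str, up: bool) -> None:
        """Communication status management unit 230: record or drop a connection."""
        pair = frozenset((a, b))
        if up:
            self.connections.add(pair)
        else:
            self.connections.discard(pair)
        if self.invalidate_on_change:
            # The roles of a and b may have changed, so cached decisions
            # that involve either node are stale and must be removed.
            self.cache = {k: v for k, v in self.cache.items() if not {a, b} & set(k)}

    def role_of(self, node: str) -> Optional[str]:
        for rule in FIRST_TABLE:
            if rule.node not in (WILDCARD, node):
                continue
            if rule.peer == WILDCARD or self.is_connected(node, rule.peer) == rule.connected:
                return rule.role
        return None

    def decide(self, src: str, dst: str) -> str:
        """Determination unit 220: roles first, then the role-pair lookup."""
        src_role, dst_role = self.role_of(src), self.role_of(dst)
        for rule_src, rule_dst, action in SECOND_TABLE:
            if rule_src in (WILDCARD, src_role) and rule_dst in (WILDCARD, dst_role):
                return action
        return DEFAULT_ACTION

    def packet_in(self, src: str, dst: str) -> str:
        """Cache lookup first; ask the determination logic only on a miss."""
        key = (src, dst)
        if key not in self.cache:
            self.cache[key] = self.decide(src, dst)
        return self.cache[key]


def demo(invalidate_on_change: bool):
    """node1 -> node2 before, during and after node1's connection to node3."""
    ctl = ControlInstructionDevice(invalidate_on_change)
    before = ctl.packet_in("node1", "node2")
    ctl.set_connection("node1", "node3", True)
    during = ctl.packet_in("node1", "node2")
    ctl.set_connection("node1", "node3", False)
    after = ctl.packet_in("node1", "node2")
    return before, during, after


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

With `invalidate_on_change=False` the cached "ALLOW and exclusive" entry survives the state change, so the packet from node1 to node2 is still forwarded while node1 is connected to node3; this is the failure mode a state-dependent policy has to rule out when decisions are cached on the switch.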
- Outline of communication control processing: FIGS. 7 and 8 are diagrams for conceptually explaining an outline of communication control processing performed by the communication system 1000 according to the first embodiment.
- FIGS. 7 and 8 indicate the flow of packets from the node that is the source of the arrow (that is, the start point) to the node that is the tip of the arrow (that is, the end point).
- the dotted arrows in FIGS. 7 and 8 indicate that a connection is established between the node that is the source of the arrow and the node that is the destination of the arrow.
- node 1 is going to transmit a packet to node 2 from now on. That is, node 1 is a transmission source node, and node 2 is a transmission destination node. In FIG. 7, node 1 and node 3 are in a state where a connection is established.
- the communication system 1000 controls the flow of packets from the transmission source node to the transmission destination node according to the current communication status of the transmission source node. For example, the communication system 1000 controls the flow of packets from the node 1 to the node 2 depending on whether or not the node 1 is currently establishing a connection with the node 3.
- node 1 is a node which is going to transmit a packet to node 2 from now on. That is, node 1 is a transmission source node, and node 2 is a transmission destination node. In FIG. 8, the nodes 2 and 3 are in a state where a connection is established.
- the communication system 1000 may control the flow of packets from the transmission source node to the transmission destination node according to the current communication state of the transmission destination node. For example, the communication system 1000 controls the flow of packets from the node 1 to the node 2 depending on whether or not the node 2 is currently establishing a connection with the node 3.
- the communication system 1000 may control the flow of packets from the transmission source node to the transmission destination node in consideration of both the current communication status of the transmission source node and the current communication status of the transmission destination node.
- FIG. 9 is a sequence diagram illustrating an example of the operation of the communication system 1000 according to the first embodiment. In the following description, it is assumed that the transmission source node is node 1 and the transmission destination node is node 2.
- the node 1 that is the transmission source node transmits the packet whose destination is the node 2 to the control execution apparatus 100 (step S101).
- the control execution apparatus 100 receives the packet.
- the control execution apparatus 100 refers to the header of the packet and acquires the transmission source node identifier and the transmission destination node identifier of the packet.
- the control execution apparatus 100 searches the instruction cache 130 based on the transmission source node identifier and the transmission destination node identifier. Specifically, the control execution apparatus 100 searches the instruction cache 130 to extract an entry that includes the transmission source node identifier and the transmission destination node identifier obtained from the packet (that is, an entry related to the packet).
- an entry related to the packet exists in the instruction cache 130 (YES in step S102).
- the entry related to the packet stored in the instruction cache 130 includes a method for processing the packet.
- the control execution apparatus 100 processes the packet according to the packet processing method stored in the instruction cache 130 (step S104).
- when no such entry exists, the control execution apparatus 100 inquires of the control instruction apparatus 200 about the processing method of the packet.
- the control instruction device 200 receives an inquiry about the packet processing method from the control execution device 100 and determines the packet processing method (step S103).
- the control instruction device 200 instructs the control execution device 100 on the determined processing method.
- the control instruction apparatus 200 may indicate the processing method to the control execution apparatus 100 by transmitting the determined processing method to the control execution apparatus 100. Details of the operation shown in step S103 will be described later.
- the control execution apparatus 100 receives a processing method from the control instruction apparatus 200.
- the control execution apparatus 100 processes the packet based on the received processing method (step S104).
- the node 2 receives the packet (step S105).
- FIG. 10 is a sequence diagram for explaining the operation shown in step S103 in more detail.
- the instruction unit 210 receives an inquiry about the packet processing method from the control execution apparatus 100 (step S201).
- the determination unit 220 refers to the header of the packet and acquires the transmission source node identifier and the transmission destination node identifier of the packet.
- the determination unit 220 searches the communication status storage unit 240 using the acquired transmission source node identifier and transmission destination node identifier as keys (step S202). By performing such a search, the determination unit 220 extracts an entry including the transmission source node identifier of the packet. In addition, the determination unit 220 extracts an entry including the transmission destination node identifier of the packet.
- the communication status storage unit 240 returns the current communication status of the transmission source node specified by the acquired transmission source node identifier to the determination unit 220.
- the transmission source node of the packet is node 1.
- the communication status storage unit 240 returns the current communication status of the transmission destination node specified by the acquired transmission destination node identifier to the determination unit 220.
- the transmission destination node of the packet is the node 2.
- the communication status of a node returned to the determination unit 220 by the communication status storage unit 240 may be information indicating another node with which the node has established a connection, for example.
- the determination unit 220 may read, from the communication status storage unit 240, the identifier of the node associated with the transmission source node identifier of the packet in an entry stored in the communication status storage unit 240. In addition, the determination unit 220 may read, from the communication status storage unit 240, the node identifier associated with the destination node identifier of the packet in an entry stored in the communication status storage unit 240. As described above, when an entry including the identifier of a certain node is stored in the communication status storage unit 240, the determination unit 220 obtains information indicating that the node has established a connection with the other node whose identifier is included in the entry. For example, when the communication status storage unit 240 stores only the entries shown in FIG.
- the communication status storage unit 240 may return information that “the node 1 is currently establishing a connection with the node 3” to the determination unit 220. In addition, the communication status storage unit 240 may return information that “the node 2 is not currently establishing a connection with any node” to the determination unit 220.
- the determination unit 220 searches the first table 250 using the transmission source node identifier and the current communication status of the transmission source node as keys (step S204). Further, the determination unit 220 searches the first table 250 using the destination node identifier and the current communication status of the destination node as keys (step S204).
- the determination unit 220 may extract, from the information stored in the first table 250, the role associated with the node identifier that matches the source node identifier and with the communication status that matches the returned communication status of the source node, as the role of the source node. Further, the determination unit 220 may extract, from the information stored in the first table 250, the role associated with the node identifier that matches the destination node identifier and with the communication status that matches the returned communication status of the destination node, as the role of the destination node.
- the source node identifier is matched by, for example, an identifier identical to the source node identifier and by the symbol “*” described above.
- the destination node identifier is matched by, for example, an identifier identical to the destination node identifier and by the symbol “*” described above.
- a communication status is matched by the identical communication status and by the symbol “*” described above.
- the information stored in the first table 250 may be set so that the roles of a plurality of transmission source nodes are not extracted with respect to the transmission source node identifier and the communication status of the transmission source node.
- when the roles of a plurality of transmission source nodes are extracted with respect to the transmission source node identifier and the communication status of the transmission source node, the determination unit 220 may select the role of one transmission source node from the extracted roles according to a predetermined rule. In the example illustrated in FIG. 6, the determination unit 220 may determine, row by row in order from the first row, whether the node identifier and the communication status of the row match the source node identifier and the communication status that are the keys.
- the determination unit 220 may extract the role associated with the node identifier and communication status first determined to match the transmission source node identifier and the communication status as the role of the transmission source node.
- when the roles of a plurality of destination nodes are extracted, the determination unit 220 may select the role of one destination node from the extracted roles according to a predetermined rule. In the case of the example illustrated in FIG. 6, the determination unit 220 may determine, row by row in order from the first row, whether the node identifier and the communication status of the row match the destination node identifier and the communication status that are the keys.
- the determination unit 220 may extract the role associated with the node identifier and communication status first determined to match the transmission source node identifier that is the key and the communication status as the role of the transmission destination node.
- the first table 250 returns the role of the transmission source node and the role of the transmission destination node to the determination unit 220 (step S205).
- the determination unit 220 may read the role detected as the destination role from the first table 250. Furthermore, the determination unit 220 may read the role detected as the role of the transmission source node from the first table 250.
- when the first table 250 stores the information illustrated in FIG. 5, the role of the transmission source node (that is, the node 1) in the current communication state is “B”. Further, the role in the current communication state of the transmission destination node (that is, the node 2) is “A”.
- the determining unit 220 searches the second table 260 using the combination of the role of the transmission source node (B in the above example) and the role of the transmission destination node (A in the above example) as a key (step S206).
- the determination unit 220 may detect, in the second table 260, the “role of the transmission source node” and the “role of the transmission destination node” that match the combination of the role of the transmission source node and the role of the transmission destination node read from the first table 250.
- the determination unit 220 may extract the processing method associated with the detected combination of the “source node role” and the “destination node role” in the second table 260.
- a role is matched by the identical role and by the role represented by the symbol “*” described above.
- the role of the transmission source node read from the first table 250 matches, for example, a “role of the transmission source node” in the second table 260 that is the same role or that is the above-mentioned symbol “*”.
- the role of the destination node read from the first table 250 matches, for example, a “role of the destination node” in the second table 260 that is the same role or that is the above-mentioned symbol “*”.
- a combination of “source node role” and “destination node role” that match, respectively, the source node role and the destination node role included in the key combination matches the key combination.
- the information stored in the second table 260 may be set so that a plurality of processing methods are not extracted for one key.
- the determination unit 220 may select one processing method from the extracted processing methods according to a predetermined method. For example, in the example illustrated in FIG. 6, the determination unit 220 may determine whether or not the role of the transmission source node and the role of the transmission destination node match the key in order from the first row. Then, the determination unit 220 may extract a processing method associated with the role of the transmission source node and the role of the transmission destination node that are first determined to be suitable for the key.
- the second table 260 returns the processing method associated with the combination of the role of the transmission source node and the role of the transmission destination node to the determination unit 220 (step S207).
- the determination unit 220 may read, from the second table 260, the processing method associated with the combination of “source role” and “destination role” that matches the combination of the role of the source node and the role of the destination node read from the first table 250. For example, when the second table 260 stores the information shown in FIG. 6, the processing method corresponding to the flow in which the role of the transmission source node is A and the role of the transmission destination node is B is “ALLOW and exclusive”.
- the determining unit 220 determines a processing method to be transmitted to the control execution apparatus 100 based on the processing method obtained by searching the second table 260 (step S208).
- the determination unit 220 may send the processing method stored in the second table 260 as it is to the control execution apparatus 100.
- the determination unit 220 may also generate information that can be interpreted by the control execution apparatus 100 based on the processing method. Then, the determination unit 220 may transmit the generated information to the control execution apparatus 100 as a processing method.
- the determination unit 220 may generate, from the processing method, data representing an instruction that the control execution device 100 can interpret. Then, the determination unit 220 may determine the generated data as data to be transmitted to the control execution apparatus 100. The determination unit 220 may transmit the converted data representing the instruction to the control execution apparatus 100.
- the control instruction device 200 may transmit an instruction to discard the packet.
- the control instruction apparatus 200 may transmit an instruction to transfer the packet to a specific port.
- the instruction unit 210 transmits the processing method determined by the determination unit 220 to the control execution apparatus 100 (step S209).
- the communication status management unit 230 stores the entry related to the combination in the communication status storage unit 240. Since the communication status storage unit 240 does not store an entry related to the combination of the identifier of the node 1 and the identifier of the node 2, the communication status management unit 230 adds an entry for the combination of the identifier of the node 1 and the identifier of the node 2 to the communication status storage unit 240.
- the communication status management unit 230 does not store an entry related to the combination of the transmission source node identifier and the transmission destination node identifier of the packet in the communication status storage unit 240. This is because no actual communication occurs when the packet is discarded.
- the determination unit 220 may operate to search the communication status storage unit 240 using at least one of the transmission source node identifier and the transmission destination node identifier as a key.
- the instruction unit 210 may transmit, to the control execution apparatus 100, an instruction to delete an entry related to the node from the instruction cache 130 at a timing when it is detected that the communication status of an arbitrary node has changed.
- the instruction unit 210 may send the control execution apparatus 100 an instruction to delete an entry related to the node from the instruction cache 130 at the timing when the determination unit 220 determines to change the communication status of an arbitrary node.
- the control execution apparatus 100 may voluntarily delete the entry after a predetermined time has elapsed since the entry was registered in the instruction cache 130.
- the control instruction device 200 may include a mechanism for detecting the end of communication between nodes (that is, disconnection of connection). The mechanism may determine whether an entry in the instruction cache 130 is necessary.
- as a mechanism for detecting the end of communication between nodes, there is a method of checking a communication protocol end message of connection-type communication. For example, in TCP (Transmission Control Protocol), the end of communication can be detected by checking a FIN (finish) flag or an ACK (acknowledgement) flag from the opposite direction.
- the control execution apparatus 100 transmits a message indicating that the entry in the instruction cache 130 has been deleted by detecting the end of communication (that is, the flow) to the control instruction apparatus 200.
- the communication status management unit 230 can delete the corresponding entry stored in the communication status storage unit 240.
- the OpenFlow switch (the control execution apparatus 100) disclosed in Non-Patent Document 2 can use the “Flow-removed” message to notify the OpenFlow controller (the control instruction apparatus 200) that a flow entry has timed out. More specifically, for example, an administrator sets a timeout in the flow entry of the flow table (instruction cache 130) of the OpenFlow switch. When the timeout condition is met, for example, because the packet has not been received for a certain period of time, the control execution apparatus 100 notifies the control instruction apparatus 200 of the timeout with a “Flow-removed” message.
- upon receiving the “Flow-removed” message, the control instruction apparatus 200 searches for an entry in the communication status storage unit 240 based on the transmission destination IP address and port number of the packet included in the timeout notification. The control instruction device 200 deletes the entry specified by the search.
- the contents of the entry stored in the instruction cache 130 are automatically updated to the contents in accordance with the security policy in accordance with the communication status between the nodes.
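The lookup in steps S201 to S209, the rule that a discarded packet creates no communication status entry, and the “Flow-removed” cleanup described above, as an added Python sketch that is not code from the patent. The table rows, the `DENY` method, the fail-closed default, the status encoding (a peer identifier, `none`, or `*`), the use of node identifiers in the cleanup, and every class and function name are assumptions, since FIG. 5 and FIG. 6 are not reproduced on this page.

```python
WILDCARD = "*"
NO_CONNECTION = "none"  # assumed encoding of "no connection with any node"
DENY = "DENY"           # assumed name for a method that discards the packet

# Constructed first table: (node identifier, communication status, role).
# A status cell is a peer identifier, NO_CONNECTION or WILDCARD (assumption).
FIRST_TABLE = [
    ("node1", "node3", "B"),      # node 1 while connected to node 3
    ("node1", WILDCARD, "A"),
    ("node2", WILDCARD, "A"),
    (WILDCARD, WILDCARD, "C"),
]

# Constructed second table: (source role, destination role, processing method).
SECOND_TABLE = [
    ("A", "B", "ALLOW and exclusive"),
    ("B", "A", DENY),
    ("A", "A", "ALLOW"),
    ("A", "C", "ALLOW"),
    (WILDCARD, WILDCARD, DENY),
]


def status_matches(pattern, peers):
    """Match one status cell against the set of peers a node is connected to."""
    if pattern == WILDCARD:
        return True
    if pattern == NO_CONNECTION:
        return not peers
    return pattern in peers


class ControlInstruction:
    """Hypothetical stand-in for the control instruction device 200."""

    def __init__(self, first_table, second_table):
        self.first_table = list(first_table)
        self.second_table = list(second_table)
        self.entries = set()   # communication status storage: (src, dst) pairs
        self.invalidate = []   # nodes whose instruction-cache entries are stale

    def peers(self, node):
        """Current communication status of a node: the nodes it is connected to."""
        return ({d for s, d in self.entries if s == node}
                | {s for s, d in self.entries if d == node})

    def role_of(self, node):
        """First table lookup; the first matching row wins."""
        peers = self.peers(node)
        for node_pat, status_pat, role in self.first_table:
            if node_pat in (WILDCARD, node) and status_matches(status_pat, peers):
                return role
        return None

    def decide(self, src, dst):
        """Second table lookup, then record the flow if it is not discarded."""
        src_role, dst_role = self.role_of(src), self.role_of(dst)
        method = DENY  # fail closed when no row matches (assumption)
        for s_pat, d_pat, candidate in self.second_table:
            if s_pat in (WILDCARD, src_role) and d_pat in (WILDCARD, dst_role):
                method = candidate
                break
        # A discarded packet causes no communication, so no entry is stored.
        if method != DENY and (src, dst) not in self.entries:
            self.entries.add((src, dst))
            self.invalidate += [src, dst]  # status changed: cached decisions stale
        return method

    def on_flow_removed(self, src, dst):
        """Flow ended or timed out: drop the entry and flag both nodes."""
        if (src, dst) in self.entries:
            self.entries.remove((src, dst))
            self.invalidate += [src, dst]


def demo():
    """Same flow node1 -> node2, decided differently as node 1's status changes."""
    ctl = ControlInstruction(FIRST_TABLE, SECOND_TABLE)
    results = [ctl.decide("node1", "node3")]       # roles A -> C
    results.append(ctl.decide("node1", "node2"))   # roles B -> A
    results.append(ctl.decide("node2", "node1"))   # roles A -> B
    ctl.on_flow_removed("node1", "node3")
    results.append(ctl.decide("node1", "node2"))   # roles A -> A
    return results


if __name__ == "__main__":
    print(demo())
```

The `invalidate` list marks where an instruction-cache deletion would be sent: without it, a decision cached for node 1 before its status changed would keep being applied by the control execution apparatus.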
- the control execution apparatus 100 can be realized by an OpenFlow switch, for example.
- the control execution apparatus 100 may be implemented as a firewall or a network switch.
- the control execution device 100 is not necessarily a physical device, and may be, for example, a personal firewall or a virtual switch implemented by software operating on a node, that is, on a communication terminal.
- the function of the control execution apparatus 100 is realized by, for example, a CPU (Central Processing Unit) executing a computer program read into the memory.
- the control instruction device 200 can be realized by an OpenFlow controller, for example.
- the function of the control instruction device 200 is realized, for example, when the CPU executes a computer program (software program, hereinafter simply referred to as “program”) read into the memory.
- the control execution device 100 and the control instruction device 200 can be realized by using an OpenFlow control device (controller) and a switch as described above.
- the control execution apparatus 100 and the control instruction apparatus 200 can also be realized by a control instruction apparatus and a control execution apparatus having equivalent functions that are not an OpenFlow control apparatus (controller) and switch.
- each unit (processing unit) of the control execution device 100 and the control instruction device 200 illustrated in FIG. 2 can also be realized by a computer program that causes a computer implementing these devices to execute the processing of each unit described above by using the hardware of the computer.
- the control execution device 100 and the control instruction device 200 are not necessarily separated from each other.
- the control execution device 100 and the control instruction device 200 may be the same device.
- the control execution device 100 may have a function of operating as the control instruction device 200.
- the communication status storage unit 240 is not necessarily installed in the same device as the device in which the communication status management unit 230 and the determination unit 220 are installed.
- the communication status storage unit 240 only needs to be mounted so as to be accessible from the communication status management unit 230 and the determination unit 220.
- the first table 250 and the second table 260 are not necessarily mounted in the same device as the device in which the determination unit 220 is mounted.
- the first table 250 and the second table 260 may be mounted so as to be accessible from the determination unit 220.
- the control instruction apparatus 200 may refer to three tables as shown below.
- 1) a table storing information in which nodes, communication statuses and roles of the nodes are associated; 2) a table storing information in which a combination of a role of a transmission source node and a role of a transmission destination node and a flow defined by the combination are associated; 3) a table storing information in which a flow and an action for the flow are associated with each other.
- the first table 251 (shown in FIG. 11) and the first table 252 (shown in FIG. 12) are other specific examples of the first table 250.
- the first table 251 and the first table 252 will be described below.
- FIG. 11 is a diagram for explaining information stored in the first table 251.
- the first table 251 stores a node identifier of a node, a current communication status of the node, current position information of the node, and a role in association with each other.
- the current location information of the node is information such as “inside Tokyo”, “in a specific building”, or “in a specific floor”, for example.
- the current location information of the node may be, for example, information such as the identifier of the physical node that operates a virtual node, or the position of the rack that is being used by the blade server that operates the virtual node.
- the control instruction device 200 acquires the current position information of the node.
- the control instruction device 200 may acquire position information of a node from a position detection unit (not shown) that detects the position of the node using, for example, a GPS (Global Positioning System) provided in the node.
- the determination unit 220 searches the first table 251 using the identifier of the node, the current communication status of the node, and the current position information of the node as keys.
- the determination unit 220 obtains information regarding the role of the node as a search result.
- the communication system 1000 can realize more detailed communication control that also considers the current position information of the transmission source node or transmission destination node.
- the first table 251 has been described above.
- FIG. 12 is a diagram for explaining information stored in the first table 252.
- the first table 252 stores a node identifier, a current communication status of the node, “usage information” that is information indicating a user currently using the node, and a role in association with each other.
- the usage information is, for example, information including at least one of the employee number, job title, department, age, etc. of the user currently using the node.
- the control instruction device 200 acquires the current usage information of the node.
- the control instruction apparatus 200 may acquire the usage information by, for example, reading user information stored in an ID card or the like owned by an individual using a card reader (not shown) or the like.
- the determination unit 220 searches the first table 252 using the identifier of the node, the current communication status of the node, and the current usage information of the node as keys.
- the determination unit 220 obtains information regarding the role of the node as a search result.
- the communication system 1000 can realize more detailed communication control that also considers the current usage information of the transmission source node or transmission destination node.
- the first table 252 which is another specific example of the first table 250 has been described above.
- FIG. 13 is a block diagram illustrating a configuration of a communication system 1000A according to the second embodiment.
- Communication system 1000A includes a control execution device 100A and a control instruction device 200A.
- the control execution apparatus 100A includes a packet processing unit 110A and an inquiry unit 120A.
- the inquiry unit 120A inquires of the control instruction apparatus 200A about the packet processing method.
- the packet processing unit 110A processes the packet based on an instruction transmitted from the control instruction apparatus 200A in response to the inquiry.
- the control execution apparatus 100A may be able to access a storage unit corresponding to the instruction cache 130 in the first embodiment.
- the control instruction device 200A includes an instruction unit 210A, a determination unit 220A, and a communication status management unit 230A.
- the communication status management unit 230A stores in the communication status storage unit 240A the communication status between nodes that communicate via the control execution apparatus 100A.
- the determination unit 220A acquires the communication status between the transmission source node or the transmission destination node of the packet that is the target of the above-described inquiry and another node by referring to the communication status storage unit 240A.
- the determination unit 220A determines a processing method of the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node.
- the instruction unit 210A instructs the determined processing method to the control execution apparatus 100A.
- the control instruction device 200A may be able to access the communication status storage unit 240A, the storage unit corresponding to the first table 250 in the first embodiment, and the storage unit corresponding to the second table 260 in the first embodiment.
- the communication status storage unit 240A may be mounted in the same device as the control instruction device 200A.
- FIG. 14 is a block diagram illustrating a configuration of a communication control device 300B according to the third embodiment.
- the communication control device 300B operates, as one device, as the control execution device 100 and the control instruction device 200 in the first embodiment, or as the control execution device 100A and the control instruction device 200A in the second embodiment.
- the packet processing unit 310B processes the packet based on the instruction of the determination unit 320B.
- the determination unit 320B obtains the communication status between the transmission source node or transmission destination node of the packet and another node by referring to the communication status storage unit 340B.
- the determination unit 320B determines a processing method for the packet based on the transmission source node, the transmission destination node, and the communication status of at least one of the transmission source node and the transmission destination node.
- the communication status management unit 330B stores in the communication status storage unit 340B the communication status between nodes that communicate via the own device 300B.
- the communication control device 300B may be able to access a communication status storage unit 340B, a storage unit corresponding to the first table 250 in the first embodiment, and a storage unit corresponding to the second table 260 in the first embodiment.
- the communication status storage unit 340B may be mounted in the same device as the communication control device 300B.
- each block diagram is a configuration shown for convenience of explanation.
- the present invention described by taking each embodiment as an example is not limited to the configuration shown in each block diagram in the implementation.
- the control execution apparatus 100 and the control instruction apparatus 200 according to the first embodiment can be realized by a computer and a program for controlling the computer, respectively.
- Each of the control execution apparatus 100 and the control instruction apparatus 200 can be realized by dedicated hardware.
- the control execution apparatus 100 and the control instruction apparatus 200 can be realized by a combination of a computer and a program for controlling the computer and dedicated hardware, respectively.
- the control execution device 100A and the control instruction device 200A according to the second embodiment and the communication control device 300B according to the third embodiment can be realized by a computer and a program for controlling the computer, respectively.
- the control execution device 100A, the control instruction device 200A, and the communication control device 300B can each be realized by dedicated hardware.
- the control execution device 100A, the control instruction device 200A, and the communication control device 300B can be realized by a combination of a computer, a program for controlling the computer, and dedicated hardware, respectively.
- FIG. 15 is a diagram illustrating an example of a hardware configuration of a computer 10000 that can implement the control execution apparatus 100, the control instruction apparatus 200, the control execution apparatus 100A, the control instruction apparatus 200A, and the communication control apparatus 300B.
- a computer 10000 includes a processor 10001, a memory 10002, a storage device 10003, and an I/O (Input/Output) interface 10004. Further, the computer 10000 can access the recording medium 10005.
- the memory 10002 and the storage device 10003 are storage devices such as a RAM (Random Access Memory) and a hard disk, for example.
- the recording medium 10005 is, for example, a storage device such as a RAM or a hard disk, a ROM (Read Only Memory), or a portable recording medium.
- the storage device 10003 may be the recording medium 10005.
- the processor 10001 can read and write data and programs from and to the memory 10002 and the storage device 10003.
- the processor 10001 can access, for example, a node via the I/O interface 10004.
- the processor 10001 can access the recording medium 10005.
- the recording medium 10005 stores a program that causes the computer 10000 to operate as the control execution apparatus 100, the control instruction apparatus 200, the control execution apparatus 100A, the control instruction apparatus 200A, or the communication control apparatus 300B.
- the processor 10001 loads, into the memory 10002, the program stored in the recording medium 10005 that causes the computer 10000 to operate as the control execution apparatus 100, the control instruction apparatus 200, the control execution apparatus 100A, the control instruction apparatus 200A, or the communication control apparatus 300B. When the processor 10001 executes the program loaded in the memory 10002, the computer 10000 operates as the control execution device 100, the control instruction device 200, the control execution device 100A, the control instruction device 200A, or the communication control device 300B.
- the plurality of units listed below can be realized by, for example, a dedicated program that realizes the function of each unit and that is read into the memory 10002 from the recording medium 10005 storing the program, and the processor 10001 that executes the program.
- the plurality of parts described above are as follows, for example.
- Packet processor 110, Inquiry unit 120, Instruction unit 210, Determination unit 220, Communication status management unit 230, Packet processor 110A, Inquiry unit 120A, Instruction unit 210A, Decision unit 220A, Communication status manager 230A, Packet processor 310B, Determination unit 320B, and Communication status management unit 330B.
- the instruction cache 130, the communication status storage unit 240, the first table 250, and the second table 260 can be realized by a memory 10002 included in the computer 10000 or a storage device 10003 such as a hard disk device.
- the communication status storage unit 240A and the communication status storage unit 340B can be realized by a memory 10002 included in the computer 10000 or a storage device 10003 such as a hard disk device.
- some or all of the plurality of units listed below can be realized by a dedicated circuit that realizes the function of each unit.
- the plurality of parts are as follows, for example.
- Packet processor 110, Inquiry unit 120, Instruction cache 130, Instruction unit 210, Determination unit 220, Communication status management unit 230, Communication status storage unit 240, First table 250, Second table 260, Packet processor 110A, Inquiry unit 120A, Instruction unit 210A, Decision unit 220A, Communication status manager 230A, Communication status storage unit 240A, Packet processor 310B, Decision unit 320B, Communication status management unit 330B, and Communication status storage unit 340B.
- the present invention described using the above embodiments as an example can be applied to access control between computers, for example.
- for example, the security policy of a company may state “prohibit information retrieval via the web when accessing confidential customer information”.
- access control that satisfies such a fine security policy can be realized.
- Control execution device 110 Packet processing unit 120 Inquiry unit 130 Instruction cache 200
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention implements access control appropriate to the current communication status of the transmission source node of a packet or the transmission destination node of the packet. This control instruction device includes a communication status management unit, a determination unit, and an instruction unit. The communication status management unit stores, in a communication status storage unit, the communication status between nodes that communicate via a control execution device. The determination unit refers to the communication status storage unit to acquire the communication status between either the transmission source node of a packet about which an inquiry has been made or the transmission destination node of the packet, and another node. Based on the transmission source node, the transmission destination node, and the communication status of the transmission source node and/or the transmission destination node, the determination unit determines a processing method for the packet in question, and the instruction unit instructs the control execution device to apply the processing method.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2016509947A JPWO2015145976A1 (ja) | 2014-03-28 | 2015-02-26 | Communication system, control instruction device, control execution device, communication control method, and storage medium storing a program |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2014-067522 | 2014-03-28 | ||
| JP2014067522 | 2014-03-28 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2015145976A1 (fr) | 2015-10-01 |
Family
ID=54194532
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2015/000992 Ceased WO2015145976A1 (fr) | 2014-03-28 | 2015-02-26 | Communication system, control instruction device, control execution device, communication control method, and storage medium on which a program is stored |
Country Status (2)
| Country | Link |
|---|---|
| JP (1) | JPWO2015145976A1 (fr) |
| WO (1) | WO2015145976A1 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020136707A1 (fr) * | 2018-12-25 | 2020-07-02 | 三菱電機株式会社 | ECU, monitoring ECU, and CAN system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012086816A1 (fr) * | 2010-12-24 | 2012-06-28 | 日本電気株式会社 | Communication system, control device, rule management device, communication method, and associated program |
| WO2013150925A1 (fr) * | 2012-04-03 | 2013-10-10 | 日本電気株式会社 | Network system, controller, and packet authentication method |
2015
- 2015-02-26 WO PCT/JP2015/000992 patent/WO2015145976A1/fr not_active Ceased
- 2015-02-26 JP JP2016509947A patent/JPWO2015145976A1/ja active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012086816A1 (fr) * | 2010-12-24 | 2012-06-28 | 日本電気株式会社 | Communication system, control device, rule management device, communication method, and associated program |
| WO2013150925A1 (fr) * | 2012-04-03 | 2013-10-10 | 日本電気株式会社 | Network system, controller, and packet authentication method |
Non-Patent Citations (1)
| Title |
|---|
| REMI ANDO ET AL.: "Communication State-Based Access Control for Preventing Stepping-Stone Attacks", IPSJ SYMPOSIUM SERIES, vol. 2013, no. 4, 14 October 2013 (2013-10-14), pages 1018 - 1025 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020136707A1 (fr) * | 2018-12-25 | 2020-07-02 | 三菱電機株式会社 | ECU, monitoring ECU, and CAN system |
| JPWO2020136707A1 (ja) * | 2018-12-25 | 2021-03-11 | 三菱電機株式会社 | ECU, monitoring ECU, and CAN system |
Also Published As
| Publication number | Publication date |
|---|---|
| JPWO2015145976A1 (ja) | 2017-04-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9178910B2 (en) | Communication system, control apparatus, policy management apparatus, communication method, and program | |
| JP5811171B2 (ja) | Communication system, database, control device, communication method, and program | |
| JP5621778B2 (ja) | Content-based switch system and content-based switch method | |
| JP5880560B2 (ja) | Communication system, forwarding node, received packet processing method, and program | |
| JPWO2011162215A1 (ja) | Communication system, control device, node control method, and program | |
| CN102763382A (zh) | Front-end system and front-end processing method | |
| JP6424820B2 (ja) | Device management system, device management method, and program | |
| JP5445262B2 (ja) | Quarantine network system, quarantine management server, method for relaying remote access to a virtual terminal, and program therefor | |
| JPWO2014112616A1 (ja) | Control device, communication device, communication system, switch control method, and program | |
| JP5720340B2 (ja) | Control server, communication system, control method, and program | |
| KR101527377B1 (ko) | SDN-based service chaining system | |
| JP5725236B2 (ja) | Communication system, node, packet forwarding method, and program | |
| JP2011159247A (ja) | Network system, controller, and network control method | |
| WO2014061583A1 (fr) | Communication node, control device, communication system, packet processing method, and program | |
| JP5747997B2 (ja) | Control device, communication system, virtual network management method, and program | |
| JP6330814B2 (ja) | Communication system, control instruction device, communication control method, and program | |
| WO2015145976A1 (fr) | Communication system, control instruction device, control execution device, communication control method, and storage medium on which a program is stored | |
| WO2014034119A1 (fr) | Access control system, access control method, and program | |
| WO2014020902A1 (fr) | Communication system, control apparatus, communication method, and program | |
| JP6649002B2 (ja) | Access management system and access management method | |
| JP2016116146A (ja) | Network connection control device, network connection control method, network connection control program, and network connection control system | |
| WO2015129727A1 (fr) | Communication terminal, communication method, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15768087 Country of ref document: EP Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2016509947 Country of ref document: JP Kind code of ref document: A |
| | NENP | Non-entry into the national phase | |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 15768087 Country of ref document: EP Kind code of ref document: A1 |