U.S. patent application number 12/520114 was filed with the patent office on 2010-04-08 for apparatus and method for analysing a network.
Invention is credited to Andreas Kind, Jan Van Lunteren.
Application Number: 20100085891 (12/520114)
Family ID: 39322548
Filed Date: 2010-04-08
United States Patent Application 20100085891, Kind Code A1
Kind; Andreas; et al.
April 8, 2010
APPARATUS AND METHOD FOR ANALYSING A NETWORK
Abstract
The invention relates to an apparatus for analysing a network
flow, comprising a parser for extracting flow identification
information from the network flow, a flow metering unit for
metering the network flow, and a programmable controller for
controlling the flow metering unit and the parser.
Inventors: Kind; Andreas (Zurich, CH); Van Lunteren; Jan (Zurich, CH)
Correspondence Address: IBM CORPORATION, T.J. WATSON RESEARCH CENTER, P.O. BOX 218, YORKTOWN HEIGHTS, NY 10598, US
Family ID: 39322548
Appl. No.: 12/520114
Filed: November 2, 2007
PCT Filed: November 2, 2007
PCT NO: PCT/IB07/54447
371 Date: June 19, 2009
Current U.S. Class: 370/253
Current CPC Class: H04L 63/1425 20130101; H04L 43/026 20130101; H04L 43/08 20130101
Class at Publication: 370/253
International Class: H04L 12/26 20060101 H04L012/26
Foreign Application Data
Date: Dec 19, 2006; Code: EP; Application Number: 06126520.3
Claims
1. An apparatus for analysing a network flow, the apparatus
comprising: a parser for extracting flow identification information
from the network flow; a flow metering unit for metering the
network flow; and a programmable controller for controlling the
flow metering unit and the parser.
2. The apparatus according to claim 1, wherein the flow metering
unit is configured for sending flow status information to the
programmable controller and wherein the programmable controller is
configured for sending flow metering instructions to the flow
metering unit in dependence on the flow status information.
3. The apparatus according to claim 1, wherein the parser is
configured for sending parsing information to the programmable
controller and wherein the programmable controller is configured
for sending parsing instructions to the parser in dependence on the
parsing information.
4. The apparatus according to claim 1, wherein the programmable
controller is configured for: evaluating in parallel two or more
flow status information values of the flow metering unit; and
sending two or more flow metering instructions in parallel to the
flow metering unit.
5. The apparatus according to claim 1, wherein the programmable
controller comprises a program memory having two or more flow
metering programs.
6. The apparatus according to claim 1, wherein the programmable
controller is implemented as state machine.
7. The apparatus according to claim 6, wherein the state machine
comprises: a transition rule memory; a rule selector; and a state
register; wherein the rule selector is configured for receiving an
external input signal and an internal input signal from the state
register indicating the current state and wherein the rule selector
is configured for observing the internal and external input signal
by means of the transition rule memory for transition rules and for
changing the state of the state register and generation of an
output signal having parsing and/or flow metering instructions when
a transition rule applies.
8. The apparatus according to claim 1, wherein the flow metering
unit comprises: a flow table unit; a flow table management unit;
and a flow information export unit.
9. The apparatus according to claim 8, wherein the flow table
management unit comprises a programmable hash function unit
provided with two or more selectable hash functions for mapping the
flow identification information on a hash index, wherein the
programmable controller is configured for selecting one of the
selectable hash functions.
10. The apparatus according to claim 8, wherein the programmable
controller is configured for sending table management commands to
the table management unit.
11. The apparatus according to claim 1, wherein the apparatus is
implemented as hardware assist device.
12. The apparatus according to claim 1, further comprising: a
central processing unit; a memory; and a computer networking
device.
13. The apparatus according to claim 12, wherein the apparatus is
implemented in hardware as hardware assist device for the central
processing unit.
14. The apparatus according to claim 1, further comprising: two or
more virtual computing systems; wherein the apparatus is provided
for analysing the network flow between the virtual computing
systems and/or between the virtual computing systems and an
external device.
15. The apparatus according to claim 14, further comprising: a
software networking device for internal communication between the
virtual computing systems; and a hardware networking device for
external communication between the virtual computing systems and an
external device; wherein the software networking device and the
hardware networking device are provided for forwarding the network
flow between the virtual computing systems and/or between the
virtual computing systems and an external device for an analysis to
the apparatus.
16. The apparatus according to claim 15, wherein the apparatus is
arranged in the hardware networking device.
17. A method for analysing a network flow, comprising the steps of:
extracting flow identification information from the network flow
using a parser; metering the network flow using a flow metering
unit; and controlling the flow metering unit and the parser using a
programmable controller.
18. A computer readable program product tangibly embodying computer
executable instructions which when implemented, causes the computer
to carry out an analysis of a network flow according to the steps
of the method according to claim 17.
Description
TECHNICAL FIELD
[0001] The invention relates to an apparatus, a method and a
computer program for analysing a network flow.
BACKGROUND OF THE INVENTION
[0002] Communication networks, e.g. networks according to the
Internet Protocol (IP), are complex and difficult to analyse and to
monitor with respect to the end-to-end network traffic flows, also
denoted as network flows. A known protocol for analysing a network
flow is the NetFlow protocol that is currently being standardized
by the Internet Engineering Task Force (IETF). Details are provided
in IETF IP Flow Information Export (IPFIX) at
http://www.ietf.org/html.charters/ipfix-charter.html.
[0003] The NetFlow protocol provides technology for network
accounting, bandwidth usage analysis, network anomaly detection,
traffic engineering and capacity management.
[0004] NetFlow is supported at routers, switches, metering
appliances and software-based traffic meters. Some high-end routers
and switches support NetFlow with dedicated hardware
extensions.
[0005] The realization of extensions in a router or switch for
NetFlow or for other network analysis protocols is typically
expensive because the extension has to be well integrated into the
specific forwarding and routing architecture of the router or
switch.
[0006] It is an object of the invention to provide improved
solutions for network flow analysis. It is a further object of the
invention to provide an improved apparatus, an improved method, an
improved computer system and an improved computer program for
analysing a network flow.
SUMMARY AND ADVANTAGES OF THE INVENTION
[0007] The present invention is directed to an apparatus, a
computer system, a computer program and a method as defined in
independent claims. Further embodiments of the invention are
provided in the appended dependent claims.
[0008] According to a first aspect of the invention there is
provided an apparatus for analysing a network flow, comprising
[0009] a parser for extracting flow identification information from
the network flow,
[0010] a flow metering unit for metering the network flow,
[0011] a programmable controller for controlling the flow metering
unit and the parser.
[0012] The architecture of the apparatus according to this aspect
of the invention allows for an efficient, flexible and fast
implementation of a flow metering function that is able to support
a large number of configuration options. Such configuration options
might cover different versions of today's or future standards. This
architecture provides the benefits of high performance without the
drawback of fixed metering functionality and interfaces which only
support a single standard.
[0013] The modular approach of this architecture comprises a parser
that is provided for receiving a network flow and for extracting
flow identification information from this network flow. The parser
can be programmed to extract any desirable combination of flow
identification information from the network flow. The flow
identification information might e.g. be contained in fields of
packet headers of a network flow. As an example, the parser can be
programmed to extract the corresponding header fields that are
relevant for a specific protocol standard. The flow identification
information might comprise e.g. the source and destination IP
address, the source and destination port and the IP protocol of the
analysed network flow.
[0014] The network flow identified by the flow identification
information is metered by a flow metering unit. The metering of the
flow identification information might e.g. comprise timestamps for
the respective network flow start and finish time, the number of
bytes and packets observed in the respective network flow and
various other features of the observed network flow.
[0015] Both the flow metering unit and the parser are controlled in
parallel by a programmable controller. The programmable controller
can be individually programmed for the respective application
environment, the protocol standards used for the network flow
(e.g. NetFlow v5, v7, v9, IPFIX), the number of flows to be
supported and the speed of the respective network. Hence the parser
and the flow metering unit are generic units. The specific
functionality of these generic units is determined by the
programmable controller.
[0016] According to an embodiment of this aspect of the invention
the flow metering unit is provided for sending flow status
information to the programmable controller and the programmable
controller is provided for sending flow metering instructions to
the flow metering unit in dependence on the flow status
information.
[0017] Such a control loop between the flow metering unit and the
programmable controller facilitates an efficient, fast and flexible
flow metering process and processing.
[0018] According to another embodiment of this aspect of the
invention the parser is provided for sending parsing information to
the programmable controller and the programmable controller is
provided for sending parsing instructions to the parser in
dependence on the parsing information.
[0019] Such a control loop between the parser and the programmable
controller facilitates an efficient, fast and flexible parsing
process and processing.
[0020] According to another embodiment of this aspect of the
invention the programmable controller is provided for
[0021] evaluating in parallel two or more flow status information
values of the flow metering unit,
[0022] sending two or more flow metering instructions in parallel to
the flow metering unit.
[0023] Such a parallel processing structure further facilitates an
efficient, fast and flexible flow metering process and
processing.
[0024] According to another embodiment of this aspect of the
invention the programmable controller comprises a program memory
comprising two or more flow metering programs.
[0025] The two or more flow metering programs can e.g. be
programmed for different versions of network analysis protocols,
for different application environments, for different numbers of
flows to be supported and for different speeds of the network.
[0026] This allows for changing the configuration and application
of the apparatus very quickly and easily. Furthermore, it is a
flexible and cost effective solution.
[0027] According to another embodiment of this aspect of the
invention the programmable controller is implemented as
programmable state machine.
[0028] The implementation of the programmable controller as
programmable state machine is a flexible and cost effective
solution.
[0029] According to another embodiment of this aspect of the
invention the programmable state machine comprises a transition
rule memory, a rule selector and a state register, wherein the rule
selector is provided for receiving an external input signal and an
internal input signal from the state register indicating the
current state and wherein the rule selector is provided for
observing the internal and external input signal by means of the
transition rule memory for transition rules and for changing the
state of the state register and generation of an output signal
comprising parsing and/or flow metering instructions when a
transition rule applies.
[0030] This embodiment is an efficient way of implementing the
programmable state machine.
[0031] The transition rule memory is provided for storing a set of
transition rules. A set of transition rules may establish a flow
metering program. For different versions of network analysis
protocols, for different application environments, for different
numbers of flows to be supported and for different speeds of the
network a plurality of sets of transition rules might be loaded
into the transition rule memory.
[0032] The rule selector is provided for receiving an external
input signal and an internal input signal from the state register.
The internal input signal from the state register indicates the
current state of the programmable state machine. The external input
signal or the external input signals are received from the flow
metering unit and/or the parser. The external input signal of the
state machine may comprise flow status information, parser
information and various other information.
[0033] The rule selector observes the internal and external input
signal by means of the transition rule memory for transition rules.
If a predefined transition rule applies, the programmable state
machine changes the state of the state register and generates an
output signal comprising parsing and/or flow metering
instructions.
[0034] In other words, the programmable state machine observes the
flow status information and/or the parsing information for
predefined states. The state machine changes its state, when such a
predefined state is detected. Then the changing state of the state
machine triggers control actions for the parser and/or the flow
metering unit.
[0035] According to another embodiment of this aspect of the
invention the flow-metering unit comprises
[0036] a flow table unit,
[0037] a flow table management unit and
[0038] a flow information export unit.
[0039] The flow table unit comprises a memory for storing
information about the network flows that are analysed by the
apparatus. The flow table might e.g. use the 5-tuple definition to
characterise a specific network flow. In other words, the flow
table may provide an entry for each specific network flow
characterized by the 5-tuple definition. According to the example
of the 5-tuple definition, a network flow is defined as a
unidirectional sequence of packets that have the same source and
destination IP address, the same source and destination port and
the same IP protocol.
[0040] For each such entry the flow table may store flow metering
information, e.g. timestamps for the respective network flow
start and finish time, the number of bytes and packets observed in
the respective network flow and various other features of the
observed network flow.
[0041] The flow table management unit is provided for managing the
entries of the flow table. The flow table management unit is
controlled by the programmable controller. This flow table
management unit may be provided to execute various flow metering
instructions received from the programmable controller. Such flow
metering instructions may include instructions for updating the
flow table unit, creating a new entry in the flow table unit and
checking the status or specific entries of the flow table unit. The
flow table management unit may be implemented using a conventional
hard-wired state machine.
[0042] As an example, the flow table management unit may check upon
reception of a check-command from the programmable controller if
the flow table already contains an entry for an identified network
flow. As a result it could provide an indication (implemented as a
single-bit flag) back to the programmable controller that indicates
whether an entry for this identified network flow already exists or
whether the identified network flow is a new flow that is not present
in the flow table of the flow table unit.
[0043] In response to receiving the indication that a network flow
either exists or not, the programmable controller may dispatch
further flow metering instructions to the table management unit to
either update an existing flow table entry, to create a new flow
table entry or to create a complete new flow table with a
corresponding "update", "create new flow table entry" or "create
new flow table" command.
[0044] The flow information export unit is provided for exporting
flow information to another location or entity. The flow
information export unit is controlled by the programmable
controller as well. The programmable controller may trigger the
export of flow metering information by dispatching an
export-command to the flow information export unit.
[0045] According to another embodiment of this aspect of the
invention the flow table management unit comprises a programmable
hash function unit provided with two or more selectable hash
functions for mapping the flow identification information on a hash
index, wherein the programmable controller is provided for
selecting one of the selectable hash functions.
[0046] Hash functions are widely used to improve the efficiency of
network flow analysis and network flow metering. However, different
standards and different protocol versions of flow metering
standards use different hash functions. By means of providing a
programmable hash function unit, the apparatus according to this
embodiment of the invention can support these different standards
and protocol versions.
[0047] According to another embodiment of this aspect of the
invention the programmable controller is provided for sending table
management commands to the table management unit.
[0048] Such table management commands may be e.g. an
update-command, a create-command or a check-command.
[0049] According to another embodiment of this aspect of the
invention the apparatus is implemented as hardware assist
device.
[0050] The implementation of the apparatus as hardware assist
device has the advantage that it can be implemented in a system
without adding processing load to the processor of this system.
[0051] A second aspect of the invention relates to a computer
system comprising a central processing unit, a memory and a
computer networking device, comprising an apparatus according to
the first aspect of the invention for analysing the network flow in
the computer networking device.
[0052] The computer networking device may be e.g. a switch or a
router. The apparatus works as hardware assist device for the
central processing unit of the computer system. This allows for an
analysis of the network flow without loading the central
processor.
[0053] A third aspect of the invention relates to a computer system
comprising two or more virtual computing systems, further
comprising an apparatus according to the first aspect of the
invention, wherein the apparatus is provided for analysing the
network flow between the virtual computing systems and/or between
the virtual computing systems and an external device.
[0054] This allows for monitoring and analysing the network flow
between the virtual computing systems in a scalable way without any
additional software to be available on the computer system and on
the virtual computing systems.
[0055] According to a further embodiment of this aspect of the
invention the computer system comprises
[0056] a software networking device for internal communication
between the virtual computing systems,
[0057] a hardware networking device for external communication
between the virtual computing systems and an external device,
wherein the software networking device and the hardware networking
device are provided for forwarding the network flow between the
virtual computing systems and/or between the virtual computing
systems and an external device for an analysis to the apparatus
according to the first aspect of the invention.
[0058] This architecture allows for an efficient implementation of
a network flow function within a virtualized environment.
[0059] The software networking device may be e.g. a software
switch, i.e. a switch implemented in software. The hardware
networking device may be e.g. a hardware switch, i.e. a switch
implemented in hardware.
[0060] The external device can be e.g. another computer system, a
network, the internet or any other destination.
[0061] According to a further embodiment of this aspect of the
invention the apparatus is arranged in the hardware networking
device.
[0062] A fourth aspect of the invention relates to a method for
analysing a network flow, comprising the steps of
[0063] extracting flow identification information from the network
flow by means of a parser,
[0064] metering the network flow by means of a flow metering unit,
[0065] controlling the flow metering unit and the parser by means of
a programmable controller.
[0066] A fifth aspect of the invention relates to a flow metering
computer program comprising instructions for carrying out a flow
metering program on a programmable controller, the flow metering
computer program being provided for controlling the flow metering
unit and the parser of an apparatus according to the first aspect
of the invention.
[0067] Preferred embodiments of the present invention are described
in detail below, by way of example only, with reference to the
following schematic drawings, in which:
DESCRIPTION OF THE DRAWINGS
[0068] FIG. 1 is a schematic drawing of an apparatus for analyzing
a network flow according to an embodiment of the invention,
comprising a programmable controller, a parser and a flow metering
unit,
[0069] FIG. 2 shows a schematic computer system comprising a
computer networking device and an apparatus for analysing the
network flow in the computer networking device,
[0070] FIG. 3 is a schematic drawing of a programmable controller
implemented as state machine,
[0071] FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in
more detail,
[0072] FIG. 5 shows a flow chart illustrating a flow table update
function of the flow metering unit,
[0073] FIG. 6 shows a flow chart illustrating the determination of
expired table entries of a flow table unit,
[0074] FIG. 7 shows a flow chart illustrating the exportation of
expired table entries of the flow table unit,
[0075] FIG. 8 shows a schematic drawing of a computer system
comprising virtual computing systems and an apparatus for analysing
the network flow between the virtual computing systems.
[0076] The drawings are provided for illustrative purposes only and
do not necessarily represent practical examples of the present
invention to scale. In the figures, same reference signs are used
to denote the same or like parts.
[0077] FIG. 1 shows an apparatus 100 for analysing a network flow
105 according to an exemplary embodiment of the invention. The
apparatus 100 comprises a parser 110 for extracting flow
identification information from the network flow 105. The network
flow 105 may be any kind of communication traffic in a network, in
particular end to end network traffic. The network flow 105 may
comprise a sequence of data packets, wherein each data packet is
part of a communication between two distinct network addresses. The
apparatus 100 comprises a flow metering unit 130 for metering the
network flow 105 and a programmable controller 140 for controlling
the flow metering unit 130 and the parser 110.
[0078] The flow metering unit 130 is provided for sending flow
status information to the programmable controller 140 and the
programmable controller 140 is provided for sending flow metering
instructions to the flow metering unit 130 in dependence on the
flow status information. Furthermore, the parser 110 is provided
for sending parsing information to the programmable controller 140
and the programmable controller 140 is provided for sending parsing
instructions to the parser 110 in dependence on the parsing
information.
[0079] The programmable controller 140 comprises a central
processing unit 150 and a program memory 160. In the program memory
160 one or more flow metering programs 170 can be stored.
[0080] The apparatus 100 is preferably implemented in hardware and
may be used as hardware assist device. This is further illustrated
with reference to FIG. 2.
[0081] FIG. 2 shows a computer system 200 comprising a central
processing unit 210, a memory 220 and a computer networking device
230. Furthermore it comprises the apparatus 100 for analysing a
network flow. The apparatus 100 is implemented in hardware as
hardware assist device for the central processing unit 210. The
central processing unit 210, the memory 220, the computer
networking device 230 and the apparatus 100 are coupled via an
internal bus system 240.
[0082] The computer networking device 230 may be any kind of
Input/Output device, e.g. a router or a switch. In the example of
FIG. 2 the computer networking device 230 serves as router between
a first Local Area Network (LAN) 250, a second LAN 260 and the
Internet 270. Accordingly, the computer networking device 230 is
provided for routing network flows 280 between the first LAN 250,
the second LAN 260 and the Internet 270. The apparatus 100 is
provided for analysing and metering the network flow in the computer
networking device 230.
[0083] FIG. 3 shows a schematic block diagram of a programmable
controller 300 according to another exemplary embodiment of the
invention. The programmable controller 300 is implemented as
programmable state machine. The programmable controller 300
comprises a transition rule memory 310, a rule selector 320 and a
state register 330. The rule selector 320 is provided for receiving
as external input signal 340 parsing information from the parser
110 and flow status information from the flow metering unit 130 of
FIG. 1. Furthermore, the rule selector 320 is provided for
receiving an internal input signal 350 from the state register 330.
This internal input signal 350 indicates the current state of the
state register 330. The rule selector 320 observes the internal
input signal 350 and the external input signal 340 by means of the
transition rule memory 310 for transition rules. When a transition
rule applies, the rule selector 320 is provided for changing the
state of the state register 330 and sending parsing instructions to
the parser 110 and/or flow metering instructions to the flow
metering unit 130 of FIG. 1.
[0084] More details for implementation of a programmable state
machine as shown in FIG. 3 are described in US 2005/0132342A1 which
is herewith incorporated by reference.
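The controller of [0029] to [0034] and FIG. 3 modelled in software, as an added example that is not part of the patent: the transition rule memory is a list of rules, the rule selector is the step method, and the state register is the state attribute; a rule whose condition names several input signals evaluates them together in one step. The state names, the input signal fields (packet_ready, flow_exists, timer_expired, expired_count) and the instruction names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class TransitionRule:
    state: str        # required current state (internal input signal)
    condition: dict   # required values of external input signals; absent keys are wildcards
    next_state: str   # new value for the state register
    output: str       # parsing or flow metering instruction emitted, or None


class ProgrammableStateMachine:
    """Programmable controller of FIG. 3: rule memory, rule selector, state register."""

    def __init__(self, initial_state="IDLE"):
        self.rule_memory = []            # transition rule memory
        self.initial_state = initial_state
        self.state = initial_state       # state register

    def load_program(self, rules):
        """Load one flow metering program (a rule set) into the rule memory."""
        self.rule_memory = list(rules)   # earlier rules take priority
        self.state = self.initial_state

    def step(self, external_input):
        """Rule selector: apply the first rule matching the state and the inputs."""
        for rule in self.rule_memory:
            if rule.state == self.state and all(
                    external_input.get(k) == v for k, v in rule.condition.items()):
                self.state = rule.next_state
                return rule.output
        return None                      # no rule applies: state unchanged, no output


# One flow metering program; signal and instruction names are assumptions.
FLOW_METERING_PROGRAM = [
    TransitionRule("IDLE", {"timer_expired": True}, "SCAN", "scan"),
    TransitionRule("IDLE", {"packet_ready": True}, "CHECK", "check"),
    TransitionRule("CHECK", {"flow_exists": True}, "IDLE", "update"),
    TransitionRule("CHECK", {"flow_exists": False}, "IDLE", "create"),
    TransitionRule("SCAN", {"expired_count": 0}, "IDLE", None),
    TransitionRule("SCAN", {}, "EXPORT", "export"),   # any other scan report
    TransitionRule("EXPORT", {}, "IDLE", "remove"),
]


def run_program(rules, inputs, initial_state="IDLE"):
    """Feed a sequence of external input signals; return the emitted instructions."""
    psm = ProgrammableStateMachine(initial_state)
    psm.load_program(rules)
    return [psm.step(ext) for ext in inputs]
```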
[0085] FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in
more detail.
[0086] The parser 110 can be programmed by means of the
programmable controller 140 to extract any desirable flow
identification information from the network flow 105. According to
an exemplary embodiment of the invention the network flow 105
comprises packets including a packet header and the parser 110 uses
the packet headers to extract the flow identification information.
Accordingly, the parser 110 may be programmed to extract any
desirable combination of header fields from the packet header that
will be used for flow identification. Examples of such header
fields include IP source and destination addresses, Transmission
Control Protocol (TCP) source and destination port numbers,
Multi-Protocol Label Switching (MPLS) and Virtual Local Area
Network (VLAN) tags etc. Based on the protocol standard of the
respective network analysis protocol, the parser 110 can be
programmed to extract the corresponding header fields that are
relevant for that protocol standard. The parser 110 is provided for
writing the flow identification information of these header fields
into a register unit 400. Hence the register unit 400 comprises
registers with flow identification information derived from packet
headers.
[0087] This flow identification information is provided as input to
a programmable hash function unit 410. The programmable hash function
unit 410 maps the flow identification information stored in the
register unit 400 onto a hash index. In other words, the programmable
hash function unit 410 maps the actual values of the selected
header fields onto a hash index. The programmable hash function
unit 410 may provide a variety of hash functions that cover all
desired functions for the protocol versions that the apparatus 100
shall support. The programmable controller 140 is provided for
selecting one of the available hash functions. The selection of one
of the hash functions may be implemented by sending a hash
identifier corresponding to that hash function from the
programmable controller 140 to the programmable hash function unit
410. Such a hash identifier can consist of a short bit vector that
uniquely corresponds to one of the implemented hash functions.
[0088] The flow metering unit 130 further comprises a flow table
management unit 420. The flow table management unit 420 is provided
to receive the hash index of the respective flow identification
information of the respective packet header from the programmable
hash function unit 410. The flow table management unit 420 manages
and controls a flow table unit 430. The flow table management unit
420 can execute flow table management commands as flow metering
instructions. Such flow table management commands may include e.g.
commands for updating the flow table unit 430, for creating a new
entry in the flow table unit 430, for checking entries of the flow
table unit 430, for removing entries from the flow table unit 430
and for scanning the entries of the flow table unit 430. Preferably
the flow table management unit 420 is implemented by means of a
hardwired state machine. The flow table management commands are
sent from the programmable controller 140 to the flow table
management unit 420. The flow table unit 430 comprises a memory
that stores network flow entries for network flows identified by
the respective hash index. The network flow entries comprise key
fields that define the flow and content fields that comprise
information about the defined flow. The content fields are updated
with every new packet of the network flow. The flow table unit 430
might e.g. use the 5-tuple definition to characterise and define
the network flow in the key fields. In this example the key fields
would comprise the source and destination IP address, the source
and destination port and the IP protocol of the respective network
flow.
[0089] For each such key field the flow table may store in the
corresponding content fields flow metering information, e.g.
timestamps for the respective network flow start and finish time,
the number of bytes and packets observed in the respective network
flow and various other features of the observed network flow.
[0090] As an example, upon reception of a check-command from the
programmable controller 140, the flow table management unit 420
will check if the flow table unit 430 already contains an entry for
the network flow identified by the respective hash index. In return
it will provide as flow status information an indication to the
programmable controller 140 that indicates that the respective
network flow exists or that the hash index corresponds to a new
network flow that is not present in the flow table unit 430.
Dependent on the hash function the flow table management unit 420
can also have direct access to the actual register values of the
register unit 400, i.e. to the flow identification information
stored in the register unit 400.
[0091] In response to receiving the flow status information indicating
whether an identified network flow exists or not, the programmable
controller 140 may dispatch, as flow metering instructions, table
management commands to the flow table management unit 420 to either
update an existing flow table entry or create a new flow table
entry by means of an update command or a create command, respectively.
[0092] Furthermore, the programmable controller 140 is provided for
controlling the scanning of the flow table unit 430 for expired
flow table entries. For this purpose, the programmable
controller 140 will test the value of a programmable timer 450
which can be configured to meet the characteristics of the
supported protocol versions of the respective network analysis
protocol. This will trigger the programmable controller 140 to send
as table management command a scan instruction to the flow table
management unit 420 after certain periods and/or at regular
configurable intervals. The flow table management unit 420 will
then scan the flow table unit 430 and report any expired flow table
entries to the programmable controller 140. In response the
programmable controller 140 can send a remove-command to remove
these flow table entries to the flow table management unit 420.
Furthermore, the programmable controller 140 can trigger the export
of these expired flow table entries. In the latter case, the
programmable controller 140 triggers the creation of a flow
information packet containing information on the expired network
flow. The programmable controller 140 sends a "generate packet"
command to a flow information export unit 440. The flow information
export unit 440 is also denoted as packet generator. The flow
information export unit 440 can be implemented using a hardwired
state machine. The flow information export unit 440 exports a flow
information packet containing network flow information to a central
server or any other destination.
[0093] By means of this programmable concept of the apparatus 100
the flow metering functions of the flow metering unit 130 can be
implemented, configured and executed differently depending on the
application environment, the used protocol standards (e.g. NetFlow
v5, v7, v9, IPFIX), the number of network flows to be supported or
the speed of the respective network.
[0094] For example, NetFlow v9 and IPFIX do not use fixed record
fields, but a variable number of fields defined in flow templates.
A template determines the content of the flow table and the amount
of exported network flow information. In addition, multiple network
flows can be aggregated and mapped on the same flow table entry.
The flow table might contain various types of information for each
network flow. Furthermore, the rules that determine when network
flow information will be exported can vary.
[0095] FIG. 5 shows a flow chart illustrating a flow table update
function of the flow metering unit 130.
[0096] In a step 510 the apparatus 100 receives a data packet of a
network flow that is observed. In step 520 the parser 110 parses
the header of the data packet, extracts the flow identification
information and writes it in the register unit 400. In step 530 the
programmable hash function unit 410 calculates the hash index of
the flow identification information and the flow table management
unit 420 performs a flow table (hash table) lookup in the flow
table unit 430. In step 540 the flow table management unit 420
evaluates whether a flow table entry already exists for the
respective hash index. If this is the case, the flow table
management unit 420 updates in step 550 the respective flow table
entry in the flow table unit 430. If this is not the case, the flow
table management unit 420 creates in step 560 a new flow table
entry in the flow table unit 430.
[0097] FIG. 6 shows a flow chart illustrating the determination of
expired flow table entries in the flow table unit 430.
[0098] In step 600 the programmable controller 140 sends as flow
metering instruction a scan-command to the flow table management
unit 420. This can happen after certain time periods and/or at
regular configurable intervals. The flow table management unit 420
will then scan the flow table unit 430. In step 610 the flow table
management unit 420 selects an initial entry of the flow table unit
430 and determines in step 620 the time t since the last update. If
the time t is larger than a predefined time, e.g. determined by the
timer 450, the respective entry of the flow table unit 430 is
marked as expired. In step 650 it is checked whether all entries of
the flow table unit 430 have been processed, i.e. have been checked
for expiration. If this is not the case, the flow table management
unit 420 will select the next entry and continue with step 620. If
the result of step 650 is that all entries of the flow table unit
430 have been processed, the scanning has been completed. The
scanning function of the flow table management unit 420 waits then
in step 670 for a time t' until it receives a new scan-command from
the programmable controller 140.
[0099] FIG. 7 shows a flow chart illustrating the export of expired
table entries to a server or another destination.
[0100] In step 700 the programmable controller 140 triggers the
export process by sending a "generate packet" command to the flow
information export unit (packet generator) 440. In step 710 the flow
information export unit 440 selects an initial entry of the flow
table unit 430 and checks in step 720 if the respective entry is
marked as expired. If this is the case, the flow information export
unit 440 creates and transmits in step 730 a flow information
packet containing network flow information of the expired network
flow of the respective flow table entry. The flow information
export unit 440 may export a flow information packet to a central
server or any other destination. In a following step 740 the
respective table entry is removed from the flow table unit 430. In
a following step 750 the flow information export unit 440 checks if
all table entries have been processed, i.e. checked for flows that
are marked as expired. If the result of step 720 is that the
respective flow table entry is not marked as expired, the export
process continues with step 750 as well. If the checking of step
750 is negative, in step 760 the next flow table entry is selected
for processing and the export process is continued with step 720.
If the checking of step 750 is positive, the export process is
finished for the meantime. The exportation function of the flow
information export unit 440 waits then in step 770 for a time t''
until it receives a new generate packet command from the
programmable controller 140.
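The flow table update (FIG. 5), expiry scan (FIG. 6) and export (FIG. 7) procedures described above, modelled as a small Python simulation; this is an added example, not code from the patent. The hash function, bucket count, idle timeout and exported record layout are assumptions.

```python
import hashlib
from dataclasses import dataclass

BUCKETS = 256  # size of the modelled flow table (assumed value)

@dataclass
class FlowEntry:
    key: tuple          # key fields: (src_ip, dst_ip, src_port, dst_port, proto)
    start: float        # content fields: first/last packet timestamps,
    last: float         #   packet and byte counters, expiry mark
    packets: int = 1
    octets: int = 0
    expired: bool = False

def hash_index(key: tuple) -> int:
    """Stand-in for the programmable hash function unit 410 (assumed hash)."""
    raw = "|".join(str(f) for f in key).encode()
    return int.from_bytes(hashlib.blake2b(raw, digest_size=4).digest(), "big") % BUCKETS

class FlowTable:
    """Model of flow table unit 430 driven by the commands of management unit 420."""
    def __init__(self):
        self.slots = {}  # hash index -> list of entries sharing that index

    def check(self, key):
        """check-command: return the entry for this 5-tuple, or None if the flow is new."""
        for e in self.slots.get(hash_index(key), []):
            if e.key == key:  # key fields disambiguate hash collisions
                return e
        return None

    def update_or_create(self, key, ts, length):
        """FIG. 5, steps 530-560: update the existing entry or create a new one."""
        entry = self.check(key)
        if entry is None:  # step 560: create-command
            self.slots.setdefault(hash_index(key), []).append(FlowEntry(key, ts, ts, 1, length))
            return "created"
        entry.last, entry.packets, entry.octets = ts, entry.packets + 1, entry.octets + length
        return "updated"  # step 550: update-command

    def scan(self, now, idle_timeout):
        """FIG. 6: scan-command marks entries idle longer than the timer value as expired."""
        marked = 0
        for e in (e for es in self.slots.values() for e in es):
            if not e.expired and now - e.last > idle_timeout:
                e.expired, marked = True, marked + 1
        return marked

    def export_expired(self):
        """FIG. 7: emit flow information records for expired entries, then remove them."""
        records = [(e.key, e.start, e.last, e.packets, e.octets)
                   for es in self.slots.values() for e in es if e.expired]
        live = {i: [e for e in es if not e.expired] for i, es in self.slots.items()}
        self.slots = {i: es for i, es in live.items() if es}  # step 740: remove
        return records
```

A collector would serialise each exported record into the template or fixed-field layout of the protocol in use (NetFlow v5/v9, IPFIX); the model stops at the record tuple.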
[0101] FIG. 8 shows a schematic drawing of a virtualized server
environment comprising an apparatus for analyzing the network flow
between virtual computing systems.
[0102] The virtualized server environment comprises a computer
system 800 comprising two or more virtual computing systems 810
that run on a central processing unit 820 of the computer system
800. The computer system 800 comprises further a software
networking device 830 for internal communication between the
virtual computing systems 810 and a hardware networking device 840
for external communication between the virtual computing systems
810 and an external device 850.
[0103] The software networking device 830 is provided for managing
and controlling the internal communication between the virtual
computing systems 810. It may be e.g. a software switch, i.e. a
switch implemented in software.
[0104] The hardware networking device 840 may be e.g. a network
adapter or a hardware switch. It is provided for managing and
controlling the external communication between the virtual
computing systems 810 and an external device 850. The external
device 850 can be e.g. another computer system, a network, the
internet or any other destination the computer system 800 would
like to communicate with.
[0105] The hardware networking device 840 comprises the apparatus
100 for analysing a network flow. The apparatus 100 is implemented
in hardware as a hardware assist device for the central processing
unit 820 of the computer system 800.
[0106] The virtual computing systems 810 may communicate with each
other via the software networking device 830 and a virtual local
network 860. The virtual local network 860 could be e.g. a Virtual
Local Area Network (VLAN).
[0107] The hardware networking device 840 can communicate with the
virtual computing systems 810 and with the software networking
device 830 by means of a virtual Input/Output (I/O) server
partition 870.
[0108] The software networking device 830 is provided for
forwarding the network flow or parts of the network flow occurring
in the software networking device 830 to the apparatus 100. The
hardware networking device 840 is provided for forwarding the
network flow or parts of the network flow occurring in the hardware
networking device 840 to the apparatus 100. The software networking
device 830 may use the virtual Input/Output (I/O) server partition
870 for forwarding the network flow or parts of the network flow to
the apparatus 100. The hardware networking device 840 may use a
hardware bus 880 for forwarding the network flow or parts of the
network flow to the apparatus 100.
[0109] The computer system 800 allows for monitoring and analysing
the network flow between the virtual computing systems 810 and/or
between the virtual computing systems 810 and the external device
850 in a scalable way. There is no additional software needed on
the computer system 800 and on the virtual computing systems
810.
[0110] The disclosed embodiments may be combined with one or
several of the other embodiments shown and/or described. This is
also possible for one or more features of the embodiments.
ADDITIONAL EMBODIMENT DETAILS
[0111] The described techniques may be implemented as a method,
apparatus or article of manufacture involving software, firmware,
micro-code, hardware and/or any combination thereof. The term
"article of manufacture" as used herein refers to code or logic
implemented in a medium, where such medium may comprise hardware
logic [e.g., an integrated circuit chip, Programmable Gate Array
(PGA), Application Specific Integrated Circuit (ASIC), etc.] or a
computer readable medium, such as magnetic storage medium (e.g.,
hard disk drives, floppy disks, tape, etc.), optical storage
(CD-ROMs, optical disks, etc.), volatile and non-volatile memory
devices [e.g., Electrically Erasable Programmable Read Only Memory
(EEPROM), Read Only Memory (ROM), Programmable Read Only Memory
(PROM), Random Access Memory (RAM), Dynamic Random Access Memory
(DRAM), Static Random Access Memory (SRAM), flash, firmware,
programmable logic, etc.]. Code in the computer readable medium is
accessed and executed by a processor. The medium in which the code
or logic is encoded may also comprise transmission signals
propagating through space or a transmission media, such as an
optical fiber, copper wire, etc. The transmission signal in which
the code or logic is encoded may further comprise a wireless
signal, satellite transmission, radio waves, infrared signals,
Bluetooth, etc. The transmission signal in which the code or logic
is encoded is capable of being transmitted by a transmitting
station and received by a receiving station, where the code or
logic encoded in the transmission signal may be decoded and stored
in hardware or a computer readable medium at the receiving and
transmitting stations or devices. Additionally, the "article of
manufacture" may comprise a combination of hardware and software
components in which the code is embodied, processed, and executed.
Of course, those skilled in the art will recognize that many
modifications may be made without departing from the scope of
embodiments, and that the article of manufacture may comprise any
information bearing medium. For example, the article of manufacture
comprises a storage medium having stored therein instructions that
when executed by a machine results in operations being
performed.
[0112] Certain embodiments can take the form of an entirely
hardware embodiment, an entirely software embodiment or an
embodiment containing both hardware and software elements. In a
preferred embodiment, the invention is implemented in software,
which includes but is not limited to firmware, resident software,
microcode, etc.
[0113] Furthermore, certain embodiments can take the form of a
computer program product accessible from a computer usable or
computer readable medium providing program code for use by or in
connection with a computer or any instruction execution system. For
the purposes of this description, a computer usable or computer
readable medium can be any apparatus that can contain, store,
communicate, propagate, or transport the program for use by or in
connection with the instruction execution system, apparatus, or
device. The medium can be an electronic, magnetic, optical,
electromagnetic, infrared, or semiconductor system (or apparatus or
device) or a propagation medium. Examples of a computer-readable
medium include a semiconductor or solid state memory, magnetic
tape, a removable computer diskette, a random access memory (RAM),
a read-only memory (ROM), a rigid magnetic disk and an optical
disk. Current examples of optical disks include compact disk--read
only memory (CD-ROM), compact disk--read/write (CD-R/W) and
DVD.
[0114] The terms "certain embodiments", "an embodiment",
"embodiment", "embodiments", "the embodiment", "the embodiments",
"one or more embodiments", "some embodiments", and "one embodiment"
mean one or more (but not all) embodiments unless expressly
specified otherwise. The terms "including", "comprising", "having"
and variations thereof mean "including but not limited to", unless
expressly specified otherwise. The enumerated listing of items does
not imply that any or all of the items are mutually exclusive,
unless expressly specified otherwise. The terms "a", "an" and "the"
mean "one or more", unless expressly specified otherwise.
[0115] Devices that are in communication with each other need not
be in continuous communication with each other, unless expressly
specified otherwise. In addition, devices that are in communication
with each other may communicate directly or indirectly through one
or more intermediaries. Additionally, a description of an
embodiment with several components in communication with each other
does not imply that all such components are required. On the
contrary a variety of optional components are described to
illustrate the wide variety of possible embodiments. Further,
although process steps, method steps, algorithms or the like may be
described in a sequential order, such processes, methods and
algorithms may be configured to work in alternate orders. In other
words, any sequence or order of steps that may be described does
not necessarily indicate a requirement that the steps be performed
in that order. The steps of processes described herein may be
performed in any order practical. Further, some steps may be
performed simultaneously, in parallel, or concurrently.
[0116] When a single device or article is described herein, it will
be apparent that more than one device/article (whether or not they
cooperate) may be used in place of a single device/article.
Similarly, where more than one device or article is described
herein (whether or not they cooperate), it will be apparent that a
single device/article may be used in place of the more than one
device or article. The functionality and/or the features of a
device may be alternatively embodied by one or more other devices
which are not explicitly described as having such
functionality/features. Thus, other embodiments need not include
the device itself.
[0117] Computer program means or computer program in the present
context mean any expression, in any language, code or notation, of
a set of instructions intended to cause a system having an
information processing capability to perform a particular function
either directly or after either or both of the following: a)
conversion to another language, code or notation; b) reproduction
in a different material form.
* * * * *