
Method on OpenFlow Control

IP.com Disclosure Number: IPCOM000214117D
Publication Date: 2012-Jan-10

Publishing Venue

The IP.com Prior Art Database

Related Documents

61/419,451: PATAPP

Abstract

Embodiments of this invention apply to networks where configurable routers are deployed universally. Control servers exist to configure the routers directly. The function blocks of the control servers and the routers may be inside the same apparatus. Figure 1 shows the overview of the network in which the controllers and the routers are separate. The configurable router has an interface through which the controller remotely inserts, modifies, or deletes entries of its forwarding table, similar to OpenFlow switches. OpenFlow switches let their forwarding tables be configured by their controllers. So, the controllers are connected to their routers physically or logically. The host may be an end terminal, a web server, an application server, or even a network node like a load balancer or a NAT router.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 14% of the total text.

[Title]

Method on OpenFlow Control

[Background of the Invention and Related Art Statement]

Configurable nodes like the OpenFlow switch have been proposed. Some such nodes have been deployed as campus networks in universities or as testbed networks. These nodes can be configured easily and remotely to some extent. In a network composed of such nodes, data traffic can be controlled over the entire network. However, there is a problem with authentication and authorization. To keep a network safe, some mechanism is needed that protects against malicious or erroneous configuration of these configurable nodes. This invention fixes which configurations should be authorized and proposes a mechanism that authenticates a host or a user to be permitted to perform that configuration.

Public key infrastructure (PKI) is common as an authentication mechanism. However, it is not realistic in terms of cost and performance that the huge number of nodes likely to configure the nodes are all identified a priori and their keys managed by PKI. This invention adopts an address ownership verification technique to solve this scalability problem. The public key of a given host is not associated with its address. Existing techniques for proving ownership of an IP address have been proposed, such as Return Routability (RR) (1) and Cryptographically Generated Addresses (CGA) (2). This invention is based on the fact that routing in the Internet is semi-reliable, as is RR. When RR is used, an attacker could tap the RR messages near the node that verifies a host, and then spoof that host. This invention is able to prevent attackers from spoofing even if any message of this mechanism is tapped. The basic idea of CGA is to create the IPv6 interface identifier from the public key of the host. The host sends its public key with its messages, and then the recipient can verify that the message comes from the owner of the address. However, CGA is limited to IPv6 addresses and cannot be used in IPv4 networks. This invention applies to both IPv4 and IPv6 networks.
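The CGA idea referred to above (binding an IPv6 interface identifier to a public key so that a recipient can check that a message comes from the address owner) can be made concrete with the Hash1/Hash2 construction of RFC 3972. The following Python is an added example and is not part of this disclosure or of the invention's own mechanism; it shows only the address-to-key binding, not the message signature that CGA-based protocols pair with it. The public keys and the 2001:db8::/64 prefix are constructed placeholder values, not real DER-encoded keys.

```python
"""Simplified Cryptographically Generated Address (CGA) generation and
verification after RFC 3972. Added example; the "public keys" below are
constructed placeholder byte strings, not real DER-encoded RSA keys."""
import hashlib
import ipaddress


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1 = SHA-1(modifier || subnet prefix || collision count || public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Hash2 = SHA-1(modifier || 9 zero octets || public key); its leading
    16*sec bits must be zero, which makes brute-forcing a key for a given
    address more expensive as sec grows."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()


def leading_zero_bits(data: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    count = 0
    for octet in data:
        if octet == 0:
            count += 8
            continue
        count += 8 - octet.bit_length()
        break
    return count


def _interface_id(hash1: bytes, sec: int) -> bytes:
    """Leftmost 64 bits of Hash1 with sec written into bits 0-2 and the
    u/g bits (bits 6 and 7 of the identifier) cleared."""
    iid = bytearray(hash1[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int,
                 modifier: bytes = bytes(16), collision_count: int = 0):
    """Return (16-byte address, CGA parameters) for a 64-bit prefix and key."""
    assert len(prefix) == 8 and len(modifier) == 16 and 0 <= sec <= 7
    if sec > 0:
        # Search for a modifier that satisfies the Hash2 condition.
        m = int.from_bytes(modifier, "big")
        while leading_zero_bits(_hash2(m.to_bytes(16, "big"), pubkey)) < 16 * sec:
            m = (m + 1) % (1 << 128)
        modifier = m.to_bytes(16, "big")
    address = prefix + _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return address, params


def verify_cga(address: bytes, params: dict) -> bool:
    """Recipient-side check: does this public key really generate this address?"""
    if len(address) != 16 or params["collision_count"] > 2:
        return False
    prefix, iid = address[:8], address[8:]
    if params["prefix"] != prefix:
        return False
    sec = iid[0] >> 5  # sec is carried in the address itself
    expected = _interface_id(
        _hash1(params["modifier"], prefix, params["collision_count"], params["pubkey"]), sec)
    if expected != iid:
        return False
    if sec > 0 and leading_zero_bits(_hash2(params["modifier"], params["pubkey"])) < 16 * sec:
        return False
    return True


# Constructed sample data (placeholders, not real keys).
HOST_PUBKEY = b"CONSTRUCTED-HOST-PUBLIC-KEY-" + bytes(range(32))
ATTACKER_PUBKEY = b"CONSTRUCTED-ATTACKER-PUBLIC-KEY-" + bytes(range(32, 64))
PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64 documentation prefix


def demo():
    """Generate a sec=1 CGA for the host and show that swapping in another
    party's key (what a tapping attacker would have to do) fails verification."""
    address, params = generate_cga(PREFIX, HOST_PUBKEY, sec=1)
    legit = verify_cga(address, params)
    spoof = verify_cga(address, {**params, "pubkey": ATTACKER_PUBKEY})
    return address, legit, spoof


if __name__ == "__main__":
    addr, legit, spoof = demo()
    print("CGA:", ipaddress.IPv6Address(addr))
    print("owner key verifies:", legit, "| substituted key verifies:", spoof)
```

The verifier reads `sec` from the address and recomputes Hash1 from the parameters the claimant supplies, so an observer who captures the message cannot reuse the address with a different key: the identifier would no longer match. The same binding is what the invention generalizes to IPv4, where no 64-bit interface identifier exists to carry the hash.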

[Summary of the Invention]

This invention applies to networks where configurable routers are deployed universally. Control servers exist to configure the routers directly. The function blocks of the control servers and the routers may be inside the same apparatus. Figure 1 shows the overview of the network in which the controllers and the routers are separate. The configurable router has an interface through which the controller remotely inserts, modifies, or deletes entries of its forwarding table, similar to OpenFlow switches. OpenFlow switches let their forwarding tables be configured by their controllers. So, the controllers are connected to their routers physically or logically. The host may be an end terminal, a web server, an application server, or even a network node like a load balancer or a NAT router.

Figure 2 shows the system diagram in which there are four main pa...