GENERATING TRAFFIC FROM A PREDETERMINED AMOUNT OF
RELATED APPLICATION INFORMATION
Priority claim under 35 U.S.C. 120: This application is a Continuation of Ser. No. 10/706,404, filed Nov. 12, 2003, entitled "Generating Processed Traffic", now U.S. Pat. No. 7,327,686 B2.
NOTICE OF COPYRIGHTS AND TRADE DRESS
A portion of the disclosure of this patent document contains material which is subject to copyright protection. This patent document may show and/or describe matter which is or may become trade dress of the owner. The copyright and trade dress owner has no objection to the facsimile reproduction by anyone of the patent disclosure as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright and trade dress rights whatsoever.
BACKGROUND OF THE INVENTION
1. Field
The present invention relates to generating processed traffic.
2. Description of Related Art
Networks such as the Internet provide a variety of data communicated using a variety of network devices including servers, routers, hubs, switches, and other devices. Before placing a network into use, the network, including the network devices included therein, may be tested to ensure successful operation. Network devices may be tested, for example, to ensure that they function as intended, comply with supported protocols, and can withstand anticipated traffic demands.
To assist with the construction, installation and maintenance of networks and network devices, networks may be augmented with network analyzing devices, network conformance systems, network monitoring devices, and network traffic generators, all of which are referred to herein as network testing systems. The network testing systems may allow for the sending, capturing and/or analyzing of network communications.
Current network traffic analysis tools and traffic generation systems exist as separate entities. Several techniques for gathering and analyzing network data exist. These techniques include direct playback of recorded data and synthetic generation of packet based traffic.
Rapid advances in communication technology have accentuated the need for security in IP networks such as the Internet. To solve this problem, the IP Security Protocol (IPSEC) has been developed. IPSEC includes mechanisms to protect client protocols of IP and operates at the IP layer. IPSEC is a security protocol in the network layer which provides cryptographic security services that flexibly support combinations of authentication, integrity, access control and confidentiality. Work on IPSEC has focused on improvement of the Internet Key Exchange (IKE) and encapsulation protocols.
IPSEC uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorized reading of packet contents. These services allow secure tunnels through untrusted networks to be built. Everything passing through the untrusted network is encrypted by an IPSEC gateway and decrypted by a gateway at the other end. The result is a Virtual Private Network (VPN). This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet.
The IPSEC protocols were developed by the IETF (Internet Engineering Task Force), and it is believed that they will be required as part of IP Version Six. They are also being widely implemented for IP Version Four. In particular, nearly all vendors of any type of firewall or security software have IPSEC support either shipping or in development.
In an IPSEC tunnel, the relevant players are the endpoints (hosts) and the gateways. Traffic between hosts and gateways is clear, application data. That between gateways is subject to a series of operations described as the properties of the tunnel (authentication, encryption, encapsulation). In simplistic terms, an IPSEC VPN can be viewed as a combination of a left endpoint, a left gateway, a right gateway and a right endpoint.
Once an IPSEC tunnel has been established, traffic originating from the left endpoint and destined for the right is sent clear to the left gateway where it is processed/encapsulated and forwarded to the right gateway. The right gateway likewise processes and decapsulates it before sending the original clear traffic on to the right endpoint.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a first environment for generating processed traffic.
FIG. 2 is a block diagram of a second environment for generating processed traffic.
FIG. 3 is a block diagram of an apparatus for generating processed traffic.
FIG. 4 is a flow chart of a method of generating processed traffic.
FIG. 5 is a data flow diagram of a method of generating processed traffic.
DETAILED DESCRIPTION OF THE INVENTION
Throughout this description, the embodiments and examples shown should be considered as exemplars, rather than limitations on the apparatus and methods of the present invention.
Description of the System
Referring to FIG. 1, there is shown a block diagram of an environment 100 for generating processed traffic. The environment 100 includes a traffic generator 110, a traffic receiver 120, a console 160, a gateway 150 and a network 140 to which the traffic generator 110 and the gateway 150 may be coupled.
The traffic generator 110 may simulate (1) a host or network of hosts and/or (2) a gateway to the network 140. The traffic receiver 120 may simulate a host or network of hosts. The traffic generator 110 generates traffic from one or more simulated hosts to the simulated hosts of the traffic receiver 120. The traffic generator 110 also simulates a gateway which encrypts and encapsulates the traffic. The gateway 150 decapsulates and decrypts the traffic and transmits the traffic to the traffic receiver 120. VPN tunnels may be established between the traffic generator 110 and the gateway 150.
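The tunnel operations described in the background (clear traffic handed to the left gateway, authenticated and encrypted between the gateways, decapsulated and verified at the right gateway) and the FIG. 1 flow above, as an added worked example in Go. It is not code from the patent or from any product it describes. It models one ESP security association with AES-128-GCM, an ESP-style SPI/sequence-number header and an RFC 4303 anti-replay window; the SPI 0x1001, the 20-byte keying material, the HTTP-like payloads and all function names are constructed for illustration, and a real gateway would take its keys from IKE rather than from a constant.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrReplay = errors.New("replayed or stale sequence number")
var ErrAuth = errors.New("authentication failed: packet forged or altered")

// Tunnel is one ESP security association as seen by the left gateway (Encapsulate)
// and the right gateway (Decapsulate); a hypothetical model, not the patent's apparatus.
type Tunnel struct {
	spi    uint32
	aead   cipher.AEAD
	salt   [4]byte // leading 4 bytes of every GCM nonce (RFC 4106 layout)
	txSeq  uint32  // last sequence number sent
	rxHigh uint32  // highest sequence number accepted
	rxMask uint64  // 64-packet replay window: bit i set means rxHigh-i was accepted
}

// NewTunnel builds an SA from 20 bytes of keying material: a 16-byte AES-128 key
// followed by a 4-byte salt, which is how RFC 4106 splits the KEYMAT that IKE derives.
func NewTunnel(spi uint32, keymat [20]byte) (*Tunnel, error) {
	block, err := aes.NewCipher(keymat[:16])
	if err != nil {
		return nil, err
	}
	t := &Tunnel{spi: spi}
	copy(t.salt[:], keymat[16:])
	t.aead, err = cipher.NewGCM(block)
	return t, err
}

// nonce is salt || 64-bit sequence number: unique per packet while the counter is.
func (t *Tunnel) nonce(seq uint32) []byte {
	n := make([]byte, 12)
	copy(n, t.salt[:])
	binary.BigEndian.PutUint64(n[4:], uint64(seq))
	return n
}

// Encapsulate (left gateway): prefix an ESP-like header (SPI, sequence number) and
// AES-GCM encrypt the clear inner packet, with the header authenticated as AAD.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	if t.txSeq == ^uint32(0) {
		return nil, errors.New("sequence space exhausted; SA must be rekeyed")
	}
	t.txSeq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], t.spi)
	binary.BigEndian.PutUint32(hdr[4:8], t.txSeq)
	return t.aead.Seal(append([]byte(nil), hdr...), t.nonce(t.txSeq), inner, hdr), nil
}

// Decapsulate (right gateway): match the SPI, apply the RFC 4303 anti-replay check
// before spending any crypto, verify and decrypt, and only then slide the window.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 8+t.aead.Overhead() || binary.BigEndian.Uint32(pkt[0:4]) != t.spi {
		return nil, errors.New("truncated packet or unknown SPI")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	// d is the distance behind the window edge; it is only consulted when seq <= rxHigh.
	if d := t.rxHigh - seq; seq == 0 || (seq <= t.rxHigh && (d >= 64 || t.rxMask&(uint64(1)<<d) != 0)) {
		return nil, ErrReplay // ESP numbering starts at 1; too old or already seen
	}
	inner, err := t.aead.Open(nil, t.nonce(seq), pkt[8:], pkt[:8])
	if err != nil {
		return nil, ErrAuth // window untouched: a forgery cannot advance it
	}
	if seq > t.rxHigh { // slide forward; a shift of 64 or more clears the mask
		t.rxMask, t.rxHigh = t.rxMask<<(seq-t.rxHigh), seq
	}
	t.rxMask |= uint64(1) << (t.rxHigh - seq)
	return inner, nil
}

// RunTunnel drives n constructed packets left host -> left gateway -> right gateway
// -> right host, injecting a bit-flipped copy of each first and replaying the last
// one at the end; it returns the delivered, forgery-dropped and replay-dropped counts.
func RunTunnel(n int) (delivered, forged, replayed int) {
	var keymat [20]byte
	copy(keymat[:], "0123456789abcdefSALT") // constructed; IKE would negotiate this
	sa, _ := NewTunnel(0x1001, keymat)       // cannot fail for a 16-byte AES key
	var last []byte
	for i := 0; i < n; i++ {
		clear := []byte(fmt.Sprintf("GET /item/%d HTTP/1.0\r\n\r\n", i)) // constructed payload
		last, _ = sa.Encapsulate(clear)                                 // cannot wrap in this run
		bad := append([]byte(nil), last...)
		bad[len(bad)-1] ^= 1 // attacker flips one tag byte in transit
		if _, err := sa.Decapsulate(bad); errors.Is(err, ErrAuth) {
			forged++
		}
		if got, err := sa.Decapsulate(last); err == nil && string(got) == string(clear) {
			delivered++ // the genuine packet still passes: the forgery did not move the window
		}
	}
	if _, err := sa.Decapsulate(last); errors.Is(err, ErrReplay) { // exact copy resent
		replayed++
	}
	return
}
```

RunTunnel(10) returns 10 delivered, 10 forgeries dropped and 1 replay dropped. Three details are the ones a gateway test should exercise: the replay check runs before any decryption, so junk costs no AES work; the window is updated only after the tag verifies, so a forged packet cannot push the edge forward and starve the genuine one; and Encapsulate refuses to continue once the 32-bit counter would wrap, because under GCM a repeated nonce under the same key breaks both confidentiality and authentication.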
The network 140 may be a local area network (LAN), a wide area network (WAN), a storage area network (SAN), or a combination of these. The network 140 may be wired, wireless, or a combination of these. The network 140 may include or be the Internet, and may support Internet Protocol (IP) traffic. The network 140 may be public or private, and may be a segregated test network. The network 140 may be comprised of numerous nodes providing numerous physical and logical paths for data to travel. The network 140 may be physically insecure.
Communications on the network 140 may take various forms, including frames, cells, datagrams, packets or other units of information, all of which are referred to herein as data units. There may be plural logical communications links between the traffic generator 110 and the traffic receiver 120.
The gateway 150 may be a router, switch, VPN gateway or other communication interface capable of receiving traffic from the network 140 and passing the traffic to the traffic receiver 120. The gateway 150 may be a single device or system of devices. The gateway 150 may have other capabilities. The gateway 150 and the traffic generator 110 may be directly connected. Likewise, the gateway 150 and the traffic receiver 120 may be directly connected. Alternatively, there may be a physically secure network between the gateway 150 and the traffic receiver 120. Other alternatives are possible.
The traffic generator 110 and the traffic receiver 120 may include or be one or more of a traffic generator, a performance analyzer, a conformance validation system, a network analyzer, a network management system, and/or others. The traffic generator 110 and the traffic receiver 120 may include an operating system such as, for example, versions of Linux, Unix and Microsoft Windows. The traffic generator 110 and traffic receiver 120 may include one or more network cards 114, 124 and back planes 112, 122. The traffic generator 110 and the traffic receiver 120 and/or one or more of the network cards 114, 124 may be coupled to the network 140 via one or more connections 118, 128. The connections 118, 128 may be wired or wireless.
The traffic generator 110 and the traffic receiver 120 may be in the form of a card rack, as shown in FIG. 1, or may be an integrated unit. Alternatively, the traffic generator 110 and the traffic receiver 120 may each comprise a number of separate units cooperating to provide traffic generation, traffic and/or network analysis, network conformance testing, and other tasks.
The console 160 may be connected to the traffic generator 110 to provide application layer control of the traffic generator 110. The console 160 may be a PC, workstation or other device. The console 160 may provide a high level user interface such as a GUI. The console 160, or a like device, may also be coupled to the traffic receiver 120 to provide application layer control of the traffic receiver 120.
The console 160 may be used to set up tens of thousands of tunnels with user-variable parameters and then send real Layer 4-7 traffic over the tunnels. By creating these real-world scenarios, users can validate tunnel capacity and tunnel setup rates, as well as validate data performance over the tunnels.
The traffic generator 110, the traffic receiver 120 and the network cards 114, 124 may support one or more higher level communications standards or protocols such as, for example, the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Protocol (IP), Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol (HTTP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP); and may support one or more lower level communications standards or protocols such as, for example, the 10 Gigabit Ethernet standard, the Fibre Channel standards, one or more varieties of the IEEE 802 Ethernet standards, Asynchronous Transfer Mode (ATM), X.25, Integrated Services Digital Network (ISDN), token ring, frame relay, Point to Point Protocol (PPP), Fiber Distributed Data Interface (FDDI), and proprietary and other protocols.
The term network card encompasses line cards, test cards, analysis cards, network line cards, load modules, interface cards, network interface cards, data interface cards, packet engine cards, service cards, smart cards, switch cards, relay access cards, CPU cards, port cards, and others. The network cards may be referred to as blades. The network cards 114, 124 may include one or more computer processors, field programmable gate arrays (FPGA), application specific integrated circuits (ASIC), programmable logic devices (PLD), programmable logic arrays (PLA), processors and other kinds of devices. The network cards may include memory such as, for example, random access memory (RAM). In addition, the network cards 114, 124 may include software and/or firmware.
At least one network card 114, 124 in each of the traffic generator 110 and the traffic receiver 120 may include a circuit, chip or chip set that allows for communication over a network as one or more network capable devices. A network capable device is any device that may communicate over the network 140. The network cards 114, 124 may be connected to the network 140 through one or more connections 118, 128 which may be wire lines, optical fiber cables, wireless links and otherwise. Although only one of each of the connections 118, 128 is shown, multiple connections with the network 140 may exist from the traffic generator 110, the traffic receiver 120 and the network cards 114, 124. Each network card 114, 124 may support a single communications protocol, may support a number of related protocols, or may support a number of unrelated protocols. The network cards 114, 124 may be permanently installed in the traffic generator 110 and the traffic receiver 120, may be removable, or may be a combination thereof. One or more of the network cards 114, 124 may have a resident operating system included thereon, such as, for example, a version of the Linux operating system. The traffic generator 110 and the traffic receiver 120 may include a CPU card that allows the chassis to also serve as a computer workstation.
The back planes 112, 122 may serve as a bus or communications medium for the network cards 114, 124. The back planes 112,122 may also provide power to the network cards 114, 124.
The traffic generator 110 and the traffic receiver 120 as well as one or more of the network cards 114, 124 may include software that executes to achieve the techniques described herein. As used herein, the term software involves any instructions that may be executed on a computer processor of any kind. The software may be implemented in any computer language, and may be executed as object code, may be assembly or machine code, a combination of these, and others. The term application refers to one or more software modules, software routines or software programs and combinations thereof. A suite includes one or more software applications, software modules, software routines or software programs and combinations thereof. The techniques described herein may be implemented as software in the form of one or more applications and suites and may include lower level drivers, object code, and other lower level software.
The software may be stored on and executed from any local or remote machine readable medium such as, for example, without limitation, magnetic media (e.g., hard disks, tape, floppy disks), optical media (e.g., CD, DVD), flash memory products (e.g., memory stick, compact flash and others), and volatile and non-volatile silicon memory products (e.g., random access memory (RAM), programmable read-only memory (PROM), electronically erasable programmable read-only memory (EEPROM), and others). A storage device