JP2006080789A - Network system, its control method and address giving server - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network for reducing the load of a router for connecting to an external network in the network including both network equipment allowed to communicate with the external network and unallowed network equipment. <P>SOLUTION: An address giving server is used which changes an IP address of network equipment that has made a request from a first subnet address to a second subnet address in setting and changes a default gateway address of the network equipment that has made the request from an IP address of the address giving server to an IP address of a router when the request for external network connection is received from the network equipment of the first subnet. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a network system having a plurality of subnets, a control method therefor, and an address assignment server that improve information protection, unauthorized access, and security.

  The standard network currently in widespread use is based on the technology specified in RFC-791 “INTERNET PROTOCOL”, where data is transmitted and received between multiple network devices. In order to transmit and receive this data with the correct counterpart without fail, a unique IP address is assigned to each network device. Using this IP address, communication between different network devices becomes possible.

  In addition, when communicating between network devices existing in one network having a common transmission path, direct communication is possible, but when communicating with an external network outside the network, a special IP address is assigned. Communicates via the assigned router.

  This router is composed of a network device called a gateway or a switch, and relays data for sending data from the network device included in the network to an external network. Router relay is called routing.

  In this way, if a router is connected to a network, it is possible to freely communicate with an external network from a network device included in the network.

  Incidentally, even network devices included in the same network may include network devices that are permitted to communicate with external networks and network devices that are not permitted. In this case, the router checks the IP address of the source network device, relays data if it is from a network device that is allowed to communicate with the external network, and if it is data from an unauthorized network device. Shut off. As described above, a router having a relay / blocking switching function is known. For example, Japanese Patent Application Laid-Open No. 11-55302 introduces a switching hub having a relay / interrupt switching function.

JP-A-11-55302

  A router with a relay / blocking switching function analyzes communication data when it is sent, identifies the source network device, and that network device is allowed to communicate with an external network. Judge whether or not. This determination is made with reference to a table provided in the router, for example. Since the router performs such analysis and determination, it takes time for the communication data to pass through the router. That is, the amount of information that can be passed per unit time is reduced. As a result, there is a problem that the communication speed of the network becomes slow.

  In addition, a router with a relay / blocking switching function needs to update the table each time a network device that is allowed to communicate is added or deleted, so the router is very expensive. There was a problem that was supposed to be.

  The present invention has been made to solve the above problems, and a network system according to the present invention includes a first subnet including one or more network devices, and a second subnet including one or more network devices. , An address assignment server for assigning addresses to the network devices in the first subnet and the second subnet, and a router connected to the external network. The network device in the second subnet has a router as data transmission or reception destination information. An IP address is set.

  The network system control method according to the present invention includes a step of receiving a request for an external network connection from a network device in the first subnet, and an IP address of the network device that has made the request is an address in the first subnet. And changing the setting to the address of the second subnet, and setting the data transmission or reception destination information of the requested network device to the IP address of the router.

  Furthermore, an address assignment server according to the present invention controls the network system described above, and includes means for receiving a request for external network connection from a network device of the first subnet, and a network device having the request. Means for changing the setting of the IP address from the address of the first subnet to the address of the second subnet, and means for setting the data transmission or reception destination information of the requested network device to the IP address of the router. It is what.

  The network system according to the present invention does not require a router having a relay / blocking switching function, and can use a simple router that relays all transmitted data. Even if such a simple router is used, both a network device that is allowed to communicate with an external network and a network device that is not allowed can be mixed and included in the network.

  In addition, since the data relayed by the router is not analyzed or judged by the router, the communication speed in the router does not decrease.

  Furthermore, even if an existing network uses a simple router, if the address assignment server of the present invention is used, network devices that are permitted to communicate with external networks and network devices that are not permitted. A network including both of these can be easily constructed.

  FIG. 1 shows a basic configuration of a network system according to the present invention. Reference numeral 2 denotes a subnet A composed of network devices A1, A2,... Ai-1 connected to the transmission line 3 (network devices Ai,... Am indicated by dotted lines indicate devices that can be further connected. ) 4 includes network devices B1, B2,... Bj-1 connected to the transmission line 3 (network devices Bj,... Bn indicated by dotted lines indicate devices that can be further connected). Subnets B and 6 are address assignment servers for assigning IP addresses to network devices, including a DHCP (Dynamic Host Configuration Protocol) server 8 and a controller 10, and 12 is a router (layer 3 switch) for an external network. 14 is connected.

  The network system of the present invention uses a subnet. Subnets are stipulated in RFC-917 “INTERNET SUBNETS”. Communication between network devices in the subnet can be performed directly, while communication with external networks outside the subnet is a special IP. This is done via the router to which the address is assigned. Further, the network referred to in the present invention refers to an aggregate composed of a plurality of network devices connected to a common transmission path. In the case of FIG. 1, the network devices included in subnets A and B, the address assignment server 6 and the router 12 are connected by a common transmission path 3, and these aggregates are called a network.

  Since a maximum of m IP addresses can be assigned to the subnet A, m network devices having a maximum of A1 to Am can be connected to the transmission path 3. In the example shown in FIG. 1, (i−1) network devices A1 to Ai−1 are connected to the transmission path 3. The network devices included in the subnet A are set to be communicable only between the network devices included in the subnet A. The network device mentioned here includes not only a personal computer but also other devices that can be connected to a LAN. The symbols A1 to Am are used as reference symbols for the network devices included in the subnet A, and are also used to represent IP addresses assigned to the network devices included in the subnet A.

  FIG. 5 shows the setting contents of the network device Ax (x is an arbitrary number from 1 to m) included in the subnet A. In the network device Ax, Ax is set as the IP address, the subnet mask of the subnet A is set as the subnet mask, and the IP address of the address assignment server 6 is set as the default gateway address (also referred to as default router address). . The default gateway address refers to an address of a device with which the network device Ax sends or receives data, that is, data transmission or reception destination information. Accordingly, the data sent out via the transmission path 3 by the network device Ax included in the subnet A is sent to the address assignment server 6. In other words, data from the network device Ax included in the subnet A is not sent to the router 12 and therefore is not sent to the external network 14.

  The network device Ax included in the subnet A can be used for setting nothing as a default gateway address (also referred to as a default router address).

  On the other hand, since a maximum of n IP addresses can be allocated to the subnet B, n network devices from a maximum of B1 to Bn can be connected to the transmission path 3. In the example shown in FIG. 1, (j−1) network devices from B1 to Bj−1 are connected to the transmission path 3. The network devices included in the subnet B are set to be communicable with the external network 14 through the router 12 as well as between the network devices included in the subnet B.

  FIG. 6 shows the setting contents of the network device By (y is an arbitrary number from 1 to n) included in the subnet B. In the network equipment By, By is set as By, the subnet mask of Subnet B is set as the subnet mask, and the IP address of the router 12 is set as the default gateway address, that is, data transmission / reception destination information. Therefore, data sent out by the network device By included in the subnet B via the transmission path 3 is sent to the router 12 and further sent to the external network 14.

  FIG. 2 shows a state where the network device X is newly connected to the transmission path 3. In this case, the address assignment server 6 performs the operation shown in FIG. That is, in the address assignment server 6, the DHCP 8 performs a predetermined address assignment operation under the control of the controller 10.

  In FIG. 7, it is determined in step S1 whether a new network device X is connected. If the new network device X is connected, the IP address of the subnet A is assigned to the device X in step S2, and the IP address of the address assignment server 6 is set as the default gateway address in step S3. That is, in steps S2 and S3, the settings shown in FIG. 5 are made. Step 3 can be omitted. For example, if the IP address Ai is unused in the subnet A, the DHCP 8 assigns the IP address Ai to the new network device X. This state is shown in FIG. If a new network device is connected in this way, it is first set as a device belonging to subnet A. Further, the DHCP 8 sets a lease time La (a time during which the DHCP 8 permits the use of the IP address Ai) for the new network device X. In the present invention, the lease time of subnet A is set to a time within 5 minutes, for example, 1 minute or 30 seconds.

  Next, when any of the network devices belonging to the subnet A, for example, the device Ai requests communication with the external network 14, the address assignment server 6 performs the operation shown in FIG.

  In FIG. 8, in step S <b> 11, it is determined whether any of the network devices included in the subnet A, for example, the device Ai requests connection with the external network 14. If there is a request, it is determined in step S12 whether the requested network device satisfies a predetermined requirement. As predetermined requirements, for example, it is determined whether or not necessary authentication has been performed and whether or not an ID number and a password are correctly input. More specifically, for example, when a connection request to the external network 14 is sent from the device Ai to the controller 10 of the address assignment server 6, the controller 10 sends a URL for inputting an ID number and a password to the device Ai. If the ID number and password sent from the device Ai are not correct, the process proceeds to step S13, and the settings are continuously used as shown in FIG. 5 without changing the IP address. If the correct ID number and password are sent from the device Ai, the process proceeds to step S14. In step S14, the controller 10 issues a command to the DHCP 8, and changes the IP address of the device Ai from the subnet A address Ai to the subnet B address Bj. In step S15, the default gateway address is set to the IP address of the router 12. That is, in steps S14 and S15, the setting of the device Ai is changed from the setting shown in FIG. 5 to the setting shown in FIG. In addition, the DHCP 8 sets a new lease time Lb (a time during which the DHCP 8 permits use of the IP address Bj) for the network device Ai. In the present invention, the lease time of the subnet B is set to 5 minutes or longer, for example, 1 hour, 1 day, or longer. That is, the lease time for subnet B is set to be greater than the lease time for subnet A. For example, the lease time for subnet A is less than one minute, while the lease time for subnet B is in units of days.

  The changed state is shown in FIG. That is, the network device Ai belonging to the subnet A is changed to the network device Bj belonging to the subnet B if the address assignment server 6 accepts a connection request with the external network. If necessary, step 14 can be omitted.

  FIG. 11 shows a process in which the device Ai belonging to the subnet A is changed to the device Bj belonging to the subnet B. When the lease time expires at time T1, the device Ai issues a request for continuous use of the IP address Ai to the DHCP 8, and the DHCP 8 permits continuous use of the IP address Ai. Similarly, when the next lease time expires at time T2, the device Ai issues a request for continuous use of the IP address Ai to the DHCP 8, and the DHCP 8 permits continuous use of the IP address Ai. At time T3, the device Ai issues a connection request to the external network 14 to the controller 10 via the transmission path 3. This external connection request is sent to the controller 3 because the IP address of the address assignment server 6 is set as the default gateway address of the device Ai. At time T4, the controller 10 asks the device Ai for information necessary for authentication, such as an ID number and a password. At time T5, the device Ai sends information necessary for authentication to the controller 10. If authentication is successful, at time T6, the controller 10 instructs the DHCP 8 to change the setting from the subnet A to the subnet B of the device Ai. At the time T7 when the lease time expires, the DHCP 8 changes the setting of the device Ai from the subnet A to the subnet B. That is, the IP address is changed from Ai to Bj, the IP address of the router 12 is set as the default gateway address, and the lease time is set to a long time such as one day. As described above, for the device in the subnet A, the lease time La is set to be short because the time from when the connection request to the external network 14 from the device Ai is issued until the setting is actually changed is one. This is because La becomes short when the length is long, so that La can be shortened to enable quick setting change.

  In the above description, the case where the connection request from the device Ai to the external network 14 is made from the device Ai to the controller 10 through the transmission line 3 has been described. However, this external connection request is a case where the transmission line 3 is not used. Is also possible. When the IP address of the address assignment server 6 is not set as the default gateway address of the device Ai, the operator of the device Ai specifies the device Ai to the controller 10 using the keyboard of the address assignment server 6 directly. In addition to inputting information, an external connection request is input, and further information necessary for authentication is input. As a result, the controller 10 instructs the DHCP 8 to change the setting from the subnet A to the subnet B of the device Ai.

  Also, information necessary for an external connection request or authentication is recorded on the IC card, and the controller 10 reads the IC card with an IC card reader provided in the controller 10, so that the controller 10 transfers to the DHCP 8 and from the subnet A to the subnet B of the device Ai. It is also possible to issue an instruction to change the setting.

  Further, information necessary for external connection request or authentication is recorded on the IC card, the IC card is read by the IC card reader provided in the device Ai, and this information is sent to the controller 10, whereby the controller 10 sends the information to the DHCP 8 to the device. It is also possible to issue an instruction to change the setting from subnet A to subnet B of Ai.

  In addition to the IC card, authentication can also be performed using a magnetic card, a biometric detection device, or a simple switch device.

  Furthermore, as shown in FIG. 12, when the address assignment server 26 is configured to be included in the subnet A, the device Ai and the address assignment server 26 communicate with each other via the transmission path 3 without setting a default gateway address. can do.

  The predetermined requirement in step S12 may be a requirement such as a prohibition cancellation requirement. There may be no requirement. In this case, step S12 can be omitted.

  The case where the network device is changed from the subnet A to the subnet B has been described using the flowchart of FIG. 8, but the case where the network device is changed from the subnet B to the subnet A will be described next.

  In FIG. 9, it is determined in step S21 whether any one of the network devices included in the subnet B does not satisfy the external connection maintenance condition. The external connection maintenance condition refers to a condition based on, for example, a time limit for connection and the number of connections. Various other conditions can be considered. If it is determined that the external connection maintaining condition is not satisfied, the process proceeds to step S22. In step S22, the IP address of the network device that no longer satisfies the external connection maintenance condition is changed from the subnet B address to the subnet A address. Subsequently, in step S23, the default gateway address is changed from the IP address of the router 12 to the IP address of the address assignment server 6. That is, in steps S22 and S23, the network device setting is changed from the setting shown in FIG. 6 to the setting shown in FIG.

FIG. 10 shows a modification of the network system according to the present invention. Although the network system of FIG. 1 has two subnets A and B, the network system of FIG. 10 has three subnets A, B, and C. Furthermore, it has a second router 17 and a database 18 connected to the router 17. The router 17 is also connected to the external network 14. Here, the external network 14 may be the Internet or a database. The database 18 may also be the Internet. Therefore, in a broad sense, the external network 14 can be a first external network and the database 18 can be a second external network. In this case, the first external network and the second external network are different networks.
Since a maximum of k IP addresses can be assigned to the subnet C indicated by 16, it is possible to connect k network devices from a maximum of C1 to Ck to the transmission path 3. The network device included in the subnet C is set to be capable of communication between the network devices included in the subnet C, communication with the external network 14, and communication with the database 18.

  The network device Cz (z is an arbitrary number from 1 to k) included in the subnet C has Cz set as the IP address, the subnet mask of the subnet C set as the subnet mask, and the router as the default gateway address 17 IP addresses are set. Therefore, the data sent out from the network device Cz included in the subnet C via the transmission path 3 is sent to the router 17 and can be sent to either the external network 14 or the database 18.

  The operation in the case of FIG. 10 is as follows.

  It is determined whether any of the network devices included in the subnet A or B is requesting a connection between the external network 14 and the database 18. If there is a request, it is determined whether the requested network device satisfies a predetermined requirement. If the predetermined requirement is satisfied, the IP address is changed from the subnet A or B address to the subnet C address. Subsequently, the default gateway address is changed from the IP address of the address assignment server 6 or the router 12 to the IP address of the router 17. Needless to say, the determination of whether or not the predetermined requirement is satisfied can be omitted.

  The present invention can be used for a network system and a control method thereof.

1 is a block diagram showing a basic configuration of a network system according to the present invention. Operation explanatory diagram of the network system according to the present invention Operation explanatory diagram of the network system according to the present invention Operation explanatory diagram of the network system according to the present invention Table showing setting contents of subnet A according to the present invention Table showing setting contents of subnet B according to the present invention The flowchart which shows operation | movement when a new network apparatus is connected to the network system which concerns on this invention. The flowchart which shows the operation | movement by which the apparatus of the subnet A which concerns on this invention changes a setting to the apparatus of the subnet B The flowchart which shows the operation | movement by which the apparatus of the subnet B which concerns on this invention changes a setting to the apparatus of the subnet A The block diagram which shows the modification of the network system which concerns on this invention Time chart showing the process of changing the setting of the device in subnet A according to the present invention to the device in subnet B The block diagram which shows the modification of FIG.

Explanation of symbols

2 Subnet A
3 Transmission line 4 Subnet B
6 Address assignment server 8 DHCP
10 Controller 12 Router 14 External network

Claims (11)

A first subnet including one or more network devices;
A second subnet including one or more network devices;
An address assignment server for assigning addresses to the network devices of the first subnet and the second subnet;
A router connected to an external network,
A network system, wherein the network device of the second subnet is set with a router IP address as data transmission or reception destination information.   2. The network system according to claim 1, wherein the network device of the first subnet is set with an IP address of an address assignment server as data transmission or reception destination information.   The network system according to claim 1, wherein the address assignment server includes a DHCP and a controller.   The network system according to claim 1, wherein the network devices of the first subnet and the second subnet are connected by a transmission path. A third subnet including one or more network devices;
A second router connected to a second external network different from the external network,
The network system according to claim 1, wherein the IP address of the second router is set as data transmission or reception destination information in the network device of the third subnet. A network system control method according to claim 1, comprising:
Receiving an external network connection request from the network device of the first subnet;
Changing the IP address of the requested network device from the address of the first subnet to the address of the second subnet;
A method for controlling a network system, comprising: setting data transmission or reception destination information of a network device that has made the request to an IP address of a router. Further, if there is a connection of a new network device, the step of setting the IP address of the new network device as the address of the first subnet;
7. The network system control method according to claim 6, further comprising the step of setting the data transmission or reception destination information of the new network device as the IP address of the address assignment server.   7. The network system control method according to claim 6, further comprising a step of authenticating the requested network device. An address assignment server for controlling the network system according to claim 1,
Means for receiving an external network connection request from the network device of the first subnet;
Means for changing the IP address of the requested network device from the address of the first subnet to the address of the second subnet;
An address assignment server comprising means for setting data transmission or reception destination information of a network device that has made the request to an IP address of a router. Further, if there is a connection of the new network device, means for setting the IP address of the new network device to the address of the first subnet,
10. The address assignment server according to claim 9, further comprising means for setting data transmission or reception destination information of the new network device as an IP address of the address assignment server. 10. The address assignment server according to claim 9, further comprising means for authenticating the requested network device.

Images