JP2010154097A - Communication controller, communication control method and communication control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To relay a packet at a high speed. <P>SOLUTION: A communication controller creates a NAT table, indicating address conversion information for relaying a packet exchanged between communications equipment UA1, where a session is established and communication equipment UA2 to a transmission destination; converts address information about received virtual communication path information, on the basis of the NAT table; relays it to the transmission destination when the virtual communication path information for connecting a VPN exchanged with the UA1 whose session is established or the UA2 is received; and then converts address information regarding the received packet on the basis of the NAT table and relays it to the transmission destination when the packet transmitted by the UA1 or the UA2 connected by the VPN is received. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication control device, a communication control method, and a communication control program for establishing a session with each of a first communication device and a second communication device interconnecting different networks.

  Conventionally, with the spread of communications requiring real-time properties such as IP (Internet Protocol) telephone, video conference, and instant messenger, SIP (SIP), which is a session control protocol for establishing a session between two or more clients. Session Initiation Protocol) is used.

  Also, IKEv2 (Internet Key Exchange version 2), which can exchange key information necessary for VPN connection, is used as a protocol for dynamically setting IPsec VPN (Security Architecture for Internet Protocol Virtual Private Network). Yes.

"Internet Key Exchange (IKEv2) Protocol, RFC4306", [online], [searched on September 5, 2008], Internet <http://www.ietf.org/rfc/rfc4306.txt>

  However, the above-described conventional technique has a problem that it is not possible to set a VPN for relaying between two parties by a call by a third party (third party call control). Specifically, as shown in FIG. 11, an example will be described in which the communication control device UA3 connects the communication device UA1 and the communication device UA2 by VPN by third party call control.

  For example, when the administrator terminal outputs a request for VPN connection between UA1 and UA2 to UA3 (step S301), the UA3 that has received this starts IKE communication with UA1 and exchanges key information and the like (step S302). And step S303), a VPN connection is established with UA1 (step S304). Similarly, UA3 starts IKE communication with UA2 and exchanges key information and the like (steps S305 and S306), and establishes a VPN connection with UA2 (step S307).

  As a result, UA3 establishes VPN1 with UA1, and establishes VPN2 with UA2 (step S308 and step S309). The data transmitted from UA1 is decrypted in UA3, re-encrypted with the encryption key of UA2, and then transferred to UA2.

  That is, since UA3 and UA1, and UA3 and UA2 are VPN-connected using different encryption keys, when data is transmitted from UA1 to UA2, in UA3 connected to both UA1 and UA2, After the encryption with the UA1 is once decrypted, it is necessary to transmit the data after performing the encryption suitable for the UA2 again. Therefore, in the above-described conventional technology, it is not possible to relay between the two parties by a call by a third party (third party call control), and it is necessary to perform decryption and re-encryption processing.

  Therefore, the present invention was made to solve the above-described problems of the prior art, and a communication control device capable of setting a VPN for relaying between two parties by a call made by a third party, An object is to provide a communication control method and a communication control program.

  In order to solve the above-described problems and achieve the object, the present invention provides a communication control apparatus that establishes a session with each of a first communication device and a second communication device that interconnect different networks. Based on the session information obtained from each communication device when establishing a packet, the packet exchanged between the first communication device and the second communication device with the session established is relayed to the transmission destination For connecting a virtual communication path exchanged between a table creating means for creating a network address translation table indicating address translation information for the first communication device or the second communication device with which the session is established Based on the network address conversion table created by the table creation means when receiving the virtual communication path information of The communication channel information relay means for converting the address information of the virtual channel information to be relayed to the transmission destination, and the first communication connected by the virtual communication path by the virtual channel information being relayed by the relay means When a packet transmitted from the device or the second communication device is received, the address information of the received packet is converted based on the network address conversion table created by the table creating means and relayed to the destination And a packet relay means.

  According to the present invention, it is possible to set a VPN for relaying between two parties by a call made by a third party. Further, according to the present invention, encrypted packets can be relayed at high speed.

  Exemplary embodiments of a communication control device, a communication control method, and a communication control program according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, the main terms used in the present embodiment, the outline of the communication control device according to the present embodiment, the configuration of the communication control device and the flow of processing will be described in order, and finally various modifications to the present embodiment will be described. explain.

[Explanation of terms]
“VPN (Virtual Private Network)” (corresponding to the “virtual communication path” described in the claims) used in the following embodiments is, for example, as if two LANs connected to the SIP network are dedicated to each other It is a virtual communication path generated in the SIP network for the purpose of connection as if connected by a line. A “communication device (corresponding to the“ first communication device ”recited in the claims)” installed in the LAN has a function of generating a VPN, and a “VPN” that connects the two LANs is generated. .

  The “first communication device” refers to a gateway device or HGW (home gateway) that interconnects different networks by performing address conversion, data exchange, and the like, between the Internet and the LAN. It is provided with a set-top box for functions such as home router, protocol conversion, firewall and broadcast receiving function.

  In addition, when the “first communication device” generates “VPN” using a session established by SIP, the IP (Internet Protocol) address and port number of the “second communication device” that is the communication partner are generated. It is necessary to negotiate with the “second communication device” as a communication partner using the acquired information. For this reason, the “first communication device” accepts a SIP call in which an IP address and a port number are described in a description language called SDP (Session Description Protocol) from the “second communication device” as a communication partner. Get these information. The “first communication device” uses these pieces of information to perform mutual authentication by “IKE (Internet Key Exchange)” with the “second communication device” that is the communication partner, and performs mutual authentication. For example, by encrypting data using the encryption key exchanged in step 1, an IPSec (Security Architecture for Internet Protocol) connection is established with the “second communication device” as the communication partner. Thus, “VPN” is generated between the two “communication devices”. If “VPN” is generated, an IP-based application can be used over two VPNs between two home LANs. For example, content sharing using information home appliances can be realized.

  In mutual authentication by IKE or the like, an IP address can be used to determine whether or not to authorize a communication partner, as described above, but there is a possibility that the authentication strength is inferior depending on the network configuration. Therefore, mutual authentication may be performed by using a telephone number instead of an IP address.

  In this embodiment, an example in which a session between “communication devices” is established by SIP will be described. However, the present invention is not limited to the establishment method by SIP, and any protocol can be used as long as it is a connection establishment type protocol. May be used to establish a session. The LAN described above may be any LAN as long as it is a closed network such as a home LAN or a corporate LAN.

[Outline of communication control device]
Next, the outline of the communication control apparatus according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an overall configuration of a communication system including a communication control apparatus according to the first embodiment.

  As shown in FIG. 1, this communication system includes a communication control device connected to the SIP network, a communication device (UA1) connected to the LAN (A), and a communication device (UA2) connected to the LAN (B). ). Then, the IP address “IP3” is set in the communication control device, the IP address “IP1” is set in the communication device (UA1), and the IP address “IP2” is set in the communication device (UA2). "Is set.

  In addition, “device A” indicating a PC or information appliance (for example, WebTV, hard disk recorder, etc.) is connected to LAN (A), and “device B” is similarly connected to LAN (B). Has been. It should be noted that the mutual connection between devices in each LAN is performed by protocols such as IP, DLNA (Digital Living Network Alliance), UPnP (Universal Plug and Play).

  In such a state, the communication control apparatus according to the first embodiment establishes a session with each of the communication device (UA1) and the communication device (UA2) interconnecting different networks, and communicates with the communication device (UA1). The outline is to relay a packet exchanged with the device (UA2). In particular, any packet can be relayed at high speed.

  Specifically, the communication control device exchanges SIP “INVITE message” and “200 OK message” with each of UA1 and UA2 when the user or the like is instructed to connect UA1 and UA2. A SIP session is established with each of UA1 and UA2 (see (1) in FIG. 1).

  Then, the communication control apparatus acquires session information (address information) described in SDP included in each of the “INVITE message” and “200 OK message” exchanged when establishing the SIP session, and obtains the network address. A conversion table (NAT table) is created (see (2) in FIG. 1).

  Specifically, the communication control apparatus acquires the IP address “IP1” of UA1 in the exchange with UA1, and acquires the IP address “IP2” of UA2 in the exchange with UA2. Subsequently, the communication control apparatus relays a packet transmitted from UA1 to UA2 by using a separately connected "session with UA1" and "session with UA2" as one session, and a packet transmitted from UA2. Is relayed to UA1, a NAT table in which “in” indicating the address information of the received packet is associated with “out” indicating the address information as the transmission destination is created. For example, the communication control device may use “(src: IP1, dst: IP3)”, (src: IP3, dst: IP2) ”,“ (src: IP2, dst: IP3) ”, (src: IP3) as“ in, out ”. , Dst: IP1) ”and the like are created.

  Subsequently, when the communication control device receives virtual channel information (VPN authentication or key exchange (IKE) packet) to connect the virtual channel (VPN) from the UA1 or UA2 in which the session is established, Based on the created NAT table, the received information is relayed to the transmission destination (see (3) in FIG. 1). To give a specific example, when receiving a packet for authentication and key exchange by IKE from UA1, the communication control device transfers the packet to UA2 according to the created NAT table, and sends a similar packet from UA2. If received, the packet is transferred to UA1 according to the created NAT table. In this way, VPN authentication and key exchange are performed, whereby UA1 and UA2 are connected by VPN.

  After that, when receiving a packet transmitted from the communication device (UA1) or the communication device (UA2) connected by VPN, the communication control device obtains the address information of the received packet based on the created NAT table. The data is converted and relayed to the transmission destination (see (4) in FIG. 1). Specifically, when the communication control apparatus receives a packet from UA1, the communication control apparatus converts the transmission source (src) and transmission destination (dst) of the packet based on the NAT table and transfers the packet to UA2. Similarly, when a packet is received from UA2, the source (src) and destination (dst) of the packet are converted based on the NAT table and transferred to UA1.

  As described above, the communication control apparatus according to the first embodiment allows packets flowing between sessions based on the NAT table created from the session information acquired when establishing a session, even between sessions established separately. As a result of the packet transfer (relay) as if it were one session, it is possible to relay any packet at high speed.

[Configuration of communication control unit]
Next, the configuration of the communication control apparatus shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating the configuration of the communication control apparatus according to the first embodiment. As illustrated in FIG. 2, the communication control apparatus 10 includes a communication control I / F unit 11, a wireless communication I / F unit 12, a storage unit 20, and a control unit 30.

  The communication control I / F unit 11 controls communication related to various information exchanged with other apparatuses via the SIP network. Specifically, the communication control I / F unit 11 is connected to the connection request receiving unit 31 of the control unit 30 and communicates with a communication device (such as a SIP message for establishing a session, VPN authentication, IKE negotiation packet). Various packets exchanged between the UA 1) and the communication device (UA 2) are received.

  The wireless communication I / F unit 12 controls various information exchanged with other apparatuses using wireless communication. Specifically, the wireless communication I / F unit 12 is connected to the connection request receiving unit 31 of the control unit 30, has an electronic mail function and a messenger function, and controls various information exchanged with a mobile phone or the like. To do.

  The storage unit 20 stores data and programs necessary for various processes performed by the control unit 30 and routing information, and has a NAT table 21.

  The NAT table 21 stores address conversion information for relaying a packet exchanged between UA1 and UA2 with which a session is established to a transmission destination. Specifically, the NAT table 21 stores network address conversion information in which “in” indicating address information of a received packet is associated with “out” indicating address information as a transmission destination. For example, in the NAT table 21, as shown in FIG. 3, “(src: IP1, dst: IP3)”, (src: IP3, dst: IP2) ”and“ (src: IP2, dst: IP3), (src: IP3, dst: IP1) "and the like. FIG. 3 is a diagram illustrating an example of information stored in the NAT table.

  The control unit 30 has an internal memory for storing a control program such as an OS (Operating System), a program defining various processing procedures, and necessary data, and a connection request receiving unit 31, a session establishing unit 32, The table creation unit 33, the VPN information relay unit 34, and the packet relay unit 35 are used to execute various processes.

  The connection request receiving unit 31 receives a session establishment request in which a device for establishing a session is designated. Specifically, the connection request receiving unit 31 receives a session establishment request received from an administrator terminal of the communication control device 10 via the communication control I / F unit 11 or the wireless communication I / F unit 12. In response to a session establishment request received by wireless communication (for example, e-mail or the like) of a cellular phone, a session establishment instruction and establishment destination apparatus information are output to a session establishment unit 32 described later.

  Here, the accepted session establishment request is information for specifying an instruction to establish a session and a destination device. For example, “UA1, IP1” or “UA2” as “device name (host name), IP address”. , IP2 ”and the like. Therefore, the connection request reception unit 31 outputs “UA1, IP1” and “UA2, IP2” to the session establishment unit 32 as the session establishment instruction and the establishment destination device information. In this case, it is not always necessary to use “device name (host name), IP address”. For example, “device name (host name), telephone number” is information that can identify and communicate with a device. Any information may be used.

  The session establishment unit 32 establishes a session based on the establishment destination device information received from the connection request reception unit 31. Specifically, the session establishment unit 32 transmits a SIP “INVITE message” to the establishment destination device received from the connection request reception unit 31, receives the “200 OK message”, and responds with “ACK”. Thus, a SIP session is established.

  For example, when the session establishment unit 32 receives “UA1, IP1”, “UA2, IP2” as the establishment destination device information, the IP address “IP3” of the own device is described in SDP with respect to the IP address “IP1”. "INVITE message" including the transmitted information is transmitted. When the session establishment unit 32 receives a “200 OK message” including information in which the IP address “IP1” of UA1 is described in SDP from UA1, it responds with “ACK” to UA1. In this way, the session establishing unit 32 can establish a session with “UA1”, which is the session establishment destination accepted by the connection request receiving unit 31.

  Similarly, the session establishing unit 32 transmits an “INVITE message” including the IP address “IP3” of its own device to the IP address “IP2” for “UA2”, and the IP address “UA2” “200 OK message” including “IP2” is received from UA2, and “ACK” is returned to UA2. By doing so, the session establishing unit 32 can establish a session with “UA2”.

  The table creation unit 33 creates the NAT table 21 based on the session information obtained from each communication device when establishing a session. Specifically, the table creation unit 33 acquires the “IP address” described in SDP included in the “INVITE message” or “200 OK message” transmitted / received by the session establishment unit 32, and the acquired “IP address” Is used to convert the address information of the received packet and create a NAT table 21 (see FIG. 3) for output.

  For example, the table creation unit 33 acquires the IP address “IP3” from the “INVITE message” transmitted to the UA1 by the session establishment unit 32 and the IP address “IP1” from the “200 OK message” received from the UA1. Similarly, the table creation unit 33 acquires the IP address “IP3” from the “INVITE message” transmitted to the UA2 by the session establishment unit 32 and the IP address “IP2” from the “200 OK message” received from the UA2.

  Then, the table creating unit 33 relays (out) the packet transmitted (in) from the UA1 of “IP1” to the communication control apparatus 10 of “IP3” to the UA2 of “IP2” (FIG. 3). Similarly, the table creation unit 33 creates a NAT table 21 that relays a packet transmitted from the UA2 of “IP2” to the communication control apparatus 10 of “IP3” to the UA1 of “IP1”.

  The VPN information relay unit 34 is created by the table creation unit 33 when communication path information indicating information for connecting a VPN is received from the first communication device or the second communication device with which a session is established. Based on the NAT table 21, the received communication path information is relayed to the transmission destination. Specifically, the VPN information relay unit 34 is transmitted from the communication device (UA1) in which the session is established by the session establishment unit 32 and the NAT table 21 is created by the table creation unit 33 to the communication device (UA2). The VPN authentication packet and the IKE negotiation packet are received, and the IP header of the received packet is converted based on the NAT table 21 and relayed to the UA 2. Similarly, the VPN information relay unit 34 receives a VPN authentication packet or an IKE negotiation packet transmitted from the communication device (UA2) to the communication device (UA1), and receives the IP header of the received packet in the NAT table 21. Based on the above and relay to UA1.

  As described above, the IP header of the packet received by the communication control device 10 is converted even in a session connected separately, such as between the communication control device 10 and UA1, and between the communication control device 10 and UA2. By relaying, VPN authentication and IKE negotiation can be performed between UA1 and US2. As a result, a VPN connection can be established between the communication control device 10-UA1 and between the communication control device 10-UA2.

  When the packet relay unit 35 receives a packet transmitted from a communication device connected by VPN, the packet relay unit 35 converts the address information of the received packet based on the NAT table 21 created by the table creation unit 33, Relay to the destination.

  For example, in the IP header of a packet transmitted from UA1, the transmission source is “IP1” and the transmission destination is “IP3”. Therefore, the packet relay unit 35 sets the transmission source of the IP header in the packet received from the UA 1 from “IP1” to “IP3” and the transmission destination from “IP3” to “IP2” based on the NAT table 21 shown in FIG. Respectively, and then transferred to UA2. Similarly, in the packet transmitted from UA2, the transmission source is “IP2” and the transmission destination is “IP3”. Therefore, the packet relay unit 35 sets the transmission source of the IP header in the packet received from the UA 2 from “IP2” to “IP3” and the transmission destination from “IP3” to “IP1” based on the NAT table 21 shown in FIG. Respectively, and transfer to UA1.

[Processing by communication control device]
Next, processing by the communication control device will be described with reference to FIG. FIG. 4 is a sequence diagram illustrating the flow of processing in the communication control apparatus according to the first embodiment.

  As shown in FIG. 4, when receiving a connection request (UA1, UA2) indicating a session connection destination from a terminal such as an administrator (step S101), the communication control device 10 receives “INVITE” in which “IP3” is described in SDP. (SDP c = IP3) message ”is transmitted to UA1 (step S102), and“ 200 OK (SDP c = IP1) message ”in which“ IP1 ”is described in SDP is received from UA1 as a response to the message. (Step S103).

  Note that “c =” included in the above “INVITE” and “200 OK” indicates an IP address to be used. For example, in the “INVITE (SDP c = IP3) message” in step S102, the IP address The use of “IP3” is defined.

  Subsequently, the communication control apparatus 10 transmits an “INVITE (SDP c = IP3) message” in which “IP3” is described in SDP to UA2 (step S104), and “IP2” in SDP as a response to the message. "200 OK (SDP c = IP2) message" is described from UA2 (step S105).

  In this way, when the communication control device 10 exchanges “INVITE message” and “200 OK message” with each of “UA1” and “UA2” indicated in the connection request, it transmits “ACK” to each. (Step S106 and Step S107). As a result, a session is established between the communication control device 10 and UA1, and between the communication control device 10 and UA2.

  Thereafter, the communication control device 10 acquires “SDP, c = IP address” included in the “INVITE message when establishing a session with UA1 and UA2” and “200 OK message”, and uses the acquired information as the acquired information. Based on this, the NAT table 21 is created (step S108).

  Subsequently, when the communication control apparatus 10 receives a VPN authentication or key exchange (IKE) packet indicating information for connecting the VPN between the UA1 and the UA2 with which the session is established, the communication control apparatus 10 creates the communication control apparatus 10 in step S108. Based on the NAT table 21, the IP header of the received packet is rewritten and relayed to the transmission destination (step S109).

  As a result, UA1 and UA2 can establish a VPN connection between the communication control device 10 and UA1 and between the communication control device 10 and UA2 by generating a VPN connection with the communication control device 10. Yes (step S110 and step S111).

  Thereafter, when receiving a packet transmitted from UA1 or UA2 connected by VPN, the communication control device 10 converts the address information of the received packet based on the NAT table 21 created in step S108, Relay to the destination (step S112). In this way, communication by IP between devices in each LAN becomes possible.

  Here, the state of the packet after VPN connection will be specifically described with reference to FIG. FIG. 5 is a diagram showing state transition of the IP header in the packet after VPN connection.

  As shown in (1) of FIG. 5, the device (A) in the LAN (A) having the IP address “IPa” is compared with the device (B) in the LAN (B) having the IP address “IPb”. , A packet with the IP header “From = IPa, to = IPb” added thereto is transmitted. Note that “From” in the IP header indicates the IP address of the transmission source, and “to” indicates the IP address of the transmission destination (destination).

  Then, the UA 1 located at the boundary between the LAN (A) and the external network receives this packet and encapsulates the received packet to generate a VPN packet as shown in (2) of FIG. A new IP header of “From = IP1, to = IP3” is added to the VPN packet and transmitted to the communication control apparatus 10.

  Subsequently, the communication control apparatus 10 changes the new IP header “From = IP1, to = IP3” added to the received VPN packet to “From = IP3, to = IP2” based on the NAT table 21. Convert and send to UA2.

  Then, as shown in (4) of FIG. 5, UA2 releases the received packet (VPN packet + IP header) and recognizes that the data destination is “IPb”. The data is output to the device (B) of the LAN (B). By doing so, the device (B) receives the data transmitted from the device (A) as shown in (5) of FIG.

[Effects of Example 1]
As described above, according to the first embodiment, based on the session information obtained from each communication device when a session is established, a packet exchanged between UA1 and UA2 with which the session is established is transmitted to the destination. Created a NAT table indicating address translation information for relaying to the network, and received virtual channel information (VPN authentication, IKE) for connecting a VPN exchanged with UA1 or UA2 with which a session was established In this case, the address information of the received virtual channel information is converted based on the NAT table, relayed to the transmission destination, and the virtual channel information is relayed and transmitted from UA1 or UA2 connected by VPN. When a packet is received, the address information of the received packet can be converted based on the NAT table and relayed to the destination. Since, it is possible to relay packets IPsec at the OS level. As a result, any packet can be relayed at high speed.

  Moreover, as a result of performing packet relay only with the NAT function, there is no need to perform decryption or re-encryption of the VPN packet, the processing load can be reduced, and packet relay can be performed at higher speed. . In addition, it is only necessary to set the NAT in the application, and processing such as packet decryption and re-encryption is unnecessary, so that it can be easily implemented as a communication control device.

  Further, even when the communication device for establishing the session is not known in advance, that is, when the session between unspecified communication devices is established, the session information is obtained from the SIP message exchanged at the session establishment stage. And a NAT table can be created.

  Incidentally, in the first embodiment, an example in which a NAT table in which IP addresses are associated with each other based on session information obtained from each communication device when establishing a session has been described, but the present invention is not limited thereto. Instead, a NAPT (Network Address Port Translation) table associated with the port numbers to be used may be created.

  Therefore, in the second embodiment, a NAPT table in which an IP address and a port number are associated is created based on session information obtained from each communication device when a session is established using FIGS. An example will be described.

  FIG. 6 is a sequence diagram illustrating the flow of processing in the communication control apparatus according to the second embodiment. As shown in FIG. 6, when receiving a connection request (UA1, UA2) indicating a session connection destination from a terminal such as an administrator (step S201), the communication control device 10 describes an IP address and a used port number in SDP. The transmitted “INVITE (SDP c = IP3, m = p3-1) message” is transmitted to UA1 (step S202).

  Subsequently, as a response to the transmitted “INVITE message”, the communication control apparatus 10 receives a “200 OK (SDP c = IP1, m = p1) message” in which the IP address and the used port are described in SDP from the UA1. (Step S203).

  Similarly, for the UA2, the communication control apparatus 10 transmits an “INVITE (SDP c = IP3, m = p3-2) message” in which the IP address and the used port number are described in SDP to the UA2 (Step S1). S204) As a response to the transmitted “INVITE message”, a “200 OK (SDP c = IP2, m = p2) message” in which the IP address and the used port are described in SDP is received from UA2 (step S205).

  In this way, when the communication control device 10 exchanges “INVITE message” and “200 OK message” with each of “UA1” and “UA2” indicated in the connection request, it transmits “ACK” to each. (Step S206 and Step S207). As a result, a session is established between the communication control apparatus 10 and UA1, and between the communication control apparatus 10 and US2.

  Note that “c =” included in the above “INVITE” and “200 OK” indicates an IP address to be used, “m =” indicates a port number to be used, and UA1, UA2 The communication control device 10 automatically selects and uses an available port. For example, in the “INVITE (SDP c = IP3, m = p3-1) message” in step S201, “IP address = IP3” and “port number = p3-1” are used for communication from the communication control apparatus 10 to UA1. To be defined. Similarly, in the “200 OK (SDP c = IP1, m = p1) message” in step S203, “IP address = IP1” and “port number = p1” are used for communication from the UA1 to the communication control apparatus 10. Is defined.

  Returning to FIG. 6, the communication control device 10 creates a NAPT table in which the IP address and the port number are associated with each other based on the session information obtained from each communication device when the session is established (step S208). .

  Specifically, the communication control apparatus 10 acquires the “IP address” and “port number” described in SDP included in the “INVITE message” and “200 OK message” exchanged in steps S202 to S205. In order to convert the address information of the received packet, a NAPT table in which “in” indicating the address information of the received packet is associated with “out” indicating the address information as the transmission destination create. For example, as illustrated in FIG. 7, the communication control device 10 sets “in, out” as “(src: IP1 port = p1, dst: IP3 port = p3-1), (src: IP3 port = p3-2, dst: IP2 port = p2) ”,“ (src: IP2 port = p2, dst: IP3 port = p3-2), (src: IP3 port = p3-1, dst: IP1 port = p1) ”, etc. . FIG. 7 is a diagram illustrating an example of information stored in the NAPT table.

  Subsequently, when the communication control apparatus 10 receives a VPN authentication or key exchange (IKE) packet indicating information for connecting the VPN between the UA1 and the UA2 with which the session is established, the communication control apparatus 10 creates the communication control apparatus 10 in step S108. Based on the NAPT table, the port to be used is specified, and the IP header of the received packet is rewritten and relayed to the transmission destination (step S209).

  As a result, the UA1 and the UA2 generate a VPN connection with the communication control device 10, and further set a port to be used for the VPN, whereby the communication control device 10-UA1 and the communication control device 10-UA2 respectively. VPN connection can be established (step S210 and step S211).

  After that, when receiving a packet transmitted from UA1 or UA2 connected by VPN, the communication control device 10 converts the address information of the received packet based on the NAPT table created in step S208 to specify It relays to the transmission destination using the port number to be set (step S212). In this way, communication by IP between devices in each LAN becomes possible.

  Here, the state of the packet after the VPN connection will be specifically described with reference to FIG. FIG. 8 is a diagram illustrating the state transition of the IP header in the packet after VPN connection in the second embodiment.

  As shown in (1) of FIG. 8, the device (A) in the LAN (A) having the IP address “IPa” is compared with the device (B) in the LAN (B) having the IP address “IPb”. , A packet with the IP header “From = IPa, to = IPb” added thereto is transmitted. Note that “From” in the IP header indicates the IP address of the transmission source, and “to” indicates the IP address of the transmission destination (destination).

  Then, as shown in (2) of FIG. 8, the UA 1 located at the boundary between the LAN (A) and the external network receives this packet, encapsulates the received packet, generates a VPN packet, and uses it. A UDP header that specifies a port number “From = p1, to = p3-1” and a new IP header that is “From = IP1, to = IP3” are added to the VPN packet, and the communication control device 10 Send. In the UDP header, “From” indicates the port number of the transmission source, and “to” indicates the port number of the transmission destination (destination).

  Subsequently, as shown in (3) of FIG. 8, the communication control device 10 uses the NAPT table to indicate the UDP header “From = p1, to = p3-1” added to the received VPN packet based on the NAPT table. A new IP header “From = IP1, to = IP3” added to the received VPN packet is converted into “From = p3-2, to = p1” based on the NAPT table. , To = IP2 ”and transmit to UA2.

  Then, as shown in (4) of FIG. 8, UA2 releases the received packet (VPN packet + IP header) and recognizes that the data destination is “IPb”. The data is output to the device (B) of the LAN (B). By doing so, the device (B) receives the data transmitted from the device (A) as shown in (5) of FIG.

  As described above, according to the second embodiment, the NAPT table is created based on the session information and the port number obtained from each communication device when the session is established, and when the virtual communication path information is received, Based on the NAPT table, the address information of the received virtual communication path information is converted, relayed to the destination using the specified port number, and the packet transmitted from the UA1 or UA2 connected by the VPN is received. In this case, the address information of the received packet can be converted based on the NAPT table and relayed to the transmission destination using the specified port number. As a result, one communication device can use a plurality of ports, and a plurality of sessions can be connected simultaneously, so that one-to-many or many-to-many connection is possible.

  By the way, the communication control device disclosed in the present application can be applied not only as a gateway device but also in various service forms. Therefore, in the third embodiment, a service example to which the communication control device disclosed in the first and second embodiments is applied will be described.

(SaaS portal system)
First, an example in which the communication control device disclosed in the present application is applied to a SaaS (Software as a Service) portal will be described with reference to FIG. FIG. 9 is a diagram showing an example applied to the SaaS portal system.

  As shown in FIG. 9, this SaaS portal system connects a user terminal that uses software, a plurality of SaaS providers that provide software via the Internet, and a user terminal and a SaaS provider. The SaaS portal is connected to each other via the SIP network. The communication control device disclosed in the present application is applied to the SaaS portal.

  In such a configuration, the user connects to the SaaS portal using the user terminal and searches for desired software (see (1) in FIG. 9). After that, the user who has found the desired software sends a connection request to the SaaS provider that provides the desired software to the SaaS portal, and the SaaS portal uses the designated SaaS provider. A connection request (session establishment request) by SIP is transmitted to the user terminal (see (2) in FIG. 9).

  Then, the SaaS portal exchanges “INVITE” and “200 OK” described in the first embodiment and the like between the designated SaaS provider and the user terminal, and the IP of the user terminal. The address and the IP address of the SaaS provider are acquired, and a NAT table (or NAPT table) is created (see (3) in FIG. 9). However, the NAPT table can be created by using the same method as in the second embodiment instead of the NAT table.

  Subsequently, when the SaaS portal receives a packet relating to VPN authentication or IKE negotiation performed by the user terminal or the SaaS provider, it performs packet relay based on the created NAT table, thereby enabling the user terminal And the SaaS provider are connected via VPN via the SaaS portal (see (4) in FIG. 9).

  Thereafter, the SaaS portal receives a packet exchanged between the user terminal and the SaaS provider via the VPN, performs address conversion based on the NAT table, and transmits the packet to the destination (see (5) in FIG. 9). . By doing in this way, the user can download software or receive provision of software functions from a SaaS provider using a secure line.

(Telework system using on-demand VPN)
Next, the example which applied the communication control apparatus which this application discloses to a telework system is demonstrated using FIG. FIG. 10 is a diagram showing an example applied to a telework system.

  As shown in FIG. 10, this telework system includes a business requester who performs a business request to a temporary staffing company and entrusts the business, a home worker who registers with the temporary staffing company and performs business according to the introduction, And a temporary staffing company that introduces a home worker who has registered a business consignment from a business client.

  In such a configuration, the business requester makes a business request to the temporary staffing company (see (1) in FIG. 10), and the temporary staffing company makes a request to the home worker suitable for the requested business. Notification is performed (see (2) in FIG. 10).

  After that, when the work requested by the home worker is entrusted, the server of the temporary staffing company has explained the terminal of the work requester and the terminal of the home worker in the first embodiment or the like by the operation of the administrator or the like. A session is established by exchanging “INVITE”, “200 OK”, etc., and the IP address of the business client terminal and the IP address of the home worker terminal are acquired, and a NAT table (or NAPT table) is created ( (See (3) in FIG. 10).

  Subsequently, the server of the temporary staffing company performs packet relaying based on the created NAT table when receiving a packet related to VPN authentication or IKE negotiation performed by a business client terminal or a home worker terminal. The business requester terminal and the home worker terminal are connected by a VPN via a temporary staffing company (see (4) in FIG. 10).

  After that, the server of the temporary staffing company receives the packet exchanged between the business client terminal and the home worker terminal via the VPN, performs address conversion based on the NAT table, and transmits the packet to the destination. Can remotely access the business client using a secure line (see (5) in FIG. 10).

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. Therefore, as shown below, (1) the number of connected devices, (2) a static table, (3) a system configuration, etc., (4) different examples will be described by being divided into programs.

(1) Number of Connected Devices For example, in the above-described embodiment, the example in which the communication device (UA1) and the communication device (UA2) are VPN-connected in a one-to-one manner has been described, but the present invention is not limited to this. Instead, for example, as in the second embodiment, VPN connection can be performed in a one-to-many or many-to-many manner by properly using port numbers.

(2) Static Table In the first embodiment, an example in which a NAT table is dynamically created from session information acquired at the time of session establishment has been described. However, the present invention is not limited to this, and for example, connection If the previous communication device is known in advance, the address information of the communication device is known, so a NAT table can be created in advance. Similarly, the NAPT table of the second embodiment can be created in advance.

(3) System Configuration etc. Further, among the processes described in the present embodiment, all or part of the processes described as being automatically performed (for example, IKE negotiation) can be manually performed. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters (for example, FIG. 3 and FIG. 7) shown in the above documents and drawings are optional unless otherwise specified. Can be changed.

  Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. It can be configured by integrating (for example, integrating the VPN information relay unit and the packet relay unit). Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(4) Program The communication control method described in the present embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the communication control device, the communication control method, and the communication control program according to the present invention establish a session with each of the first communication device and the second communication device that interconnect different networks. And is particularly suitable for relaying packets at high speed.

1 is a diagram illustrating an overall configuration of a communication system including a communication control apparatus according to a first embodiment. 1 is a block diagram illustrating a configuration of a communication control apparatus according to a first embodiment. It is a figure which shows the example of the information memorize | stored in a NAT table. FIG. 6 is a sequence diagram illustrating a process flow in the communication control apparatus according to the first embodiment. It is a figure which shows the state transition of the IP header in the packet after VPN connection. FIG. 10 is a sequence diagram illustrating a process flow in a communication control apparatus according to the second embodiment. It is a figure which shows the example of the information memorize | stored in a NAPT table. It is a figure which shows the state transition of the IP header in the packet after the VPN connection in Example 2. FIG. It is a figure which shows the example applied to the SaaS portal system. It is a figure which shows the example applied to the telework system. It is a figure for demonstrating a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Communication control apparatus 11 Communication control I / F part 12 Wireless communication I / F part 20 Storage part 21 NAT table 30 Control part 31 Connection request receiving part 32 Session establishment part 33 Table preparation part 34 VPN information relay part 35 Packet relay part

Claims (4)

A communication control device for establishing a session with each of a first communication device and a second communication device interconnecting different networks,
Based on session information obtained from each communication device at the time of establishing the session, a packet exchanged between the first communication device and the second communication device with the session established is set as a transmission destination. Table creation means for creating a network address translation table indicating address translation information for relay;
When the virtual communication path information for connecting the virtual communication path exchanged with the first communication device or the second communication device with which the session is established is received, the table creation unit creates the session. Based on the network address conversion table, the address information of the received virtual channel information is converted, and the channel information relay means for relaying to the destination,
When the virtual communication path information is relayed by the relay means and a packet transmitted from the first communication device or the second communication device connected through the virtual communication path is received, the table creation means creates A packet relay means for converting the address information of the received packet based on the network address conversion table and relaying it to the destination;
A communication control apparatus comprising: The table creation means creates a network address conversion table in which port numbers to be used are further associated with the address information,
When the communication path information relay means receives the virtual communication path information, the communication path information relay means converts the address information of the received virtual communication path information based on the network address conversion table created by the table creation means, and specifies Relay to the destination using the specified port number,
When the packet relay means receives a packet transmitted from the first communication device or the second communication device connected via the virtual communication path, the packet relay means is based on the network address conversion table created in the table creation means. The communication control apparatus according to claim 1, wherein the address information of the received packet is converted and relayed to the transmission destination using the specified port number. A communication control method suitable for a communication control apparatus for establishing a session with each of a first communication device and a second communication device that interconnect different networks,
Based on the session information obtained from each communication device when establishing the session, a packet exchanged between the first communication device and the second communication device with which the session is established is set as a transmission destination. A table creation step for creating a network address translation table indicating address translation information for relay;
When the virtual communication path information for connecting the virtual communication path exchanged with the first communication device or the second communication device with which the session is established is received, the table is created in the table creation step. Based on the network address conversion table, the address information of the received virtual channel information is converted, and the channel information relay step for relaying to the destination,
Created in the table creation step when virtual communication path information is relayed by the relay means and a packet transmitted from the first communication device or the second communication device connected through the virtual communication path is received. A packet relay step of converting the address information of the received packet based on the network address conversion table and relaying it to the destination;
The communication control method characterized by including. A communication control program that causes a computer to execute a communication control device that establishes a session with each of a first communication device and a second communication device that interconnect different networks,
Based on the session information obtained from each communication device when establishing the session, a packet exchanged between the first communication device and the second communication device with which the session is established is set as a transmission destination. A table creation procedure for creating a network address translation table indicating address translation information for relaying;
When the virtual communication path information for connecting the virtual communication path exchanged with the first communication apparatus or the second communication apparatus with which the session is established is received, it is created by the table creation procedure. Based on the network address conversion table, the address information of the received virtual channel information is converted, and the channel information relay procedure for relaying to the destination,
Created in the table creation procedure when virtual communication path information is relayed by the relay means and a packet transmitted from the first communication device or the second communication device connected through the virtual communication path is received. A packet relay procedure for converting the address information of the received packet based on the network address conversion table and relaying it to the destination;
A communication control program for causing a computer to execute.

Images