JP2011139299A - Dns (domain name system) registration device, connection management system between vpns (virtual private networks), wide area dns device, dns registration program, wide area dns program, dns registration method, and connection management method between vpns - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To relieve loads of a user regarding registration of a DNS. <P>SOLUTION: In this connection system between the VPNs, a connection request between bases for performing connection between bases between a plurality of bases is accepted on demand, and communication partner identification address is paid out on demand for each base. The registration information generation section 11 of a DNS registration device 10 determines, when the communication partner identification address is paid out for each base, the name of the terminal so as to be unique in the base, and generates a set of the determined name of the terminal and the communication partner identification address for each base as registration information to be registered in a DNS 1. A DNS registration section 12 registers the registration information generated by the registration information generation section 11 in the DNS 1 for each base belonging to connection between bases. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a DNS registration apparatus, an inter-VPN connection management system, a wide area DNS apparatus, a DNS registration program, a wide area DNS program, a DNS registration method, and an inter-VPN connection management method.

  In recent years, services have emerged that provide a collaborative space by connecting multiple locations. In particular, there is a high demand for an on-demand service, that is, a service for connecting between bases in a timely manner upon request. Here, the “base” is an isolated network domain whose reachability is limited by VPN (Virtual Private Network) or geographical conditions. In addition, “inter-base connection” means that information for transferring a packet transmitted from a terminal at a base to a terminal at a base is set in each device existing on the path between the bases. It is interconnecting the bases so that they can communicate with each other. The “collaborative space” is a network domain generated by inter-base connection, and is a network domain having the interconnected range as a new reachable range.

  By the way, when connecting a plurality of bases between bases, if the addresses used in the bases are used as they are for the base-to-base connection, there is a risk of duplication of addresses. For this reason, in the above service, an address (hereinafter referred to as “communication partner identification address”) for identifying a terminal under another base serving as a communication partner within the base is separately issued, and address conversion by NAT (Network Address Translation) Is done. Also, DNS registration information indicating the correspondence between the communication partner identification address and the name of the terminal is registered in the DNS.

  Here, when the service is provided on demand, the communication partner identification address is paid out each time, and the combination of the communication partner identification address and the name of the terminal is also changed each time. For this reason, a user or the like who manages the inter-base connection service generates a combination of the communication partner identification address and the terminal name as registration information each time, and registers the generated registration information in the DNS.

Yuichi Ishikawa, Norito Fujita, “Site Multiple Attribution Method in Layer 2 Authentication”, IEICE Technical Report NS 2004-12 (2004-4), p. 13-16 Takaaki Koyama, Shuichi Karasawa, Kazuhiro Kishi, Shintaro Mizuno, Soetsu Iwamura, “Proposal of VPN Connection Management System”, IEICE Technical Report IN 2009-48 (2009-09), P.A. 53-58

  However, in the above prior art, registration information must be frequently registered in the DNS, and there is a problem that the load on the user is high.

  The disclosed technology has been made in view of the above, and is a DNS registration device, a VPN connection management system, a wide area DNS device, a DNS registration program, a wide area DNS program, and a DNS that can reduce the load on the user. It is an object to provide a registration method and an inter-VPN connection management method.

  The DNS registration device, inter-VPN connection management system, wide-area DNS device, DNS registration program, wide-area DNS program, DNS registration method, and inter-VPN connection management method disclosed in the present application can In response to a connection request between bases, when a communication partner identification address for identifying a terminal under another base serving as a communication partner within the base is issued for each base belonging to the connection between the bases, it is unique within the base. Generating means for determining the name of the terminal so as to be, and generating a set of the determined name of the terminal and the communication partner identification address for each base belonging to the connection between the bases as registration information to be registered in DNS; And registration means for registering the registration information generated by the generating means in the DNS for each base belonging to the inter-base connection.

  According to one aspect of the DNS registration device, inter-VPN connection management system, wide-area DNS device, DNS registration program, wide-area DNS program, DNS registration method, and inter-VPN connection management method disclosed in the present application, the load on the user is reduced. There is an effect that it becomes possible to do.

FIG. 1 is a diagram for explaining a network configuration according to the first embodiment. FIG. 2 is a block diagram illustrating the configuration of the DNS registration apparatus 10 according to the first embodiment. FIG. 3 is a flowchart of a process procedure performed by the DNS registration apparatus 10 according to the first embodiment. FIG. 4A is a diagram for explaining the bases belonging to the VPN service. FIG. 4B is a diagram for explaining the bases belonging to the VPN service. FIG. 4C is a diagram for explaining the bases belonging to the VPN service. FIG. 5 is a diagram for explaining a network configuration according to the second embodiment. FIG. 6 is a diagram for explaining an address determination method using Single-NAT. FIG. 7 is a diagram for explaining an address determination method using Twice-NAT. FIG. 8 is a flowchart illustrating the processing procedure of the address determination method according to the second embodiment. FIG. 9 is a diagram for explaining a specific example of the address determination method. FIG. 10 is a diagram for explaining a specific example of the address determination method. FIG. 11 is a diagram for explaining the concept of address determination. FIG. 12 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 13 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 14 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 15 is a diagram for explaining an example of setting address translation information and routing information in the second embodiment. FIG. 16 is a diagram for explaining addresses assigned to interfaces of devices in the second embodiment. FIG. 17 is a block diagram illustrating the configuration of the inter-VPN connection management system 100 according to the second embodiment. FIG. 18 is a diagram for explaining the inter-VPN connection information storage unit 121. FIG. 19 is a diagram illustrating an example of a setting pattern of the collective virtual router. FIG. 20 is a diagram illustrating an example of a setting pattern of the VPN termination device. FIG. 21 is a diagram for explaining the inter-VPN connection request storage unit 123. FIG. 22 is a diagram for explaining the address conversion information storage unit 124. FIG. 23 is a diagram for explaining the routing information storage unit 125. FIG. 24 is a diagram for explaining the routing information storage unit 125. FIG. 25 is a diagram for explaining the DNS registration information storage unit 126. FIG. 26 is a diagram for explaining the attachment storage unit 127. FIG. 27 is a diagram for explaining the pre-configuration information of the collective virtual router. FIG. 28 is a diagram for explaining the pre-setting information of the VPN terminating device. FIG. 29 is a diagram for explaining an example of an input screen for an inter-VPN connection request. FIG. 30 is a flowchart of a process procedure performed by the inter-VPN connection management system 100 according to the second embodiment. FIG. 31 is a flowchart showing a DNS registration processing procedure. FIG. 32 is a diagram for explaining the arrangement of DNS in the second embodiment. FIG. 33 is a diagram for explaining user level control. FIG. 34 is a diagram for explaining user level control. FIG. 35 is a diagram for explaining the arrangement of DNS in the third embodiment. FIG. 36 is a diagram for explaining determination of a terminal name in multiple attribution. FIG. 37 is a block diagram illustrating the configuration of the address determination apparatus 200 according to the fifth embodiment.

  In the following, embodiments of the DNS registration apparatus, inter-VPN connection management system, wide-area DNS apparatus, DNS registration program, wide-area DNS program, DNS registration method, and inter-VPN connection management method disclosed in the present application will be described. In addition, this invention is not limited by the following examples.

  A DNS registration apparatus according to the first embodiment will be described. FIG. 1 is a diagram for explaining a network configuration according to the first embodiment. As illustrated in FIG. 1, the DNS registration apparatus according to the first embodiment is configured such that when a communication partner identification address is paid out for each site in an inter-VPN connection system that connects a plurality of sites between sites via a wide area network. A set of a terminal name and a communication partner identification address is generated for each site belonging to the connection between sites as registration information to be registered in the DNS, and the generated registration information is registered in the DNS for each site. Note that the communication partner identification address is an address for identifying a terminal under another base serving as a communication partner within the base. The inter-VPN connection system includes a transfer control device, an address translation device, and a VPN termination device.

  Here, the VPN termination device accommodates the base via the access network and terminates the VPN between the accommodated base and the wide area network. The address translation device translates the address of the packet received from the VPN termination device and transmits the packet after the address translation to the transfer control device. The address translation device translates the address of the packet received from the transfer control device, and transmits the packet after the address translation to the VPN termination device. The transfer control device controls packet transfer within the wide area network.

  A DNS registration apparatus 10 according to the first embodiment will be described. FIG. 2 is a block diagram illustrating the configuration of the DNS registration apparatus 10 according to the first embodiment. As illustrated in FIG. 2, the DNS registration device 10 according to the first embodiment includes a registration information generation unit 11 and a DNS registration unit 12.

  For example, in an inter-VPN connection system, an inter-base connection request for connecting a plurality of bases between bases is received on demand, and a communication partner identification address is paid out on demand for each base. Here, since the communication partner identification address is an address for identifying a terminal under another base serving as a communication partner within a “base”, even if it is an address for identifying the same terminal, it is different for each base. Address.

  For example, when the terminal α at the base A, the terminal β at the base B, and the terminal γ at the base C are connected between the bases, the communication partner identification address for identifying the terminal β in the base A and the terminal β in the base C It can be a different address from the communication partner identification address for identifying. For example, it is assumed that the communication partner identification address “address B1” for identifying the terminal β and the communication partner identification address “address C1” for identifying the terminal γ are issued for the base A. Further, it is assumed that the communication partner identification address “address A1” for identifying the terminal α and the communication partner identification address “address C2” for identifying the terminal γ are issued for the base B. Further, it is assumed that the communication partner identification address “address A2” for identifying the terminal α and the communication partner identification address “address B2” for identifying the terminal β are paid out for the site C.

  Then, the registration information generation unit 11 of the DNS registration device 10 determines the name of the terminal so as to be unique within the base, and registration information for registering the set of the determined terminal name and the communication partner identification address in the DNS. Is generated for each site belonging to the connection between sites. For example, the registration information generation unit 11 determines the “name of terminal β” for the base A so as to be unique within the base A, and registers the set of the determined “name of terminal β” and “address B1”. Generate as information. Also, the registration information generation unit 11 determines “name of terminal γ” so as to be unique within the base A, and registers the set of the determined “name of terminal γ” and “address C1”. Generate as information.

  In addition, the registration information generation unit 11 determines the “name of the terminal α” for the base B so as to be unique within the base B, and registers the set of the determined “name of the terminal α” and “address A1”. Generate as information. The registration information generation unit 11 determines “name of terminal γ” so as to be unique within the base B for the base B, and sets the combination of the determined “name of terminal γ” and “address C2” as registration information. Generate.

  In addition, the registration information generation unit 11 determines the “name of the terminal α” for the base C so as to be unique within the base C, and registers the set of the determined “name of the terminal α” and “address A2”. Generate as information. The registration information generation unit 11 determines “name of terminal β” for the base C so as to be unique within the base C, and sets the combination of the determined “name of terminal β” and “address B2” as registration information. Generate.

  Then, the DNS registration unit 12 of the DNS registration device 10 registers the registration information generated by the registration information generation unit 11 in the DNS 1 for each site belonging to the connection between sites. For example, the DNS registration unit 12 registers a pair of “address B1” and “name of terminal β” and a pair of “address C1” and “name of terminal γ” as DNS registration information of the base A. . Also, the DNS registration unit 12 registers, as the DNS registration information of the base B, a set of “address A1” and “name of terminal α” and a set of “address C2” and “name of terminal γ”. . In addition, the DNS registration unit 12 registers a set of “address A2” and “name of terminal α” and a set of “address B2” and “name of terminal β” as DNS registration information of the base C. .

  In this way, for example, “address B1” and “address B2” are associated with “name of terminal β”, but at base A, the address of “name of terminal β” is “address B1”. In the base C, the address of “terminal β name” is unique as “address B2”. For this reason, the DNS registration device 10 distinguishes the DNS registration information of the base A and the DNS registration information of the base C and registers them in the DNS 1. On the other hand, on the DNS1 side, it is necessary to manage DNS registration information for each site.

  FIG. 3 is a flowchart of a process procedure performed by the DNS registration apparatus 10 according to the first embodiment. As illustrated in FIG. 3, the DNS registration device 10 according to the first embodiment, when the communication partner identification address is paid out for each site belonging to the connection between sites (Yes in step S <b> 1), makes the terminal unique within the site. Is determined (step S2).

  Next, the DNS registration device 10 generates a set of the name of the terminal determined in step S2 and the communication partner identification address for each site belonging to the connection between sites as registration information registered in the DNS (step S3). Then, the DNS registration device 10 registers the registration information generated in step S3 in the DNS for each site belonging to the connection between sites (step S4).

  As described above, when the communication partner identification address is paid out on demand in response to the inter-site connection request, the DNS registration device 10 according to the first embodiment registers information indicating the correspondence between the communication partner identification address and the name of the terminal. Is automatically registered in DNS1. For this reason, it is possible to reduce the load on the user. Moreover, since the DNS registration apparatus 10 according to the first embodiment determines registration information to be registered in the DNS 1 for each base and registers the registration information in the DNS 1 for each base, the DNS 1 side manages the registration information for each base. Become. Then, even if the communication partner identification address issued by the inter-VPN connection system for identifying a certain terminal differs depending on the base, the DNS 1 determines from which base the inquiry is made. This makes it possible to perform correct name resolution according to the base of the inquiry source.

  1 illustrates a configuration in which a plurality of VPN termination devices, multiple address conversion devices, and a single transfer control device are installed. The invention is not limited to this. For example, the present invention is similarly applied to a configuration in which a plurality of combinations of VPN termination devices of a plurality of housings, address conversion devices of a plurality of housings, and transfer control devices of one housing are further installed. Can be applied. Further, for example, the present invention is similarly applied to a configuration in which a plurality of housing VPN termination devices, a plurality of housing address conversion devices, and a plurality of housing transfer control devices are installed in combination. Can be applied.

  In addition, for example, a function (a function for accommodating a base and terminating a VPN between the accommodated base and a wide area network) and a function (a function for converting an address) included in the address conversion apparatus are included in the VPN termination apparatus. The present invention can be similarly applied to a configuration in which a device in which the functions of the transfer control device (the function of controlling packet transfer in the wide area network) are accommodated in one housing is installed.

  In FIG. 1, for convenience of explanation, the VPN termination device of one housing accommodates one base, but the present invention is not limited to this, and generally the VPN of one housing is used. A termination device accommodates multiple sites. Here, “accommodates a base” means, for example, a physical connection between a VPN terminal installed in a wide area network and a network device such as a router installed in an access network, and also in the access network. A physical connection between a network device such as an installed router and a network device such as a router installed at a base.

  Here, the aspect of “base” will be described. A “base” may be a terminal rather than a so-called network. For example, the case where the router installed in the base is realized by software in the terminal instead of a physical router is included. In addition, the “base” may be an in-house network of a plurality of local area networks connected by a VPN service provided by a telecommunications carrier or the like.

  4A to 4C are diagrams for explaining the bases belonging to the VPN service. In FIGS. 4A to 4C, two types of dotted lines are used. One is a normal dotted line, and the other is a broken line (a combination of a short line and a long line). The broken lines indicate that a plurality of bases belonging to the same VPN service and a VPN is formed between bases in the same company (for example, C company). On the other hand, the dotted line indicates that the VPNs are connected. For example, connection between a plurality of bases belonging to different VPN services, or connection between VPNs of different companies, even between a plurality of bases belonging to the same VPN service.

  As shown in FIG. 4A, for example, Company C has a base group belonging to the VPN service 1 and a base belonging to the VPN service 3. Since the VPN service 1 and the VPN service 3 are different VPN services, as a result of prior address design in each VPN service, for example, a terminal of a company C base belonging to the VPN service 1 and a C belonging to the VPN service 3 The same private address may be given to the terminal at the company base. On the other hand, Company D has a base belonging to the VPN service 2 and a base belonging to the VPN service 4. Since the VPN service 2 and the VPN service 4 are different VPN services, as a result of prior address design in each VPN service, for example, the terminal of the company D base belonging to the VPN service 2 and the D belonging to the VPN service 4 The same private address may be given to the terminal at the company base.

  In the DNS registration apparatus according to the present invention, for the inter-base connection between the base group of the company C and the base group of the company D belonging to different VPN services, the terminals under the other bases that are communication partners are connected within the base. When the communication partner identification address for identification is paid out for each of the C company bases and for each of the D company bases, DNS registration information is generated from the pair of the sent communication partner identification address and the terminal name, and the C company It is possible to automatically register the DNS registration information of each site and the DNS registration information of each site of Company D. That is, a base between a group of companies belonging to the VPN service 1, a company D belonging to the VPN service 2, a company C belonging to the VPN service 3, and a company D belonging to the VPN service 4 For inter-connection, DNS registration information used for inter-base connection can be automatically registered.

  As shown in FIG. 4B, for example, Company C has a group of bases grouped by the VPN service 3. On the other hand, Company D has a group of bases grouped by the VPN service 4. The DNS registration apparatus according to the present invention automatically sets DNS registration information used for inter-base connection for such inter-base connection between the base group of company C and the base group of company D belonging to different VPN services. You can register.

  As shown in FIG. 4C, for example, Company C and Company D both have base groups grouped by the VPN service 2. The DNS registration device according to the present invention is such a connection between the base group of the company C belonging to the same VPN service and the base group of the company D, in other words, between a plurality of base groups belonging to the same VPN termination apparatus. With regard to inter-base connection, DNS registration information used for inter-base connection can be automatically registered.

  Although FIG. 1 illustrates the configuration in which the DNS registration device is installed in the wide area network, the present invention is not limited to this. For example, the present invention can be similarly applied to a configuration in which a DNS registration device is connected to a VPN termination device, an address translation device, and a transfer control device via a monitoring network.

  1 illustrates the configuration in which the DNS registration device of one housing is installed, the present invention is not limited to this. For example, the present invention is similarly applied to a configuration in which a DNS registration device having a plurality of housings is installed, or a configuration in which a part of the DNS registration device such as a storage unit is installed in another housing. be able to.

[Network Configuration of Example 2]
Next, in the second embodiment, a case where the base is a network and belongs to a VPN service provided by a telecommunications carrier or the like will be described as an example. That is, the inter-base connection in the second embodiment is an “inter-VPN connection” that connects bases belonging to the VPN service. FIG. 5 is a diagram for explaining a network configuration according to the second embodiment. As illustrated in FIG. 5, the inter-VPN connection management system according to the second embodiment includes a DNS registration device, and the DNS registration device is an inter-VPN connection system that connects a plurality of bases between VPNs via a wide area network. On the other hand, DNS registration information used for connection between VPNs is automatically registered.

  Here, the VPN termination device accommodates the base via the access network and terminates the VPN between the accommodated base and the wide area network. The NAT device (not shown in FIG. 5) converts the address of the packet received from the VPN termination device, and transmits the address-converted packet to the collective virtual router. Further, the NAT device converts the address of the packet received from the collective virtual router, and transmits the packet after the address conversion to the VPN termination device. The collective virtual router controls packet transfer in the wide area network.

  Further, as illustrated in FIG. 5, a virtual router for connection between VPNs is set in the aggregate virtual router in a time-limited manner according to a connection request between VPNs. That is, the virtual router is routing information set for each connection between VPNs (for each collaborative space), and implements a collaborative space by routing according to the routing information set for a limited time. In the second embodiment, a configuration is also assumed in which one base is assigned to a plurality of cooperating spaces in the same time zone.

  5 illustrates a configuration in which a plurality of VPN termination devices, a plurality of NAT devices, and a collective virtual router in one housing are installed. Is not limited to this. For example, the present invention is similarly applied to a configuration in which a plurality of combinations of VPN termination devices of a plurality of cases, NAT devices of a plurality of cases, and a collective virtual router of one case are further installed. can do. In addition, for example, the present invention is similarly applied to a configuration in which a plurality of casing VPN termination devices, a plurality of casing NAT devices, and a collective virtual router of a plurality of casings are installed in combination. can do.

  Further, for example, a function (a function for accommodating a base and terminating a VPN between the accommodated base and a wide area network), a function (a function for converting an address), and a set of a NAT apparatus The present invention can be similarly applied to a configuration in which an apparatus in which the function of the virtual router (the function of controlling packet transfer in the wide area network) is accommodated in one housing is installed.

  Further, in FIG. 5, for convenience of explanation, the VPN termination device of one casing accommodates one base, but the present invention is not limited to this, and generally the VPN of one casing is used. A termination device accommodates multiple sites. Here, “accommodating a base” means, for example, a physical connection between a VPN termination device installed in a wide area network and a network device such as a router installed in an access network, and also in the access network. A physical connection between a network device such as an installed router and a network device such as a router installed at a base. Note that the base may be one terminal instead of a so-called network. For example, there is a case where a router installed at a base is realized by software in a terminal instead of a physical router.

  5 illustrates the configuration in which the inter-VPN connection management system including the DNS registration device is installed in the wide area network, but the present invention is not limited to this. For example, the present invention can be similarly applied to a configuration in which an inter-VPN connection management system is connected to a VPN termination device, a NAT device, and a collective virtual router through a monitoring network.

  5 illustrates a configuration in which the inter-VPN connection management system of one housing is installed, but the present invention is not limited to this. For example, the present invention can be applied to a configuration in which an inter-VPN connection management system having a plurality of casings is installed, or a configuration in which a part of the inter-VPN connection management system such as a storage unit is installed in another casing. The same can be applied.

  Here, as illustrated in FIG. 5, the VPN terminating device, the NAT device, and the collective virtual router are physically connected, and the interface setting in the data link layer of OSI (Open Systems Interconnection) is performed in advance. ing. In the second embodiment, a star configuration is assumed as a network configuration for connection between VPNs.

[Address Determination Method in Embodiment 2]
As described above, the inter-VPN connection management system according to the second embodiment includes the DNS registration device, and the DNS registration device automatically registers the DNS registration information using the address determined in the inter-VPN connection management system. To do. Therefore, before describing the DNS registration apparatus, first, an address determination method in the second embodiment will be described. In the second embodiment, an RFC (Request for Comments) 2663 technique (hereinafter “Twice-NAT”) published by the Internet Engineering Task Force (IETF) is used as an address translation technique. In the following, from the viewpoint of comparison, first, the technology of RFC1631 (hereinafter, “Single-NAT”) will be described, and then, Twice-NAT will be described.

[Address determination method using Single-NAT]
FIG. 6 is a diagram for explaining an address determination method using Single-NAT. The variables used in the following description are defined with reference to FIG. Hereinafter, a base connected between VPNs is referred to as “VPN”. “VPN _i ” is the VPN name, i = 1, 2, 3,. “A _i ” is an address used inside VPN _i (hereinafter “in-site address”). “VRF _m ” is a virtual router name set in the collective virtual router, and m = 1, 2, 3,. VRF is an abbreviation for Virtual Routing and Forwarding. Expression (1-1) is an operator representing address conversion from VPN _i to VRF _m .

Then, the base address a _i of VPN _i is converted to the equation (1-2) when the address is converted for VRF _m . On the other hand, the base address a _j of VPN _j is expressed by equation (1-3) when the address is translated for VRF _m . That is, as illustrated in FIG. 6, in VRF _m , an address for identifying VPN _i is an expression (1-2), and an address for identifying VPN _j is an expression (1-3). Further, in VPN _i , an address for identifying VPN _j as a connection destination is represented by equation (1-3). On the other hand, in VPN _j , an address for identifying VPN _i as a connection destination is represented by equation (1-2).

For example, when the packet to the VPN _j from VPN _i shown in FIG. 6 is transmitted, packets, via the VRF _m, is transmitted as _{VPN i → VRF m → VPN j} . Here, when Single-NAT is used for address conversion, the NAT device converts only the source address and does not convert the destination address, or converts only the destination address and does not convert the source address. . For this reason, the combination of {source address, destination address} is expressed by equation (1-4) in each region in VPN _i , VRF _m , and VPN _j by address conversion. Note that i ≠ j.

  The address must be determined so as to satisfy two conditions of “(1) routing is possible from the VPN side” and “(2) routing is possible from the VPN side”.

Considering "(1) that routing is possible from the VPN side", the condition of (1) is that "the route to the VRF regarding the connection destination that may be accessed simultaneously from VPN _i is different". It becomes the condition. In other words, “a terminal that can be used as a communication partner in the VPN in a time zone that overlaps with a time zone in which the connection between VPNs is used for identifying a terminal under the other VPN as a communication partner in the VPN. It must be determined so as to be unique among the above.

When expressed using the above variables, equation (1-5) is obtained. That is, for example, the destination that may be accessed simultaneously by VPN _i is a VPN _j and VPN _k, via VRF _m and VPN _j, also the connection between the VPN via VRFn the VPN _k ( m ≠ n). Then, in VPN _i , since the address of the connection destination VPN _j is the expression (1-6) and the address of the connection destination VPN _k is the expression (1-7), the above expression (1-5) Indicates that it must be determined to be unique.

Further, considering “(2) that routing is possible from the VPN side”, the condition of (2) is that “the route to the VPN that may simultaneously access VRF _m is different”. It becomes a condition. In other words, “the address for identifying the terminals under each VPN belonging to the connection between VPNs within the wide area network is controlled as the connection between VPNs in a time zone overlapping with the time zone in which the connection between VPNs is used. It must be determined to be unique among terminals that can be performed.

When expressed using the above variables, equation (1-8) is obtained. That is, for example, it is assumed that VPNs that may simultaneously access VRF _m are VPN _i and VPN _j (i ≠ j). Then, in VRF _m , the address for identifying VPN _i is the expression (1-9), and the address for identifying VPN _j is the expression (1-10). Therefore, the above expression (1-8) Indicates that they must be determined to be unique.

  Here, it should be noted that the expression (1-5) uniquely determines an address between different VRFs, while the expression (1-8) uniquely addresses within each VRF. It is a point that represents the determination. Eventually, in order to satisfy the expressions (1-5) and (1-8), it is necessary to satisfy “there is no duplication of addresses among all VRFs that may be accessed simultaneously” (1 ) And (2) are not independent conditions.

For example, if the VRF (group) that VPN ₁ may access at the same time and the VRF (group) that VPN ₂ may access at the same time overlap, VPN ₁ and VPN ₂ will access simultaneously In the VRF (s) that may be, the conditions of (1) and (2) cannot be considered completely independent.

  In addition, in the on-demand inter-VPN connection service, the VRF repeatedly generates and disappears in a timely manner. For this reason, for example, when there are a plurality of VRFs that may be accessed at the same time, or when a new VPN must be accommodated retroactively with respect to a VRF to which an address has already been assigned, etc. Addresses must be managed on the time axis, including the generation and disappearance of VRFs, making it difficult to manage addresses. Furthermore, if the number of VRFs that can be accessed at the same time becomes enormous, addresses may be depleted, and addresses may not be assigned.

[Address determination method using Twice-NAT]
Next, Twice-NAT used in the second embodiment will be described. FIG. 7 is a diagram for explaining an address determination method using Twice-NAT. With reference to FIG. 7, variables used in the following description are defined. “VPN _i ” is the VPN name, i = 1, 2, 3,. “A _i ” is an in-base address used inside VPN _i . “VRF _m ” is a virtual router name, and m = 1, 2, 3,. Expression (2-1) is an operator representing address conversion from VPN _i to VRF _m . Expression (2-2) is an operator representing address conversion from VRF _m to VPN _j . Further, from the definition, equation (2-3) is established, and therefore equation (2-4) is established.

Then, the base address a _i of VPN _i is converted to the expression (2-5) when the address is converted for VRF _m . On the other hand, the site in the address a _j of VPN _j becomes When address translation for VRF _m and (2-6) below. That is, as illustrated in FIG. 7, in VRF _m , an address for identifying VPN _i is an expression (2-5), and an address for identifying VPN _j is an expression (2-6). Further, in VPN _i , an address for identifying VPN _j as a connection destination is represented by equation (2-7) obtained by further performing address conversion from VRF _m to VPN _{i in} equation (2-6). On the other hand, in VPN _j , an address for identifying VPN _i as a connection destination is represented by equation (2-8) obtained by further performing address conversion from VRF _m to VPN _{j in the} equation (2-5).

For example, when the packet to the VPN _j from VPN _i shown in FIG. 7 is transmitted, packets, via the VRF _m, is transmitted as _{VPN i → VRF m → VPN j} . Here, when using Twice-NAT for address conversion, the NAT device converts the source address and the destination address. For this reason, the combination of {source address, destination address} is expressed by equation (2-9) in each area in VPN _i , VRF _m , and VPN _j by address conversion. Note that i ≠ j.

  As with the conditions when using Single-NAT, the addresses are two types: “(1 ′) routing is possible from the VPN side” and “(2 ′) routing is possible from the VRF side”. Must be determined to meet the conditions.

Examining “(1 ′) that routing is possible from the VPN side”, the condition of (1 ′) is the same as the condition when using Single-NAT, that is, “the possibility of simultaneous access from VPN _i. The condition is that the route to the VRF for a certain connection destination is different. In other words, “a terminal that can be used as a communication partner in the VPN in a time zone that overlaps with a time zone in which the connection between VPNs is used for identifying a terminal under the other VPN as a communication partner in the VPN. It must be determined so as to be unique among the above.

When expressed using the above variables, equation (2-10) is obtained. That is, for example, the destination that may be accessed simultaneously by VPN _i is a VPN _j and VPN _k, via VRF _m and VPN _j, also the connection between the VPN via VRFn the VPN _k ( m ≠ n). Then, in VPN _i , the address for identifying the connection destination VPN _j is the equation (2-11), and the address for identifying the connection destination VPN _k is the equation (2-12). The expression −10) represents that these must be determined to be unique.

Also, considering “(2 ′) that routing is possible from the VRF side”, the condition of (2 ′) is the same as the condition when using Single-NAT, that is, “VRF _m can be accessed simultaneously. It is a condition that the route to the VPN having a characteristic is different. In other words, “the address for identifying the terminals under each VPN belonging to the connection between VPNs within the wide area network is controlled as the connection between VPNs in a time zone overlapping with the time zone in which the connection between VPNs is used. It must be determined to be unique among terminals that can be performed.

When expressed using the above variables, the expression (2-13) is obtained as in the case of using Single-NAT. That is, for example, it is assumed that VPNs that may simultaneously access VRF _m are VPN _i and VPN _j (i ≠ j). Then, in VRF _m , the address for identifying VPN _i is the expression (2-14) and the address for identifying VPN _j is the expression (2-15). Therefore, the above expression (2-13) Indicates that they must be determined to be unique.

  Here, it should be noted that the expression (2-10) uniquely determines an address in each VPN, and the expression (2-13) uniquely specifies an address in each VRF. This represents that the condition of the expression (2-10) and the condition of the expression (2-13) are independent conditions. That is, when using Twice-NAT for address translation, the NAT device translates the source address and the destination address, so the NAT side is the boundary and the address system on the base side and the address system on the wide area network side are separated. Can be independent. As a result, the condition (1 ′) and the condition (2 ′) are independent conditions. Therefore, for example, the address system on the base side can be set to IP (Internet Protocol) v4, and the address system on the wide area network side can be set to IPv6.

For this reason, for example, if the VRF (group) that VPN ₁ may access simultaneously and the VRF (group) that VPN ₂ may access simultaneously partially overlap, VPN ₁ and In the VRF (s) that VPN ₂ may access at the same time, the condition (1 ′) and the condition (2 ′) can be considered completely independently. In addition, when a set of VPNs simultaneously accesses different VRFs (multiple belongings), from one of the VPNs, one VPN is connected to one terminal under the other VPN that is the connection target. Different addresses are associated with each other depending on the difference in VRF.

  In addition, in an on-demand inter-VPN connection service, VRFs are repeatedly generated and extinguished in a timely manner, but it is not necessary to consider consistency between VRFs that may access a plurality at the same time, making it difficult to manage addresses. It also eliminates the possibility of running out of addresses.

[Flow chart of address determination method]
Next, a flowchart of the address determination method described above will be described with reference to FIG. FIG. 8 is a flowchart illustrating the processing procedure of the address determination method according to the second embodiment. Between the times t1 to t2, it will be described using an example for accommodating the VPN _j to VRF _m.

  As described above, the condition (2 ′) is a condition determined by each VRF. For this reason, when a new VRF is constructed, it is always possible to pay out an address. On the other hand, when a VPN is newly accommodated in a VRF that has already been constructed, the address can be paid out only when there is an empty address. For this reason, as illustrated in FIG. 8, the address determination device first determines whether or not a new VRF is to be constructed (step S11).

When constructing a new VRF (Yes at Step S11), the address determination device determines an address (3-1) expression for identifying the connection destination VPN _j using VRF _m (Step S12).

Subsequently, the address determination apparatus has an expression (3-3) that satisfies the expression (3-2) in another VPN _i (i ≠ j) accommodated in the VRF _m between the times t1 and t2. It is determined whether to do (step S13).

  If it is determined that it exists (Yes at Step S13), it can be paid out (Step S14), and therefore the address determination device determines Expression (3-3) (Step S15). On the other hand, when it is determined that it does not exist (No at Step S13), since the payout is impossible (Step S16), the address determination device makes an error response (Step S17).

On the other hand, when a new VPN is accommodated in the already constructed VRF in step S11 (No in step S11), the address determination device performs (3-4) in the VRF _m between times t1 and t2. It is determined whether there is an expression (3-5) that satisfies the expression (step S18).

If it is determined that it exists (Yes at Step S18), the address determination device then (3−3) inside another VPN _i (i ≠ j) accommodated in the VRF _m during the time t1 to t2. 6) It is determined whether there is an expression (3-7) that satisfies the expression (step S19).

Then, if it is determined that it exists (Yes at Step S19), it can be paid out (Step S20), so the address determination device determines Expressions (3-8) and (3-9) (Step S21). . On the other hand, if it is determined in step S18 that it does not exist (No in step S18) and if it is determined in step S19 that it does not exist (No in step S19), the payout is impossible (step S22). Then, an error response is made (step S23).

  As described above, the condition (1 ′) and the condition (2 ′) can be examined independently, independently and independently, so that the algorithm for determining the address is simplified.

[Specific example of address determination method]
Next, a specific example of the address determination method will be described with reference to FIGS. 9 and 10 are diagrams for explaining a specific example of the address determination method, and FIG. 11 is a diagram for explaining the concept of address determination. First, as illustrated in FIG. 9, “Company A” is a base belonging to “VPN1”, and already uses the inter-VPN connection service. Further, “Company A” has already registered the in-base address in the inter-VPN connection management system when contracting for the inter-VPN connection service. This is because the inter-VPN connection management system allocates addresses that are not used in “Company A” among the addresses that can be used by “Company A” for connection between VPNs. That is, the in-site address is a private address used by “Company A” and is already used by “Company A” or managed as a private address that may be used in the future. Is. Since the in-site address is a private address arbitrarily used in each base, there is a possibility of overlapping between the bases.

  “VPN1” is connected to virtual routers “VRF1” and “VRF2”. In the virtual router “VRF1”, two VPNs are connected in addition to “VPN1”, and in the virtual router “VRF2”, three VPNs are connected in addition to “VPN1”.

  “Company A” is connected to “VRF1” and “VRF2” via “VPN1”. At this time, the routing table of “VPN terminating device 1” describes the routing information of 2 routes for “VRF1” and 3 routes for “VRF2”. In addition, private addresses that “Company A” does not use in-house are used. Since the private address used by “Company A” is registered in advance, the inter-VPN connection management system can obtain an unused private address using this registered content. In order for the “VPN termination device 1” to perform routing to each VRF, these five routes need to be independent.

  “Company A” adds a new virtual router (“VRF3”). In addition to “VPN1”, one VPN is connected to “VRF3”. Therefore, one route is added from “VPN terminating device 1” of “Company A” to “VRF3”. One route to be added must be assigned an address that satisfies both of the following conditions.

  That is, (1) a private address that is not used in “Company A”, and (2) a private address that is not used as a route for the VRF. This time, other than the two routes for “VRF1” and the three routes for “VRF2” are targeted. Here, a in FIG. 10 shows the entire address that can be used by “Company A”. Further, b in FIG. 10 shows a private address used in “Company A”, and is a private address used in “Company A” regardless of the use of the inter-VPN connection system. Further, c in FIG. 10 shows a private address used as a route for the VRF, which is a private address that has already been issued (or reserved) to the “Company A” by the VPN connection management system for the VPN connection system. . If there is no address that can satisfy the above two conditions (d (= a− (b + c) in FIG. 10), a new address cannot be assigned, and the inter-VPN connection management system returns an error response indicating that it cannot be issued. Etc.

  The inter-VPN connection management system searches for and determines an address that has not yet been reserved for using the inter-VPN connection service and that is not in use. That is, the address space is a one-dimensional quantity. Accordingly, as illustrated in FIG. 11, the inter-VPN connection management system searches for an address that has not yet been reserved in the reservation time zone, and uses the searched address for the inter-VPN connection service in the reservation time zone. Determine as the address.

  For example, referring to FIG. 11, when a reservation for an inter-VPN connection service is accepted, one VPN has a 24-bit address mask with a subnet mask of t1 to t1 ′ (one route is connected). It is assumed that one other VPN is reserved). Further, it is assumed that two 24-bit subnet mask address bands (two other VPNs as connection destinations for two routes) are reserved in the time period from t2 to t2 ′. Further, it is assumed that one subnet mask 24-bit address band (one route and one other VPN as a connection destination is reserved) is reserved in the time period from t3 to t3 ′. In FIG. 11, the already reserved address band is indicated by a solid line.

  Here, it is assumed that for the new reservation, it is necessary to pay out address bands for three routes in the time period from t4 to t4 ′. Then, as shown in FIG. 11, the inter-VPN connection management system uses three subnet mask 24-bit address bands that have not been reserved for the time period t4 to t4 ′ as the VPN in the time period t4 to t4 ′. It is determined as an address for using the inter-connection service. In FIG. 11, an address band for a new reservation is indicated by a dotted line.

  As described below, the inter-VPN connection management system 100 according to the second embodiment manages the entire private address as an address that can be used for the inter-VPN connection service. The inter-VPN connection management system 100 searches for an already reserved address on the time axis, and is an address other than the address searched as an already reserved address out of all private addresses, Addresses other than the private addresses used in the above and addresses assigned for the interface of each device are determined as new payout addresses.

  For example, the inter-VPN connection management system 100 stores the information for identifying the inter-VPN connection, the information for identifying the VPN belonging to the inter-VPN connection, and the already reserved address in the storage unit, and stores them in the storage unit. The entire address, the private address used in the base, and the address assigned for the interface of each device may be stored in the storage unit. When the inter-VPN connection management system 100 receives an inter-VPN connection request for requesting an inter-VPN connection, the inter-VPN connection management system 100 searches this storage unit to determine a new payout address. Further, at this time, the inter-VPN connection management system 100 determines, from among the private addresses, for example, an empty address in ascending order of addresses, or an empty address in descending order, or randomly determined. Can do. Further, the address is not limited to the subnet mask of 24 bits, and for example, an address of the subnet mask of 32 bits may be issued. That is, there is no restriction on the subnet mask.

[Setting example of address translation information and routing information in the second embodiment]
Next, an example of setting address translation information and routing information in the second embodiment will be described with reference to FIGS. 12 to 15 are diagrams for explaining an example of setting address translation information and routing information in the second embodiment. Note that the following description is specific to the address determined by the inter-VPN connection management system 100 by examining which device and how the address of a packet sent from a certain terminal to a certain terminal is converted. This will be explained using various values. Therefore, the following description does not necessarily indicate the order of processing or the order of setting.

  First, an assumed network configuration will be described with reference to FIG. As illustrated in FIG. 12, by providing a service for connecting the terminal α of the base “Company A” and the terminal β of the base “B” with the VPN, the bases “Company A” and “Company B” A case where a collaborative space is provided is assumed. As illustrated in FIG. 12, the connection destination ID of the site “Company A” is “UserA-Office”, and the in-site address of the terminal α is “192.168.1.10/24”. Further, the connection destination ID of the site “Company B” is “UserB-Office”, and the in-site address of the terminal β is “192.168.1.10/24”.

  Here, since the in-base address is a private address arbitrarily used in each base, there is a possibility that the base addresses overlap. For example, as illustrated in FIG. 12, the base address “192.168.1.10/24” of the terminal α and the base address “192.168.1.10/24” of the terminal β Are duplicated, and addresses within the site are duplicated. As will be described below, the inter-VPN connection management system determines and pays out an address so that the in-base address is used as it is at the base.

  As illustrated in FIG. 12, the base “Company A” is accommodated in “VPN terminating device 1”, and the base “Company B” is accommodated in “VPN terminating device 2”. Further, as illustrated in FIG. 12, “VPN termination device 1” and “VPN termination device 2” are accommodated in “aggregate virtual router 1”. Further, as illustrated in FIG. 12, the NAT device installed between “VPN termination device 1” and “aggregation virtual router 1” is “NAT device 1”, and “VPN termination device 2” and “aggregation”. The NAT device installed between “virtual router 1” is “NAT device 2”. Further, as illustrated in FIG. 13, the “aggregate virtual router 1” includes a virtual router (““ Company A ”) and a terminal“ B ”at the base“ Company B ”in order to connect between the VPNs. vrf1)) is constructed.

  Here, in the NAT device, address conversion by Twice-NAT is performed. Specifically, the NAT device converts both the source address and the destination address. For this reason, the addresses of the base “Company A”, the base “B company”, and the virtual router (“vrf1”) are not notified to other areas and are used only in each area, and are unique in each area. Addresses can be assigned. In order to satisfy the routing condition, an address other than the in-base address is used as a conversion address. The address conversion can be performed in units of addresses or in units of subnets. However, in the following, description will be made assuming address unit conversion.

  Note that since the address set in the virtual router is not notified to the user base such as the base “Company A” or “Company B” or other virtual routers, a unique address system can be used. For this reason, an IPv6 address may be used.

  The processing outline of the inter-VPN connection management system 100 according to the second embodiment will be described. The inter-VPN connection management system 100 includes: (1) a terminal α at the base “Company A” and a terminal β at the base “Company B”. (2) A virtual router for connecting the terminal α and the terminal β between the VPNs is constructed in the “aggregate virtual router 1”, and (3) the terminal α and the terminal are connected to each other. Address conversion information for address conversion performed in communication with β is generated. (4) Based on the generated address conversion information, each device (“aggregate virtual router 1”, “VPN termination device 1”, “ Routing information to be set in the VPN termination device 2 ”,“ NAT device 1 ”,“ NAT device 2 ”), and (5) setting for each device by the time when the inter-VPN connection service is started (“ collective virtual router 1 ”). 』、 Routing information setting for VPN termination device 1 ”,“ VPN termination device 2 ”,“ NAT device 1 ”,“ NAT device 2 ”, and address conversion information setting for“ NAT device 1 ”and“ NAT device 2 ”) (6) When the time for ending the inter-VPN connection service is reached, the settings made for each device are deleted. Note that not all the processes (1) to (6) must be executed, and (1) to (6) do not necessarily define the order of the processes.

  The generation of the address translation information (3) will be further described. The inter-VPN connection management system 100 (particularly, the address determination device) uses an address for identifying a terminal under another base serving as a communication partner at the base, and a terminal under each base belonging to the inter-VPN connection as a collective virtual router. Address for identification is determined, and address translation information is generated.

  For example, when focusing on the site “Company A” in FIG. 12, “the address for identifying the terminal under the other site as the communication partner at the site” is an address for identifying the terminal β. Therefore, the inter-VPN connection management system 100 determines an address (hereinafter, “first address of the terminal β”) for identifying the terminal β.

  For example, when focusing on the base “Company B” in FIG. 12, “an address for identifying a terminal under another base serving as a communication partner at the base” is an address for identifying the terminal α. . Therefore, the inter-VPN connection management system 100 determines an address for identifying the terminal α (hereinafter, “first address of the terminal α”).

On the other hand, “the address for identifying the terminal under each base belonging to the connection between VPNs by the collective virtual router” is an address for identifying the terminal α and an address for identifying the terminal β. Accordingly, the inter-VPN connection management system 100 has an address for identifying the terminal α (hereinafter “second address of the terminal α”) and an address for identifying the terminal β (hereinafter “second address of the terminal β”). decide. Subsequently, the inter-VPN connection management system 100 generates address translation information. When addressing the “NAT device 1”, the address conversion information includes conversion between the in-base address of the terminal α and the second address of the terminal α, and the first address of the terminal β and the second address of the terminal β. Specifies the conversion between. When attention is paid to “NAT device 2”, conversion between the in-base address of the terminal β and the second address of the terminal β, and between the first address of the terminal α and the second address of the terminal α Specify conversion.

  Such address translation information is generated, the generated address translation information is set in each NAT device, each NAT device performs address translation according to the set address translation information, and each VPN termination device or virtual router Communication between the terminal α and the terminal β is realized by transferring the packet according to the set routing information. Hereinafter, description will be made while paying attention to how packet address translation is performed in the NAT device.

  As illustrated in FIG. 13, the inter-VPN connection management system 100 collects a virtual router “vrf1” for connecting the terminal α of the base “company A” and the terminal β of the base “company B” between the VPNs. Assume that the virtual router 1 is constructed.

  With reference to FIG. 13, the communication from “terminal α” to “terminal β” is considered as an example. The packet transmitted by “terminal α” is “VPN terminating device 1” → “NAT device 1” → “virtual router (vrf1)” → “NAT device 2” → “VPN terminating device 2” → “terminal β”. Address conversion is performed in each of “NAT device 1” and “NAT device 2”. For this reason, the address of “terminal α” seen from “terminal β” is the address after performing address conversion twice. Similarly, the address of “terminal β” seen from “terminal α” is also the address after performing address conversion twice. On the other hand, in the virtual router, since it has just passed either “NAT device 1” or “NAT device 2”, the address is converted once.

  Considering communication to “NAT device 1”, “terminal α” (192.168.1.10/24) transmits a packet to “terminal β”. Here, a private address that is not used in “Company A” needs to be assigned to the first address of “terminal β”. This is because “VPN termination device 1” needs to route to the virtual router “vrf1” side. Therefore, here, the first address of “terminal β” (the address of “terminal β” as seen from “terminal α”) is “172.16.2.10/24”.

  The “NAT device 1” converts the address on the user “Company A” side into the address on the virtual router “vrf1” side. Since Twice-NAT is used, the address on the virtual router side is not notified to the user side as it is. The address on the virtual router side only needs to be in a state where routing is possible in each virtual router. Note that addresses cannot be duplicated within the same virtual router. Therefore, here, as the address on the virtual router “vrf1” side, the second address of “terminal α” is “10.0.10 / 24”, and the second address of “terminal β” is “10.0. 2.10 / 24 ". That is, the in-base address “192.168.1.10/24” of “terminal α” as the transmission source is converted to the second address “10.0.10.10/24” of “terminal α”, The first address “172.16.2.10/24” of the destination “terminal β” is converted to the second address “10.2.10 / 24” of “terminal β”.

  Next, the packet converted to the address (second address) on the virtual router “vrf1” side is routed in the virtual router “vrf1”. Then, the packet addressed to “terminal β” is transferred to “NAT device 2”. The packet addressed to “terminal β” that has arrived at “NAT device 2” undergoes second address translation. That is, the second address “10.2.10 / 24” of the destination “terminal β” is converted into the base address “192.168.1.10/24” of “terminal β”.

  On the other hand, the transmission source address (second address of “terminal α”) is converted to the address of “terminal α” as viewed from “terminal β” (first address of “terminal α” at the base “company B”). . The first address of this “terminal α” is determined based on the same concept as that assigned to “terminal β” in “Company A”. For example, the first address of “terminal α” is “172.16.1.10/24”. Then, the second address “10.0.10.10/24” of “terminal α” as the transmission source is converted to the first address “172.16.1.10/24” of “terminal α”, As a result of such address conversion, the packet transmitted by “terminal α” is transmitted to “terminal β”. When “terminal β” sends a packet addressed to “172.16.1.10/24”, the packet is transmitted to “terminal α”.

  The inter-VPN connection management system manages the address conversion tables of all NAT devices belonging to itself, but transmits only the corresponding address conversion table to each NAT device. The inter-VPN connection management system provides only necessary information to the virtual router. That is, the inter-VPN connection management system transmits only the address of the terminal used in the virtual router “vrf1” to the collective virtual router (for example, “terminal α” = 10.0.10.10, “ Information that terminal β ”= 10.0.2.10.

  Next, an example of additionally accommodating a VPN in an existing virtual router will be described with reference to FIGS. 14 and 15. Assume that “Company C” is added to the virtual router “vrf1” as illustrated in FIG. Note that “Company C” already has “terminal δ” (192.168.1.20/24) connected to the virtual router “vrf2” using “VPN3”. This time, “terminal γ” (192.168.1.10/24) is additionally connected to the virtual router “vrf1”.

  Similarly, the processing outline of the inter-VPN connection management system 100 according to the second embodiment will be described. The inter-VPN connection management system 100 includes: (1) the terminal “γ” of the site “Company C” and the terminal α of the site “Company A”. And an inter-VPN connection request requesting to be added to the inter-VPN connection with the terminal β of the site “Company B”, and (2) an address for address conversion performed in the communication between the terminal α and the terminal γ Generate translation information and address translation information for address translation performed in communication between the terminal β and the terminal γ. (3) Based on the generated address translation information, each device (“collective virtual router 1”) , “VPN termination device 3”, “NAT device 3”) are generated, and (4) the settings (“aggregate virtual router 1”, “VP” are set for each device by the time when the inter-VPN connection service is started. Routing information setting for "Termination device 1", "VPN termination device 2", "VPN termination device 3", "NAT device 1", "NAT device 2", "NAT device 3", "NAT device 1", "NAT Device 2 ”and“ NAT device 3 ”), and (5) the settings made for each device are deleted when it is time to terminate the inter-VPN connection service. Note that not all the processes (1) to (5) must be executed, and (1) to (5) do not necessarily define the order of the processes.

  The generation of the address translation information (2) will be further described. The inter-VPN connection management system 100 (particularly, the address determination device) uses an address for identifying a terminal under another base serving as a communication partner at the base, and a terminal under each base belonging to the inter-VPN connection as a collective virtual router. The address to be identified is determined, and address conversion information is generated.

  For example, when focusing on the site “Company C” in FIG. 14, the “address for identifying the terminal under the other site as the communication partner at the site” is an address for identifying the terminal α and the terminal β. is there. Accordingly, the inter-VPN connection management system 100 has an address for identifying the terminal α (“first address of the terminal α at company C”) and an address for identifying the terminal β (hereinafter referred to as “the terminal β of the terminal β at company C”). One address ").

  Further, for example, when focusing on the site “Company A” in FIG. 14, the address to be newly added as the “address for identifying the terminal under the other site as the communication partner” identifies the terminal γ. It is an address to do. Accordingly, the inter-VPN connection management system 100 determines an address (“first address of the terminal γ at Company A”) for identifying the terminal γ at the base “Company A”.

  Further, for example, when focusing on the base “Company B” in FIG. 14, the address to be newly added as the “address for identifying the terminal under the other base as the communication partner” identifies the terminal γ. It is an address to do. Therefore, the inter-VPN connection management system 100 determines an address (“first address of the terminal γ at company B”) for identifying the terminal γ at the base “company B”.

  On the other hand, an address for identifying the terminal γ (second address of the terminal γ) is newly added as “an address for identifying the terminal under each base belonging to the connection between VPNs by the collective virtual router”. Since “terminal γ” is not yet managed in the virtual router “vrf1”, an address is newly assigned. As an address condition to be allocated, any address that is not used in the virtual router “vrf1” may be used. The base “Company C” is connected to a plurality of virtual routers, but the address in each virtual router is not notified to the base and other virtual routers, so there is no problem unless they are duplicated in the same virtual router. Because. Therefore, here, the second address of “terminal γ” is assumed to be “10.3.10 / 24”.

  Subsequently, the inter-VPN connection management system 100 generates address translation information. When addressing the “NAT device 3”, the address conversion information is the conversion between the base address of the terminal γ and the second address of the terminal γ, the first address of the terminal α and the second address of the terminal α in C And the conversion between the first address of terminal β and the second address of terminal β in C. When attention is paid to “NAT device 1”, the conversion between the first address of terminal γ and the second address of terminal γ in company A is further defined. When attention is paid to “NAT device 2”, the conversion between the first address of terminal γ and the second address of terminal γ in company B is further defined.

  Such address translation information is generated, the generated address translation information is set in each NAT device, each NAT device performs address translation according to the set address translation information, and each VPN termination device or virtual router By transferring the packet according to the set routing information, communication between the terminal α and the terminal γ and communication between the terminal β and the terminal γ are realized. Hereinafter, description will be made while paying attention to how packet address translation is performed in the NAT device.

  Using FIG. 15, the communication from “terminal γ” to “terminal α” will be considered as an example. The packet transmitted by “terminal γ” is “VPN terminating device 3” → “NAT device 3” → “virtual router (vrf1)” → “NAT device 1” → “VPN terminating device 1” → “terminal α”. The address conversion is performed in each of “NAT device 3” and “NAT device 1”. For this reason, the address of “terminal γ” seen from “terminal α” is the address after the address conversion is performed twice. Note that the address of “terminal α” seen from “terminal γ” is also the address after performing address conversion twice. On the other hand, in the virtual router, since it has just passed either “NAT device 3” or “NAT device 1”, the address is converted once.

  Considering communication to “NAT device 3”, “terminal γ” (192.168.1.10/24) sends a packet to “terminal α”. Here, it is necessary to assign a private address not used in “Company C” to the first address of “terminal α”. In “Company C”, “Terminal δ” is already communicating with “Company D” via the virtual router “vrf2”, and is not used in “Company C” for communication with “Company D”. You are using a private address. Therefore, as the first address assigned to “terminal α”, an address that is not used in “C company” and is not assigned for communication with “D company” is selected. This is because the “VPN termination device 3” needs to route to the virtual router “vrf1” side, and to distinguish which virtual router to route. Therefore, here, the first address of “terminal α” (the address of “terminal α” as seen from “terminal γ”) is “172.16.1.10/24” (for communication with “Company D”). The assigned address is “172.16.4.10/24”).

  The “NAT device 3” converts the address on the user “Company C” side into the address on the virtual router “vrf1” side. That is, the in-base address “192.168.1.10/24” of “terminal γ” as the transmission source is converted into the second address “10.3.10 / 24” of “terminal γ”, The first address “172.16.1.10/24” of the destination “terminal α” is converted to the second address “10.1.10.10/24” of “terminal α”.

  Next, the packet converted to the address (second address) on the virtual router “vrf1” side is routed in the virtual router “vrf1”. Then, the packet addressed to “terminal α” is transferred to “NAT device 1”. The packet addressed to “terminal α” that has arrived at “NAT device 1” undergoes second address translation. That is, the second address “10.1.10 / 24” of the destination “terminal α” is converted to the in-base address “192.168.1.10/24” of “terminal α”.

  On the other hand, the transmission source address (second address of “terminal γ”) is converted to the address of “terminal γ” as viewed from “terminal α” (the first address of “terminal γ” at the base “Company A”). . For example, the first address of “terminal γ” is “172.16.3.10/24”. Then, the second address “10.3.10 / 24” of “terminal γ” as the transmission source is converted to the first address “172.16.3.10/24” of “terminal γ”, As a result of such address conversion, the packet transmitted by “terminal γ” is transmitted to “terminal α”. When “terminal α” sends a packet addressed to “172.16.3.10/24”, the packet is transmitted to “terminal γ”.

[Configuration of a VPN management system according to the second embodiment]
Next, the configuration of the inter-VPN connection management system 100 according to the second embodiment will be described. Note that the inter-VPN connection management system 100 according to the second embodiment reserves in advance a certain amount of addresses to be allocated to the interfaces of the respective devices, and each device is determined when the conversion address is determined. The address set for the interface is also specifically determined. Therefore, in the second embodiment, the conversion address is determined so as not to overlap with an address reserved in advance as an address to be assigned to the interface of each device. Note that the present invention is not limited to this method, and if the address set in the interface of each device is not reserved in advance and is dynamically selected and determined each time, the inter-VPN connection management system 100 When determining the conversion address, make sure that it does not overlap with the address reserved for the interface of each device, or the address set for each device interface (the address in use). do it. First, an address assigned to the interface of each device in the second embodiment will be described with reference to FIG. FIG. 16 is a diagram for explaining addresses assigned to interfaces of devices in the second embodiment.

  First, as the interface address of the virtual router “vrf1”, “10.0.10.97” (“NAT device 1” side) and “10.0.20.97” (“NAT device 2” side) Is used. As the interface address of “NAT device 1”, “10.0.10.98” (virtual router “vrf1” side) and “192.168.3.2” (“VPN termination device 1” side) ) Is used. As the interface address of “VPN terminating device 1”, “192.168.3.1” (“NAT device 1” side) and “192.168.2.1” (“Company A” side) Is used.

  On the other hand, as the interface address of “NAT device 2”, “10.0.20.98” (virtual router “vrf1” side) and “192.168.3.2” (“VPN termination device 2” side) ) Is used. As the interface address of “VPN terminating device 2”, “192.168.3.1” (“NAT device 1” side) and “192.168.2.1” (“Company B” side) Is used.

  Next, the configuration of the inter-VPN connection management system 100 according to the second embodiment will be described. FIG. 17 is a block diagram illustrating the configuration of the inter-VPN connection management system 100 according to the second embodiment. As illustrated in FIG. 17, the inter-VPN connection management system 100 according to the second embodiment includes a communication unit 110, an input unit 111, an output unit 112, an input / output control I / F unit 113, and a storage unit 120. And a control unit 130. The DNS registration device illustrated in FIG. 5 corresponds to an inter-VPN connection information storage unit 121, a DNS registration information storage unit 126, a DNS registration information generation unit 137, and a DNS registration unit 138, which will be described later.

  The communication unit 110 is, for example, a general interface for IP communication, and performs communication between a VPN termination device, a NAT device, and a collective virtual router that are targets for setting address translation information and routing information. Further, the communication unit 110 performs communication with a wide area network DNS device that is a setting target of DNS registration information. Note that the inter-VPN connection management system 100 can also communicate with other management terminals, user Web servers, and the like via the communication unit 110, and from other management terminals, user Web servers, and the like. An inter-VPN connection request can also be received.

  The input unit 111 is, for example, a keyboard or a mouse, and receives input of various operations. In the second embodiment, for example, the input unit 111 receives an input of a connection request between VPNs using a keyboard or a mouse. The output unit 112 is a display, for example, and outputs information for various operations. In the second embodiment, the output unit 112 outputs, for example, an input screen for an inter-VPN connection request. The input / output control I / F (Interface) unit 113 controls input / output among the input unit 111, the output unit 112, the storage unit 120, and the control unit 130. Note that the inter-VPN connection management system 100 does not necessarily include the input unit 111 and the output unit 112. For example, the inter-VPN connection management system 100 communicates with other management terminals and user Web servers via the communication unit 110 for input / output. Such information may be transmitted and received.

  The storage unit 120 is, for example, a semiconductor memory device such as a random access memory (RAM), a read only memory (ROM), or a flash memory, a hard disk, an optical disk, and the like, and stores various types of information. Specifically, as illustrated in FIG. 17, the storage unit 120 includes an inter-VPN connection information storage unit 121, a setting pattern storage unit 122, an inter-VPN connection request storage unit 123, and an address conversion information storage unit 124. A routing information storage unit 125, a DNS registration information storage unit 126, an attachment storage unit 127, and a device information storage unit 128.

  The inter-VPN connection information storage unit 121 stores inter-VPN connection information. Here, the inter-VPN connection information includes information for identifying a base, and information for identifying a VPN terminating device, a NAT device, and a collective virtual router that accommodate the base. The VPN connection information also includes address translation information, routing information, and other information used for creating DNS registration information. The inter-VPN connection information storage unit 121 stores the inter-VPN connection information in advance, for example, by being input to the user of the inter-VPN connection management system 100. Further, the inter-VPN connection information stored in the inter-VPN connection information storage unit 121 is used for processing by a virtual router construction unit 132, a translation address determination unit 133, a routing information generation unit 135, and a DNS registration information generation unit 137, which will be described later. Is done. Note that the “users” of the inter-VPN connection management system 100 include operators such as telecommunications carriers and managers such as information system departments in the company. That is, in the following, “operator” means a person in charge of the operation of the inter-VPN connection service, and “manager” means a network administrator who manages the internal network of the base on the company side, for example. Used as

  FIG. 18 is a diagram for explaining the inter-VPN connection information storage unit 121. As illustrated in FIG. 18, for example, the inter-VPN connection information storage unit 121 stores the identification information of the collective virtual router and the identification information of the setting pattern of the collective virtual router in association with each other as inter-VPN connection information. For example, the collective virtual router identification information “collective virtual router 1” and the collective virtual router setting pattern identification information “VR-P1” are stored in association with each other. The setting pattern of the collective virtual router identified by “aggregate virtual router 1” indicates that the setting pattern is identified by “VR-P1”.

  Further, in the second embodiment, the VPN termination device and the collective virtual router are associated in advance, and when the VPN termination device is uniquely determined, the collective virtual router is also uniquely determined. In other words, in the second embodiment, one aggregate virtual router physically and a VPN terminating device in which one or a plurality of virtual routers are set in this aggregate virtual router have a predetermined relationship (note that The present invention is not limited to this. For example, a certain VPN termination device can set a virtual router in each of a plurality of aggregate virtual routers). For this reason, for example, the inter-VPN connection information storage unit 121, as illustrated in FIG. 18, identifies identification information (connection destination ID (IDentifier)), terminal for each identification information of the collective virtual router. Name (terminal name)), the VPN type used by the site, the identification information of the VPN termination device in which the site is accommodated, the identification information of the setting pattern of the VPN termination device, the identification information of the NAT device, A list of associations with the in-base address assigned to the terminal as an address to be used is stored.

  The “connection destination ID” is identification information for identifying the base, and is issued by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The The “terminal name” is identification information for identifying the terminal under each base in the inter-VPN connection management system 100. In the second embodiment, this “terminal name” is registered in the DNS as it is. Used for information. The “terminal name” is interviewed by the user at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121.

  The “VPN type” is heard from the user, for example, when contracting the connection service between VPNs and stored in the connection information storage unit 121 between VPNs. The “VPN termination device” is determined by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The “VPN termination device setting pattern” is determined by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The “NAT device” is determined by the operator of the inter-VPN connection management system 100 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 121. The “intra-base address” is an address given to the terminal as an address used in the base.

  For example, the connection destination ID “UserA-Office” and the terminal name “α1 @ vpn1. example. co. jp ”, VPN type“ OpenVPN ”, VPN termination device“ VPN termination device 1 ”, VPN termination device setting pattern“ VPN-P1 ”, NAT device“ NAT device 1 ”, in-site address“ 192.168.1.10 ” / 24 ”will be described. First, the base identified by “UserA-Office” (the terminal name of the terminal used for connection between VPNs is “α1@vpn1.example.co.jp”) indicates that “OpenVPN” is used. In addition, the base identified by “UserA-Office” is accommodated in “VPN terminating device 1”, and “VPN-P1” is used for the setting pattern of the VPN terminating device.

  Further, the base identified by “UserA-Office” is accommodated in “NAT device 1”, and the intra-base address “192.168.1.10/24” is used. In the second embodiment, it is assumed that the in-site addresses (private addresses) used in each base overlap each other.

  Returning to FIG. 17, the setting pattern storage unit 122 stores setting patterns of the VPN termination device, the NAT device, the transfer control device, and the wide area network DNS device. Specifically, the setting pattern storage unit 122 stores the setting pattern of the VPN termination device in which the setting information to be set in the VPN termination device is standardized according to the type of connection between VPNs. The setting pattern storage unit 122 stores a setting pattern of the collective virtual router in which setting information to be set in the collective virtual router is standardized according to the type of connection between VPNs. In addition, the setting pattern storage unit 122 stores a setting pattern of the NAT device. The setting pattern storage unit 122 stores a setting pattern of the wide area network DNS device.

  The setting pattern storage unit 122 stores the setting pattern in advance, for example, by being input to the operator of the inter-VPN connection management system 100. The setting pattern stored in the setting pattern storage unit 122 is used for processing by a conversion address determination unit 133, a routing information generation unit 135, and a DNS registration information generation unit 137, which will be described later.

  FIG. 19 is an example of a setting pattern of the collective virtual router. As illustrated in FIG. 19, for example, the setting pattern storage unit 122 divides the item number for managing each item of the setting pattern as the setting pattern of the collective virtual router and the setting information according to the setting contents. The setting contents, the setting information registration timing, the deletion timing, and the setting contents specifications are stored in association with each other. Of the setting patterns illustrated in FIG. 19, item numbers 1 to 3 are setting information setting patterns, and item number 4 is an option setting information setting pattern. In the second embodiment, when setting information related to an option request is used separately from general setting information, it is referred to as “option setting information”. Although not shown in FIG. 19, the setting pattern storage unit 122 also stores a predetermined command sentence as the setting pattern of the collective virtual router. The setting pattern is identified by setting pattern identification information.

  For example, the line of item number 1 will be described. The setting pattern of the category “virtual router definition” is a setting pattern for defining a “virtual router” that controls packet transfer in a transmission path (VPN) that is virtually constructed based on a connection request between VPNs. The setting content “virtual router name” is the name of the “virtual router” to be set, and it is specified as a specification that it should be set with “half-width alphanumeric characters”. The setting content “virtual router ID” is the ID of the “virtual router” to be set, and should be set in a format in which “16-bit numeric value” and “32-bit numeric value” are connected by “: (colon)”. Is specified as a specification. The specification is defined by, for example, the manufacturer of the corresponding device and is provided to the user of the device. The above is an example, and the present invention is not limited to this. The registration timing “immediately before starting the service” indicates that the information of item number 1 should be reflected in the VPN terminating device immediately before starting the service. Further, the deletion timing “immediately after the end of service” indicates that the information of item number 1 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 2 will be described. The setting pattern of the classification “I / F setting” is an interface setting pattern set in the “virtual router”. The setting content “IP address” is the IP address to be set for the interface. Number. Number. The specification stipulates that numbers should be set in a format in which numbers are separated by periods, such as “numbers”, and that numbers 0 to 255 should be set. In addition, the specification “I / F designation” specifies that the interface designation should be set in the format of “I / F type number / number / number”. In addition, it is specified as a specification that the setting content “belonging virtual router” should specify a virtual router name for setting an interface. The registration timing “immediately before starting the service” indicates that the information of item number 2 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 2 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 3 will be described. The setting pattern of the classification “virtual router unit routing setting” is a setting pattern of routing information set in “virtual router”. The setting contents “routing setting” should specify the name of the virtual router that sets the routing information, and the IP address of the routing information is “numeric. Number. Number. The specification stipulates that numbers should be set in a format in which numbers are separated by periods, such as “numbers”, and that numbers 0 to 255 should be set. The registration timing “immediately before starting the service” indicates that the information of item number 3 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 3 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 4 will be described. The setting pattern of the category “access control” is an access control setting pattern set in the “virtual router”. The setting contents “Filtering (ACL (Access Control List) etc.)”, the IP address is “Number. Number. Number. “Number” should be set in a format in which numbers are separated by periods, numbers should be set to a value of “0-255”, port numbers should be set by numbers, and numbers should be “1 to 65535” The specification stipulates that the value of " The registration timing “immediately before starting the service” indicates that the information of item number 4 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 4 should be deleted from the VPN terminating device immediately after the service ends.

  FIG. 20 is an example of a setting pattern of the VPN termination device. As illustrated in FIG. 20, for example, the setting pattern storage unit 122 includes, as a setting pattern of the VPN termination device, an item number for managing each item of the setting pattern, a classification for classifying the setting information, and setting contents. The setting information registration timing, the deletion timing, and the setting content specification are stored in association with each other. Of the setting patterns illustrated in FIG. 20, item number 1 is a setting information setting pattern, and item number 2 is a setting pattern of option setting information. Although not shown in FIG. 20, the setting pattern storage unit 122 also stores a predetermined command sentence as the setting pattern of the VPN termination device. The setting pattern is identified by setting pattern identification information.

  For example, the line of item number 1 will be described. The setting pattern of the classification “VPN user setting” is a setting pattern related to a user at a base accommodated in the VPN terminating device based on the connection request between VPNs. The setting content “Authentication ID / Password” is the authentication ID and password issued to the user at the site. The specification stipulates that the authentication ID and password should be set using “single-byte alphanumeric characters” of “128 characters or less”. Has been. Other “authentication information” may be used instead of “authentication ID / password”. The registration timing “immediately before starting the service” indicates that the information of item number 1 should be reflected in the VPN terminating device immediately before starting the service. Further, the deletion timing “immediately after the end of service” indicates that the information of item number 1 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 2 will be described. The setting pattern of the category “access control” is an access control setting pattern set in the “VPN termination device”. The setting content “Filtering (ACL, etc.)” indicates that the IP address is “Number. Number. Number. “Number” should be set in a format in which numbers are separated by periods, numbers should be set to a value of “0-255”, port numbers should be set by numbers, and numbers should be “1 to 65535” The specification stipulates that the value of " The registration timing “immediately before starting the service” indicates that the information of item number 2 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 2 should be deleted from the VPN terminating device immediately after the service ends.

  Although not shown, the setting pattern storage unit 122 similarly stores setting patterns of the NAT device and the wide area network DNS device. For example, the setting pattern storage unit 122 stores setting information registration timing, deletion timing, and setting content specifications in association with each other. For example, the IP address is “Number. Number. Number. The specification defines that numbers should be set in the form of numbers separated by periods, such as “numbers”, and that numbers should be set to values “0 to 255”. In addition, for example, what should be reflected in the NAT device or wide area network DNS device “just before the start of service” and what should be deleted from the NAT device or wide area network DNS device immediately after “service end” is specified as a specification. The The setting pattern storage unit 122 also stores a predetermined command sentence as a setting pattern for the NAT device or the wide area network DNS device.

  The above setting patterns are merely examples, and it is considered that the setting contents, the setting information registration timing, the deletion timing, the setting contents specifications, and the like differ depending on the type of connection between VPNs. That is, for example, if the type of connection between VPNs is “L3VPN”, a set of IP addresses of the connection destination between VPNs and the connection source between VPNs, IPsec operation setting information (authentication method and encryption algorithm), pre-secret Items such as shared keys can also be standardized into setting patterns. For example, if the type of connection between VPNs is “L2VPN”, items such as IDs such as L2 between the connection destination between VPNs and the connection source between VPNs may be standardized in the setting pattern. Thus, the setting pattern is appropriately standardized according to the type of connection between VPNs.

  Returning to FIG. 17, the inter-VPN connection request storage unit 123 stores inter-VPN connection request information. The inter-VPN connection request storage unit 123 stores the inter-VPN connection request information by being stored by the inter-VPN connection request receiving unit 131 described later. The inter-VPN connection request information stored in the inter-VPN connection request storage unit 123 is used for processing by the virtual router construction unit 132, the translation address determination unit 133, and the routing information generation unit 135, which will be described later.

  FIG. 21 is a diagram for explaining the inter-VPN connection request storage unit 123. As illustrated in FIG. 21, for example, the inter-VPN connection request storage unit 123 uses the service start time to start the inter-VPN connection service and the service end time to end the inter-VPN connection service as the inter-VPN connection request information. And the virtual router name in which the inter-VPN connection is set and the identification information (terminal name) identifying the base (or the user of the base) accommodated in the inter-VPN connection are stored in association with each other.

  For example, service start time “t1”, service end time “t3”, virtual router name “vrf1”, and terminal name “α1 @ vpn1. example. co. jp "and" β1 @ vpn2. example. co. jp ”in association with each other. From time “t1” to “t3”, “α1 @ vpn1. example. co. jp "and" β1 @ vpn2. example. co. jp ”is connected to the VPN, and the virtual router name to which the connection between the VPNs is set is“ vrf1 ”. For convenience of explanation, the service start time and service end time are described as “t1”, “t3”, etc., for example, “2009/8/21 13:00” indicates a specific date and time. .

  Returning to FIG. 17, the address translation information storage unit 124 stores reservation information and address translation information. Here, the address translation information refers to the user side address and the virtual router so that the user side address and the virtual router side address determined by the translation address determination unit 133 (to be described later) are mutually converted with the NAT device as a boundary. This is conversion information for converting the side address. Note that the user-side address is an “intra-site address” used at a base and a “communication partner identification address” for identifying a terminal under another base serving as a communication partner at the base. The virtual router side address is an address for identifying a terminal under each base belonging to the connection between VPNs in the wide area network.

  The address conversion information storage unit 124 stores reservation information and address conversion information by being stored by a conversion address determination unit 133 described later. The reservation information and address conversion information stored in the address conversion information storage unit 124 are used for processing by the address conversion information setting unit 134.

  FIG. 22 is a diagram for explaining the address conversion information storage unit 124. As illustrated in FIG. 22, for example, the address translation information storage unit 124 stores, as reservation information, a service start time at which an inter-VPN connection service should be started and a service end time at which an inter-VPN connection service should be ended. . The address translation information storage unit 124 stores address translation information in association with the reservation information. For example, the address translation information storage unit 124 stores, as address translation information, a virtual router name that identifies the connection between VPNs and an address translation table set in the NAT device in association with each other.

  For example, the address translation information stored in association with the service start time “t1” and the service end time “t3” is address translation information related to the virtual router identified by the virtual router name “vrf1”.

  In the NAT device 1, the user side address “192.168.1.10” and the virtual router side address “10.0.10.10” are mutually converted, and the user side address “172.16. 2.10 ”and the virtual router side address“ 10.2.10 ”are mutually converted. Here, the user-side address “192.168.1.10” is the intra-site address used at the site, and the user-side address “172.16.2.10” is the communication partner at the site. This is a communication partner identification address for identifying terminals under other bases.

  In the NAT device 2, the user side address (communication partner identification address) “172.16.1.10” and the virtual router side address “10.1.10.” Are mutually converted, and the user side This indicates that the address (in-site address) “192.168.1.10” and the virtual router side address “10.2.10” are mutually converted.

  In FIG. 22, only the address translation information related to the virtual router identified by the virtual router name “vrf1” is illustrated, but the address translation information storage unit 124 is another virtual machine constructed by the inter-VPN connection management system 100. Address translation information about the router is also stored.

  Although not shown in FIG. 22, the address conversion information storage unit 124 also stores the value of the entire private address and an address reserved in advance as an address assigned to the interface of each device.

  That is, as will be described later, the conversion address determination unit 133 according to the second embodiment uses a base address, an already reserved address, and an address other than the currently used address as a new payout address among all private addresses. decide. Therefore, the address conversion information storage unit 124 stores the value of the entire private address as an initial value, so that the conversion address determination unit 133 refers to the address conversion information storage unit 124 and determines the address for conversion. can do.

  As will be described later, the routing information generation unit 135 in the second embodiment assigns an address to be set to the interface of the collective virtual router, an address to be set to the interface of the VPN terminating device, and an address to be set to the interface of the NAT device. The conversion address determination unit 133 must determine a conversion address so as not to overlap with these addresses assigned to the interface of each device. For this reason, the address conversion information storage unit 124 stores an address reserved in advance as an address assigned to the interface of each device, so that the conversion address determination unit 133 refers to the address conversion information storage unit 124. The address for conversion can be determined so as not to overlap with these addresses assigned (or assigned) to the interface of each device.

  Returning to FIG. 17, the routing information storage unit 125 stores reservation information and routing information. The routing information storage unit 125 stores reservation information and routing information by being stored by a virtual router construction unit 132 and a routing information generation unit 135 described later. The reservation information and routing information stored in the routing information storage unit 125 are used for processing by the routing information setting unit 136.

  23 and 24 are diagrams for explaining the routing information storage unit 125. As illustrated in FIG. 23, for example, the routing information storage unit 125 stores, as reservation information, a service start time at which an inter-VPN connection service should be started and a service end time at which an inter-VPN connection service should be ended. Further, the routing information storage unit 125 stores the routing information in association with the reservation information. For example, the routing information storage unit 125 stores setting information (including routing information) set in the collective virtual router in the form of a setting file, and stores setting information set in the VPN termination device in the form of a setting file. , The setting information set in the NAT device is stored in the form of a setting file.

  For example, FIG. 24A illustrates a part of the setting information set in the collective virtual router. For example, FIG. 24B illustrates a part of the setting information set in the VPN termination device. For example, FIG. 24C illustrates a part of setting information set in the NAT device.

  Returning to FIG. 17, the DNS registration information storage unit 126 stores DNS registration information. The DNS registration information storage unit 126 stores DNS registration information by being stored by a DNS registration information generation unit 137 described later. Also, the DNS registration information stored in the DNS registration information storage unit 126 is used for processing by the DNS registration unit 138 described later.

  FIG. 25 is a diagram for explaining the DNS registration information storage unit 126. As illustrated in FIG. 25, for example, the DNS registration information storage unit 126 includes DNS registration information indicating a pair of a communication partner identification address for identifying a terminal under another base serving as a communication partner and the name of the terminal. A record “β1 IN A 172.16.2.10.” And “α1 IN A 172.16.1.10.” Are stored. Here, “β1” and “α1” are names of terminals, and “172.16.2.10” and “172.16.1.10” are communication partner identification addresses.

  Here, since the communication partner identification address is an address for identifying a terminal under another base serving as a communication partner within a “base”, even if it is an address for identifying the same terminal, it is different for each base. It can be an address. For this reason, the DNS registration information storage unit 126 stores DNS registration information for each base belonging to the connection between VPNs.

  For example, as illustrated in FIG. 25, the DNS registration information storage unit 126 stores DNS registration information for each connection destination ID that identifies a base in association with a virtual router name that identifies an inter-VPN connection. In the case of the DNS registration information illustrated in FIG. 25, the connection between VPNs identified by the virtual router name “vrf1” is determined by the base identified by the connection destination ID “UserA-Office” and the connection destination ID “UserB-Office”. Indicates that the identified site belongs. In addition, in the base identified by the connection destination ID “UserA-Office”, a communication partner identification address “172.16.2.10” is used to identify a terminal under “UserB-Office” as a communication partner. Is used. The terminal name of this terminal is “β1”. Accordingly, the DNS registration information for the base identified by the connection destination ID “UserA-Office” indicates the correspondence between “β1” and “172.16.2.10”, that is, the A record “β1 IN”. A 172.16.2.10 ".

  Returning to FIG. 17, the attachment storage unit 126 stores the attachment for each aggregate virtual router, for each VPN termination device, and for each NAT device. The attachment storage unit 126 also stores attachments for the wide area network DNS device. Here, the attachment is a program for reflecting address translation information to the NAT device, a program for reflecting routing information to the VPN terminal device and the collective virtual router, and DNS registration information to the wide area network DNS device. Program for reflecting, program for deleting address translation information reflected on NAT device, program for deleting routing information reflected on VPN terminating device and aggregate virtual router, wide area network This is a program for deleting DNS registration information reflected on a DNS device.

  The attachment includes a communication protocol used between the VPN connection management system 100 and the NAT device, a communication protocol used between the VPN connection management system 100 and the VPN termination device, and an VPN connection management system 100. Communication protocol used between the VPN and the collective virtual router, or a communication protocol used between the VPN connection management system 100 and the wide area network DNS device. In general, the communication protocol is a NAT communication device vendor, a VPN termination device vendor, a collective virtual router vendor, or a proprietary communication protocol defined by a wide area network DNS device. The attachment storage unit 126 stores the attachment in advance, for example, by being input to the operator of the inter-VPN connection management system 100. Further, the attachment stored in the attachment storage unit 126 is used for processing by an address conversion information setting unit 134, a routing information setting unit 136, a DNS registration unit 138, and a deletion unit 139, which will be described later.

  FIG. 26 is a diagram for explaining the attachment storage unit 126. As illustrated in FIG. 26, for example, the attachment storage unit 126 stores the device identification information and the attachment of the collective virtual router, the VPN terminal device, the NAT device, or the wide area network DNS device in association with each other. For example, the reflection attachment includes an ID / password for logging in to a NAT device, a VPN termination device, a collective virtual router or a wide area network DNS device, a path for storing address translation information, routing information, and DNS registration information. A command for specifying and storing address translation information, routing information, and DNS registration information in the specified path, a NAT device, a VPN termination device, a collective virtual router, a command for restarting the wide area network DNS device, and the like are described. The address translation information, routing information, and DNS registration information may be reflected by storing and restarting, or reflected by storing. The reflection attachment includes a communication protocol used between the VPN connection management system 100 and the NAT device, a communication protocol used between the VPN connection management system 100 and the VPN termination device, and an VPN connection. A communication protocol used between the management system 100 and the collective virtual router and a communication protocol used between the VPN connection management system 100 and the wide area network DNS device are defined.

  In addition, for example, an attachment for deletion stores an ID / password for logging in to a NAT device, a VPN termination device, a collective virtual router, and a wide area network DNS device, address translation information, routing information, and DNS registration information. A command for deleting address translation information, routing information, DNS registration information from the existing path, a NAT device, a VPN termination device, a collective virtual router, a command for restarting the wide area network DNS device, and the like are described. The attachment for deletion includes a communication protocol used between the VPN connection management system 100 and the NAT device, a communication protocol used between the VPN connection management system 100 and the VPN termination device, and an inter-VPN connection. A communication protocol used between the management system 100 and the collective virtual router and a communication protocol used between the VPN connection management system 100 and the wide area network DNS device are defined.

  Returning to FIG. 17, the device information storage unit 127 stores the VPN terminal device preset information preset in the VPN terminal device and the aggregate virtual router preset information preset in the aggregate virtual router. The device information storage unit 127 stores, in advance, for example, the setting information of the VPN terminating device and the setting information of the collective virtual router in advance by being input to the operator of the inter-VPN connection management system 100. Further, the preset information stored in the device information storage unit 127 is used for processing by the routing information generation unit 135 described later.

  FIG. 27 is a diagram for explaining the pre-configuration information of the collective virtual router. As illustrated in FIG. 27, for example, the device information storage unit 127 stores a host name (or router name) and a password as pre-configuration information of the collective virtual router. “Host name” is the name of the collective virtual router, for example, “jpn100”. The “password” is a password for logging in to the collective virtual router, and is a password such as “root”, for example.

  FIG. 28 is a diagram for explaining the pre-setting information of the VPN terminating device. As illustrated in FIG. 28, for example, the device information storage unit 127 includes, as pre-configuration information of a VPN termination device, a host name (or router name), a password, a VPN termination device ID, a VPN type, and an IP address for the collective virtual router. The server mode is stored. Although not shown in FIG. 28, the device information storage unit 127 also stores, for example, a server-side standby IP address, a protocol, a port number, and the like as the preset information.

  “Host name” is the name of the VPN termination device, for example, “jpn1”. The “password” is a password for logging in to the VPN terminal device, and is a password such as “root”, for example. The “VPN termination device ID” is an ID for identifying the VPN termination device, for example, “VPN termination device 1”. The “VPN type” is a VPN type, for example, “OpenVPN”.

  The “IP address for the collective virtual router” is an IP address to be transferred when a packet sent from the base is sent to the collective virtual router. A virtual router is constructed in the collective virtual router, and the interface of the collective virtual router It is determined only after an IP address is assigned. For this reason, in FIG. 28, it is left blank in the sense that it has not been assigned yet. The server mode is a routing method selected by the VPN terminating device. For example, when OpenVPN is used, the routing method includes “routing” and “bridge”.

  Returning to FIG. 17, the control unit 130 controls various processes executed in the inter-VPN connection management system 100. Specifically, as illustrated in FIG. 17, the control unit 130 includes an inter-VPN connection request reception unit 131, a virtual router construction unit 132, a translation address determination unit 133, an address translation information setting unit 134, A routing information generation unit 135, a routing information setting unit 136, a DNS registration information generation unit 137, a DNS registration unit 138, and a deletion unit 139 are included.

  The inter-VPN connection request accepting unit 131 accepts an inter-VPN connection request. Specifically, for example, a Web server for users is installed on a network such as the Internet, and the inter-VPN connection request receiving unit 131 distributes an input screen for users to the Web server. Here, the user input screen is provided by a telecommunications carrier or the like that provides an inter-VPN connection service in order to receive an inter-VPN connection request from a VPN administrator who performs an inter-VPN connection. . Then, for example, an administrator at each site accesses the Web server and inputs an inter-VPN connection request on the user input screen, so that the inter-VPN connection request accepting unit 131 accepts the input of the inter-VPN connection request. The received inter-VPN connection request is stored in the inter-VPN connection request storage unit 123.

  FIG. 29 is a diagram for explaining an example of an input screen for an inter-VPN connection request. For example, the inter-VPN connection request accepting unit 131 first outputs an input screen illustrated in FIG. The input screen is provided with a frame for receiving an input of a virtual router name and a frame for receiving an input of a password. Note that the virtual router name and password are determined off-line between “Company A” and “Company B” scheduled to belong to the same collaborative space, for example. Thus, for example, as illustrated in FIG. 29A, when the administrator of “Company A” inputs the virtual router name “vrf1” and the password, the inter-VPN connection request accepting unit 131 sets the virtual router name as “virtual router name”. vrf1 ”is received, and then information regarding“ Company A ”is received. In the second embodiment, an example in which an input of a virtual router name is accepted as an inter-VPN connection request will be described. However, the present invention is not limited to this, for example, the virtual router name on the inter-VPN connection management system 100 side. May be automatically assigned.

  Further, as illustrated in FIG. 29B, a frame for receiving input of a connection destination ID and a terminal name is provided on the next input screen following the input screen illustrated in FIG. For example, an administrator of “Company A” inputs “UserA-Office” as a connection destination ID and “α1 @ vpn1. example. co. jp ”, the inter-VPN connection request accepting unit 131 uses“ α1@vpn1.jp ”as a terminal on the“ Company A ”side that is connected between VPNs by the virtual router name“ vrf1 ”. example. co. jp ". For example, when the “More” button is pressed by the administrator, the inter-VPN connection request receiving unit 131 further provides a frame for receiving an input of the terminal name on the input screen.

  In addition, the input screen is provided with a frame for receiving input of the date and time of the reservation time. For example, as illustrated in FIG. 29B, when the administrator inputs a reservation time “2009.8.21 13:00” to “2009.8.21 15:00”, an inter-VPN connection request is accepted. The unit 131 accepts “2009.8.21 13:00” as the inter-VPN connection service start time and “2009.8.21 15:00” as the inter-VPN connection service end time.

  Now, on the input screen illustrated in FIG. 29B, for example, when an “OK” button is pressed by the administrator, the inter-VPN connection request accepting unit 131 ends accepting the inter-VPN connection request. After this, the administrator of “Company B” is similarly designated as “β1 @ vpn2 ..” as a terminal connected between VPNs by the virtual router name “vrf1”. example. co. jp ".

  For example, when the administrator of “Company B” inputs the virtual router name “vrf1” and the password on the input screen, the inter-VPN connection request accepting unit 131 accepts “vrf1” as the virtual router name. Here, for the connection between VPNs identified by the virtual router name “vrf1”, the administrator of “Company A” has already entered the date and time of the reservation time. The reception unit 131 may output an input screen in a state where the date and time of the reservation time are input from the input screen illustrated in FIG. Then, for example, an administrator of “Company B” inputs “UserB-Office” as a connection destination ID and “β1 @ vpn2. example. co. jp ”is entered, the inter-VPN connection request accepting unit 131 uses“ β1 @ vpn2... as a terminal on the “Company B” side connected between the VPNs by the virtual router name “vrf1”. example. co. jp ". Thus, an inter-VPN connection request identified by the virtual router name “vrf1” is accepted as an inter-VPN connection request for connecting “terminal α” and “terminal β”.

  In the second embodiment, the method of inputting the inter-VPN connection request on the user input screen has been described. However, the present invention is not limited to this. For example, an operator such as a telecommunications carrier providing an inter-VPN connection service may directly input an inter-VPN connection request on the input screen output to the output unit 112 of the inter-VPN connection management system 100.

  The virtual router construction unit 132 constructs a virtual router in the collective virtual router based on the inter-VPN connection request. Specifically, the virtual router construction unit 132 determines a virtual router name to be constructed in the collective virtual router based on the inter-VPN connection request accepted by the inter-VPN connection request acceptance unit 131. Further, the virtual router construction unit 132 generates virtual router construction information among the setting information set in the collective virtual router, and stores the generated virtual router construction information in the routing information storage unit 125 together with reservation information. Further, the virtual router construction unit 132 notifies the translation address determination unit 133 that address translation information should be generated.

  For example, the virtual router construction unit 132 periodically refers to the VPN connection request storage unit 123 (illustrated in FIG. 21), compares the current time with the service start time, and constructs a virtual router. It is determined whether or not. For example, the virtual router construction unit 132 compares the current time with the service start time “t1” and determines whether it is time to construct a virtual router.

  Next, when the virtual router construction unit 132 determines that it is time to construct a virtual router, it refers to the inter-VPN connection request storage unit 123 and stores the virtual router name and terminal stored in association with the service start time. Get the name. For example, the virtual router construction unit 132 includes the virtual router name “vrf1” stored in association with the service start time “t1” and the terminal name “α1 @ vpn1. example. co. jp "and" β1 @ vpn2. example. co. jp ”.

  Then, the virtual router construction unit 132 refers to the inter-VPN connection information storage unit 121 (illustrated in FIG. 18) using the acquired terminal name, and determines a collective virtual router that accommodates the base identified by the terminal name. The identification information of the setting pattern is acquired. For example, the virtual router construction unit 132 determines the collective virtual router “aggregate virtual router 1” and acquires the setting pattern identification information “VR-P1”.

  Subsequently, the virtual router construction unit 132 refers to the setting pattern storage unit 122 (illustrated in FIG. 19) using the acquired setting pattern identification information, and stores the specification stored in association with the category “virtual router definition”. To get. Here, although not illustrated in FIG. 19, the setting pattern storage unit 122 also stores, as one of the setting patterns, a predetermined command statement for reflecting the setting information in the collective virtual router for each collective virtual router. . For this reason, the virtual router construction unit 132 also acquires a corresponding predetermined command sentence.

  Then, the virtual router construction unit 132 refers to the VPN connection request storage unit 123 (illustrated in FIG. 21), acquires the service start time and service end time, and stores the acquired service start time and service end time in the routing information. The data is stored in the unit 125 (illustrated in FIG. 23). For example, the virtual router construction unit 132 stores the service start time “t1” and the service end time “t3” in the routing information storage unit 125.

  Next, the virtual router construction unit 132 describes the construction information of the virtual router in a file using the acquired specifications and command statements, and stores the information in the routing information storage unit 125 in association with the service start time and service end time. For example, the virtual router construction unit 132 creates a file in which the virtual router name “vrf1” is described as “ip vrf vrf1” using the acquired predetermined command statement. Further, the virtual router construction unit 132 describes the virtual router ID “100: 10” determined according to the specification illustrated in FIG. 19 as “rd 100: 10” using a predetermined command sentence in the created file. Then, the virtual router construction unit 132 stores the created file in the routing information storage unit 125 in association with the service start time “t1” and the service end time “t3” (see FIG. 24A).

  The conversion address determination unit 133 determines an address used for the connection between VPNs based on the connection request between VPNs. Specifically, the conversion address determination unit 133 determines an address used for the connection between VPNs based on the connection request between VPNs received by the connection request reception unit 131 between VPNs, and generates address conversion information.

  Here, the conversion address determination unit 133 uses a communication partner identification address (hereinafter referred to as “first address” as appropriate) for identifying a terminal under another base serving as a communication partner at the base, using the connection between VPNs. The terminal is determined to be unique among terminals that can be communication partners in the base corresponding to the time zone overlapping with the time zone. In addition, the conversion address determination unit 133 overlaps an address (hereinafter referred to as “second address”) for identifying a terminal under each base belonging to the inter-VPN connection by the collective virtual router with a time zone in which the inter-VPN connection is used. It is determined to be unique among terminals that can be controlled as connection between VPNs corresponding to the time zone. Also, the translation address determination unit 133 generates address translation information so that the determined two addresses are mutually translated with the NAT device as a boundary.

  Here, it is assumed that the inter-VPN connection management system 100 according to the second embodiment manages the entire private address as an address that can be used for the inter-VPN connection service. That is, in the inter-VPN connection management system 100, as described above, the address conversion information storage unit 124 also stores the value of the entire private address and the address reserved in advance as the address assigned to the interface of each device. Further, the inter-VPN connection management system 100 receives a private address used at each base (“intra-base address in the inter-VPN connection information storage unit 121) for each base by receiving an application from the user in advance. )).

  Therefore, the conversion address determination unit 133 refers to the address conversion information storage unit 124 and searches for a reserved address on the time axis. Then, when determining the first address (communication partner identification address), the conversion address determination unit 133 searches for the in-base address and the address already reserved in the same time zone out of the entire private address. In addition, an address other than an address reserved in advance as an address assigned to the interface of each device may be determined as a new payout address. In addition, when determining the second address, the conversion address determination unit 133 is assigned to the address searched as an already reserved address for the same connection between VPNs and the interface of each device when determining the second address. An address other than the previously reserved address may be determined as a new payout address.

  The present invention is not limited to this method. For example, it is assumed that the inter-VPN connection management system 100 manages a private address that can be used at each base by receiving an application from a user in advance. In this case, the conversion address determination unit 133 searches for a reserved address on the time axis, and among the private addresses managed as private addresses that can be used at the base, An address other than the address searched as an already reserved address may be determined as a new payout address. In this case, the inter-VPN connection management system 100 separately stores a private address value that can be used at each site. For example, the inter-VPN connection management system 100 stores the value of the private address that can be used at the base in the inter-VPN connection information storage unit 121.

  Also, the conversion address determination unit 133 stores the generated address conversion information in the address conversion information storage unit 124 together with the reservation information. Also, the conversion address determination unit 133 notifies the routing information generation unit 135 that setting information including routing information should be generated. Also, the conversion address determination unit 133 notifies the DNS registration information generation unit 137 that DNS registration information should be generated.

  For example, when receiving the notification that the address translation information should be generated from the virtual router construction unit 132, the translation address determination unit 133 refers to the address translation information storage unit 124 (illustrated in FIG. 22) and becomes a communication partner. A first address (communication partner identification address) for identifying a terminal under another base at the base is determined.

  For example, the conversion address determination unit 133 refers to the inter-VPN connection information storage unit 121 (illustrated in FIG. 18) using the terminal name acquired as the VPN connection request, and connects the connection destination ID “UserA- Get Office. Then, the conversion address determination unit 133 searches the address conversion information storage unit 124 using the terminal name belonging to the connection destination ID “UserA-Office”, the service start time “t1”, and the service end time “t3”. If there is address conversion information related to the connection destination ID “UserA-Office” in the overlapping time zone, all of them are acquired. The conversion address determination unit 133 also acquires the value of the entire private address and an address reserved in advance as an address assigned to the interface of each device. At this time, the translation address determination unit 133 searches for address translation information stored in association with all virtual routers.

  Next, the conversion address determination unit 133 analyzes the acquired address conversion information and identifies a terminal under another base serving as a communication partner at the base identified by the connection destination ID “UserA-Office”. All user-side addresses (communication partner identification addresses) used as addresses are extracted. Then, the conversion address determination unit 133 does not overlap with the extracted user side address (communication partner identification address) and does not overlap with the base address (see FIG. 18). The terminal name “β1 @ vpn2. example. co. The first address for identifying “jp” is determined. For example, the conversion address determination unit 133 determines “172.16.2.10”.

  Subsequently, the conversion address determination unit 133 determines the connection destination ID “UserA-Office” and the terminal name “α1 @ vpn1. example. co. jp ”is used to refer to the inter-VPN connection information storage unit 121 (illustrated in FIG. 18), and“ NAT device 1 ”and the base address“ 192.168.1.10 ”are acquired. Then, as illustrated in the first line of FIG. 22, the conversion address determination unit 133 associates “NAT device 1” with “192.168.1.10” and “172.16.2.10”. As the user address. Note that the conversion address determination unit 133 similarly determines the first address (communication partner identification address) for the connection destination ID “UserB-Office” and, as illustrated in the first line of FIG. “172.16.1.10” and “192.168.1.10” are stored as user-side addresses in association with “2”.

  In addition, for example, the translation address determination unit 133 refers to the address translation information storage unit 124 (illustrated in FIG. 22), and uses a collective virtual router to identify the terminals under each base belonging to the connection between VPNs. Determine the address.

  For example, the translation address determination unit 133 searches the address translation information storage unit 124 using the virtual router name “vrf1” for identifying the connection between VPNs, the service start time “t1”, and the service end time “t3”. If there is address conversion information related to the virtual router name “vrf1” in the overlapping time zone, all of them are acquired. That is, the translation address determination unit 133 searches for the address translation information stored in association with the virtual router name “vrf1”.

  Next, the translation address determination unit 133 analyzes the acquired address translation information, and extracts all the virtual router side addresses used as address translation information related to the virtual router name “vrf1”. Then, the conversion address determination unit 133 uses the terminal name “α1 @ vpn1” so that it does not overlap with the extracted virtual router side address and also does not overlap with an address reserved in advance as an address assigned to the interface of each device. . example. co. jp "and" β1 @ vpn2. example. co. The second address for identifying the terminal identified by “jp” in the collective virtual router is determined. For example, the conversion address determination unit 133 determines “10.1.10.” And “10.2.10”.

  Subsequently, as illustrated in the first line of FIG. 22, the conversion address determination unit 133 associates “10.0.10” and “NAT device 2” with “NAT device 1” and “NAT device 2”. 10.0.2.10 ”is stored as the virtual router side address.

  Then, the conversion address determination unit 133 generates address conversion information so that the determined two addresses are converted into each other with the NAT device as a boundary. For example, the conversion address determination unit 133 refers to the setting pattern storage unit 122 and acquires a specification of address conversion information and a predetermined command statement for reflecting the address conversion information on the NAT device. Then, the conversion address determination unit 133 generates address conversion information from the address conversion table illustrated in the first line of FIG. 22 using the acquired specification and command statement. In Example 2, since the post-use address can be used again, it is treated as unused.

  The address translation information setting unit 134 sets address translation information in the NAT device. Specifically, the address conversion information setting unit 134 converts the address conversion information so that the first address and the second address determined by the conversion address determination unit 133 are converted to each other with the NAT device as a boundary. Set to NAT device.

  For example, the address translation information setting unit 134 periodically refers to the address translation information storage unit 124 (illustrated in FIG. 22), compares the current time with the service start time, and sets the address translation information at a timing. It is determined whether or not there is. For example, the address conversion information setting unit 134 compares the current time with the service start time “t1” and determines whether it is time to set the address conversion information.

  Next, when the address conversion information setting unit 134 determines that it is time to set the address conversion information, the address conversion information setting unit 134 refers to the address conversion information storage unit 124 and sets the address conversion information stored in association with the service start time. get. For example, the address conversion information setting unit 134 acquires an address conversion table stored in association with “NAT device 1” and “NAT device 2”.

  Then, the address conversion information setting unit 134 refers to the attachment storage unit 127 (illustrated in FIG. 26), acquires the corresponding attachment, and transmits the address conversion information to the corresponding NAT device using the acquired attachment. For example, the address conversion information setting unit 134 refers to the attachment storage unit 127 using “NAT device 1” and “NAT device 2”, and attaches the attachment “NAT1. exe "and" NAT2. exe ”. Subsequently, the address conversion information setting unit 134 acquires the acquired attachment “NAT1. exe ”, the address translation information stored in association with“ NAT device 1 ”in the address translation information storage unit 124 is transmitted to“ NAT device 1 ”. The address conversion information setting unit 134 also acquires the acquired attachment “NAT2. exe ”, the address conversion information stored in association with“ NAT device 2 ”in the address conversion information storage unit 124 is transmitted to“ NAT device 2 ”.

  In the second embodiment, the address translation information setting unit 134 is described as starting the address translation information setting at the time of starting the inter-VPN connection service, but the present invention is not limited to this. For example, the time required to set the address translation information is predicted in advance so that the connection between the VPNs is immediately realized at the time when the reservation is accepted as the time for starting the connection service between VPNs. The time obtained by subtracting the predicted time may be used as the time for starting the reflection of the address translation information. For example, when the conversion address determination unit 133 stores the reservation time and the address conversion information in the address conversion information storage unit 124, the conversion address determination unit 133 also stores the time obtained by subtracting the time required to set the address conversion information, The information setting unit 134 may determine whether it is the time and start setting address conversion information.

  The routing information generation unit 135 generates routing information based on the inter-VPN connection request and the address conversion information. Specifically, the routing information generation unit 135 assigns addresses to be set to the interfaces of the respective devices (the collective virtual router, the VPN termination device, and the NAT device) from among the reserved addresses. In addition, the routing information generation unit 135 generates routing information based on the address conversion information determined by the conversion address determination unit 133. Further, the routing information generation unit 135 stores the generated routing information in the routing information storage unit 125 together with the reservation information. In the second embodiment, since the virtual router construction unit 132 has already written the construction information of the virtual router in a file and stored in the routing information storage unit 125, the routing information generation unit 135 includes Routing information (routing information to the VPN terminating device (Next Hop)) is added. Further, the routing information generation unit 135 describes the routing information to the collective virtual router (Next Hop) in the file of the VPN terminating device and the packet transfer information in the file of the NAT device.

  First, generation of the setting information of the collective virtual router will be described. For example, when receiving the notification that the setting information including the routing information should be generated from the translation address determination unit 133, the routing information generation unit 135 refers to the address translation information storage unit 124 (illustrated in FIG. 22), and performs NAT. The address to be set in the device side I / F is determined. For example, the routing information generation unit 135 determines “10.0.10.97” as the I / F on the NAT device 1 side, and “10.0.20.97” as the I / F on the NAT device 2 side. decide.

  In addition, the routing information generation unit 135 refers to the setting pattern storage unit 122 (illustrated in FIG. 19), and stores specifications associated with the categories “I / F setting” and “routing setting for each virtual router”. To get. Here, although not illustrated in FIG. 19, the setting pattern storage unit 122 also stores, as one of the setting patterns, a predetermined command statement for reflecting the setting information in the collective virtual router for each collective virtual router. . For this reason, the routing information generation unit 135 also acquires a corresponding predetermined command sentence.

  Then, the routing information generation unit 135 reads “Number. Number. Number. The “IP address” is determined in accordance with the “number” specification. Also, for example, the routing information generation unit 135 refers to the setting pattern illustrated in FIG. 19 and determines “I / F designation” according to the specification of “I / F type number / number / number”.

  For example, the routing information generation unit 135 determines “10.0.10.97 255.255.255.0” as the IP address to be set for the interface connected to the NAT device 1, and “GigbitEthernet1” as the I / F designation. / 0/0 "is determined. Further, for example, the routing information generation unit 135 determines “10.0.20.97 255.255.255.0” as the IP address to be set for the interface connected to the NAT device 2, and designates the I / F as the IP address. “Gigabit Ethernet 2/0/0” is determined.

  Next, the routing information generation unit 135 refers to the address translation information storage unit 124 and acquires the virtual router side address stored in association with the NAT device. For example, the routing information generation unit 135 acquires the virtual router side addresses “10.0.10” and “10.2.10” stored in association with the NAT device “NAT device 1”. .

  Then, for example, as shown in FIG. 24A, the routing information generation unit 135 determines “10.0.10.97 255.255.255” determined as the IP address to be set to the interface connected to the NAT device 1. .0 ”is described as“ ip address 10.0.10.97 255.255.255.0 ”using a predetermined command sentence. Further, for example, the routing information generation unit 135 describes “GigabitEthernet1 / 0/0” determined as the I / F designation as “interface GigabitEthernet1 / 0/0” using a predetermined command sentence. In addition, the routing information generation unit 135 describes “ip vrf forwarding vrf1” as a command to make the interface belong to the virtual router “vrf1”. Note that the routing information generation unit 135 also describes the interface connected to the NAT device 2 in the same manner.

  Further, the routing information generating unit 135 describes a routing setting command which is so-called routing information. Here, NextHop is a NAT device. For example, the routing information generation unit 135 uses the virtual router name “vrf1”, “10.0.1.0 255.255.255.0”, and the IP address “10.0.10.98”. , “Ip route vrf vrf 1 10.0.1.0 255.255.255.0 10.0.10.98” is described using a predetermined command sentence in accordance with the specification illustrated in FIG. Note that the routing information generation unit 135 also describes the interface connected to the NAT device 2 in the same manner.

  Next, generation of setting information of the VPN termination device will be described. The routing information generation unit 135 refers to the inter-VPN connection information storage unit 121 using the connection destination ID received by the inter-VPN connection request reception unit 131, and stores the VPN termination device in association with each connection destination ID. Get the identification information of the setting pattern. Then, the routing information generation unit 135 refers to the setting pattern storage unit 122 using each of the identification information of the setting pattern of the VPN termination device, and sets the setting from the setting patterns of the VPN termination device stored in the setting pattern storage unit 122. A setting pattern of a VPN termination device to be used for generating information is selected. Then, the routing information generation unit 135 generates setting information using the selected setting pattern.

  For example, the routing information generation unit 135 determines an address to be set in the I / F (base side and aggregate virtual router side) of the VPN termination device, and generates routing information using the determined address. For example, the routing information generation unit 135 generates the routing information of “VPN termination device 1” as shown in FIG. The first four lines in FIG. 24B are commands for setting an address in the interface of “VPN termination device 1”. The fifth line in FIG. 24B is a routing setting command for setting NextHop to “NAT device 1”.

  Next, generation of setting information of the NAT device will be described. Although not shown in FIGS. 19 and 20, the setting pattern storage unit 122 also stores the setting pattern of the NAT device. For this reason, for example, the routing information generation unit 135 refers to the inter-VPN connection information storage unit 121 using the connection destination ID received by the inter-VPN connection request reception unit 131 and stores it in association with each connection destination ID. The identification information of the NAT device is acquired. Then, the routing information generation unit 135 refers to the setting pattern storage unit 122 using each of the NAT device setting pattern identification information, and sets the setting information from the NAT device setting patterns stored in the setting pattern storage unit 122. A setting pattern of the NAT device to be used for generation is selected. Then, the routing information generation unit 135 generates setting information using the selected setting pattern.

  For example, the routing information generation unit 135 determines an address to be set in the I / F (base side and aggregate virtual router side) of the NAT device, and generates routing information using the determined address. For example, the routing information generation unit 135 generates the routing information of “NAT device 1” as shown in FIG. The first four lines in FIG. 24C are commands for setting addresses in the interface of “NAT device 1”. The fifth line of FIG. 24C is a routing setting command to the “VPN terminating device 1” side, and sets an address before address conversion. The sixth line in FIG. 24C is a routing setting command to the virtual router “vrf1”, and sets an address after address conversion.

  As described above, in the second embodiment, each piece of setting information is stored in the routing information storage unit 125 in the form of a setting file, for example, as illustrated in FIG. That is, the routing information generation unit 135 stores each of the generated setting information in the routing information storage unit 125 in the form of a setting file. However, the present invention is not limited to this, and a method of storing the generated setting information in a database may be used. Alternatively, the generated setting information may be stored in a file format and stored in a database. According to these methods, since the setting information is stored in a database suitable for search and reference, for example, the routing information generation unit 135 refers to the already generated setting information when generating the setting information. However, it is not necessary to execute the file open process each time, and the process becomes efficient.

  The routing information setting unit 136 sets the routing information in the NAT device, the VPN termination device, and the collective virtual router. For example, the routing information setting unit 136 periodically refers to the routing information storage unit 125 (illustrated in FIG. 23), compares the current time with the service start time, and determines whether the setting information should be set. Determine whether. For example, the routing information setting unit 136 compares the current time with the service start time “t1” and determines whether or not it is time to set the setting information.

  Next, when the routing information setting unit 136 determines that it is time to set the setting information, the routing information setting unit 136 refers to the routing information storage unit 125 and acquires the setting information stored in association with the service start time. For example, the routing information setting unit 136 acquires the setting information stored in association with the service start time “t1”.

  Then, the routing information setting unit 136 refers to the attachment storage unit 127 (illustrated in FIG. 26), acquires the corresponding attachment, and uses the acquired attachment to connect to the corresponding collective virtual router, the VPN termination device, and the NAT device. Send configuration information. For example, the routing information setting unit 136 uses the “aggregate virtual router 1”, “VPN termination device 1”, “VPN termination device 2”, “NAT device 1”, and “NAT device 2” to store the attachment storage unit 126. Refer to the attachment “VR1. exe "," VPN1. exe "," VPN2. exe "," NAT1. exe "and" NAT2. exe ”. Subsequently, the routing information setting unit 136 acquires the acquired attachment “VR1. exe ”is used to transmit the setting information to“ aggregate virtual router 1 ”. Similarly, the routing information setting unit 136 also transmits setting information to “VPN termination device 1”, “VPN termination device 2”, “NAT device 1”, and “NAT device 2”.

  The attachment may include, for example, a method of setting setting information by remotely operating each device from the inter-VPN connection management system 100 using telnet, SSH (Secure SHell), or the like. .

  In the second embodiment, the routing information setting unit 136 is described as starting the setting information setting at the time of starting the inter-VPN connection service, but the present invention is not limited to this. For example, the time required for setting the setting information is predicted in advance so that the connection between the VPNs is immediately realized at the time when the reservation is accepted as the time for starting the inter-VPN connection service. The time obtained by subtracting the time may be set as the time for starting the setting information setting. For example, when the virtual router construction unit 132 stores the reservation time and the setting information in the routing information storage unit 125, the virtual router construction unit 132 also stores the time obtained by subtracting the time required for setting the setting information, and the routing information setting unit 136 Then, it may be determined whether it is the time, and setting of setting information may be started.

  The DNS registration information generation unit 137 determines the name of the terminal so as to be unique within the base, and sets the determined terminal name and communication partner identification address as DNS registration information for each base belonging to the connection between VPNs. Generate. Specifically, when receiving the notification that the registration information should be generated from the conversion address determination unit 133, the DNS registration information generation unit 137 refers to the address conversion information storage unit 124 (illustrated in FIG. 22), The address conversion information newly determined by the conversion address determination unit 133 is acquired.

  For example, as illustrated in FIG. 22, the terminal name “α1 @ vpn1. example. co. The user-side address “192.168.1.10” stored in association with “jp” is “α1 @ vpn1. example. co. jp ”is the in-base address of the terminal. In addition, “α1 @ vpn1. example. co. “α1@vpn1.jp” at another base with the terminal of “jp” as the communication partner. example. co. The communication partner identification address issued to identify the terminal of “jp” is the terminal name “α1 @ vpn1. example. co. jp ”is the user side address“ 172.16.1.10 ”stored in association with it.

  Similarly, for “NAT device 2”, the terminal name “β1 @ vpn2. example. co. The user side address “192.168.1.10” stored in association with “jp” is “β1 @ vpn2. example. co. jp ”is the in-base address of the terminal. In addition, “β1 @ vpn2. example. co. “β1 @ vpn2. example. co. The communication partner identification address issued to identify the terminal of “jp” is the terminal name “β1 @ vpn2. example. co. user side address “172.16.2.10” stored in association with “jp”.

  Here, the base belonging to the connection between VPNs identified by the virtual router name “vrf1” is the terminal name “α1 @ vpn1. example. co. jp ”and the terminal name“ β1 @ vpn2. example. co. jp ”is the base to which it belongs. These bases are the bases identified by the connection destination ID “UserA-Office” and the bases identified by the connection destination ID “UserB-Office”. 8).

  Then, for example, the DNS registration information generation unit 137 first generates DNS registration information for the base identified by the connection destination ID “UserA-Office” as one of the bases belonging to the connection between VPNs. The terminal name “α1 @ vpn1... Belonging to the base identified by the connection ID“ UserA-Office ”. example. co. The terminal under the other base that becomes the communication partner for the terminal of “jp” is the terminal name “β1 @ vpn2. example. co. jp ". Therefore, the DNS registration information generation unit 137 uses the terminal name “β1 @ vpn2. example. co. jp ”and the terminal name“ β1 @ vpn2. example. co. A record “β1 IN A 172.16.2.10”, which is DNS registration information, is generated from the set of “jp” and the communication partner identification address “172.16.2.10”.

  For example, the DNS registration information generation unit 137 generates DNS registration information for a site identified by a connection destination ID “UserB-Office” as one of the sites belonging to the connection between VPNs. The terminal name “β1 @ vpn2. example. co. The terminal under the other base that is the communication partner for the terminal of “jp” is the terminal name “α1 @ vpn1. example. co. jp ". Therefore, the DNS registration information generation unit 137 uses the terminal name “α1 @ vpn1. example. co. jp ”and the terminal name“ α1 @ vpn1. example. co. A record “α1 IN A 172.16.1.10”, which is DNS registration information, is generated from the set of “jp” and the communication partner identification address “172.6.1.1.10”.

  Then, the DNS registration information generation unit 137 stores the DNS registration information generated for each site in the DNS registration information storage unit 126 for each site. For example, as illustrated in FIG. 25, the DNS registration information storage unit 126 stores an A record for each connection destination ID.

  The DNS registration unit 138 registers DNS registration information indicating the correspondence relationship between the communication partner identification address and the terminal name in the DNS for each site belonging to the connection between VPNs. Specifically, the DNS registration unit 138 registers the DNS registration information generated by the DNS registration information generation unit 137 in the wide area network DNS device.

  For example, the DNS registration unit 138 periodically refers to the address conversion information storage unit 124 (illustrated in FIG. 22), compares the current time with the service start time, and is the timing for setting the DNS registration information? Determine whether or not. This is because the DNS registration information should be set at the timing when the address translation information should be set. For example, the DNS registration unit 138 compares the current time with the service start time “t1” to determine whether it is time to set the DNS registration information.

  Next, when the DNS registration unit 138 determines that it is time to set the DNS registration information, the DNS registration unit 138 refers to the DNS registration information storage unit 126 and acquires the DNS registration information. For example, the DNS registration unit 138 acquires DNS registration information (A record) illustrated in FIG.

  Then, the DNS registration unit 138 registers the DNS registration information in the zone file stored in the wide area network DNS device using, for example, a protocol such as DDNS (Dynamic DNS). The protocol is not limited to DDNS (Dynamic DNS) or the like, and for example, an sql command, Telnet login, or the like may be used by creating a DNS software database. In this case, however, it is necessary to re-read the file or restart the DNS process in the wide area network DNS device. Therefore, a program including a command for instructing re-reading and a command for instructing restart is stored in the attachment storage unit 127 in advance, and the DNS registration unit 138 uses the attachment stored in the attachment storage unit 127 for a wide area. Registration information may be registered in the network DNS device. Of course, it is possible for an operator or the like to register directly by logging in and rewriting the file.

  The deletion unit 139 deletes the address translation information, routing information, or DNS registration information set in the VPN termination device, NAT device, collective virtual router, and wide area network DNS device. Specifically, the deletion unit 139 refers to the address translation information storage unit 124 and the routing information storage unit 125 periodically by a timer, polling, etc., and determines whether it is time to end the inter-VPN connection service. . If it is determined that the service end time is reached, the attachment storage unit 127 is referred to, and an attachment (for deletion) of the corresponding VPN termination device, collective virtual router, or wide area network DNS device is acquired. Then, the deletion unit 139 deletes the setting information and the DNS registration information from the corresponding VPN termination device, the collective virtual router, or the wide area network DNS device using the corresponding attachment. Note that the deletion unit 139 according to the second embodiment also deletes reservation information stored in the address translation information storage unit 124 and the routing information storage unit 125.

[Processing Procedure by VPN Connection Management System According to Second Embodiment]
Subsequently, a processing procedure performed by the inter-VPN connection management system 100 according to the second embodiment will be described. FIG. 30 is a flowchart illustrating a processing procedure performed by the inter-VPN connection management system 100 according to the second embodiment, and FIG. 31 is a flowchart illustrating a DNS registration processing procedure.

  As illustrated in FIG. 30, when the inter-VPN connection management system 100 according to the second embodiment determines that it is time to construct a virtual router (Yes in step S101), the virtual router is constructed (step S102). Specifically, the virtual router construction unit 132 constructs a virtual router.

  Subsequently, the inter-VPN connection management system 100 determines a conversion address (step S103) and generates routing information (step S104). Specifically, the conversion address determination unit 133 determines a conversion address, and the routing information generation unit 135 generates routing information.

  Then, the VPN connection management system 100 sets address translation information and routing information (step S105). Specifically, the address translation information setting unit 134 sets address translation information for the corresponding NAT device, and the routing information setting unit 136 sets routing information for the corresponding aggregate virtual router and VPN termination device.

  By the way, as illustrated in FIG. 31, the inter-VPN connection management system 100 determines whether or not a conversion address (communication partner identification address (first address) and second address) has been determined (step). S201). Specifically, the DNS registration information generation unit 137 determines whether or not a conversion address has been determined (whether a notification has been received from the conversion address determination unit 133).

  When the DNS registration information generation unit 137 determines that the conversion address has been determined (Yes at Step S201), the DNS registration information generation unit 137 refers to the address conversion information storage unit 124 (Step S202) and acquires the corresponding address conversion information (Step S203). ).

  Subsequently, the DNS registration information generation unit 137 determines the name of the terminal so as to be unique within the site, and the set of the determined terminal name and communication partner identification address belongs to the connection between VPNs as DNS registration information. It is generated for each site (step S204).

  Next, the inter-VPN connection management system 100 sets the DNS registration information generated for each site in the wide area network DNS device (step S205).

  As described above, according to the second embodiment, when the communication partner identification address is paid out on demand in response to the inter-VPN connection request, DNS registration information indicating the correspondence between the communication partner identification address and the terminal name is automatically displayed. Registered in DNS1. For this reason, it is possible to reduce the load on the user. Further, according to the second embodiment, the DNS registration information to be registered in the wide area network DNS apparatus is determined for each base, and is registered in the wide area network DNS apparatus for each base. Therefore, the wide area network DNS apparatus side stores the DNS registration information. It will be managed for each site. Then, even if the communication partner identification address issued by the inter-VPN connection system 100 for identifying a certain terminal varies from one base to another, the wide area network DNS device determines from which base the inquiry is made. This makes it possible to perform correct name resolution according to the inquiry source base.

[Location of DNS]
By the way, in the inter-VPN connection system, how to arrange DNS and how to process a DNS query is also a problem. In the inter-VPN connection system according to the second embodiment, as illustrated in FIG. 5, a DNS device is installed at each base, and a wide area network DNS apparatus is installed in a wide area network. The DNS arrangement in the second embodiment will be described in more detail with reference to FIG. FIG. 32 is a diagram for explaining the arrangement of DNS in the second embodiment.

  As illustrated in FIG. 32, in the second embodiment, a DNS device is installed at each site. For example, the DNS device 1 installed at the site 1 performs name resolution within the site 1 or on the Internet (not shown). A wide area network DNS device is installed in the wide area network. Then, a “shared resource virtual router” is set in the collective virtual router, and all bases and the wide area network DNS device are connected between VPNs. As illustrated in FIG. 32, a firewall is installed between each base and the wide area network DNS apparatus, and settings other than DNS inquiry are made to the firewall.

  The terminal in the base 1 inquires the DNS apparatus 1 for name resolution other than the connection between VPNs, and inquires the wide area network DNS apparatus for name resolution related to the connection between VPNs. Specifically, a search condition is set for the terminal in the base 1 so as to inquire the wide area network DNS device for name resolution of the wide area network domain. For other name resolutions, the existing search conditions are maintained, and the search conditions are set so that forward or recursive queries are performed in the existing search order. Note that the setting for the terminal is performed by a user belonging to the site 1 or the like.

  On the other hand, settings are also made for the DNS device 1 installed at the site 1. For example, the following addition (third line) is made in the options statement of the “named.conf” file of the DNS device 1. In the following, i is i = 1, 2,..., N. The setting for the DNS device 1 is performed by a user belonging to the site 1 or the like.

zone “vpn_i.vpn.example.co.jp” {
type stub;
masters {dns @ vpn. example. co. jp's IP address;
file “vpn_i.vpn.example.co.jp.zone”;
forwarders {};

  Now, with the above-described DNS arrangement, there is a problem that name resolution can be performed even in a collaborative space (other inter-VPN connection) to which the base does not belong. In addition, in the above-described DNS arrangement, there is a problem that the result of name resolution is cached in the DNS device installed at the local site. In the second embodiment, these problems are also solved.

  First, a method for solving the problem of name resolution for other VPN connections will be described. As described above, the wide area network DNS device according to the second embodiment manages the Zone file for each connection between VPNs. Further, the wide area network DNS apparatus according to the second embodiment controls access to the zone file by using an ACL (Access Control List). Since the address for identifying the terminal under each base set in the shared resource virtual router is unique among the addresses set in the shared resource virtual router, control by ACL is possible.

  For example, with respect to a Zone file related to a predetermined connection between VPNs, the communication partner identification address of a terminal belonging to a base permitted to disclose DNS registration information described in the Zone file is registered in the ACL.

  For example, in the ACL, "access-list 101 permit ip address of the terminal that allows name resolution xx xy x wide area network DNS device address yyyy" and "access-list 101 deny ip any" "any" is registered. The former describes that access from a terminal that allows name resolution to a wide area network DNS device is permitted. Such a description is described for the number of terminals that are allowed access. Here, the “address of a terminal that allows name resolution” is an address (second address) after address conversion by the NAT device. The latter describes denying all access from terminals other than the address of the terminal that allows access to the wide area network DNS device. Note that the ACL description method is not limited to the above, and can be arbitrarily changed according to the device for setting the ACL.

  Then, the wide area network DNS device extracts a DNS inquiry transmission source address, and the extracted transmission source address is a terminal belonging to a base that is permitted to publish DNS registration information described in the inquired zone file. What is necessary is just to determine whether it is a registered address.

  However, for example, there are cases where a name that is allowed to be resolved or a name that is not allowed to be resolved is defined for each user, such as a server that is allowed to be accessed depending on users belonging to the connection between VPNs. . In other words, it is a case where user-level control is required. Even if the name can be resolved, if it is filtered so that it cannot be accessed by a firewall, there is no security problem.

  In such a case, techniques such as DNS proxy and DPI (Deep Packet Inspection) are used. 33 and 34 are diagrams for explaining user level control.

  For example, the method illustrated in FIG. 33 is a method of installing a DNS proxy between a DNS device installed at a base and a wide area network DNS device, and is a kind of filtering function. For example, the DNS proxy function may be implemented in an HGW (Home GateWay) that terminates the VPN on the user side or a VPN termination device that terminates the VPN on the wide area network side.

  The DNS proxy analyzes a query sent from the terminal at the base, determines whether access is permitted using the query source and the query target name, and if not permitted. Makes an error response.

  That is, as illustrated in FIG. 33, when the terminal transmits a name resolution query, the query transmitted by the terminal is received by the DNS proxy (see (1) in FIG. 33). When the DNS proxy inquires about names other than the wide area network domain, the DNS proxy forwards the inquiry to the DNS device installed at the base (see (2) in FIG. 33).

  On the other hand, when the DNS proxy inquires about the name of the wide area network domain, the DNS proxy transfers the inquiry to the wide area network DNS device (see (3) in FIG. 33). However, the DNS proxy can determine whether or not access is permitted by using the query source and the query target name, and can perform an error response if not permitted. It should be noted that user level access permission information must be registered in advance in the DNS proxy. This registration may be performed, for example, in the same description as the ACL described above, for example, at the time of contract for the inter-VPN connection service.

  On the other hand, for example, the technique illustrated in FIG. 34 is a technique for causing the wide area network DNS device itself to perform the same determination as that of the DNS proxy. The wide area network DNS device analyzes the query sent from the terminal at the base, determines whether access is permitted using the source of the query and the name of the query, and is not allowed In case, an error response is made.

  That is, as illustrated in FIG. 34, when the terminal transmits a name resolution query (see (1) in FIG. 34), the query transmitted by the terminal is first received by the DNS device installed at the base. (See (2) in FIG. 34).

  If the DNS device inquires about the name of the wide area network domain, the DNS apparatus transfers the inquiry to the wide area network DNS device (see (3) in FIG. 34). Then, the wide area network DNS device determines whether or not access is permitted using the inquiry transmission source and the inquiry target name, and if not, performs an error response.

  It should be noted that user level access permission information needs to be registered in advance in the wide area network DNS device. This registration may be performed, for example, in the same description as the ACL described above, for example, at the time of contract for the inter-VPN connection service. Or, the administrator of the connection between VPNs of the company registers which user may access which virtual router from the Web server for the user, and which user may allow access from other VPNs. May be. The inter-VPN connection management system 100 may be registered in the wide area network DNS device at the timing when information is registered or at any other timing.

  Next, a method for solving the problem that the result of name resolution is cached in the DNS device will be described. The DNS apparatus according to the second embodiment may be implemented by either setting a TTL (Time To Live) short or implementing a function of clearing registration information of the wide area network domain from the cache every time. A known technique may be used for the function of clearing the registration information of the determined domain from the cache.

  In the second embodiment, the DNS function corresponding to the wide area network DNS device, the number of I / Fs with the DNS, and the like can be saved by sharing them instead of dividing them for each base or virtual router. Cost reduction is also realized. In addition, it can be said that DNS can be realized statically by assigning zone files to each base that exists statically, instead of every (dynamic) virtual router that is generated and disappears in time.

  Further, by using the server virtualization technology, one piece of hardware can be virtually seen as a plurality. Therefore, by using this virtualization technology, the number of wide area network DNS devices is virtually the same as the number of bases. In other words, each virtual DNS device may be accommodated in a virtual router prepared for each site. That is, for example, in the second embodiment, there is a correspondence relationship of one shared resource virtual router in all bases to one wide area network DNS device. However, by virtualizing, one base—one virtual router—one You may comprise the correspondence of a virtual DNS apparatus by the number of bases.

  In the second embodiment, as described above, various settings such as firewall settings and ACL registration are performed in accordance with the DNS arrangement. However, registration and deletion of these pieces of information can be performed by, for example, a wide area network DNS device. You may carry out at the timing which registers registration information, and the timing which deletes. That is, in the second embodiment, when the DNS registration unit 138 determines that it is time to set the registration information, the registration information is registered in the wide area network DNS device, and the deletion unit 139 ends the inter-VPN connection service. When it was determined that it was time, the registration information was deleted from the wide area network DNS device. Therefore, similarly, for example, when the DNS registration unit 138 or the deletion unit 139 registers or deletes firewall settings or ACLs, the registration information should be set to the wide area network DNS device or the registration information from the wide area network DNS device. You may perform with respect to an applicable apparatus at the timing of deletion.

[Effect of Example 2]
As described above, according to the second embodiment, in response to the connection request between VPNs, the DNS registration information generation unit 137 has a communication partner identification address for identifying a terminal under another base serving as a communication partner within the base. When paid out for each site belonging to the connection between VPNs, the name of the terminal is determined so as to be unique within the site, and the set of the determined terminal name and communication partner identification address is used as DNS registration information for the connection between VPNs. Created for each location. Also, the DNS registration unit 138 registers the DNS registration information generated by the DNS registration information generation unit 137 in the wide area network DNS device for each base belonging to the connection between VPNs.

  The address translation information changes for each connection between VPNs, and even if the connection between the same VPNs is terminated once, there is a possibility that it will change when it is performed again. Therefore, the address-terminal name correspondence in name resolution also changes. Therefore, there is a need for a method of changing the DNS registration according to the address translation so as to absorb the above change.

  In this regard, according to the second embodiment, when the communication partner identification address is issued in response to the inter-VPN connection request, the inter-VPN connection management system 100 automatically sets the combination of the terminal name and the communication partner identification address to a wide area. Since it is registered in the network DNS device, the burden on the administrator can be reduced. That is, by automatically registering and deleting entries in the DNS each time using the determined address translation information, DNS name resolution can be automatically performed without human intervention.

  Further, according to the second embodiment, the wide area network DNS device manages the DNS registration information indicating the correspondence relationship between the communication partner identification address and the name of the terminal for each base, and makes an inquiry for name resolution of the correspondence relationship. Accept from the base. Then, the wide area network DNS device identifies the inquiry base and performs name resolution according to whether or not the inquiry by the base is permitted.

  Further, according to the second embodiment, the wide area network DNS device identifies the inquiry source base, identifies the inquiry source terminal, and performs name resolution according to whether the inquiry by the terminal at the base is permitted. I do.

  For this reason, according to the second embodiment, it is possible to control at the base level and the user level in the DNS response.

  That is, in the above-described inter-VPN connection system, the name of a terminal belonging to another base is resolved by DNS to acquire the address of the terminal and connect. Here, the DNS Zone file is basically configured for each site, but as a result, address inquiry can be made from all terminals in one site. On the other hand, there is a demand for the administrator to limit users (terminals) that can access other bases (and users (terminals) that allow access from other bases) because of security requirements. This restriction can be realized by a method of restricting access to users other than those permitted by the firewall, or a method of setting only the routing for the permitted users. However, for users who are not allowed to access other sites, it is safer to not give the address even if the name of the terminal of the connection partner is known. Therefore, it is reasonable to execute a method of performing a restriction such as answering or not answering the name resolution request to the DNS except for the user who permits the access, together with registration in the DNS.

  In the inter-VPN connection system according to the second embodiment, the wide area network DNS apparatus is installed by connecting the wide area network DNS apparatus and each base between the VPNs. However, the arrangement of the DNS in the present invention is not limited to this. Is not something Hereinafter, the arrangement of the DNS in the third embodiment will be described in more detail with reference to FIG. FIG. 35 is a diagram for explaining the arrangement of DNS in the third embodiment.

  As illustrated in FIG. 35, in the third embodiment, a DNS device is installed at each site. For example, the DNS device 1 installed at the site 1 performs name resolution within the site 1 or on the Internet (not shown).

  Also, in the third embodiment, unlike the second embodiment, an I / F for a wide area network DNS apparatus is created in the VPN termination apparatus that accommodates each base, and the wide area network DNS apparatus is connected via the NAPT (Network Address Port Translation). Connecting. Although not shown in FIG. 35, for example, a firewall is installed between the wide area network DNS device I / F and the wide area network DNS device, and the firewall is configured not to pass anything other than DNS inquiries. do.

  As for the technique for solving the problem of name resolution for other inter-VPN connections, as in the second embodiment, the wide-area network DNS device in the third embodiment also creates a zone file for each inter-VPN connection. Access to the file may be controlled by ACL. Since each site is identified by a port number, control by ACL is control using a port number.

  Up to now, for example, the inter-VPN connection management system 100 according to the second embodiment and the inter-VPN connection management system 100 according to the third embodiment have been described. No particular consideration was given to the case where a certain terminal has multiple assignments to a plurality of collaborative spaces in overlapping time zones. In this regard, in the inter-VPN connection management system 100 according to the fourth embodiment described below, it is possible to perform name resolution correctly even when a single site belongs to multiple cooperating spaces.

  FIG. 36 is a diagram for explaining determination of a terminal name in multiple attribution. First, a specific example of multiple attribution will be described with reference to FIG. As illustrated in FIG. 36, in the collective virtual router, an inter-VPN connection identified by the virtual router name “vrf1” and an inter-VPN connection identified by the virtual router name “vrf2” are constructed. These inter-VPN connections are established in overlapping time zones.

  Here, the inter-VPN connection identified by the virtual router name “vrf1” includes the terminal α1 at the base A, the terminal β1 at the base B, and the terminal γ1 at the base C as illustrated in FIG. Further, as illustrated in FIG. 36, the terminal α1 at the base A and the terminal γ1 at the base C belong to the connection between VPNs identified by the virtual router name “vrf2”. That is, the terminal α1 at the site A has multiple assignments in the overlapping time zone to the inter-VPN connection identified by the virtual router name “vrf1” and the inter-VPN connection identified by the virtual router name “vrf2”. In addition, the terminal γ1 at the site C also has multiple assignments to the inter-VPN connection identified by the virtual router name “vrf1” and the inter-VPN connection identified by the virtual router name “vrf2” in the overlapping time zone.

  Also, although not shown in FIG. 36, for the connection between VPNs identified by the virtual router name “vrf1”, the communication partner identification address “address B1” for identifying the terminal β1 is identified for the base A. Assume that the communication partner identification address “address C1” for identifying the terminal γ1 is issued. Further, it is assumed that the communication partner identification address “address A1” for identifying the terminal α1 and the communication partner identification address “address C2” for identifying the terminal γ1 are issued for the base B. Further, it is assumed that the communication partner identification address “address A2” for identifying the terminal α1 and the communication partner identification address “address B2” for identifying the terminal β1 are paid out for the site C.

  Further, for the inter-VPN connection identified by the virtual router name “vrf2”, it is assumed that the communication partner identification address “address C3” for identifying the terminal γ1 is issued for the base A. Further, it is assumed that the communication partner identification address “address A3” for identifying the terminal α1 is issued for the base C.

On the other hand, the wide area network DNS device manages DNS registration information for each site. For example, a wide area network device may
The DNS registration information “address C1” indicating the correspondence between “address B1” and “terminal β1” The DNS registration information “address C3” indicating the correspondence between “terminal γ1” and “terminal γ1” DNS registration information to be stored is stored.

  Under such circumstances, when the terminal α1 performs communication toward the terminal γ1, the terminal α1 needs to acquire the address of the terminal γ1 by making an inquiry to the wide area network DNS device using the name of the terminal γ1. is there. However, the terminal “α1” has the same “name of terminal γ1” both when connecting between VPNs identified by the virtual router name “vrf1” and when connecting between VPNs identified by the virtual router name “vrf2”. To try name resolution. For this reason, the wide area network DNS device cannot determine whether to respond “address C1” or “address C3” as a response to name resolution.

  Therefore, the inter-VPN connection management system 100 according to the fourth embodiment determines the name of the terminal so that the name of the terminal is unique for each connection between VPNs, and sets a set of the determined name of the terminal and the communication partner identification address. , DNS registration information is determined.

  An example will be described. For example, in the second embodiment, the DNS registration information generation unit 137 uses the “terminal name” managed in the inter-VPN connection information storage unit 121 as it is as the “terminal name” of the DNS registration information. In this case, it also matches the “terminal name” input as the inter-VPN connection request). The “terminal name” in this case is identification information for identifying a terminal under each base in the inter-VPN connection management system 100, and is basically one for one terminal.

  Therefore, in the fourth embodiment, the DNS registration information generation unit 137 adds the “virtual router name” to the “terminal name”, for example, so that the terminal name is unique for each connection between VPNs. Determine the name. For example, as illustrated in FIG. 36, in the base A, it is necessary to distinguish the terminal γ1 under the virtual router name “vrf1” from the terminal γ1 under the virtual router name “vrf2”. Therefore, the DNS registration information generation unit 137 adds the virtual router name to the terminal name “γ1@vpn3.example.co.jp” of the terminal γ1 managed in the inter-VPN connection information storage unit 121, and “γ1 @ vrf1”. .Vpn3.example.co.jp ”or“ γ1@vrf2.vpn3.example.co.jp ”.

  Then, the DNS registration information generation unit 137 generates an A record that is DNS registration information. For example, the communication partner identification address for identifying the terminal γ1 under the virtual router name “vrf1” is “172.16.3.10”, and the communication for identifying the terminal γ1 under the virtual router name “vrf1”. Assume that the partner identification address is “172.16.30.10”. Then, the DNS registration information generation unit 137 has DNS record information A record “γ1.vrf1 IN A 172.16.3.10” and A record “γ1.vrf2 IN A 172.16.30.10”. Is generated. This description of the A record means that there is a DNS at the domain level “vpn3.example.co.jp”, and that the DNS resolves the name including the names of the subdomains (vrf1, vrf2).

  Note that the method of determining the name of the terminal so that the name of the terminal is unique for each connection between VPNs is not limited to the above method. As long as the name of a terminal for identifying a terminal under another base serving as a communication partner within a base is uniquely determined for each connection between VPNs, any determination method may be used. Good.

  Next, a DNS registration apparatus according to the fifth embodiment will be described with reference to FIG. In the fifth embodiment, a DNS registration device is provided separately from the inter-VPN connection management system, and the address determined by the inter-VPN connection management system is notified to the DNS registration device.

  FIG. 37 is a block diagram illustrating the configuration of the DNS registration apparatus 200 according to the fifth embodiment. As illustrated in FIG. 37, the DNS registration apparatus 200 according to the fifth embodiment includes a communication unit 210, an input unit 211, an output unit 212, an input / output control I / F unit 213, a storage unit 220, and a control. Unit 230.

  The storage unit 220 includes a DNS registration information storage unit 221 and an attachment storage unit 222. The DNS registration information storage unit 221 corresponds to the DNS registration information storage unit 126 described in the second embodiment and has a similar function. Further, the attachment storage unit 222 corresponds to the attachment storage unit 127 described in the second embodiment and has the same function.

  The control unit 230 includes a DNS registration information generation unit 231 and a DNS registration unit 232. The DNS registration information generation unit 231 corresponds to the DNS registration information generation unit 137 described in the second embodiment and has a similar function. That is, the DNS registration information generation unit 231 receives notification of necessary information from the inter-VPN connection management system, determines a set based on this information, and generates DNS registration information. The DNS registration unit 232 corresponds to the DNS registration unit 138 described in the second embodiment and has a similar function.

  In other words, the DNS registration device 200 according to the fifth embodiment is obtained by separating some of the functions provided in the inter-VPN connection management system 100 according to the second embodiment into another physical casing. Also, the DNS registration apparatus 200 according to the fifth embodiment does not necessarily have to include each unit illustrated in FIG. 37, or may include other units. For example, if the DNS registration device 200 notifies the inter-VPN connection management system of the DNS registration information after the DNS registration information is generated by the DNS registration information generation unit 231, the DNS registration information storage unit 221 and the attachment storage unit 222 are not necessarily used. There is no need to prepare. In this case, the DNS registration information notified from the DNS registration device 200 may be stored on the inter-VPN connection management system side, and settings for the wide area network DNS device may be performed based on the DNS registration information.

  Although the first to fifth embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the above-described embodiments.

  For example, in the above embodiment, it is assumed that all terminal names are registered in the DNS without distinguishing whether the terminal name is to be registered in the DNS. However, the present invention is not limited to this. For example, an administrator who manages the connection between VPNs at the site registers in advance a terminal that allows external access to the connection management system 100 between VPNs using a Web server for users. The inter-VPN connection management system 100 sets a firewall so as to follow this registration, and controls access from the outside.

  Further, for the terminals registered by the administrator, the terminal names may be disclosed to these external terminal users in order to allow access from other bases. For this reason, the inter-VPN connection management system 100 registers a set of a terminal name and an address as an A record in the wide area network DNS apparatus. On the other hand, a terminal name that does not allow access from the outside does not need to be disclosed, and it is desired to control so that the address is not returned even if the terminal name is inquired to the wide area network DNS device. Therefore, the inter-VPN connection management system 100 does not register with the wide area network DNS device.

[Network configuration]
In the above embodiment, a star type network configuration is assumed. However, the present invention is not limited to this, and the present invention can be similarly applied to a full mesh type network configuration.

[Others]
Of the processes described in the above embodiments, all or part of the processes described as being performed automatically can be performed manually, or all of the processes described as being performed manually are performed. Alternatively, a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, a VRF (VPN routing and forwarding table) may be applied as an example of a transfer control device, and as a result, a plurality of transfer control devices are virtually operated in one transfer control device. be able to. Further, all or any part of each processing function performed in each device is realized by a CPU (Central Processing Unit) and a program analyzed and executed by the CPU, or hardware by wired logic. Can be realized as

  Note that the DNS registration method described in the above embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via an IP network such as the Internet. The program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM (Compact Disk Read Only Memory), an MO (Magneto-Optical disk), a DVD (Digital Versatile Disk). It can also be executed by being read from a recording medium by a computer.

1 DNS
DESCRIPTION OF SYMBOLS 10 DNS registration apparatus 11 Registration information production | generation part 12 DNS registration part

Claims (12)

In response to an inter-base connection request for connecting multiple bases between bases, a communication partner identification address for identifying a terminal under another base that is a communication partner within the base is issued for each base belonging to the connection between bases. And the name of the terminal so as to be unique within the base, and the base that belongs to the connection between bases as registration information to be registered in the DNS is a set of the determined name of the terminal and the communication partner identification address. Generating means for generating each;
A DNS registration apparatus comprising: registration means for registering registration information generated by the generation means in DNS for each site belonging to the inter-base connection.   The generation unit determines a name of the terminal so as to be unique for each connection between bases, and generates a set of the determined terminal name and the communication partner identification address for each base. 2. The DNS registration device according to 1. An inter-VPN connection management system for managing a system for connecting between VPNs at a plurality of bases via a wide area network,
DNS registration device
In response to an inter-VPN connection request for connecting a plurality of VPNs between VPNs, a communication partner identification address for identifying a terminal under another base serving as a communication partner within the base is issued for each base belonging to the connection between VPNs. And the base name belonging to the inter-VPN connection as registration information to be registered in the DNS. Generating means for generating each;
Registration means for registering registration information generated by the generation means in a wide-area DNS device for each base belonging to the connection between VPNs,
The wide area DNS device
Registration information storage means for storing registration information for each base belonging to the connection between VPNs, and reception means for receiving an inquiry for name resolution from each base;
A VPN comprising: a name resolution unit that identifies a base of a query source when the reception unit receives the query, searches the registration information storage unit according to the identified base, and performs name resolution. Connection management system.   The said generation means determines the name of the said terminal so that it may become unique for every connection between VPNs, and determines the group of the determined name of the terminal and the said communicating party identification address for every base. 3. The VPN connection management system according to 3.   When the inquiry is accepted by the accepting means, the name resolution means identifies the inquiry source base, identifies the inquiry source terminal, and determines whether the inquiry by the terminal at the base is permitted. 5. The inter-VPN connection management system according to claim 3 or 4, wherein a solution is made. The inter-VPN connection management system installs the wide-area DNS device by connecting the wide-area DNS device and each base between the VPNs in the system,
6. The name resolution unit of the wide area DNS apparatus, when an inquiry is received by the reception unit, identifies a base based on a source address included in the inquiry and performs name resolution. The connection management system between VPNs as described in any one. The inter-VPN connection management system installs the wide area DNS device by connecting the wide area DNS device and each base via a NAPT device,
7. The name resolution unit of the wide area DNS apparatus, when an inquiry is received by the reception unit, identifies a base by a port number of a transmission source included in the inquiry and performs name resolution. The connection management system between VPNs as described in any one of these.   The said wide area DNS apparatus with which the connection management system between VPNs as described in any one of Claims 3-7 is provided.   A DNS registration program for causing a computer to function as the DNS registration device according to claim 1 or 2, or the DNS registration device provided in the inter-VPN connection management system according to any one of claims 3 to 7. .   A wide-area DNS program that causes a computer to function as a wide-area DNS device included in the inter-VPN connection management system according to any one of claims 3 to 7. Computer
In response to an inter-base connection request for connecting multiple bases between bases, a communication partner identification address for identifying a terminal under another base that is a communication partner within the base is issued for each base belonging to the connection between bases. And the name of the terminal so as to be unique within the base, and the base that belongs to the connection between bases as registration information to be registered in the DNS is a set of the determined name of the terminal and the communication partner identification address. Generation process to be generated for each,
A DNS registration method, comprising: a registration step of registering registration information generated by the generation step in a DNS for each site belonging to the inter-base connection. An inter-VPN connection management method for managing a system for inter-VPN connection between VPNs at a plurality of bases via a wide area network,
A computer as a DNS registration device
In response to an inter-VPN connection request for connecting a plurality of VPNs between VPNs, a communication partner identification address for identifying a terminal under another base serving as a communication partner within the base is issued for each base belonging to the connection between VPNs. And the base name belonging to the inter-VPN connection as registration information to be registered in the DNS. Generation process to be generated for each,
A registration step of registering registration information generated by the generation step in a wide-area DNS device for each site belonging to the connection between VPNs,
A computer as the wide area DNS device
Acceptance process to accept inquiries from each site for name resolution,
When the inquiry is accepted by the accepting step, the base of the inquiry source is identified, and according to the identified base, a registration information storage unit that stores registration information for each base belonging to the connection between VPNs is searched for name resolution. A connection management method between VPNs, comprising: a name resolution step.

Images