JP2016134733A - Network system and server device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow a server device to acquire the information of a layer 2(L2), and to provide a service based on the information of the layer 2(L2).SOLUTION: A service provision unit 13 is installed in a second network domain DM2, receives a request frame from a client device TM1 installed in a first network domain DM1, and provides a service according to the request frame. A management table 16 holds the layer 2 information and layer 3 information of the client device. The request frame from the client device is a frame requesting a service requiring the layer 2 information. Upon receiving the request frame, the service provision unit searches for the management table by using the layer 3 information of a transmission source included therein, as a search key, and then provides a service by using the layer 2 information acquired by the search.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a network system and a server device, for example, a server device that provides a service in response to a request from a client device and a network system including the server device.

  For example, Patent Document 1 discloses a system in which a terminal monitoring device and a network management device are installed in a network to which a router is connected, and the terminal is disconnected from the network when a failure occurs in the terminal connected to the router. ing. Specifically, the terminal monitoring device monitors communication from the terminal and notifies the network management device of the IP address of the terminal where the failure has occurred. The network management device collects and stores information of the ARP table of the router, acquires a port (MAC address of the router port) corresponding to the IP address notified from the terminal monitoring device based on the stored information, Sends a command to the router to disconnect the port from the network.

JP 2005-204055 A

  For example, in a network system, a method in which a server device provides a predetermined service to a client device in response to a request from the client device is widely used. Here, for example, when the client device and the server device belong to different network domains, the server device receives a request frame from the client device via a router or the like.

  In this case, the server device refers to the information in the header part of the received request frame, and the service using the layer 3 (L3) information (typically IP (Internet Protocol) address) of the client device is It can be provided to the client device. However, since the server device cannot acquire the layer 2 (L2) information (typically MAC (Media Access Control) address) of the client device, it uses the layer 2 (L2) information of the client device. It is difficult to provide services to client devices.

  The present invention has been made in view of the above, and one of its purposes is that in a network system and a server device, the server device acquires layer 2 (L2) information, and the layer 2 ( A service based on the information of L2) can be provided to the client device.

  The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  Of the inventions disclosed in the present application, the outline of a typical embodiment will be briefly described as follows.

  The network system according to the present embodiment includes a relay device, a service providing unit, and a management table. The relay device is installed at the boundary between the first network domain and the second network domain, and relays a frame between the first network domain and the second network domain. The service providing unit is installed in the second network domain, receives a request frame from a client device installed in the first network domain, and provides a service corresponding to the request frame to the client device. The management table holds layer 2 information and layer 3 information of the client device. Here, the request frame from the client device is a frame for requesting a service for which layer 2 information is required. When the service providing unit receives the request frame, the service providing unit searches the management table using the source layer 3 information included in the request frame as a search key, and provides the service using the layer 2 information acquired by the search. To do.

  The effects obtained by the representative embodiments of the invention disclosed in the present application will be briefly described. In the network system and the server device, the server device acquires layer 2 (L2) information, and the layer 2 A service based on the information of (L2) can be provided to the client device.

In the network system by Embodiment 1 of this invention, it is the schematic which shows the structural example of the principal part. FIG. 2 is an explanatory diagram showing an operation example in the network system of FIG. 1. It is the schematic which shows the structural example of the principal part in the network system by Embodiment 2 of this invention. FIG. 4 is an explanatory diagram showing an operation example in the network system of FIG. 3. FIG. 5 is an explanatory diagram illustrating an operation example following FIG. 4. It is the schematic which shows the structural example of the principal part in the network system by Embodiment 3 of this invention. In the network system by Embodiment 3 of this invention, it is the schematic which shows the structural example different from FIG. 6 of the principal part. It is the schematic which shows the structural example of the principal part in the network system by Embodiment 4 of this invention. In the network system by Embodiment 4 of this invention, it is the schematic which shows the structural example different from FIG. 8 of the principal part. FIG. 2 is an explanatory diagram showing an operation example in the network system as a comparative example of FIG. 1.

  In the following embodiment, when it is necessary for the sake of convenience, the description will be divided into a plurality of sections or embodiments. However, unless otherwise specified, they are not irrelevant, and one is the other. Some or all of the modifications, details, supplementary explanations, and the like are related. Further, in the following embodiments, when referring to the number of elements (including the number, numerical value, quantity, range, etc.), especially when clearly indicated and when clearly limited to a specific number in principle, etc. Except, it is not limited to the specific number, and may be more or less than the specific number.

  Further, in the following embodiments, the constituent elements (including element steps and the like) are not necessarily indispensable unless otherwise specified and apparently essential in principle. Needless to say. Similarly, in the following embodiments, when referring to the shapes, positional relationships, etc. of the components, etc., the shapes are substantially the same unless otherwise specified, or otherwise apparent in principle. And the like are included. The same applies to the above numerical values and ranges.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

(Embodiment 1)
<Network system configuration>
FIG. 1 is a schematic diagram showing a configuration example of main parts of a network system according to Embodiment 1 of the present invention. The network system shown in FIG. 1 includes an L2 switch 10 that performs Layer 2 (L2) relay processing based on the OSI reference model, a relay device 11 that performs Layer 3 (L3) relay processing, a Web server device 12, and DHCP. (Dynamic Host Configuration Protocol) server device (DHCP processing unit) 15.

  The relay device 11 is, for example, an L3 switch, a router, or the like, and has a plurality (three in this case) of ports P1 to P3. The relay device 11 is installed at the boundary between the network domain (first network domain) DM1 and the network domain (second network domain) DM2, and relays frames (and packets) between the network domain DM1 and the network domain DM2. . In addition, since the packet relayed in layer 3 (L3) is actually relayed in the format included in the frame, in this specification, the frame and the packet are not particularly distinguished, and are described in a unified frame. Do.

  The L2 switch 10 has a plurality of ports Pd [1] to Pd [n], Pu. The client device TM1 is connected to the port Pd [1], and the port Pu is connected to the port P1 of the relay device 11. In the example of FIG. 1, the port P1 of the relay device 11 belongs to the network domain DM1, and the L2 switch 10 and the client device TM1 are installed in the network domain DM1. The client device TM1 has a MAC address MA1 and an IP address IP1, and is used by the client 17.

  The Web server device 12 is connected to the port P2 of the relay device 11. In the example of FIG. 1, the port P2 of the relay device 11 belongs to the network domain DM2, and the Web server device 12 is installed in the network domain DM2. The Web server device 12 includes a service providing unit 13. The service providing unit 13 is configured, for example, by causing a processor (CPU) to perform program processing.

  The service providing unit 13 receives a request frame from the client device TM1 installed in the network domain DM1, and provides a service corresponding to the request frame to the client device TM1. Here, the service providing unit 13 includes a management table reference unit 14. Although the details will be described later, the management table reference unit 14 is provided to provide a service that requires layer 2 (L2) information to the client apparatus TM1.

  The DHCP server device (DHCP processing unit) 15 is connected to the port P3 of the relay device 11. The DHCP server device 15 may be installed in any one of the network domains DM1 and DM2, and may be installed in a network domain different from the network domains DM1 and DM2 depending on circumstances. The DHCP server device 15 includes a management table 16 that holds layer 2 (L2) information (here, MAC address MA1) and layer 3 (L3) information (here, IP address IP1) of the client device TM1.

  As is widely known, the DHCP server device 15 dynamically assigns an IP address (in this case, IP1) to the client device TM1. For example, when the DHCP server device 15 is installed in the network domain DM1, it first receives a request frame from the client device TM1. Specifically, the request frame is DHCP discovery using a destination MAC address as a broadcast address. Next, the DHCP server device 15 selects one of the unused IP addresses, performs a predetermined exchange with the client device TM1, and then uses the IP address (here, IP1) as the client device. Assign to TM1. Then, the DHCP server device 15 registers the correspondence relationship between the IP address IP1 and the MAC address MA1 of the client device TM1 in the management table 16.

  On the other hand, when the DHCP server device 15 is installed in a network domain (for example, DM2) different from the network domain DM1, the relay device 11 receives a request frame (DHCP discovery) from the client device TM1. The relay device 11 mediates communication between the client device TM1 and the DHCP server device 15 by using a DHCP relay agent function for relaying DHCP frames between different network domains. As a result, the IP address IP1 is assigned to the client device TM1 in the same manner as described above, and the correspondence between the IP address IP1 and the MAC address MA1 of the client device TM1 is registered in the management table 16. The MAC address MA1 is stored in the message area of the DHCP frame.

<Operation of network system (comparative example)>
FIG. 10 is an explanatory diagram showing an operation example in the network system as a comparative example of FIG. The network system shown in FIG. 10 differs from the network system shown in FIG. 1 in that the Web server device 12 ′ includes a service providing unit 13 ′ different from that shown in FIG. Unlike the case of FIG. 1, the service providing unit 13 ′ does not include the management table reference unit 14. In FIG. 10, the DHCP server device 15 is not shown for convenience.

  In such a configuration, it is assumed that the client 17 makes a service request to the Web server apparatus 12 'via the client apparatus TM1. First, the client apparatus TM1 transmits a service request frame FL1 (step S101). In the request frame FL1, the source MAC address SA (MAC) is the MAC address MA1, and the source IP address SA (IP) is the IP address IP1. The destination MAC address is the MAC address of the relay device 11 (referred to as MA2), and the destination IP address is the IP address of the Web server device 12 '.

  The L2 switch 10 relays the request frame FL1 received at the port Pd [1] to the port Pu based on its own FDB (Forwarding DataBase), and the relay device 11 receives the request frame FL1 at the port P1. . The relay device 11 relays the request frame FL1 received at the port P1 to the port P2 based on its own routing table and the like. At this time, the relay device 11 changes the transmission source MAC address SA (MAC) of the request frame FL1 to the MAC address MA2 of the own device, and transmits the changed request frame FL2 from the port P2 (step S102). It is assumed that the relay device 11 does not execute NAT (Network Address Translation).

  The Web server device 12 '(service providing unit 13') receives the request frame FL2. The request frame FL2 includes the layer 3 (L3) information (typically IP address IP1) of the client device TM1 in the header portion. Therefore, the service providing unit 13 'can provide the client device TM1 with a service that requires the layer 3 (L3) information.

  However, the request frame FL2 does not include the layer 2 (L2) information (typically the MAC address MA1) of the client device TM1 in the header portion. For this reason, it becomes difficult for the service providing unit 13 'to provide the client device TM1 with a service that requires the layer 2 (L2) information.

<< Operation of Network System (Embodiment 1) >>
FIG. 2 is an explanatory diagram showing an operation example of the network system of FIG. In FIG. 2, the processing (steps S101 and S102) until the Web server device 12 (service providing unit 13) receives the request frame FL2 is the same as in FIG. When the service providing unit 13 (management table reference unit 14) receives the request frame FL2, the source layer 3 (L3) information (here, the source IP address SA (IP) “) included in the request frame FL2 is received. The management table 16 of the DHCP server device 15 is searched using “IP1”) as a search key. As a result, the service providing unit 13 (management table reference unit 14) acquires layer 2 (L2) information (here, the MAC address MA1) (step S103).

<< Main effects of the first embodiment >>
As described above, by using the network system and the server device (Web server device 12) of the first embodiment, as shown in FIG. 2, the service providing unit 13 is different from the case of FIG. It becomes possible to provide a service that requires layer 2 (L2) information (for example, MAC address MA1).

  Note that various methods can be used as a specific method for searching the management table 16 of the DHCP server device 15 in step S103 of FIG. For example, the management table reference unit 14 may cause the DHCP server device 15 to search the management table 16 and acquire the search result. Alternatively, the management table reference unit 14 may collect and hold all information in the management table 16 as appropriate. The stored information may be searched by the device.

  Here, the layer 2 (L2) information and the layer 3 (L3) information are a MAC address and an IP address, respectively, and the MAC address corresponding to the IP address is acquired from the management table 16 of the DHCP server device 15 As an example. However, the layer 2 (L2) information and the layer 3 (L3) information are not necessarily limited to the MAC address and the IP address, and the management table is not limited to the management table 16 of the DHCP server device 15.

(Embodiment 2)
<< Configuration of network system (application example) >>
FIG. 3 is a schematic diagram showing a configuration example of the main part of the network system according to the second embodiment of the present invention. The network system shown in FIG. 3 is different from the network system shown in FIG. 1 in that the Web server device 12 is an authentication server device such as a RADIUS server. The Web server device 12 includes an authentication execution unit 20 and an authentication table 21 in addition to the service providing unit 13 illustrated in FIG. The authentication execution unit 20 is configured, for example, by causing a processor (CPU) to perform program processing, and the authentication table 21 is configured by a storage unit such as a hard disk or RAM (Random Access Memory).

  In response to an authentication request from the outside of the apparatus, the authentication execution unit 20 compares the information accompanying the authentication request with the information held in the authentication table 21 to determine whether the authentication request is permitted or not. Here, when the client 17 wants to apply the MAC address authentication to the client device TM1, the service providing unit 13 provides the client 17 with a service for applying to that effect.

<< Operation of network system (application example) >>
FIG. 4 is an explanatory diagram showing an operation example in the network system of FIG. 3, and FIG. 5 is an explanatory diagram showing an operation example following FIG. In FIG. 4, it is assumed that user authentication of the client 17 (client apparatus TM1) has already been completed. That is, it is assumed that the client 17 inputs account information such as a user ID and a password using the client device TM1 and the authentication request for the account information is already permitted by the Web server device (authentication server device) 12.

  In such a state, first, the client 17 transmits a request frame FL1 to the Web server device 12 via the client device TM1 (step S101). Here, the request frame FL1 is a frame for applying for application of MAC address authentication. Specifically, for example, the client 17 accesses a Web screen provided by the Web server device 12 and clicks a MAC address authentication application item or the like displayed on the Web screen. Along with this, the request frame FL1 is transmitted.

  Next, as in the case of FIG. 2, the relay device 11 receives the request frame FL1, and transmits the request frame FL2 in which the transmission source MAC address SA (MAC) is changed to the MAC address MA2 to the Web server device 12 ( Step S102). The Web server device 12 (service providing unit 13) that has received the request frame FL2 searches the management table 16 in the same manner as in FIG. 2, and acquires the MAC address MA1 of the client device TM1 (step S103). Here, the service providing unit 13 registers the MAC address MA1 acquired from the management table 16 in the authentication table 21 (step S104). Note that this registration may be performed, for example, through the approval of a network administrator or the like.

  The processing in step S104 in FIG. 4 makes it possible to apply MAC address authentication to the client device TM1, as shown in FIG. In FIG. 5, it is assumed that the client device TM1 is newly connected to the L2 switch 10 by restarting the client device TM1 or the like (step S201). For example, the L2 switch 10 is an authentication switch having a RADIUS client function. The L2 switch 10 detects a new connection of the client device TM1, and transmits a MAC address authentication authentication request to the Web server device 12 using the MAC address MA1 as account information (step S202).

  The authentication execution unit 20 of the Web server device 12 receives the authentication request, and compares the account information (here, the MAC address MA1) accompanying the authentication request with the account information registered in the authentication table 21 ( Step S203). Here, since the MAC address MA1 is registered in the authentication table 21, the authentication execution unit 20 permits the authentication request. Then, the authentication execution unit 20 returns an authentication request permission notification to the L2 switch 10 (step S204).

  The L2 switch 10 receives the permission notification from the Web server device 12 and performs a predetermined connection restriction (step S205). Various methods can be used for connection restriction. As an example, the L2 switch 10 registers the correspondence relationship between the port Pd [1] and the MAC address MA1 of the client device TM1 in the connection permission list, and thereafter receives it at the port Pd [1] based on the connection permission list. Frame relay from the client device TM1 is permitted. Alternatively, the L2 switch 10 assigns a predetermined VLAN (Virtual LAN) received together with the permission notification to the port Pd [1], and permits access to various devices connected in the same VLAN.

<< Main effects of the second embodiment >>
As described above, by using the network system and the server device (Web server device 12) of the second embodiment, when the client 17 (client device TM1) applies for the application of MAC address authentication, a high-quality service is provided to the client 17. Can be provided to. Specifically, first, at the time of this application, it is desirable that the Web server device 12 automatically obtains the MAC address (MAC address to be applied) MA1 of the client device TM1.

  Here, as a comparative example, the Web server device 12 can manually input the MAC address to the client 17 using, for example, the Web screen in step S101 of FIG. However, in this case, the burden on the client 17 or an input error may occur, so that the quality of service may be deteriorated. In some cases, an unauthorized MAC address may be input maliciously and security may be reduced. When the method of the second embodiment is used, the correct MAC address MA1 of the client device TM1 can be automatically acquired, and thus such a problem can be solved.

(Embodiment 3)
<< Configuration of Network System (Modification [1]) >>
FIG. 6 is a schematic diagram showing a configuration example of the main part of the network system according to the third embodiment of the present invention. The network system shown in FIG. 6 is different from the network system shown in FIG. 1 in that the service providing unit 13 and the DHCP processing unit 15 in FIG. 6 includes a DHCP processing unit 26 including the management table 16 and a service providing unit 13 including the management table reference unit 14.

  FIG. 7 is a schematic diagram showing a configuration example different from FIG. 6 of the main part in the network system according to the third embodiment of the present invention. The network system shown in FIG. 7 differs from the configuration example of FIG. 6 in that the server device 30 further includes an authentication execution unit 20 and an authentication table 21. The authentication execution unit 20 and the authentication table 21 together with the service providing unit 13 constitute an authentication unit 31. That is, the server device 30 shown in FIG. 7 has a configuration in which the DHCP processing unit 15 shown in FIG. 3 is further provided in the Web server device (authentication server device) 12 shown in FIG.

<< Main effects of the third embodiment >>
As described above, by using the network system and the server devices 25 and 30 according to the third embodiment, first, the management table 16 and the service providing unit 13 are mounted in the same server device. Communication via the relay device 11 as shown is not necessary. Thereby, the communication load etc. of a network can be reduced.

  Furthermore, it is easy to improve security. That is, for example, the DHCP server device 15 shown in FIG. 2 or the like is normally preferably configured not to permit access to the management table 16 from the outside of the device from the viewpoint of security. However, when the DHCP server device 15 and the Web server device 12 are configured as separate devices, exceptionally, it is necessary to perform settings for permitting such access in the DHCP server device 15, and security associated with this is required. There is concern about the decline.

  Therefore, as in the third embodiment, such a problem can be solved by configuring the DHCP server device 15 and the Web server device 12 as a single server device. In particular, the authentication unit 31 and the DHCP processing unit 26 illustrated in FIG. 7 are a series of network management viewpoints such that the DHCP processing unit 26 assigns an IP address to the client device authenticated by the authentication unit 31. Responsible for the function. Therefore, by configuring these with a single server device, network management efficiency and device cost may be reduced in some cases.

(Embodiment 4)
<< Configuration of Network System (Modification [2]) >>
FIG. 8 is a schematic diagram showing a configuration example of main parts of a network system according to Embodiment 4 of the present invention. FIG. 9 is a schematic diagram showing a configuration example different from FIG. 8 of the main part in the network system according to the fourth embodiment of the present invention. For example, in the first embodiment and the like, a configuration example in which the service providing unit 13 refers to the management table 16 of the DHCP server device (DHCP processing unit) 15 has been described, but the management table is not necessarily limited thereto.

  In the example of FIG. 8, the management table is an ARP (Address Resolution Protocol) table 35 of the relay apparatus 11. As is widely known, the ARP table 35 holds a correspondence relationship between an IP address, a MAC address, and a port identifier obtained by issuing an ARP request. In the example of FIG. 8, the ARP table 35 shows the correspondence between the IP address IP1 and MAC address MA1 of the client terminal TM1 and the port P1 (its port identifier {P1}) that has received the ARP reply from the client terminal TM1. keeping.

  Further, the service providing unit 13 of FIG. 8 includes an ARP table reference unit 36 having the same function as the management table reference unit 14 of FIG. The ARP table reference unit 36 acquires the MAC address (MA1) by searching the ARP table 35 of the relay apparatus 11 using the IP address (for example, IP1) as a search key.

  On the other hand, in the example of FIG. 9, the management table is the management table 41 of the RARP server device 40. The RARP server device 40 is installed in the network domain DM1, and is connected to the port Pd [n] of the L2 switch 10 here. The management table 41 holds the IP address IP1 and MAC address MA1 of the client terminal TM1, as in the case of FIG.

  For example, when receiving a RARP (Reverse Address Resolution Protocol) request from the client terminal TM1, the RARP server device 40 returns the IP address IP1 based on the management table 41. 9 obtains the MAC address (MA1) by searching the management table 41 of the RARP server device 40 using the IP address (for example, IP1) as a search key.

  As described above, using the network system and the server device of the fourth embodiment also provides the same effects as those of the first embodiment.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiments. However, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention. For example, the above-described embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to one having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. . Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

10 L2 switch 11 Relay device 12, 12 ′ Web server device 13, 13 ′ Service providing unit 14 Management table reference unit 15 DHCP server device (DHCP processing unit)
DESCRIPTION OF SYMBOLS 16 Management table 17 Client 20 Authentication execution part 21 Authentication table 25,30 Server apparatus 26 DHCP processing part 31 Authentication part 35 ARP table 36 ARP table reference part 40 RARP server apparatus DM1, DM2 Network domain FL1, FL2 Request frame P1-P3 , Pd [1] to Pd [n], Pu port SA (IP) source IP address SA (MAC) source MAC address TM1 client device

Claims (12)

A relay device installed at a boundary between the first network domain and the second network domain and relaying a frame between the first network domain and the second network domain;
A service providing unit installed in the second network domain, receiving a request frame from a client device installed in the first network domain, and providing a service corresponding to the request frame to the client device;
A management table holding layer 2 information and layer 3 information of the client device;
With
The request frame is a frame for requesting a service for which layer 2 information is required,
When the service providing unit receives the request frame, the service providing unit searches the management table using the source layer 3 information included in the request frame as a search key, and uses the layer 2 information acquired by the search to perform a service. I will provide a,
Network system. The network system according to claim 1,
The layer 2 information is a MAC address,
The layer 3 information is an IP address.
Network system. The network system according to claim 2, wherein
The management table is provided in a DHCP processing unit that dynamically assigns an IP address to the client device.
Network system. The network system according to claim 3, wherein
The service providing unit and the DHCP processing unit are provided in one server device.
Network system. The network system according to claim 3, wherein
Furthermore, an authentication execution unit that determines permission or non-permission of the authentication request by comparing information accompanying the authentication request with information held in the authentication table in response to an authentication request from the outside,
The request frame is a frame for applying for application of MAC address authentication,
The service providing unit applies MAC address authentication to the client device by registering the MAC address acquired from the management table in the authentication table.
Network system. The network system according to claim 5, wherein
The service providing unit, the DHCP processing unit, and the authentication execution unit are provided in one server device.
Network system. The network system according to claim 2, wherein
The management table is an ARP table of the relay device.
Network system. A server device provided in a second network domain, including a service providing unit that receives a request frame from a client device installed in the first network domain and provides a service corresponding to the request frame to the client device. ,
A management table for holding layer 2 information and layer 3 information of the client device is provided inside or outside the server device,
The request frame is a frame for requesting a service for which layer 2 information is required,
When the service providing unit receives the request frame, the service providing unit searches the management table using the source layer 3 information included in the request frame as a search key, and uses the layer 2 information acquired by the search to perform a service. I will provide a,
Server device. The server device according to claim 8, wherein
The layer 2 information is a MAC address,
The layer 3 information is an IP address.
Server device. The server device according to claim 9, wherein
The management table is provided in a DHCP processing unit that dynamically assigns an IP address to the client device.
Server device. The server device according to claim 10, wherein
Furthermore, an authentication execution unit that determines permission or non-permission of the authentication request by comparing information accompanying the authentication request with information held in the authentication table in response to an authentication request from the outside,
The request frame is a frame for applying for application of MAC address authentication,
The service providing unit applies MAC address authentication to the client device by registering the MAC address acquired from the management table in the authentication table.
Server device. The server device according to claim 10 or 11,
The server device includes the DHCP processing unit,
Server device.

Images