JP2017139604A - Communication device and communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To obtain a communication device which can perform communication through a network in an environment in which the allocation of host information is restricted.SOLUTION: The communication device is constituted by first communication means 1, second communication means 2, bridge processing means 3, internal communication control means 4 and internal transfer means 5. The first communication means 1 performs communication with a first network. The second communication means 2 performs communication with a communication terminal device, which performs communication with the first network through the self-device, through a second network. The internal communication control means 4, when acquiring predetermined data from an information device which is connected to the first network, transmits and receives each packet to which host information of the communication terminal device is added, as self-device information, to/from the information device through the first network. When an input packet satisfies a predetermined filter condition which is set based on the host information of the communication terminal device, the internal transfer means 5 transfers the input packet to the inside of the self-device.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication apparatus that performs packet relay processing, and more particularly, to a technique in which a communication apparatus performs data communication necessary for processing of the own apparatus.

  In an IP (Internet Protocol) network, a bridge device having a bridge processing function for relaying a packet is widely used as a communication device. The bridge device performs a bridge process in layer 2 of an OSI (Open Systems Interconnection) reference model. When performing the bridging process, it is not necessary to assign host information such as an IP address or a MAC (Media Access Control) address to the bridge device. However, a bridge device that has functions such as a firewall and UTM (Unified Threat Management) and communicates with a server or the like via a network such as the Internet is also used for firmware update and maintenance processing. A bridge device that communicates with a server or the like via such a network needs to be assigned host information such as an IP address in order to perform communication.

  However, in an environment where there is a restriction on the number of IP addresses that can be assigned on the network, it may not be possible to assign an IP address to the bridge device. In such an environment, a bridge device having a firmware update function or the like may not be able to communicate with a server or the like having update data via a network and may not be able to use the update function.

  For example, when a bridge device is connected to a home router connected to the Internet, the home router can obtain an IP address, but the bridge device cannot receive an IP address assignment and involves communication. The function cannot be used. Therefore, even in an environment where there is a restriction on allocation of host information such as an IP address, it is desirable that there is a technology that enables each communication device to communicate via a network, and related technologies are being developed. . For example, a technique as disclosed in Patent Document 1 is disclosed as a technique that allows each communication device to perform communication via a network even in an environment where there is a restriction on the allocation of host information.

  Patent Document 1 relates to a communication apparatus that includes a plurality of network interfaces each connected to a communication line and performs communication between the network interface and the IP network. A common IP address and MAC address are assigned to each network interface of the communication apparatus of Patent Document 1. In the communication apparatus of Patent Document 1, communication between the IP network and each network interface is performed using a common IP address and MAC address, and each network interface is identified by a port number. As described above, Patent Document 1 describes that communication with an IP network can be performed using a common IP address and MAC address by distinguishing each network interface card by the port number of each network interface.

Special table 2012-521147 gazette

  However, the technique of Patent Document 1 is not sufficient in the following points. In the communication apparatus of Patent Document 1, network interfaces that are in parallel with each other are distinguished by port numbers, thereby enabling communication with a network using a set of IP addresses and MAC addresses. On the other hand, in a communication device such as a bridge device, communication is performed using a bridge device and an IP address or the like that is limited in a serially connected relationship such as a communication terminal device that communicates with a network via the bridge device. There is a need to do. Therefore, a communication terminal device that communicates with the network via the bridge device cannot be identified by a port number or the like and cannot communicate using a common IP address or the like. Therefore, the technique of Patent Document 1 is not sufficient as a technique for a plurality of communication apparatuses including a bridge apparatus to communicate via a network in an environment where there is a restriction on allocation of host information.

  In order to solve the above-described problems, an object of the present invention is to obtain a communication apparatus that can perform communication via a network even in an environment where there is a restriction on allocation of host information.

  In order to solve the above problems, a communication apparatus of the present invention includes a first communication unit, a second communication unit, a bridge processing unit, an internal communication control unit, and an internal transfer unit. The first communication means communicates with the first network. The second communication means communicates via the second network with a communication terminal device that communicates with the first network via the own device. The bridge processing means performs a bridge process for transferring packets input from the first network and the second network based on information included in the packets. When acquiring predetermined data from the information device connected to the first network, the internal communication control means uses the packet added with the host information of the communication terminal device as its own information as the internal processing packet. Data is transmitted to and received from the information device via the network. The internal transfer means, when the bridge processing means 3 performs the bridge processing of the input packet, when the packet satisfies a predetermined filter condition set based on the host information of the communication terminal device, the internal processing packet To the inside of its own device.

  The communication method of the present invention performs a bridge process for transferring packets input from the first network and the second network based on information contained in the packets. In the communication method of the present invention, when predetermined data is acquired from an information device connected to the first network, a packet in which the host information of the communication terminal device is added as its own information is used as the first internal processing packet. To the information device via the network. The communication terminal device communicates with the first network via its own device. The communication method of the present invention transfers a packet as an internal processing packet to the inside of its own device when the packet satisfies the predetermined filter condition set based on the host information when performing the bridge processing of the input packet. To do.

  According to the present invention, communication can be performed via a network even in an environment where there is a restriction on allocation of host information.

It is a figure which shows the outline | summary of a structure of the 1st Embodiment of this invention. It is a figure which shows the outline | summary of a structure of the 2nd Embodiment of this invention. It is a figure which shows the outline | summary of a structure of the bridge | bridging apparatus of the 2nd Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 2nd Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 2nd Embodiment of this invention. It is a figure which shows the outline | summary of a structure of the 3rd Embodiment of this invention. It is a figure which shows the outline | summary of a structure of the bridge | bridging apparatus of the 3rd Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 3rd Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 3rd Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 3rd Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 3rd Embodiment of this invention. It is a figure which shows the outline | summary of a structure of the 4th Embodiment of this invention. It is a figure which shows the outline | summary of a structure of the bridge | bridging apparatus of the 4th Embodiment of this invention. It is a figure which shows the outline | summary of the operation | movement flow in the 4th Embodiment of this invention.

(First embodiment)
A first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 shows an outline of the configuration of the communication apparatus according to the present embodiment. The communication apparatus of this embodiment includes a first communication unit 1, a second communication unit 2, a bridge processing unit 3, an internal communication control unit 4, and an internal transfer unit 5. The first communication means 1 communicates with the first network. The 2nd communication means 2 communicates via the 2nd network with the communication terminal device which communicates with a 1st network via an own apparatus. The bridge processing unit 3 performs a bridge process of transferring packets input from the first network and the second network based on information included in the packets. When the internal communication control means 4 obtains predetermined data from the information device connected to the first network, the internal communication control means 4 uses the packet added with the host information of the communication terminal device as its own information as the first internal processing packet. It transmits and receives to and from the information device via the network. When the bridge processing means 3 performs the bridge processing of the input packet, the internal transfer means 5 performs internal processing on the packet when the packet satisfies a predetermined filter condition set based on the host information of the communication terminal device. It is transferred as a packet to its own device.

  In the communication apparatus of this embodiment, when acquiring predetermined data from the information apparatus, the internal communication control unit 4 transmits a packet to which the host information of the communication terminal apparatus is added as information of the own apparatus to the information apparatus. Further, in the communication apparatus of the present embodiment, when the input packet satisfies a predetermined filter condition set based on the host information of the communication terminal apparatus, the internal transfer unit 5 uses the packet as an internal processing packet and sets the packet of the own apparatus. Transferring inside. As described above, the communication device according to the present embodiment communicates the host information of the communication terminal device that performs communication via the own device as the information on the own device, so that the own device has an IP (Internet Protocol) address or the like. Communication can be performed even when host information is not included. Moreover, since the communication apparatus of this embodiment uses only the packet which has predetermined | prescribed filter conditions among the packets which have host information of communication terminal information, and internally uses them, it gives to communication of a communication terminal apparatus The influence can be suppressed. As a result, the communication apparatus according to the present embodiment can perform communication via a network in an environment where there is a restriction on the allocation of host information.

(Second Embodiment)
A second embodiment of the present invention will be described in detail with reference to the drawings. FIG. 2 shows an outline of the configuration of the communication system of the present embodiment. The communication system of this embodiment includes a bridge device 10, a terminal device 20, and a server 30. The bridge device 10 and the server 30 are connected to each other via the network 40. The bridge device 10 may be connected to the network 40 via a router or the like. The terminal device 20 is connected to the bridge device 10 via the network 41.

  The communication system of this embodiment is configured as an IP network. In the communication system of the present embodiment, the bridge device 10 performs a bridge process on packets input from the network 40 and the network 41. By the bridge processing of the bridge device 10, the terminal device 20 communicates with the server 30 or other communication device or information processing device communication via the network 41, the bridge device 10, and the network 40. A plurality of terminal devices 20 and servers 30 may be provided.

  The configuration of the bridge device 10 will be described. FIG. 3 shows an outline of the configuration of the bridge device 10 of the present embodiment. The bridge device 10 includes a first external interface unit 11, a second external interface unit 12, a bridge processing unit 13, an internal interface unit 14, an internal session storage unit 15, an application unit 16, and an input unit 17. It has.

  The first external interface unit 11 and the second external interface unit 12 are network interfaces that communicate with the terminal device 20 and the server 30 via a network. The first external interface unit 11 of the present embodiment is connected to the network 40 and communicates with the server 30. The second external interface unit 12 communicates with the terminal device 20. The first external interface unit 11 and the second external interface unit 12 may each include a plurality of physical ports.

  The first external interface unit 11 of the present embodiment corresponds to the first communication unit 1 of the first embodiment. The second external interface unit 12 of the present embodiment corresponds to the second communication unit 2 of the first embodiment.

  The bridge processing unit 13 has a function of performing a bridge process and transferring an input packet to an external interface serving as an output destination. The bridge processing unit 13 has a function of detecting packets used for internal processing of the bridge device 10 among the input packets.

  When a packet is input, the bridge processing unit 13 refers to the filter condition stored in the internal session storage unit 15 and determines whether the input packet matches the filter condition. When the input packet does not satisfy the filter condition, the bridge processing unit 13 performs a bridge process and transfers the packet to an external interface corresponding to the destination of the packet. When the input packet matches the filter condition, the bridge processing unit 13 outputs the packet that matches the filter condition to the internal interface unit 14.

  The filter condition is set based on the host information that the terminal device 20 has. In the host information, items including a physical address and a logical address of the own apparatus necessary for communication on the network are set. For example, a MAC (Media Access Control) address, an IP (Internet Protocol) address, a subnet address, a gateway address, and a DNS (Domain Name System) server address are set in the host information. When PPPoE (Point-to-Point Protocol over Ethernet (registered trademark)) is used, a session ID and an MTU (Maximum Transmission Unit) are further set as host information. When configured as a VLAN (Virtual Local Area Network), a VLAN-ID or the like is further set as host information.

  In the filter condition, items including the address of the terminal device 20, the address of the communication destination server 30, and the protocol are set in the host information. Among the filter conditions, the address of the terminal device 20 and the address of the communication destination server 30 are used to detect that the packet is being transmitted / received between the terminal device 20 and the server 30. The protocol information is used to detect a packet that can be used for internal processing of the own device among packets transmitted and received between the terminal device 20 and the server 30.

  In this embodiment, host information such as a transmission source IP address and a destination IP address and protocol information are set in the filter condition. The bridge processing unit 13 extracts a transmission source IP address and a destination IP address from the header of the packet, and determines whether the packet is a packet transmitted / received between the terminal device 20 and the server 30. In addition, in the protocol item for determining whether to use for internal processing of the own device, a protocol that is less frequently used by the terminal device 20 in normal communication is set. By using a packet of a protocol that is less frequently used by the terminal device 20 in normal communication, the influence on the communication of the terminal device 20 can be suppressed.

  In the case of TCP and UDP, information on the destination port number and destination port number is further set in the filter condition. In the filter condition, a session ID or the like is further set in the case of PPPoE, and a VLAN-ID or the like is further set in the case of VLAN. The bridge processing unit 13 of this embodiment corresponds to the bridge processing unit 3 and the internal transfer unit 5 of the first embodiment.

  The internal interface unit 14 has a function of controlling communication performed by the bridge device 10 with the server 30. The internal interface unit 14 is a virtual network interface that processes communication within the bridge device 10. The internal interface unit 14 operates between the application unit 16 and the bridge processing unit 13. In the internal interface unit 14, a value obtained by copying the host information of the terminal device 20 is set as the host information of the own device. The host information is input from the input unit 17 and stored in the internal interface unit 14.

  The internal interface unit 14 may store host information corresponding to a plurality of terminal devices 20. When a plurality of host information is stored, necessary host information is selected and used for communication in the bridge device 10. The internal interface unit 14 of the present embodiment corresponds to the internal communication control unit 4 of the first embodiment.

  The internal session storage unit 15 has a function of storing a filter condition used when the bridge processing unit 13 determines whether an input packet is a packet used inside the bridge device 10. The internal session storage unit 15 stores filter conditions used when the bridge processing unit 13 determines whether to transfer the input packet to the internal interface unit 14. The internal session storage unit 15 may store a plurality of filter conditions.

  The application unit 16 has a function of executing firmware and application programs necessary for the operation of the bridge device 10. The application unit 16 transmits and receives packets to and from the server 30 in order to acquire update data and data necessary for execution of application programs having firmware, firewall functions, and the like.

  The input unit 17 has a function as an input interface for setting data. From the input unit 17, host information stored in the internal interface unit 14 and filter condition data stored in the internal session storage unit 15 are input. In the communication system of the present embodiment, host information and filter condition data are input by an operator using an input device connected to the input unit 17. The host information and the filter condition data may be input from another communication device or information processing device connected to the input unit 17. The host information filter condition data may be input from another communication apparatus or information processing apparatus via a network. The input unit 17 sends the input host information and filter condition data to the internal interface unit 14 and the internal session storage unit 15, respectively.

  The terminal device 20 is a communication terminal device that communicates with the server 30 or other information devices via the bridge device 10 and the network 40. The terminal device 20 is connected to the second external interface unit 12 via a network 41 configured by wireless communication or a network cable. The terminal device 20 has host information for communicating with other communication devices and the like in the IP network. As the terminal device 20, a mobile phone device, a smartphone, an information terminal device, a home electric device, a video display device, and other electronic devices having a communication function are used.

  The server 30 is an information device connected to the network 40. The server 30 stores update data and setting data of application programs such as firmware of the bridge device 10 and a firewall. The server 30 executes the data processing requested from the bridge device 10 and the terminal device 20, and returns the result. In addition, the server 30 transmits data requested from the bridge device 10 and the terminal device 20 to the request source. The server 30 transmits and receives packets between the bridge device 10 and the terminal device 20 via the network 40. The server 30 communicates based on the host information of the terminal device 20 when transmitting and receiving packets to and from the bridge device 10.

  The network 40 is a communication network that connects between the bridge device 10 and the server 30. The network 40 of this embodiment is the Internet. The network 40 may be another communication network such as a LAN (Local Area Network) formed on the premises. The network 41 is a communication network that connects between the bridge device 10 and the terminal device 20. The network 41 is configured as a LAN (Local Area Network), for example. The network 41 is a smaller network than the network 40.

  The operation of the communication system of this embodiment will be described. First, an operation when the bridge device 10 transmits a packet to the server 30 when a process requiring access to the server 30 occurs in the application unit 16 of the bridge device 10 of the communication system according to the present embodiment will be described. . FIG. 4 shows an outline of an operation flow when processing that requires access to the server 30 occurs in the application unit 16 of the bridge device 10 of the communication system according to the present embodiment.

  When data to be transmitted to the server 30 is generated in the application unit 16 and packet transmission processing occurs (step 111), the application unit 16 sends the data to be transmitted to the internal interface unit 14. When receiving data from the application unit 16, the internal interface unit 14 adds host information and an identifier indicating the type of packet to generate a packet for transmission. The internal interface unit 14 adds the stored host information of the terminal device 20 to the packet as host information of the own device.

  When the packet for transmission is generated, the internal interface unit 14 transfers the generated packet to the bridge processing unit 13 (step 112). When the packet is received from the internal interface unit 14, the bridge processing unit 13 transfers the received packet to the first external interface unit 11 (step 113). When receiving a packet from the bridge processing unit 13, the first external interface unit 11 transmits the received packet to the server 30 via the network 40 (step 114).

  When the server 30 receives a packet from the bridge device 10 via the network 40, the server 30 processes the received packet and generates reply data. When the reply data is generated, the bridge device 10 generates a reply packet based on the host information added to the received packet, that is, the host information of the terminal device. When the server 30 generates a reply packet, the server 30 transmits the generated packet to the network 40.

  Next, an operation when the bridge device 10 of the communication system according to the present embodiment receives a packet from the network 40 or the network 41 will be described. FIG. 5 shows an outline of an operation flow when the bridge device 10 of the communication system according to the present embodiment receives a packet.

  A packet sent from the network 40 or the network 41 is input to and received by the first external interface unit 11 or the second external interface unit 12 of the bridge device 10 (step 121). When receiving the packet, the first external interface unit 11 and the second external interface unit 12 transfer the received packet to the bridge processing unit 13. (Step 122).

  When a packet is received from the first external interface unit 11 and the second external interface unit 12, the bridge processing unit 13 checks whether the received packet matches the filter condition stored in the internal session storage unit 15. . The bridge processing unit 13 compares each item of the filter condition set as the internal transfer condition with the corresponding item of the input packet data, and determines whether the input packet matches the internal transfer condition. to decide.

  When the received packet does not match the filter condition (No in step 123), the bridge processing unit 13 performs a bridge process on the received packet based on the destination information and forwards it to the corresponding external interface unit (step 124). . The external interface unit that has received the packet from the bridge processing unit 13 outputs the received packet to the network 40 or the network 41.

  When the received packet matches the filter condition (Yes in Step 123), the bridge processing unit 13 transfers the received packet to the internal interface unit 14 (Step 124). When receiving the packet from the bridge processing unit 13, the internal interface unit 14 transfers the received packet to the application unit 16 (step 126). When receiving the packet, the application unit 16 processes the data of the received packet.

  The internal interface unit 14 of the bridge device 10 of the communication system according to the present embodiment generates a packet in which the host information of the terminal device 20 is added as information of the own device. The internal interface unit 14 transmits the generated packet to the server 30 via the bridge processing unit 13, the first external interface unit 11, and the network 40. As described above, the bridge device 10 according to the present embodiment transmits a packet as the host information of the terminal device 20 communicating with the network 40 via the own device and the host information of the own device.

  Further, the bridge processing unit 13 of the bridge device 10 transfers, to the internal interface unit 14, a packet that matches the filter condition among the packets input from the network and subjected to the bridge processing. In this way, by transferring a packet that matches the filter condition to the inside of its own device, the data sent from the server 30 based on the host information of the terminal device 20 can be acquired inside the bridge device 10. . In addition, since only the packets that match the filter condition among the packets sent using the host information of the terminal device 20 are used for the communication of the bridge device 10, the influence on the communication of the terminal device 20 can be suppressed. . As described above, the bridge device 10 according to this embodiment can acquire data by transmitting and receiving packets to and from the server 30 via the network 40 even when host information such as an IP address is not assigned. . As a result, the communication system according to the present embodiment can perform communication via a network in an environment where there is a restriction on allocation of host information.

(Third embodiment)
A third embodiment of the present invention will be described in detail with reference to the drawings. FIG. 6 shows an outline of the configuration of the communication system of the present embodiment. In the bridge device 10 of the communication system according to the second embodiment, the host information stored in the internal interface unit 14 is set by data input by an operator or the like. The bridge device of the communication system according to the present embodiment is characterized in that the host information stored in the internal interface unit is set based on the analysis result of the host information included in the packet input to the bridge processing unit.

  The communication system of this embodiment includes a bridge device 50, a terminal device 20, and a server 30. The communication system of this embodiment is configured as an IP network. The bridge device 50 and the server 30 are connected to each other via the network 40. Further, the terminal device 20 is connected to the bridge device 50 via the network 41. A plurality of terminal devices 20 and servers 30 may be provided. The configurations and functions of the terminal device 20, the server 30, the network 40, and the network 41 of this embodiment are the same as those of the terminal device 20, the server 30, the network 40, and the network 41 of the second embodiment.

  The configuration of the bridge device 50 will be described. FIG. 7 shows an outline of the configuration of the bridge device 50 of the present embodiment. The bridge device 50 includes a first external interface unit 11, a second external interface unit 12, a bridge processing unit 13, an internal session storage unit 15, and an application unit 16. The bridge device 50 further includes an internal interface unit 51, a host information analysis unit 52, and an input unit 53.

  The configurations and functions of the first external interface unit 11, the second external interface unit 12, the bridge processing unit 13, the internal session storage unit 15, and the application unit 16 of this embodiment are the same-named parts of the second embodiment. It is the same.

  The internal interface unit 51 has the same function as the internal interface unit 14 of the second embodiment. The internal interface unit 51 has a function of updating the stored host information. The internal interface unit 51 updates the host information based on the information extracted by the host information analysis unit 52 from the packet transmitted to and received by the terminal device 20 input to the bridge processing unit 13. The items of the host information stored in the internal interface unit 51 are the same as those in the second embodiment.

  The host information analysis unit 52 has a function of extracting host information from a packet transmitted to and received by the terminal device 20 input to the bridge processing unit 13. When the host information analysis unit 52 monitors the bridge processing of the bridge processing unit 13 and detects a packet transmitted and received by the terminal device 20, the host information analysis unit 52 extracts host information of the terminal device 20 from the detected packet. The host information analysis unit 52 sends the extracted host information of the terminal device 20 to the internal interface unit 51, and adds or updates the host information stored in the internal interface unit 51.

  The input unit 53 has a function as an input interface for setting data. Filter condition data stored in the internal session storage unit 15 is input from the input unit 53. In the communication system of the present embodiment, the filter condition data is input by an operator using an input device connected to the input unit 53. The filter condition data may be input from another communication device or information processing device connected to the input unit 53. The input unit 53 sends the input filter condition data to the internal session storage unit 15.

  Moreover, it is good also as a structure which can input the host information preserve | saved at the internal interface part 51 from the input part 53 similarly to 2nd Embodiment. For example, the host information stored in the internal interface unit 51 based on the analysis result of the host information analysis unit 52 after the operator inputs host information from the input unit 53 at the time of initial setting or maintenance and starts the operation. It may be added or updated dynamically.

  The operation of the communication system of this embodiment will be described. In the communication system according to the present embodiment, the operation when the bridge device 50 performs the bridge process and the internal transfer process for the received packet is the same as that in the second embodiment. In the communication system of the present embodiment, the operation when the bridge device 50 transmits a packet generated by the internal processing to the server 30 is the same as that of the second embodiment. Therefore, in the following, in the bridge device 50 according to the present embodiment, the host information stored in the internal interface unit 51 is set based on the analysis result of the host information included in the packet input to the bridge processing unit 13. Only the operation will be described. FIG. 8 shows an outline of an operation flow when the host information stored in the internal interface unit 51 is set based on the analysis result of the host information included in the packet input to the bridge processing unit 13 of this embodiment. Is shown.

  When the bridge processing unit 13 detects that a packet has been input from the first external interface unit 11 or the second external interface unit 12 (step 131), the bridge processing unit 13 checks the type of the packet. When the confirmation of the packet type is started, the bridge processing unit 13 first confirms whether the packet is a DHCP (Dynamic Host Configuration Protocol) packet.

  When the packet is a DHCP packet (Yes in Step 132), the bridge processing unit 13 starts a DHCP session process (Step 133). The DHCP session processing in the bridge processing unit 13 will be described later. When the DHCP session process is completed, the bridge processing unit 13 performs the bridge process based on the destination of the packet without discarding the packet (step 142).

  When the packet is not a DHCP packet (No in step 132), the bridge processing unit 13 determines whether the packet is a PPPoE session protocol packet. When the packet is a PPPoE session protocol packet (Yes in step 134), the bridge processing unit 13 starts the PPPoE session processing (step 135). The PPPoE session process in the bridge processing unit 13 will be described later. When the PPPoE session process is completed, the bridge processing unit 13 performs a bridge process based on the destination of the packet without discarding the packet (step 142).

  When the packet is not a PPPoE session protocol packet (No in step 134), the bridge processing unit 13 determines whether the packet is an ARP (Address Resolution Protocol) packet. When the packet is an ARP packet (Yes in step 136), the bridge processing unit 13 starts ARP processing (step 137). When the ARP process is started, the bridge processing unit 13 extracts address information from the ARP packet and adds data to the ARP table. When data is added to the ARP table, the bridge processing unit 13 performs bridge processing based on the destination of the packet without discarding the packet (step 142).

  When the packet is not an ARP packet (No in step 136), the bridge processing unit 13 determines whether the packet is an IP packet. When the packet is an IP packet (Yes in Step 138), the bridge processing unit 13 starts IP processing (Step 139). The IP process will be described later. When the IP processing is completed, the bridge processing unit 13 performs the bridge processing based on the destination of the packet without discarding the packet (step 142).

  When the packet is not an IP packet (No in step 138), the bridge processing unit 13 determines whether the packet matches the internal transfer filter condition. The method for determining whether a packet matches the filter condition is the same as in the second embodiment. When the packet matches the internal transfer filter condition (Yes in Step 140), the bridge processing unit 13 transfers the packet to the internal interface unit 14 (Step 141). When the packet is transferred to the internal interface unit 14, processing is performed in the same manner as in the second embodiment.

  When the packet does not match the internal transfer processing filter condition (No in Step 140), the bridge processing unit 13 performs the bridge processing based on the destination of the packet without discarding the packet (Step 142).

  The DHCP session process will be described. FIG. 9 shows an outline of an operation flow when the bridge processing unit 13 performs a DHCP session process. When the bridge processing unit 13 determines that the packet is a DHCP packet (step 151), the host information analysis unit 52 determines whether the message type of the packet is REQUEST.

  When the message type is REQUEST (Yes in Step 152), the host information analysis unit 52 stores the packet information as a REQUEST history (Step 153). When the host information analysis unit 52 saves the REQUEST history, the bridge processing unit 13 performs normal bridge processing (step 157).

  When the message type is not REQUEST (No in step 152), the host information analysis unit 52 determines whether the message type of the packet is ACK (acknowledgement). When the message type is not ACK (No in Step 154), the bridge processing unit 13 performs normal bridge processing (Step 157).

  When the message type is ACK (Yes in Step 154), the host information analysis unit 52 determines whether the packet matches the REQUEST history. When the packet matches the REQUEST history (Yes in step 155), the host information analysis unit 52 extracts information corresponding to the host information from the packet information, and adds the extracted information to the host information of the internal interface unit 51. (Step 156). In addition, when the message type of the packet indicates that DHCP information such as RELEASE or DCLINE is discarded, the host information analysis unit 52 deletes the corresponding host information in the internal interface unit 51.

  When the information extracted by the host information analysis unit 52 is added to the host information of the internal interface unit 51, the bridge processing unit 13 performs normal bridge processing (step 157). When the packet does not match the REQUEST history (No in Step 155), the bridge processing unit 13 performs normal bridge processing (Step 157).

  Next, PPPoE session processing will be described. FIG. 10 shows an outline of an operation flow of PPPoE session processing in the bridge device 50 of the present embodiment. When the bridge processing unit 13 determines that the packet is a PPPoE session processing packet (step 161), the host information analysis unit 52 determines whether the message type of the packet is PADR (PPPoE Active Discovery Request). When the message type is PADR (Yes in Step 162), the host information analysis unit 52 stores the packet information as a PADR history (Step 163). When the host information analysis unit 52 saves the PADR history, the bridge processing unit 13 performs normal bridge processing (step 180).

  When the message type is not PADR (No in step 162), the host information analysis unit 52 determines whether the message type is PADS (PPPoE Active Discovery Session-confirmation). When the message type is PADS (Yes in Step 164), the host information analysis unit 52 compares the packet information with the PADR history.

  When the packet information matches the PADR history (Yes in Step 165), the host information analysis unit 52 saves the packet information as PPPoE session information (Step 166). When the host information analysis unit 52 stores the PPPoE session information, the bridge processing unit 13 performs a normal bridge process (step 180). When the packet information does not match the PADR history (No in Step 165), the bridge processing unit 13 performs normal bridge processing (Step 180).

  When the message type is not PADS (No in step 164), the host information analysis unit 52 determines whether the message type is LCP (Link Control Protocol) Configuration Request. When the message type is LCP Configuration Request (Yes in Step 167), the host information analyzing unit 52 determines whether the packet information matches the PPPoE session information.

  When the packet information matches the PPPoE session information (Yes in Step 168), the host information analysis unit 52 stores the packet information as an LCP history (Step 169). When the host information analysis unit 52 saves the LCP history, the bridge processing unit 13 performs normal bridge processing (step 180). When the packet information does not match the PPPoE session information (No in Step 168), the bridge processing unit 13 performs normal bridge processing (Step 180).

  When the message type is not the LCP Configuration Request (No in Step 167), the host information analysis unit 52 determines whether the message type is the LCP Configuration Ack. When the message type is LCP Configuration Ack (Yes in Step 170), the host information analysis unit 52 determines whether the information of the packet matches the LCP history.

  When the packet information matches the LCP history (Yes in Step 171), the host information analysis unit 52 updates the PPPoE session information based on the packet information (Step 172). When the host information analysis unit 52 updates the PPPoE session information, the bridge processing unit 13 performs normal bridge processing (step 180). When the packet information does not match the LCP history (No in Step 171), the bridge processing unit 13 performs normal bridge processing (Step 180).

  When the message type is not LCP Configuration Ack (No in Step 170), the host information analysis unit 52 determines whether it is an IPCP (Internet Protocol Control Protocol) Configuration Request. When the message type is IPCP Configuration Request (Yes in Step 173), the host information analyzing unit 52 determines whether the packet information matches the PPPoE session information.

  When the packet information matches the PPPoE session information (Yes in Step 174), the host information analysis unit 52 stores the packet information as an IPCP history (Step 175). When the host information analysis unit 52 saves the IPCP history, the bridge processing unit 13 performs normal bridge processing (step 180). When the packet information does not match the PPPoE session information (No in Step 174), the bridge processing unit 13 performs normal bridge processing (Step 180).

  When the message type is not IPCP Configuration Request (No in Step 173), the host information analysis unit 52 determines whether it is IPCP Configuration Ack. When the message type is IPCP Configuration Ack (Yes in Step 176), the host information analysis unit 52 determines whether the information of the packet matches the IPCP history.

  When the packet information matches the IPCP history (Yes in Step 177), the host information analysis unit 52 updates the PPPoE session information based on the packet information (Step 178). When the PPPoE session information is updated, the host information analysis unit 52 adds the PPPoE session information as host information to the host information of the internal interface unit 51 (step 179). When the message type indicates deletion of PPPoE such as PADT or Termination Request, the host information analysis unit 52 deletes the corresponding host information in the internal interface unit 51. When the host information analysis unit 52 adds the host information, the bridge processing unit 13 performs normal bridge processing (step 180).

  When the packet information does not match the IPCP history (No in Step 177), the bridge processing unit 13 performs normal bridge processing (Step 180). When the message type is not IPCP Configuration Ack (No in Step 176), the bridge processing unit 13 performs normal bridge processing (Step 180).

  Next, IP processing will be described. FIG. 11 shows an outline of an operation flow when the bridge processing unit 13 performs a DHCP session process. When the bridge processing unit 13 determines that the packet is a DHCP packet (step 191), the host information analysis unit 52 determines whether an ARP entry that matches the MAC address and IP address of the transmission source exists in the ARP table of the bridge processing unit 13. Judging.

  When there is no ARP entry that matches the MAC address and IP address of the transmission source (No in step 192), the bridge processing unit 13 performs normal bridge processing (step 200). When there is an ARP entry that matches the MAC address and IP address of the transmission source (Yes in step 192), the host information analysis unit 52 determines whether there is an ARP entry that matches the destination MAC address in the ARP table.

  When there is no ARP entry that matches the destination MAC address (No in Step 193), the bridge processing unit 13 performs normal bridge processing (Step 200). When there is an ARP entry that matches the destination MAC address (Yes in step 193), the host information analysis unit 52 determines whether the IP address of the ARP entry matches the destination IP address.

  When the destination IP address matches the IP address of the ARP entry (Yes in Step 194), the bridge processing unit 13 performs normal bridge processing (Step 200). When the destination IP address does not match the IP address of the ARP entry (No in Step 194), the host information analysis unit 52 determines that the packet is transmitted from the terminal device 20 to a different subnet via the gateway. To do. If it is determined that the packet is sent to a different subnet, the host information analysis unit 52 starts setting each item of host information based on the packet information. When the setting of each item of host information is started, the host information analysis unit 52 sets the information of the source MAC address of the packet in the item of the MAC address of the host information (step 195). When the MAC address is set, the host information analysis unit 52 sets the packet source IP address information in the IP address item of the host information (step 196). When the IP address is set, the host information analysis unit 52 sets the IP address information of the ARP entry in the gateway address item of the host information (step 197).

  When the gateway address is set, the host information analysis unit 52 extracts upper bit information common to the IP addresses of all ARP entries in the ARP table. When the upper bit information common to the IP address of the ARP entry is extracted, the host information analysis unit 52 regards the extracted upper bit information as the subnet address and sets it in the subnet address item of the host information (step 198). ). When each item of host information is set, the host information analysis unit 52 adds the set information to the host information of the internal interface unit 51 (step 199). When the host information analysis unit 52 adds host information, the bridge processing unit 13 performs normal bridge processing (step 200).

  The communication system of this embodiment has the same effect as the communication system of the second embodiment. Further, in the communication system of the present embodiment, the host information analysis unit 52 of the bridge device 50 monitors the bridge processing of the bridge processing unit 13, and the packet transmitted by the terminal device 20 for acquiring host information or the like is transmitted. Detected. The host information analysis unit 52 extracts information such as host information from the packet when the terminal device 20 detects a packet being transmitted / received for acquisition of host information, and the internal interface based on the extracted information. Host information of the unit 51 is set.

  As described above, the bridge device 50 according to the present embodiment sets the host information stored in the internal interface unit 51 based on the information extracted from the packet subjected to the bridge processing by the bridge processing unit 13. Therefore, the bridge device 50 of the present embodiment can dynamically update the host information stored in the internal interface unit 51 without setting the host information from the input unit 53. In addition, the bridge device 50 according to the present embodiment extracts data from the packet that is transmitted and received by the terminal device 20, and performs normal bridge processing on the extracted packet. Therefore, the operation performed for the bridge device 50 to set the host information does not affect the communication of the terminal device 20. As described above, the communication system according to the present embodiment can perform communication via a network in an environment where there is a restriction on allocation of host information without requiring complicated setting work by an operator.

(Fourth embodiment)
A fourth embodiment of the present invention will be described in detail with reference to the drawings. FIG. 12 shows an outline of the configuration of the communication system of the present embodiment. In the bridge device of the communication system of the second and third embodiments, the filter condition stored in the internal session storage unit 15 is set based on information input from the input unit by the operator. The bridge device of the communication system according to the present embodiment is characterized in that the filter condition stored in the internal session storage unit is updated based on information extracted from a packet input to the internal interface unit.

  The communication system of this embodiment includes a bridge device 60, a terminal device 20, and a server 30. The communication system of this embodiment is configured as an IP network. The bridge device 60 and the server 30 are connected to each other via the network 40. In addition, the terminal device 20 is connected to the bridge device 60 via the network 41. A plurality of terminal devices 20 and servers 30 may be provided. The configurations and functions of the terminal device 20, the server 30, the network 40, and the network 41 of this embodiment are the same as those of the terminal device 20, the server 30, the network 40, and the network 41 of the second embodiment.

  The configuration of the bridge device 60 will be described. FIG. 13 shows an outline of the configuration of the bridge device 60 of the present embodiment. The bridge device 60 includes a first external interface unit 11, a second external interface unit 12, a bridge processing unit 13, an internal interface unit 14, and an application unit 16. The bridge device 60 further includes an internal session storage unit 61, an internal session analysis unit 62, and an input unit 63.

  The configurations and functions of the first external interface unit 11, the second external interface unit 12, the bridge processing unit 13, the internal interface unit 14 and the application unit 16 of the present embodiment are the same as those of the second embodiment. It is the same.

  The internal session storage unit 61 has the same function as the internal session storage unit 15 of the second embodiment. The internal session storage unit 61 has a function of updating the saved filter condition. The internal session storage unit 61 updates the filter condition based on the information extracted by the internal session analysis unit 62 from the packet input to the internal interface unit 14. Items set as filter conditions are the same as in the second embodiment.

  The internal session analysis unit 62 has a function of extracting information corresponding to the filter condition from the packet input to the internal interface unit 14. The internal session analysis unit 62 extracts information corresponding to the filter condition from the packet input from the bridge processing unit 13 to the internal interface unit 14. The internal session analysis unit 62 extracts, for example, a transmission source IP address, a destination IP address, and protocol information from the packet as information corresponding to the filter condition. The internal session analysis unit 62 sends information extracted from the packet to the internal session storage unit 61 to add or update the filter condition.

  The input unit 63 has a function as an input interface for setting data. From the input unit 63, host information data stored in the internal interface unit 14 is input. In the communication system of this embodiment, host information data is input by an operator using an input device connected to the input unit 63. The filter condition data may be input from another communication apparatus or information processing apparatus connected to the input unit 63. The input unit 63 sends the input host information data to the internal interface unit 14.

  Moreover, it is good also as a structure which can input the filter conditions preserve | saved at the internal session memory | storage part 61 from the input part 63 similarly to 2nd Embodiment. For example, the filter conditions stored in the internal session storage unit 61 based on the analysis result of the internal session analysis unit 62 after the operator inputs the filter conditions from the input unit 63 and starts the operation at the time of initial setting or maintenance. May be added or updated dynamically.

  The operation of the communication system of this embodiment will be described. In the communication system according to the present embodiment, the operation when the bridge device 60 performs a bridge process and an internal transfer process for the received packet is the same as that in the second embodiment. The operation when the bridge device 60 transmits a packet generated by the internal processing to the server 30 in the communication system of the present embodiment is the same as that of the second embodiment. Therefore, in the following, in the bridge device 60 of the present embodiment, the operation when the filter condition stored in the internal session storage unit 61 is set based on the information of the packet processed by the internal interface unit 14 is performed. Only explained. FIG. 14 shows an outline of the operation flow when the filter conditions stored in the internal session storage unit 61 are set based on the information of the packet processed by the internal interface unit 14.

  When it is detected that the internal interface unit 14 has received a packet (step 211), the internal session analysis unit 62 determines whether the internal interface unit 14 has received a packet from the application unit 16. When the internal interface unit 14 receives a packet from the application unit 16 (Yes in step 212), the internal session analysis unit 62 extracts information corresponding to each item of the filter condition from the information in the packet (step 213). When information corresponding to each item of the filter condition is extracted, the internal session analysis unit 62 sets the filter condition of the internal session storage unit 61 based on the extracted information (step 214).

  As the filter condition item, for example, a packet destination and a source address are extracted. In the case of TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), port number information is further extracted as a filter condition. If the packet is a TCP packet and has a FIN flag, an RST flag, or the like indicating the end of the session, the internal session storage unit 61 deletes the corresponding filter condition.

  When the internal session analysis unit 62 sets the filter condition of the internal session storage unit 61, the internal interface unit 14 transfers the packet to the bridge processing unit 13 (step 215). The packet transferred to the bridge processing unit 13 is transmitted from the external interface unit corresponding to the destination.

  When the internal interface unit 14 receives a packet from the bridge processing unit 13 (No in step 212), the internal session analysis unit 62 does not extract a filter condition from the packet. The internal interface unit 14 that has received the packet from the bridge processing unit 13 transfers the received packet to the application unit 16 (step 216).

  The bridge device 60 of the communication system according to the present embodiment has a configuration for dynamically setting the filter condition stored in the internal session storage unit 61. In addition to such a configuration, the bridge device 60 according to the present embodiment may include a configuration that dynamically sets host information stored in the internal interface unit, as in the third embodiment. When the host information is dynamically set, the host information analysis unit similar to that of the third embodiment is provided, and the host information is extracted from the packet for which the bridge processing is performed by the bridge processing unit 13. By adopting a configuration in which both the host information and the filter condition can be dynamically updated, the setting work when the bridge device 60 performs communication using the host information of the terminal device 20 can be further simplified.

  The communication system of this embodiment has the same effect as the communication system of the second embodiment. In the communication system of the present embodiment, the internal session analysis unit 62 of the bridge device 60 monitors the processing of the internal interface unit 14 and extracts information corresponding to the filter condition from the packet to be transmitted. The internal session analysis unit 62 sets filter conditions stored in the internal session storage unit 61 based on the extracted information. As described above, in the bridge device 60 according to the present embodiment, the filter condition stored in the internal session storage unit 61 is set based on the information extracted from the packet processed by the internal interface unit 14. . Therefore, the bridge device 60 of the present embodiment can dynamically update the filter condition stored in the internal session storage unit 61 without setting the filter condition from the input unit 63. As a result, the communication system according to the present embodiment can perform communication via a network in an environment where there is a restriction on allocation of host information without requiring complicated setting work by an operator.

DESCRIPTION OF SYMBOLS 1 1st communication means 2 2nd communication means 3 Bridge processing means 4 Internal communication control means 5 Internal transfer means 10 Bridge apparatus 11 1st external interface part 12 2nd external interface part 13 Bridge processing part 14 Internal interface part DESCRIPTION OF SYMBOLS 15 Internal session memory | storage part 16 Application part 17 Input part 20 Terminal device 30 Server 40 Network 41 Network 50 Bridge apparatus 51 Internal interface part 52 Host information analysis part 53 Input part 60 Bridge apparatus 61 Internal session storage part 62 Internal session analysis part 63 Input Part

Claims (10)

A first communication means for communicating with a first network;
A communication terminal device that communicates with the first network via its own device and a second communication means that communicates via a second network;
Bridge processing means for performing bridge processing for transferring packets input from the first network and the second network based on information included in the packets;
When acquiring predetermined data from the information device connected to the first network, a packet in which the host information of the communication terminal device is added as information of the own device is used as an internal processing packet via the first network. Internal communication control means for transmitting and receiving to and from the information device,
When the bridge processing unit performs the bridge processing of the input packet, the packet is set to the internal when the packet satisfies a predetermined filter condition set based on the host information of the communication terminal device. An internal transfer means for transferring the packet as a processing packet to the inside of the device;
A communication apparatus comprising: Internal processing means comprising: means for performing processing relating to control of the own apparatus as internal processing; and means for generating data of the internal processing packet for transmitting / receiving data necessary for the internal processing to / from the information device Further comprising
The internal communication control unit adds the host information of the communication terminal device as information of the own device to the data of the internal processing packet generated by the internal processing unit, and transmits the information device via the first network. The communication apparatus according to claim 1, wherein the internal processing packet transmitted to the internal processing unit is transmitted to the internal processing unit.   The bridge processing performed by the bridge processing means is monitored, and the host information of the communication terminal apparatus is determined from the predetermined type packet when the communication terminal apparatus detects a predetermined type of packet being transmitted / received. The communication apparatus according to claim 1, further comprising a packet analysis unit that extracts a packet.   When the packet analysis unit detects the predetermined type of packet, the transfer unit performs a bridge process without discarding the predetermined type of packet after the packet analysis unit finishes extracting the host information. The communication device according to claim 3, wherein the communication device is performed.   A filter condition setting unit configured to monitor the internal processing packet transmitted by the internal communication control unit via the first network and set the predetermined filter condition based on information extracted from the internal processing packet; The communication apparatus according to any one of claims 1 to 4, further comprising: A communication device according to any one of claims 1 to 5;
A server connected to the first network;
A communication terminal device having host information assigned to the own device and connected to the second network;
With
The communication apparatus is configured to acquire the predetermined data by communicating with the server via the first network based on the host information of the communication terminal apparatus. Performing a bridge process for transferring packets input from the first network and the second network based on information included in the packets;
When acquiring predetermined data from an information device connected to the first network, host information of a communication terminal device communicating with the first network via the own device is used as information of the own device. Transmitting the added packet as an internal processing packet to the information device via the first network;
When performing the bridging process on the input packet, if the packet satisfies a predetermined filter condition set based on the host information, the packet is transferred to the inside of the device as the internal processing packet. A communication method characterized by the above.   Monitoring the bridging process and extracting the host information of the communication terminal device from the predetermined type packet when the communication terminal device detects a predetermined type of packet being transmitted / received. The communication method according to claim 7.   9. The communication method according to claim 8, wherein when the predetermined type of packet is detected, the bridge processing is performed without discarding the predetermined type of packet after the extraction of the host information is completed. .   10. The packet transmitted through the first network is monitored, and the predetermined filter condition is set based on information extracted from the internal processing packet. Communication method.

Images