JP2023072425A - Communication device, communication method, and program - Google Patents

Abstract

To provide a communication device, a communication method, and a program that contribute to execution of communication with high-security, -reliability, and -convenience mainly from a global address to apparatuses in a private network.SOLUTION: A communication device includes: a receiving unit that receives a packet transmitted via a first network; a conversion rule acquisition unit that refers to the packet and acquires a conversion rule, which is a rule for converting header information of the packet; a conversion unit that converts the header information of the packet based on the conversion rule; and a transmission unit that transmits a packet to a second network based on the converted header information of the packet.SELECTED DRAWING: Figure 3

Description

The present invention relates to a communication device, communication method and program.

2. Description of the Related Art In recent years, with the widespread use of the Internet, many homes use devices that connect a public line network and a private network in a communication service using a fixed line such as an optical fiber called HGW (Home Gate Way). The HGW performs general broadband router functions such as connection to an ISP (Internet Service Provider), assignment of IP addresses to personal computers in the home, and wireless LAN access point (Wi-Fi access point).

HGW is used in some cases, such as opening a web server in a private network and installing a NAS (Network Attached Storage). Web servers and NAS installed in a private network are assigned private addresses through NAT (Network Address Translation) by the HGW. You cannot access web servers or NAS on your network. To solve this problem, there are techniques called static NAT and static IP masquerading, which many HGWs and routers are equipped with.

When using a static NAT setting, it is necessary to know in advance the IP address of the peer device communicating externally to the device in the HGW's private network. For example, there is a case where the global IP address of the own device cannot be grasped, such as when communicating from the outside to a device in the private network of the HGW from a public Wi-Fi at an outside location. In such a case, it is not possible to access devices in the home private network from the outside using static NAT.

When static IP masquerading is used, communications received to a specific port of the global IP address of the HGW are forwarded to a specific port of a specific device within the private network. This poses a security problem because it is possible to access the devices inside.

Patent Literature 1 discloses a communication method in which a terminal within a private network transmits a polling packet to an external server or the like, and communicates with the terminal using a response packet to the polling packet. Specifically, it makes it possible to control terminals within a private network from an external server, etc., by using the correspondence between the source's local address and global address, which is left in the router for a certain period of time when a polling packet is sent. .

Patent Document 2 discloses a router that uses static IP masquerading to enable access to web servers in a private network. A web server for menu display is provided in the router and can be accessed from an external network such as the Internet. When the Web server is accessed, a menu of links to Web devices open to the public within the private network is displayed. When the user selects the link, access to the selected web device is initiated.

Japanese Patent Publication No. 2005-520466 JP 2006-135704 A

In addition, each disclosure of the above prior art documents is incorporated into this document by reference. The following analysis was made by the inventors.

As in Patent Document 1, polling packets are used to enable communication between a terminal in a private network and a server having a global address. However, in this method, since correspondence created on the router is used when communicating from a private address to a global address using UDP (User Datagram Protocol), the communication method is limited to UDP-based communication in which packet arrival is not guaranteed. There are drawbacks such as

On the other hand, when a web server serving as a gateway to a private network is arranged as in Patent Document 2 above, it is impossible for anyone to access devices within the private network by providing an authentication unit in the web server. However, there is a drawback that the transparency of the connection is low and the convenience is lacking due to the intervening process of accessing the gateway once.

A main object of the present invention is to provide a communication device, a communication method, and a program that contribute to high-security, high-reliability, and high-convenience communication mainly from a global address to devices in a private network. and

According to a first aspect of the present invention or disclosure, there are provided a receiving unit for receiving a packet transmitted via a first network, and a rule for referring to the packet and converting header information of the packet. a conversion rule acquisition unit for acquiring a conversion rule; a conversion unit for converting header information of the packet based on the conversion rule; and transmitting a packet to a second network based on the converted header information of the packet. A communication device is provided having a transmitter for transmitting.

According to a second aspect of the present invention or disclosure, a step of receiving a packet transmitted via a first network; obtaining a rule; performing a transformation of header information of the packet based on the transformation rule; and transmitting a packet to a second network based on the transformed header information of the packet. A communication method is provided that includes:

According to a third aspect of the present invention or disclosure, a process of receiving a packet transmitted via a first network and a conversion process that is a rule for converting header information of the packet with reference to the packet acquiring a rule; performing conversion of header information of the packet based on the conversion rule; and transmitting the packet to a second network based on the converted header information of the packet. A program is provided for execution by a computer.
This program can be recorded in a computer-readable storage medium. The storage medium can be non-transient such as semiconductor memory, hard disk, magnetic recording medium, optical recording medium, and the like. The invention can also be embodied as a computer program product.

According to each aspect of the present invention and the disclosure, a communication device, a communication method, and a program that contribute to high-security, high-reliability, and high-convenience communication mainly from a global address to devices in a private network is provided.

It is a figure which shows an example of a structure of the communication apparatus which concerns on one Embodiment. It is a figure which shows an example of the conversion rule in one embodiment. 1 is a diagram illustrating an example of a configuration of a communication device according to a first embodiment; FIG. It is an example of a packet received by the communication device of the first embodiment. 4 is a flow chart showing an example of the operation of the communication device according to the first embodiment; 1 is a schematic diagram showing a hardware configuration of a communication device according to a first embodiment; FIG. FIG. 10 is a diagram showing an overview of a communication system according to a second embodiment; FIG. FIG. 10 is a diagram showing an example of the HGW configuration in the communication system according to the second embodiment; FIG. 10 is a diagram showing an example of the configuration of a PC in a communication system according to a second embodiment; FIG. 1 illustrates a prior art TCP frame; FIG. FIG. 10 is a diagram showing an example of a TCP frame generated by a PC in the communication system of the second embodiment; FIG. FIG. 12 is a diagram showing an example of the configuration of HGW in the communication system according to the third embodiment; FIG. FIG. 12 is a diagram showing an example of the configuration of a PC in a communication system according to a third embodiment; FIG.

First, an overview of one embodiment will be described. It should be noted that the drawing reference numerals added to this outline are added to each element for convenience as an example to aid understanding, and the description of this outline does not intend any limitation. Also, connecting lines between blocks in each figure include both bi-directional and uni-directional. The unidirectional arrows schematically show the flow of main signals (data) and do not exclude bidirectionality. Furthermore, in the circuit diagrams, block diagrams, internal configuration diagrams, connection diagrams, etc. disclosed in the present application, an input port and an output port exist at the input end and the output end of each connection line, respectively, although not explicitly shown. The input/output interface is the same.

FIG. 1 is a diagram showing an example of the configuration of a communication device according to one embodiment. As shown in this figure, the communication device 10 according to one embodiment has a receiver 11 , a conversion rule acquisition unit 12 , a converter 13 and a transmitter 14 .

The receiving unit 11 receives packets transmitted via the first network. A "first network" means a different network segment than a "second network". A communication device 10 separates the first network and the second network, and the communication is routed by the communication device 10 .

The conversion rule acquisition unit 12 acquires a conversion rule that is a rule for converting header information of the packet by referring to the packet. "Conversion" is to overwrite information for routing in the header of a packet, thereby changing information for another routing. For example, a destination IP address in an IP (Internet Protocol) header, or a destination port number in the case of TCP (Transmission Control Protocol) communication. A "conversion rule" is a set of rules for the above conversion. The conversion rule describes, for example, header information before conversion and header information after conversion in association with each other. This is for performing processing such as executing conversion to the header information after conversion corresponding to the case where the header information is received.

Here, the "conversion rule" has some functions in common with the NAT rule held by the router capable of NAT. It is characterized in that the conversion rule is described in the payload portion of the packet received by the receiving unit 11, instead of being written in the packet. The conversion rule acquisition unit 12 acquires the conversion rule of this payload part, and sends it to the conversion unit 13, which will be described later, to convert the header information of the packet. FIG. 2 is a diagram showing an example of conversion rules in one embodiment of the present invention. As shown in this figure, the translation rules are located in the payload portion of the packet. Although the conversion rule is positioned immediately after the header information in the figure, it is not limited to this, and may be positioned anywhere as long as the communication device can recognize the conversion rule in the payload portion.

The conversion unit 13 converts the header information of the packet based on the conversion rule. The conversion may be performed immediately on the received packet, or may be performed by reading the conversion rule when the first packet is received and discarding the first packet. The packet converted by the converter 13 is sent to the transmitter 14 .

A transmitter 14 transmits the packet to the second network based on the converted header information of the packet. The packet converted by the converter 13 is received, the converted header information is read, and the packet is transferred to the second network based on the header information.

As described above, according to the communication apparatus of one embodiment, by reading a packet containing a conversion rule received from the first network and converting the header information of the packet based on the conversion rule, the source address information etc. change, the packet can be forwarded to the second network according to the change. This makes it possible, for example, to transparently access a device located in a private network from a global address. Further, for example, even if the source dynamically acquires an IP address using DHCP (Dynamic Host Configuration Protocol) and the IP address of the source changes, the setting on the communication device 10 side can be changed without directly changing the setting. Communication can continue.

Specific embodiments will be described in more detail below with reference to the drawings. In addition, the same code|symbol is attached|subjected to the same component in each embodiment, and the description is abbreviate|omitted.

[First embodiment]
The first embodiment will be described in more detail with reference to the drawings.

FIG. 3 is a diagram showing an example of the configuration of the communication device according to the first embodiment. As shown in this figure, the communication device 10 according to the first embodiment has a receiving unit 11, a conversion rule acquiring unit 12, a converting unit 13, and a transmitting unit . Since these constituent requirements have already been explained above, description thereof is omitted. The communication device 10 of this embodiment further includes a conversion rule holding unit 15, an authentication information acquisition unit 16, an authentication unit 17, and a validity period information acquisition unit 18.

A conversion rule holding unit 15 holds the conversion rule acquired by the conversion rule acquisition unit 12 . Specifically, for example, the correspondence information between the header information before conversion and the header information after conversion described in the conversion rule is received from the conversion rule acquisition unit 12 and held, and the conversion unit 13 accesses the information. to load the transformation rules.

FIG. 4 is an example of a packet received by the communication device 10 of this embodiment. As shown in this figure, a packet is mainly divided into a header and a payload, and the header information includes source and destination IP addresses, source and destination port numbers, and the like. The payload portion includes a conversion rule, authentication information, and validity period information, which are features of the communication apparatus 10 of this embodiment. As shown in the drawing, the conversion rule associates the destination address and destination port number before conversion with the destination address and destination port number after conversion. Here, the destination address and destination port number before conversion are those of the communication device 10, and the destination address and destination port number after conversion are those of devices belonging to the second network.

The authentication information acquisition unit 16 acquires authentication information for authenticating the transmission source by referring to the packet. Authentication information for authenticating the source terminal or the like is included in the conversion rule or outside the conversion rule of the payload portion of the packet transmitted from the source and received by the receiving unit 11 . The communication device 10 of the present embodiment determines whether or not the header information of the packet can be converted by the authentication unit 17, which will be described later, based on the acquired authentication information. The authentication information acquisition unit 16 acquires this authentication information and passes the authentication information to the authentication unit 17, which will be described later.

The authentication unit 17 performs authentication using the authentication information. As for means of authentication, various methods related to device authentication of terminals and the like are conceivable, and are not limited to specific means. For example, authentication is executed by using a pair of a destination MAC address and a source MAC address included in an Ethernet frame and matching it with a list of MAC address pairs that allow authentication registered in the authentication unit 17 in advance. You may

After executing the authentication, the authentication unit 17 sends the authentication result to the conversion unit 13 . If the result of the authentication is successful, the conversion processing described above is executed in the conversion unit 13 . If the result of authentication is failure, the conversion unit 13 does not execute conversion processing. In this case, the conversion unit 13 may execute processing for discarding the packet.

The conversion unit 13 or the authentication unit 17 may execute a process of deleting the conversion rule held in the conversion rule holding unit 15 when the result of the authentication by the authentication unit 17 is failure.

A validity period information acquisition unit 18 acquires validity period information, which is information that defines a period during which the conversion is performed by referring to the packet. A packet received by the receiving unit 11 may contain validity period information inside or outside the conversion rule of the payload part. “Valid period information” defines the period during which the conversion rule acquired by the conversion rule acquisition unit 12 is applied by the conversion unit 13 . The conversion unit 13 may determine whether or not the valid period has expired, and the receiver unit 11 may discard packets whose valid period has expired.

The conversion unit 13 may execute a process of deleting the conversion rule held in the conversion rule holding unit 15 when it is determined that the validity period has expired.

As described above, the communication apparatus according to the present embodiment converts the header information by the conversion unit 13, thereby enabling the communication from the first network to the second network without setting static NAT, static IP masquerading, etc. in the router. It is possible to connect to the network transparently. In addition, by performing device authentication on the router, like the conventional static IP masquerade, all access to a specific port of the router is unconditionally transferred to a specific device on another network. It is possible to avoid configuration.

Furthermore, by adding validity period information to the conversion rule, the validity period of the conversion rule can be controlled. As a result, it is possible to avoid the risk of being left unattended with the conversion rule applied and being illegally accessed from the outside.

[Explanation of operation]
An example of the operation during communication of the communication device 10 of this embodiment will be described with reference to FIG. 5 is a flowchart illustrating an example of the operation of the communication device according to the first embodiment; FIG. When the communication operation of the communication device 10 starts, the receiver 11 receives packets transmitted via the first network (step S51). Next, the authentication information acquisition unit 16 acquires the authentication information in the packet (step S52). Next, authentication is performed by the authentication unit 17, and it is determined whether or not the authentication is successful (step S53). If it is determined here that the authentication has succeeded, the valid period information acquisition unit 18 acquires valid period information (step S54). If the authentication fails, the authentication unit 17 or the conversion unit 13 deletes the conversion rule held in the conversion rule holding unit 15 (step S55), and proceeds to the process of receiving the next packet (step S51). return. When valid period information is acquired (step S54), the conversion unit 13 determines whether the acquired packet is within the valid period (step S56). If it is determined that it is not within the valid period, the conversion unit 13 deletes the conversion rule in the conversion rule holding unit 15 (step S55) and returns to the process of receiving the next packet (step S51). In the case of the judgment result that it is within the validity period, the conversion rule acquisition unit 12 acquires the conversion rule in the received packet (step S57). The conversion unit 13 converts the header information of the packet based on the acquired conversion rule (step S58). The packet after conversion is transmitted by the transmission unit 14 via the second network, and the process returns to the process of receiving the next packet (step S51).

Note that the order of the above processes may be changed. For example, the communication device 10 first executes a conversion rule acquisition process (step S57), and then executes an authentication information acquisition process (step S52), an authentication process (step S53), and a validity period information acquisition process (step S54). You may

[Hardware configuration]
The communication device 10 can be configured by an information processing device (computer), and has a configuration illustrated in FIG. For example, the communication device 10 includes a CPU (Central Processing Unit) 61, a memory 62, an input/output interface 63, a communication means such as a NIC (Network Interface Card) 64, etc., which are interconnected by an internal bus 65. FIG.

However, the configuration shown in FIG. 6 is not meant to limit the hardware configuration of the communication device 10 . The communication device 10 may include hardware (not shown) and may not include the input/output interface 63 as necessary. Also, the number of CPUs and the like included in the communication device 10 is not limited to the example shown in FIG.

The memory 62 is a RAM (Random Access Memory), a ROM (Read Only Memory), an auxiliary storage device (hard disk, etc.).

The input/output interface 63 is means that serves as an interface for a display device and an input device (not shown). The display device is, for example, a liquid crystal display. The input device is, for example, a device such as a keyboard or mouse that receives user operations.

The functions of the communication device 10 are area management information data stored in the memory 62, position information data for each group, a reception program which is a processing module, a conversion rule acquisition program, a conversion program, an authentication information acquisition program, an authentication program, and validity period information. It is implemented by an acquisition program, a transmission program, and the like. The processing module is implemented by the CPU 61 executing a conversion program stored in the memory 62, for example. Also, the program can be downloaded via a network or updated using a storage medium storing the program. Furthermore, the processing module may be realized by a semiconductor chip. In other words, it is sufficient if there is means for executing the functions performed by the processing module by some kind of hardware and/or software.

[Hardware operation]
When the communication device 10 starts to operate, a reception program is called from the memory 62, is executed by the CPU 61, and receives packets by the NIC 64 via the first network. Next, an authentication information acquisition program is called from the memory 62 and executed by the CPU 61, and authentication information is acquired from information in the payload portion of the received packet. Next, the authentication program is called from the memory 62, is put into an execution state by the CPU 61, and performs authentication processing based on the acquired authentication information.

As a result of the authentication processing, if the authentication is successful, the validity period information acquisition program is called from the memory 62 and is executed by the CPU 61 . The program obtains validity period information from information in the payload portion of the received packet.

As a result of the authentication process, if the authentication fails, the receiving program returns to the process of receiving the packet. At this time, the authentication program may execute a process of deleting a later-described conversion rule held in the memory 62 .

Next, the conversion program is called from the memory 62 and executed by the CPU 61 . The conversion program refers to the acquired validity period information and determines whether it is within the validity period. If it is determined that the validity period has expired, the receiving program returns to the process of receiving the packet.

The valid period information is referred to, and when it is determined that the valid period is valid, the conversion rule acquisition program is called from the memory 62 and is executed by the CPU 61 . The conversion rule acquisition program acquires a conversion rule from packet information and stores it at a specified address in memory 62 .

The conversion program reads the conversion rule stored in the memory 62 and rewrites the header information of the received packet based on the conversion rule. Next, the transmission program is called from the memory 62 and executed by the CPU 61 . The sending program forwards the packet to the second network based on the rewritten header information.

[Explanation of effect]
With the communication device 10 of the present embodiment, it is possible to transfer packets to a different network without setting packet transfer such as static NAT or static IP masquerading to the communication device 10 in advance. Further, high security communication can be performed based on the authentication information and validity period information in the received packet information.

[Second embodiment]
A second embodiment will be described in more detail with reference to the drawings. In the second embodiment, an example of communication between an HGW (Home Gate Way) corresponding to the communication device 10, a PC as a transmission source, and a web server located in a private network is shown.

FIG. 7 is a diagram showing an outline of a communication system according to this embodiment. In this configuration, the HGW 200 separates an external network and a private network with a WAN and a LAN, holds a global IP address in the WAN, and uses the global IP address to communicate with an external network such as the Internet. The web server 250 is connected to the LAN of the HGW, has one private IP address, and listens on port 80. PC 300 is a personal computer, is installed in an external network from the perspective of HGW 200 and web server 250, and communicates with web server 250 from the external network.

FIG. 8 is a diagram showing an example of the configuration of the HGW 200 in the communication system of this embodiment. The HGW 200 comprises an information processing section 201 , a LAN port 202 , a WAN port 203 and a routing control section 204 . The information processing unit 201 controls each function installed in the HGW 200 . The LAN port 202 complies with IEEE802.3 and communicates with communication equipment of a private network. The WAN port 203 complies with IEEE 802.3 and communicates with a communication device with an external network such as the Internet. The routing control unit 204 determines the transfer destination of the communication received by the LAN port 202 or the WAN port 203, and transfers the communication. Communication between the private network and the external network is assumed to be NAPT (Network Address Port Translation).

FIG. 9 is a diagram showing an example of the configuration of the PC 300 in the communication system of this embodiment. The PC 300 comprises an information processing section 301 , a LAN port 302 and a packet generation tool 303 . An information processing unit 301 controls each function installed in the PC 300 . The LAN port 302 complies with IEEE 802.3 and communicates with communication devices of the network to which it is connected. A packet generation tool 303 generates a packet in which information specified by a user is embedded.

FIG. 10 shows a prior art TCP frame 400. As shown in FIG. A TCP frame 400 is composed of an Ethernet header, an IP header, a TCP header, a TCP message, and a CRC. The Ethernet header contains information such as source and destination MAC addresses. The IP header contains information such as source and destination IP addresses. The TCP header contains information such as source and destination port numbers. TCP messages contain arbitrary information. The CRC contains error correction information.

FIG. 11 is a diagram showing an example of a TCP frame generated by the PC 300 in the communication system of this embodiment. A TCP frame 500 is composed of an Ethernet header, an IP header, a TCP header, a TCP message, and a CRC. The Ethernet header contains information such as source and destination MAC addresses. The IP header contains information such as source and destination IP addresses. The TCP header contains information such as source and destination port numbers. The TCP message includes authentication information for the HGW 200 to permit communication from the PC 300, information on processing to be performed on the HGW 200 and the period during which the processing is applied to the HGW 200, the private IP address and port number of the web server 250, It contains the global IP address and port number and optional information that PC 300 uses to communicate with web server 250 . The CRC contains error correction information.

[Description of system operation]
An example of the operation of the communication system according to this embodiment will be described with reference to FIGS. In the configuration of FIG. 7, PC 300 generates a packet containing the following information with packet generation tool 303 in order to access web server 250 installed in the private network of HGW 200 .

Ethernet Header: Source MAC Address and Destination MAC Address IP Header: Source IP Address and Destination IP Address TCP Header: Source Port and Destination Port TCP Message:
Authentication information: Information necessary for the HGW 200 to permit this communication, for example, an authentication password for the WEB setting screen of the HGW 200, which the HGW 200 holds in advance, may be used.
Command: information of processing to be performed on the HGW 200 . In this case, it is a static IP masquerading setting.
Command Validity Period: The period during which the static IP masquerading settings above are applied to the HGW 200 . In this case, 5 minutes.
Private IP address and port number of web server 250 : Global IP address and port number used when PC 300 communicates with web server 250 .
CRC information

Next, the PC 300 transmits the TCP frame 500 generated above to the global IP address of the HGW 200 . When the HGW 200 receives the TCP frame 500 at the WAN port, the information processing section 201 analyzes the information added to the TCP message of the TCP frame 500 .

The information processing unit 201 permits setting to the HGW 200 by the TCP frame 500 if the authentication information added to the TCP message of the TCP frame 500 matches the user ID and password of the WEB GUI previously hosted by the HGW 200 .

The information processing unit 201 receives the static IP masquerade setting command added to the TCP message of the TCP frame 500, the effective period of the command, the private IP address and port number of the web server 250, and the PC 300 used when communicating with the web server 250. Based on the global IP address and port number, static IP masquerading is set in the routing control unit 204 .

In order to access the web server 250 , the PC 300 communicates with port 80 addressed to the global IP address of the HGW 200 . Since static IP masquerading is set in the HGW as described above, the communication received to port 80 of the global IP address of the HGW 200 will be sent to the private IP address of the web server 250 in the private network on the LAN side of the HGW and the specified address. port, and communication between the PC 300 and the web server 250 is realized.

Note that when the valid period of the command added to the TCP message of the TCP frame 500 expires, the information processing section 201 deletes the static IP masquerade setting information from the routing control section 204 .

[Explanation of effect]
Even if the HGW does not have a routing setting such as a static IP masquerade setting that permits external communication from an external network such as the Internet to a web server installed in the home private network, By performing routing settings such as static IP masquerade settings on the IP address, it is possible to communicate from the outside to devices in the private network. In addition, when routing settings such as static IP masquerade settings are performed in the HGW in advance, the specified port is always open and security is vulnerable. By performing routing such as static IP masquerade setting each time communication is performed, it is possible to communicate from the outside to devices in the private network without always opening the port to the HGW.

[Third embodiment]
In the communication system of this embodiment, PC 700 in FIG. 13 sends static IP masquerade information to HGW 600 in FIG. When the PC 700 communicates with the web server 250 instead of notifying the Web server 250, in addition to the original Ethernet frame, control information such as static IP masquerade setting as shown in the TCP message of FIG. 11 is always included in the Ethernet frame. The addition enables communication between the web server 250 in the private network and the PC 700 in the external network.

In the configuration of FIG. 7, in order to attempt to access the web server 250 installed in the private network of the HGW 600 of FIG. 12 from the web browser of the PC 700 of FIG. A general TCP frame 400 as shown in FIG.

The TCP frame 400 transmitted by the PC 700 is passed to the packet processing unit 703, and in addition to the original TCP message, the authentication information, command source IP address, and destination private IP address shown in FIG. 11 are added to the TCP message. , source port, and destination port.

Next, PC 700 transmits the generated TCP frame 500 to the global IP address of HGW 600 . When the HGW 600 receives the TCP frame 500 at the WAN port, the information processing section 601 analyzes the information added to the TCP message of the TCP frame 500 . The information processing unit 601 permits setting to the HGW 600 by the TCP frame 500 if the authentication information added to the TCP message of the TCP frame 500 matches the user ID and password of the WEB GUI preset in the HGW 600 .

Subsequently, the information processing unit 601 outputs the static IP masquerade setting command added to the TCP message of the TCP frame 500, the private IP address and port number of the web server 250, and the global IP used when the PC 700 communicates with the web server 250. The TCP frame 500 is transferred to the packet processor 605 based on the address and port number.

At this time, the TCP frame 500 is passed to the packet processing unit 605, and data such as authentication information and command information added by the packet processing unit 703 of the PC 700 is deleted. Therefore, TCP frame 500 becomes a general TCP frame like TCP frame 400 as shown in FIG.

Packet processing unit 605 transfers the above-described TCP frame to web server 250 via LAN port 602 . Communication between the PC 700 and the web server 250 is realized by the above procedure.

[Explanation of effect]
By using this procedure, routing settings such as static IP masquerading are executed each time communication occurs, so the time during which the port is open to the external network can be shortened compared to the communication system of the second embodiment. , the security level is improved.

Some or all of the above embodiments may also be described as follows, but are not limited to the following.
[Mode 1]
This is the same as the communication device according to the first aspect described above.
[Mode 2]
further comprising a conversion rule holding unit holding the conversion rule acquired by the conversion rule acquisition unit, wherein the conversion unit stores header information of the packet based on the conversion rule held in the conversion rule holding unit; A communications device, preferably of Form 1, for performing transformations.
[Mode 3]
further comprising: an authentication information acquisition unit that acquires authentication information for authenticating a transmission source by referring to the packet; and an authentication unit that performs authentication based on the authentication information, wherein the conversion unit performs authentication in the authentication unit. Preferably, the communication device according to form 1 or 2, which determines whether or not to perform the conversion according to an authentication result.
[Mode 4]
a validity period information acquisition unit that acquires validity period information that is information that defines a period for executing the conversion by referring to the packet;
Preferably, the communication device according to any one of modes 1 to 3, wherein the converting unit determines whether to perform the conversion according to the valid period information acquired by the valid period information acquiring unit.
[Mode 5]
Preferably, the communication device of form 3 dependent on form 2, wherein the conversion unit deletes the conversion rule held in the conversion rule holding unit when the authentication result in the authentication unit is a failure.
[Mode 6]
The conversion unit deletes the conversion rule held in the conversion rule holding unit when the validity period in the validity period information acquired by the validity period information acquisition unit has expired, preferably form 2 A communication device of form 4 dependent on.
[Mode 7]
The conversion rule acquisition unit acquires the conversion rule including information that associates a source address and a destination address,
7. Preferably, the communication device according to any one of modes 1 to 6, wherein the conversion unit performs the conversion according to source address information.
[Mode 8]
The conversion rule acquisition unit acquires the conversion rule including information that associates a port number at which the packet was received by the reception unit with a destination address and port number, and the conversion unit converts the packet into 8. The communication device, preferably according to any one of aspects 1 to 7, wherein said conversion is performed according to the received port number.
[Mode 9]
9. The communication device, preferably according to any one of aspects 1 to 8, wherein a payload portion of said packet includes at least one of said transformation rule, said authentication information and said validity period information.
[Form 10]
This is the communication method according to the second aspect described above.
[Mode 11]
This is the same as the program related to the third viewpoint mentioned above.
It should be noted that forms 10 and 11 can be expanded into forms 2 to 9 in the same manner as form 1. FIG.

The disclosures of the cited patent documents and the like are incorporated herein by reference. Within the framework of the full disclosure of the present invention (including the scope of claims), modifications and adjustments of the embodiments and examples are possible based on the basic technical concept thereof. Also, various combinations or selections of various disclosure elements (including each element of each claim, each element of each embodiment or example, each element of each drawing, etc.) within the framework of the full disclosure of the present invention (including partial deletion) is possible. That is, the present invention naturally includes various variations and modifications that can be made by those skilled in the art according to the entire disclosure including claims and technical ideas. In particular, any numerical range recited herein should be construed as specifically recited for any numerical value or subrange within that range, even if not otherwise stated.

10 Communication device 11 Reception unit 12 Conversion rule acquisition unit 13 Conversion unit 14 Transmission unit 15 Conversion rule storage unit 16 Authentication information acquisition unit 17 Authentication unit 18 Effective period information acquisition unit 61 CPU (Central Processing Unit)
62 memory 63 input/output interface 64 NIC (Network Interface Card)
65 internal bus 200, 600 HGW (Home Gate Way)
201, 601 Information processing section 202 LAN ports 203, 603 WAN (Wide Area Network) ports 204, 604 Routing control section 250 Web servers 300, 700 PC (Personal Computer)
301, 701 Information processing units 302, 602, 702 LAN (Local Area Network) port 303 Packet generation tools 400, 500 TCP frames 605, 703 Packet processing unit

Claims (10)

a receiver that receives packets transmitted over a first network;
a conversion rule acquisition unit that acquires a conversion rule that is a rule for converting header information of the packet by referring to the packet;
a conversion unit that converts the header information of the packet based on the conversion rule;
a transmitting unit configured to transmit packets to a second network based on translated header information of the packets;
A communication device having further comprising a conversion rule holding unit that holds the conversion rule acquired by the conversion rule acquisition unit;
the conversion unit executes conversion of header information of the packet based on the conversion rule held in the conversion rule holding unit;
2. The communication device of claim 1. an authentication information acquisition unit that acquires authentication information for authenticating a sender by referring to the packet;
an authentication unit that performs authentication using the authentication information;
further having
the conversion unit determines whether to perform the conversion according to the authentication result of the authentication unit;
3. A communication device according to claim 1 or 2. a validity period information acquisition unit that acquires validity period information that is information that defines a period for executing the conversion by referring to the packet;
the conversion unit determines whether to perform the conversion according to the validity period information acquired by the validity period information acquisition unit;
A communication device according to any one of claims 1 to 3. The conversion unit deletes the conversion rule held in the conversion rule holding unit when the authentication result in the authentication unit is unsuccessful.
The communication device of claim 3 when dependent on claim 2. The conversion unit deletes the conversion rule held in the conversion rule holding unit when the validity period in the validity period information acquired by the validity period information acquisition unit has expired.
A communication device as claimed in claim 4 when dependent on claim 2. The conversion rule acquisition unit acquires the conversion rule including information that associates a source address and a destination address,
the conversion unit performs the conversion according to the address information of the transmission source;
7. A communication device according to any one of claims 1-6. The conversion rule acquisition unit acquires the conversion rule including information that associates a port number at which the packet was received by the reception unit with a destination address and port number,
The conversion unit performs the conversion according to the port number that received the packet.
Communication device according to any one of claims 1 to 7. receiving packets transmitted over a first network;
obtaining a conversion rule, which is a rule for converting header information of the packet by referring to the packet;
performing conversion of header information of the packet based on the conversion rule;
transmitting a packet to a second network based on the translated header information of the packet;
communication methods, including a process of receiving packets transmitted over a first network;
A process of referring to the packet and obtaining a conversion rule that is a rule for converting the header information of the packet;
a process of converting the header information of the packet based on the conversion rule;
transmitting a packet to a second network based on the translated header information of the packet;
A program that causes a computer to run

Images