JP4722615B2 - Communication method and communication apparatus - Google Patents

Description

  The present invention relates to a communication method and a communication apparatus, and more particularly to a communication method and program for performing P2P communication from a computer connected to a network device having a NAT function, and a communication apparatus.

  In recent years, with the increase of host computers connected to the Internet, the problem of lack of IP (Internet Protocol) addresses has become prominent. Therefore, a NAT (Network Address Translator) function is used as one method for solving the shortage of IP addresses. The NAT function performs communication between a host computer having a private address (private IP address) in a local area network (LAN) that is a closed network and a host computer having a global address (global IP address) in the Internet. Therefore, address conversion is performed. As an extended function of NAT, a network address port translation (NAPT) function is also known and used. The NAPT function is also called IP masquerading, and is a technology that allows a plurality of host computers to be shared using a single global IP address by changing the private IP address and port number. In the present specification, hereinafter, NAT and NAPT are collectively referred to as NAT.

  FIG. 9 shows a network connection diagram for explaining the NAT function. The routers 13 and 14 have a NAT (NAPT) function, and store a conversion table that defines the correspondence / translation relationship between a private address / port number pair and a global address. The terminals 11 and 12 are PCs (personal computers), printers, and the like, and are computer systems in a broad sense in view of the installed processor operating according to a program.

  A private address “A” and a port “100” are assigned to the terminal 11 by the router 13. Here, the packet is transmitted from the terminal 11 to the terminal 12 in another LAN (connected to the router 14 having the global address N) via the Internet via the routers 13 and 14. In the IP header transmitted from the terminal 11, “N” as the destination address 21 and “A” as the source address 22 are written, and “200” as the destination port number 23 in the TCP header or UDP header. “100” is written as the port number 24. The router 13 refers to the conversion table, converts the private address “A” of the source address 22 to the global address “M” of the router 13, and transmits the packet to the router 14.

  Next, an IP packet is transmitted from the terminal 12 to the terminal 11 via the routers 14 and 13. In the header of the packet transmitted from the terminal 12, “M” as the destination address 31 and “B” as the transmission source address 32 are written, and “100” as the destination port number 33 is transmitted in the TCP header or UDP header. “200” is written as the original port number 34. The router 13 refers to the conversion table, converts the global address “M” of the destination address 31 to the private address “A”, and transmits the packet toward the terminal 11 in the LAN.

  On the other hand, applications using P2P (peer to peer) type communication such as online games and video chat (hereinafter referred to as P2P applications) are increasing. P2P type communication directly communicates between terminals without going through a server. In order to use a P2P application in a connection environment using the NAT function, STUN (see Non-Patent Document 1, for example) technology that is a standard of IETF (Internet Engineering Task Force) is known.

  Further, there is a document disclosing a communication method using a network device having a NAT function (for example, see Patent Document 1).

REC3489 “STUN-Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)” March 2003 JP 2005-117487 A

  However, communication may not be possible between terminals even with the STUN technology. This is because the standard is not stipulated in detail, or the parts to be implemented differ depending on the router. Further, if a firewall that cannot perform UDP (User Datagram Protocol) communication is connected in the middle of the communication path, communication between terminals cannot be performed. That is, when there are two or more terminals that perform communication and a network device (router or the like) having a NAT function is connected between the terminals, the communication cannot be performed (so-called “so-called”). , NAT traversal problem). Alternatively, when a network device (WEB proxy server or the like) having a firewall function is connected between terminals, communication cannot be performed (so-called firewall traversal problem).

  Conventionally, in order to deal with these NAT traversal problems and firewall traversal problems, an application installed in the terminal 11 of FIG. 9 is used by using a commercially available SDK (Software Development Kit) for NAT traversal and firewall traversal. There was a need to change. Furthermore, in order to cope with the NAT traversal problem and the firewall traversal problem, it is necessary to change the settings of the router 13 and the like in FIG. Therefore, there is still room for improvement in the above prior art in that communication over NAT and firewall cannot be performed without impacting the network environment.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide a communication method and a communication apparatus that can reliably execute a P2P application with a simple configuration in a network environment. is there.

  In order to achieve such an object, a communication method (FIGS. 1 and 3) according to the present invention includes a first computer (11) connected to a first network device (13) having a NAT function, and a NAT function. A communication method for performing P2P communication with a second computer (12) connected to a second network device (14) having a logic assigned separately from the first private address A first communication device (17) assigned a first virtual IP address, which is a typical IP address, is connected between the first network device and the first computer; A second communication device (18) to which a second virtual IP address, which is a logical IP address assigned separately from a private address, is assigned to the second network device. A first receiving step (S306), connected to the second computer, wherein the first communication device receives a packet including the second virtual IP address in a header from the first computer. → S316), the first communication device sets the first virtual IP address to the packet received in the first reception step, and uses the NAT traversal function (FIGS. 4 and 5) for the packet. A first transmission step (S316 to S322) for transmitting to the second computer via the first network device, and the first communication device, after the first transmission step, A second receiving step (S306 → S308) for receiving a packet including one virtual IP address and the second virtual IP address from the first network device; And the first communication device sets the second virtual IP address in the header of the packet received in the second reception step, and transmits the packet to the first computer. A transmission step (S308 to S314).

  In order to achieve the above object, a program according to the present invention causes a computer to execute each step of the communication method described above.

  In order to achieve the above object, the communication device (17) of the present invention is connected to the first computer connected to the first network device having the NAT function and the second network device having the NAT function. 1 is a communication device of a communication system (FIG. 1) for performing P2P type communication with a second computer that has been assigned a logical IP assigned separately from the first private address. A first virtual IP address, which is an address, is assigned and connected between the first network device and the first computer, and the communication system is assigned separately from a second private address A second virtual IP address, which is a logical IP address, is allocated between the second network device and the second computer. Another communication device (18) connected, wherein the communication device receives a packet including the second virtual IP address in a header from the first computer; and First transmission for setting the first virtual IP address in the packet received by the receiving means, and transmitting the packet to the second computer via the first network device using the NAT traversal function And second receiving means for receiving a packet including the first virtual IP address and the second virtual IP address from the first network device after transmission by the first transmitting means, The second virtual IP address is set in the header of the packet received by the second receiving means, and the packet is transmitted to the first computer. Characterized in that a transmission means.

  In addition, the code | symbol etc. in the figure in embodiment corresponding to the component of a claim are shown by (). However, the constituent elements described in the claims are not limited to the constituent elements in the embodiment of the above () part.

  With the above configuration, the communication device of the present invention can be introduced without impacting the network environment of the installation destination. Further, the IP address assigned to the terminal (the first computer) can be the one assigned by the first network device (router) that has already been installed in the conventional manner in the conversion table of the NAT function. It is possible to communicate with existing terminals (other PCs, printers, etc.) installed in the PC without changing settings.

  According to the present invention, it is possible to reliably execute a P2P application with a simple configuration in a network environment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, the same code | symbol is attached | subjected to the location which has the same function in each drawing.

[Device configuration]
FIG. 1 is an explanatory diagram of the P2P communication method of the present embodiment. The packet communication between the terminals 11 and 12 will be described with reference to FIG. The terminals 11, 12 and the like are PCs, printers, and the like, and are computer systems in a broad sense in view of the installed processor operating according to a program.

  The routers 13 and 14 have a NAT (NAPT) function, and store a conversion table that defines the correspondence / translation relationship between a private address / port number pair and a global address. The routers 13 and 14 have global addresses “M” and “N”, respectively. A private address “A” and a port “100” are assigned to the terminal 11 by the router 13. A private address “B” and a port “200” are assigned to the terminal 12 by the router 14.

  Reference numerals 17 and 18 in the figure denote communication devices that are characteristic of the present embodiment, and are referred to as NNM (Nomadic Node Module) in the present embodiment. A private address “P” and a port “100” are assigned to the NNM 17 by the router 13, and a logical IP address “X” is assigned separately from the private address “P”. A logical IP address assigned separately from this private address is called a “virtual IP address” in the present embodiment, and a virtual IP address “X” is assigned to the NNM 17. A method for acquiring the virtual IP address will be described later.

  A private address “Q” and a port “200” are assigned to the NNM 18 by the router 14, and a virtual IP address “Y” is further assigned. Each NNM implements an NNM program created by incorporating a commercially available SDK for NAT traversal and firewall traversal. The processing contents of the NNM program will be described later.

  The session management server 25 stores socket (port number + virtual IP address + global address) data. The storage of the socket of the session management server 25 will be described later.

  A WEB proxy server (not shown) having a firewall function is connected to the LAN including the terminal 11, the NNM 17, and the router 13. Similarly, another WEB proxy server (not shown) having a firewall function is also connected to the LAN including the terminal 12, the NNM 18, and the router 14.

  Here, the packet is transmitted from the terminal 11 to the terminal 12 in another LAN (connected to the router 14 with the global address N) via the Internet via the NNM 17, the routers 13 and 14, and the NNM 18. In the IP header of the packet 30 transmitted from the terminal 11, the virtual IP address “Y” is written as the destination address 21 and “A” is written as the source address 22, and the destination port number 23 is written in the TCP header or UDP header. “200” and “100” are written as the source port number 24. The virtual IP address “Y” as the destination address 21 is acquired by the terminal 11 from the session management server 25 using the destination port number “200” as a key.

  The NNM 17 sets the destination global address (virtual IP address) “Y” in the payload, acquires the source virtual IP address “X” stored in a RAM (random access memory) (not shown), and sets it in the payload. . The storage of the transmission source virtual IP address “X” in the RAM will be described later. The NNM 17 acquires the destination global address “N” and the private address “P” as the source address, and sets them in the header. The destination global address “N” is acquired by the NNM 17 from the session management server 25 using the destination port number “200” as a key. The private address “P” is assigned in advance by the router 13. Then, the NNM 17 transfers the packet to the NNM 18 by using a function such as an SDK for NAT traversal and firewall traversal.

  The router 13 refers to the conversion table, converts the private address “P” of the transmission source address to the global address “M” of the router 13, and transmits the packet to the router 14.

  Next, the packet is transmitted from the terminal 12 to the terminal 11 via the NNM 18, the routers 14 and 13, and the NNM 17. In the header of the packet transmitted from the terminal 12, the virtual IP address “X” is written as the destination address 31 and “B” is written as the source address 32, and “100” is set as the destination port number 33 in the TCP header or UDP header. "200" is written as the source port number 34. Subsequent processing of the NNM 18 is the same as that of the NNM 17 described above.

  The router 14 refers to the conversion table, converts the private address “Q” of the source address to the global address “N” of the router 14, and transmits the packet to the router 13.

  The router 13 refers to the conversion table, converts the global address “M” of the destination address 31 to the private address “P”, and transmits the packet 40 toward the NNM 17 in the LAN.

  The NNM 17 deletes the destination virtual IP address “X” from the payload, and sets the payload source virtual IP address “Y” as a source address in the header. The NNM 17 acquires the destination private address “A”, sets the destination address in the header, and transmits the packet to the terminal 11. Acquisition of the private address “A” of the connected terminal 11 will be described later.

  In normal communication, the NNM 17 operates as a bridge that acquires IP from the router 13 by DHCP (dynamic host configuration protocol). A logical IP address (virtual IP address “X”) is newly assigned to the NNM 17 separately from the real IP address (private address “P”) assigned by the router 13. When NNMs communicate with each other, a virtual IP address is designated. Communication between virtual IP addresses is performed by setting up a session over NAT and firewall over a commercially available SDK or the like and tunneling packets over the session.

  By connecting the NNM 17, the terminal 11 can be accessed from terminals on other networks with the virtual IP address “X” assigned to the NNM 17. The NNM 17 is characterized in that by providing this virtual IP address “X”, communication across NAT and firewall can be performed without affecting (modifying) existing applications running on the terminal 11.

[Description of operation]
Next, a main procedure of communication control processing executed by a CPU (central processing unit) (not shown) of the NNM 17 in the packet communication between the terminals 11 and 12 described above with reference to FIG.

  Processing related to the above-described operation of the NNM 17 of this embodiment is performed according to the processing procedure shown in the flowcharts of FIGS. These processing procedures are processes performed when the CPU of the NNM 17 reads and executes an NNM program stored in a ROM (read only memory).

  FIG. 2 is a flowchart showing the NNM power ON process of the NNM 17 when the power of the terminal 11 and the NNM 17 is turned on in a situation where the router 13, the session management server 25, etc. are already started up.

When the power is turned on, the NNM 17 receives a negotiation packet from the connected terminal 11 (step S200). Negotiations from the terminal 11 include obtaining a private address “A” from the router 13 by DHCP, an ARP (Address Resolution Protocol) request, and the like. Next, the NNM 17 recognizes the private address “A” of the connected terminal 11 from the received packet, and stores it in the RAM (step S202). At this stage, the NNM 17 acquires its own private address “P” from the router 13 and stores it in the RAM. Next, in step S204, the NNM 17 branches the process according to the virtual IP address acquisition method. For example, the setting method for acquiring the virtual IP address may be a known setting means such as enabling switching selection with a DIP switch or the like mounted on the NNM.

  When acquiring the virtual IP address by the setting file in the NNM, the NNM 17 acquires the virtual IP address “X” set in advance from the setting file in the NNM and stores it in the RAM (step S206). The NNM 17 acquires its own port number “100” and global address “M” set in the conversion table of the inquiry router to the router 13 and stores them in the RAM (step S208). The NNM 17 transmits the socket (port number “100” + virtual IP address “X” + global address “M”) to the session management server 25 and stores it.

  When acquiring the virtual IP address from the session management server 25, the NNM 17 acquires its own port number “100” set in the conversion table of the inquiry router from the router 13, and stores it in the RAM (step S212). The NNM 17 requests the session management server 25 to allocate a virtual IP address for the port number “100” (step S214). Then, the NNM 17 acquires a socket (port number “100” + virtual IP address “X” + global address “M”) stored in advance in the session management server 25 (step S216). The NNM 17 acquires the virtual IP address “X” and the global address “M” from the acquired socket, and stores them in the RAM (step S218).

  When acquiring a virtual IP address by communication between NNMs, the NNM 17 recognizes a free virtual IP address in a predetermined virtual IP address space by negotiation between NNMs in its own LAN (step S220). The NNM 17 acquires the youngest virtual IP address (in this example, “X”) among the free virtual IP addresses, and stores it in the RAM (step S222). Then, the NNM 17 acquires its own port number “100” and global address “M” set in the conversion table of the inquiry router to the router 13 and stores them in the RAM (step S224). The NNM 17 transmits the socket (port number “100” + virtual IP address “X” + global address “M”) to the session management server 25 and stores it (step S226).

  FIG. 3 is a flowchart showing the NNM normal processing of the NNM 17 in the normal state after turning on the power of the NNM 17.

  When the NNM 17 detects reception of a packet, the NNM 17 determines whether the received packet is a packet addressed to the virtual IP address (steps S300 → S302). That is, in step S302, if the IP address in the network segment (eg, 10.0.0.0/8) unique to the virtual IP address is set in the received packet, the NNM 17 determines that the IP address is the virtual IP address. The received packet is determined to be a packet addressed to the virtual IP address. For example, when the IP address “Y” or “X, Y” is set in the received packet as in the packet 30 or 40 shown in FIG. 1, the NNM 17 changes the IP address to the virtual IP address “Y” or It is determined as “X, Y”, and it is determined that the packet 30 or 40 is a packet addressed to the virtual IP address.

  If the NNM 17 determines in step S302 that the received packet is not a packet addressed to the virtual IP address, the NNM 17 transfers the received packet as it is to the network on the opposite side of the receiving side (step S304).

  When the NNM 17 determines in step S302 that the received packet is a packet addressed to the virtual IP address, the NNM 17 receives the received packet based on the private address “A” of the connected terminal 11 acquired in the process of step S202 in FIG. Is a packet addressed to the terminal 11 (step S306). For example, if the private address “A” of the terminal 11 is set as the transmission source address 22 in the reception packet as in the packet 30 shown in FIG. 1, the NNM 17 transmits the reception packet from the terminal 11 to another NNM. Judged to be a packet. Further, for example, the NNM 17 determines that the received packet is a packet addressed to the terminal 11 when the private address “A” of the terminal 11 is not set in the received packet as in the packet 40 illustrated in FIG. 1.

  A case where the received packet is a packet addressed to another NNM from the terminal 11 in step S306 will be described with reference to the example of FIG. In the IP header of the packet 30 transmitted from the terminal 11, the virtual IP address “Y” is written as the destination address 21 and “A” is written as the source address 22, and the destination port number 23 is written in the TCP header or UDP header. “200” and “100” are written as the source port number 24. The NNM 17 sets the destination global address (virtual IP address) “Y” in the payload (step S316). Next, the NNM 17 acquires the source virtual IP address “X” stored in the RAM, and sets it in the payload (step S318). The storage of the transmission source virtual IP address “X” in the RAM is performed by the process described above with reference to FIG.

  The NNM 17 acquires the destination global address “N” and the private address “P” as the transmission source address, and sets them in the header (step S320). The destination global address “N” is acquired by the NNM 17 from the session management server 25 using the destination port number “200” as a key. The private address “P” is assigned in advance by the router 13. Then, the NNM 17 transfers the packet to the NNM 18 by using a function such as an SDK for NAT traversal and firewall traversal (step S322). Details of the processing in step S322 will be described later.

  A case where the received packet is a packet addressed to the terminal 11 in step S306 will be described with reference to the example of FIG. In the header of the packet 40 transmitted from the router 13, the private address “P” is written as the destination address and the global address “N” is written as the source address, and “100” is set as the destination port number in the TCP header or UDP header. “200” is written as the transmission source port number. Furthermore, the destination global address (virtual IP address) “X” is set in the payload, and the source virtual IP address “Y” is set in the payload. The NNM 17 deletes the destination virtual IP address “X” from the payload (step S308). Next, the NNM 17 sets the source virtual IP address “Y” of the payload as a source address in the header (step S310).

  The NNM 17 sets the private address “A” of the connected terminal 11 acquired in the process of step S202 in FIG. 2 in the header as a destination address (step S312). The NNM 17 transfers the packet edited in this way to the terminal 11 (step S314).

  In the following, the process of step S322 in FIG. 3 (process of transferring a packet to the NNM 18 using a function such as a NAT traversal and firewall traversal SDK) will be described. Since various methods are well known to those skilled in the art using commercially available SDKs for NAT traversal and firewall traversal, their outlines will be described with reference to an example suitable for this embodiment.

  At the beginning of the process of step S322, the NNM 17 detects the installation status of the NAT and firewall. Various methods well known to those skilled in the art may be applied to this detection. When NAT traversal is necessary, the NNM 17 performs processing shown in FIGS. When it is necessary to cross the firewall, the NNM 17 performs processing shown in FIGS.

  4 and 5 are explanatory diagrams of the NAT traversal processing of NNM, showing an example suitable for this embodiment of the NAT traversal processing, and an example to which the technique disclosed in Patent Document 1 is applied. In order to realize a P2P application in a connection environment using the NAT function, it is necessary to always open a predetermined port in the router from the start to the end of communication. A method for opening a port at the beginning of communication with reference to FIG. 4 and a method for maintaining a port once opened with reference to FIG.

  Referring to FIG. 4, when performing P2P communication between terminals, avoid blocking by ICMP (Internet Control Message Protocol) packet (destination unreachable message), and first open the router port used in the session. It is necessary to keep. Therefore, the number of hops to the router 13 is checked, and a UDP packet for opening a port is transmitted.

  Specifically, the NNM 17 generates an ICMP echo packet and transmits it with TTL (Time To Live) = 1. Sequentially increasing TTL = 2.3... And transmitting a plurality of echo packets. When an echo packet 51 having a TTL value equal to the number of hops of the router 13 is transmitted, the echo packet 52 is returned from the router 13 to the NNM 17. The NNM 17 can know the number of hops to the router 13 from the returned echo packet 52.

  Next, the NNM 17 sets a value α obtained by adding 1 to the number of hops of the router 13 to the TTL, and transmits the port setting packet 53 of the transmission source port number “100”. As a result, the port of the transmission source port number “100” of the router 13 is opened. Since the port setting packet 53 is deleted at the next hop of the router 13, it does not affect other communications.

  With such a configuration, communication between the NNMs using the packets 54 and 55 can be performed by opening the port of the transmission source port number “100” of the router 13. At this time, if the router 14 also has a function of blocking by the ICMP packet, the NNM 18 performs the same processing.

  Next, referring to FIG. 5, while the packet transmission / reception is interrupted in the same session, it is necessary to maintain the opened port so that the router does not clear the conversion table. Therefore, keep-alive packets are transmitted at regular time intervals while packet transmission / reception is interrupted. For example, the number of hops to the router 13 is checked in advance using the ICMP echo packet described above. The NNM 17 sets a value α obtained by adding 1 to the number of hops of the router 13 to the TTL, and transmits the UDP packet 61 of the transmission source port number “100”. As a result, the contents of the conversion table stored in the router 13 are not deleted, and packets with the same port number set can be transmitted thereafter.

  In the embodiment shown in FIGS. 4 and 5, it may be transmitted only to a router having a function of blocking by an ICMP packet. This is because some routers have a function of discarding a packet and closing a port when the TTL setting value is α.

  When the port setting packet and the keep alive packet reach another NNM, the communication is prevented from being disrupted. For example, as shown in FIG. 5, flags 63 and 64 are added to the head of all packets, and “1” is set for a keep-alive packet and “0” is set for a normal packet. In this way, even when the NNM receives a keep-alive packet, it can be identified and discarded.

  6 to 8 are flowcharts of the NNM firewall traversal process, showing an example suitable for the present embodiment of the firewall traversal process.

  In FIG. 6, the NNM 17 searches for a usable communication method (step S600). If the return value of step S600 is other than ffffH, that is, if the network can use UDP (step S602), the NNM 17 generates a communication path using an available communication method (step S604).

  FIG. 7 is a flowchart of the communication method search process in step S600 described above. The NNM 17 transmits a packet (using a port other than a well-known port number such as HTTP or POP3) to the port number n of the server (WEB proxy not shown) using UDP (step S700). The NNM 17 determines whether or not the packet has reached the server-side standby port number (step S702). When the packet arrives at the server-side standby port number, the NNM 17 sets a return value = 0 (UDP communication is available) in the RAM (step S704), and returns to the caller process (return).

  When the packet does not reach the server-side standby port number, the NNM 17 transmits the packet to the port 443 (used by HTTPS communication) of the server using UDP (step S706). The NNM 17 determines whether a packet has arrived at the server-side standby port number (step S708). When the packet arrives at the standby port number on the server side, the NNM 17 sets a return value = 1 (UDP communication addressed to the port 443 is possible) in the RAM (step S710), and returns to the caller process (return). .

  If the packet does not reach the server-side standby port number, the NNM 17 transmits the packet to the 80th port (used by HTTP communication) of the server using UDP (step S712). The NNM 17 determines whether or not the packet has reached the server-side standby port number (step S714). When the packet arrives at the standby port number on the server side, the NNM 17 sets a return value = 2 (UDP communication addressed to the 80th port is possible) in the RAM (step S716), and returns to the caller process (return). .

  When the packet does not reach the server-side standby port number, the NNM 17 transmits a packet (using a port other than the well-known port number such as HTTP or POP3) to the server port number n using TCP (step S718). . The NNM 17 determines whether or not the packet has reached the server-side standby port number (step S720). If the packet arrives at the server-side standby port number, the NNM 17 sets a return value = 3 (TCP communication is available) in the RAM (step S722), and returns to the caller process (return).

  When the packet does not reach the server-side standby port number, the NNM 17 transmits the packet to the port 443 (used by HTTPS communication) of the server using TCP (step S724). The NNM 17 determines whether or not the packet has reached the server-side standby port number (step S726). When the packet arrives at the standby port number on the server side, the NNM 17 sets a return value = 4 (TCP communication addressed to the port 443 is possible) in the RAM (step S728), and returns to the caller process (return). .

  When the packet does not reach the standby port number on the server side, the NNM 17 transmits the packet to the 80th port (used by HTTP communication) of the server using TCP (step S730). The NNM 17 determines whether or not the packet has arrived at the server-side standby port number (step S732). When the packet arrives at the server-side standby port number, the NNM 17 sets a return value = 5 (TCP communication addressed to the 80th port is possible) in the RAM (step S734), and returns to the caller process (return). .

  If the packet does not reach the server-side standby port number, the NNM 17 sets a return value = ffffH (UDP unavailable) in the RAM (step S736), and returns to the caller process (return).

  FIG. 8 is a flowchart of the communication path generation process in step S604 described above. When the return value of the above-described step S600 is any of 3, 4, or 5, the NNM 17 wraps the UDP data in TCP in order to perform UDP communication in an environment where UDP cannot be used (steps S800 → S802).

  Next, when the return value of the above-described step S600 is either 1 or 4, the NNM 17 waits for the communication destination terminal at the port 443 (step S806) and connects to the port 443 (step S804). → S808).

  Alternatively, if the return value in step S600 described above is either 2 or 5 (step S804 → S810), the NNM 17 waits for the communication destination terminal at the port 80 (step S812). Connection is made (step S814).

  Here, as an example, it is assumed that SSL (Secure Sockets Layer) communication by the CONNECT method is permitted in an environment where a WEB proxy is installed on the network. In the subsequent steps, the NNM 17 performs a process of “beyond the firewall by the HTTPS CONNECT method”.

  The NNM 17 converts the payload to be transmitted into a data string that can be handled by HTTP (step S816). Next, the NNM 17 adds an HTTP header to the TCP packet and attaches the converted data string (the header to be added uses a CONNECT header defined by HTTP) (step S818). The NNM 17 puts the address of the communication destination terminal in the CONNECT header, transmits the packet to the WEB proxy (step S820), and returns to the caller process (return). As a result, the WEB proxy misidentifies the SSL communication, permits the communication, and transfers the packet to the communication destination terminal.

[Effect of the embodiment]
As described above, according to the present embodiment, as a first aspect, the communication method (FIGS. 1 and 3) includes the first computer (11) connected to the first network device (13) having the NAT function. ) And the second computer (12) connected to the second network device (14) having the NAT function, the first private address is a communication method for performing P2P type communication. A first communication device (17) assigned with a first virtual IP address, which is a logical IP address assigned separately, is connected between the first network device and the first computer. The second communication device (18) assigned the second virtual IP address, which is a logical IP address assigned separately from the second private address, A first reception device that is connected between the network device and the second computer, and wherein the first communication device receives a packet including the second virtual IP address in a header from the first computer. In step (S306 → S316), the first communication device sets the first virtual IP address to the packet received in the first reception step, and sets the packet to the NAT traversal function (FIGS. 4 and 5). A first transmission step (S316 to S322) for transmitting to the second computer via the first network device using the first network device, and the first communication device after the first transmission step A second receiving step (S) of receiving a packet including the first virtual IP address and the second virtual IP address from the first network device (S 06 → S308), the first communication device sets the second virtual IP address in the header of the packet received in the second reception step, and transmits the packet to the first computer. And a second transmission step (S308 to S314).

  Here, as a second aspect, in the first aspect, the packet received in the first reception step includes the second virtual IP address in the destination address of the header, and in the first transmission step The packet to be transmitted includes the first virtual IP address and the second virtual IP address in the payload, and the packet received in the second reception step includes the first virtual IP address in the payload. The packet that includes the second virtual IP address and is transmitted in the second transmission step includes the second virtual IP address in the source address of the header.

  As a third aspect, in the first or second aspect, a third network having a firewall function in a network including the first communication device, the first network device, and the first computer. A device (a WEB proxy server (not shown)) is connected, and in the first transmission step, the first communication device has a firewall traversal function (see FIG. 6 to FIG. 6) that sets a packet in which the first virtual IP address is set. 8) can be further used for transmission.

  According to a fourth aspect, in the aspect described in any one of the first to third aspects, the first communication device receives a packet that does not include the second virtual IP address in a header from the first computer. If the packet is transmitted to the first network device and a packet not including the first virtual IP address and the second virtual IP address is received from the first network device, A third transmission step (S302 → S304) for transmitting the packet to the first computer may be further provided.

With the above configuration, the communication method using the communication device (NNM 17) of the present embodiment has the following effects.
-It is not necessary to change the application on the terminal 11 by SDK or the like.
The NNM 17 may be connected to the terminal 11 between the terminal 11 and the router 13 with one touch without changing the setting of the network device (router 13).
-Direct communication between the terminals 11 and 12 is possible (in the packet communication between the terminals 11 and 12, one logical LAN is provided).

[Other Embodiments]
In addition to the embodiments described above, the following embodiments can be implemented.
1) Remote reference of a network camera By connecting a camera device having an NNM and a network port, remote monitoring from an external network is made possible simply by installing the camera in a network consisting of a camera, NNM, and router.
2) Remote reference of information home appliances Connecting home appliances with NNM and network ports enables home appliance references from external networks (home appliance references: remote control of air conditioners, audio media file references, video recorders) Video content streaming).
3) Device remote power ON
By installing an application capable of operating the power supply of another device in NNM or connecting a device that turns off the power supply, it is possible to operate the power supply of the device from a remote network.
4) Remote operation of a personal computer By connecting NNM and a personal computer terminal and installing existing remote control software in the personal computer, remote operation of the personal computer is realized from an external network.
5) Remote printing Connect the NNM and the printer device and print via the Internet. It is possible to output to a printer in a remote place such as a home or a printer to a printing service provider from a digital camera used outside the office directly via a network.
6) Realization of IP telephone Just by installing NNM in a network composed of terminals, NNM, and routers, SIP (session initiation protocol), A telephone system using an IP such as H.323 (including a TV conference system and a TV telephone system) is realized.
7) Device remote maintenance By connecting the NNM to a device having a network terminal, it becomes possible to monitor the state of the device from an external network. By remotely monitoring the status of consumables and failure conditions, the equipment can be maintained quickly and efficiently.
8) The above-described embodiment is illustrative and not restrictive. Therefore, modifications other than the above-described embodiment are possible. As long as the modification is based on the technical idea of the present invention described in the claims, the modification is within the technical scope of the present invention.

It is explanatory drawing of the P2P communication method of embodiment which can apply this invention. It is a flowchart which shows the NNM power ON process of embodiment which can apply this invention. It is a flowchart which shows the NNM normal process of embodiment which can apply this invention. It is explanatory drawing of the NAT traversal process of NNM of embodiment which can apply this invention. It is explanatory drawing of the NAT traversal process of NNM of embodiment which can apply this invention. It is a flowchart of the NNM firewall crossing process of embodiment which can apply this invention. It is a flowchart of the NNM firewall crossing process of embodiment which can apply this invention. It is a flowchart of the NNM firewall crossing process of embodiment which can apply this invention. It is a network connection diagram for demonstrating the conventional NAT function.

Explanation of symbols

11, 12, 15, 16 Terminal 13, 14 Router 17, 18, 19, 20 NNM
21, 31 Destination global address 22, 32 Source private address 23, 33 Destination port number 24, 34 Source port number 25 Session management server 30, 40 packets

Claims (9)

In a communication method for performing P2P communication between a first computer connected to a first network device having a NAT function and a second computer connected to a second network device having a NAT function ,
A first communication device to which a first virtual IP address, which is a logical IP address assigned separately from a first private address, is assigned between the first network device and the first computer. And a second communication device assigned a second virtual IP address, which is a logical IP address assigned separately from the second private address, is connected to the second network device and the second network device. Connected to two computers,
A first receiving step in which the first communication device receives a packet including the second virtual IP address in a header from the first computer;
The first communication device sets the first virtual IP address to the packet received in the first reception step, and uses the NAT traversal function to set the packet to the packet via the first network device. A first transmission step of transmitting to the two computers;
A second receiving step in which the first communication device receives a packet including the first virtual IP address and the second virtual IP address from the first network device after the first transmitting step; When,
A second transmission step in which the first communication device sets the second virtual IP address in a header of the packet received in the second reception step, and transmits the packet to the first computer; A communication method comprising: and. The packet received in the first receiving step includes the second virtual IP address in the destination address of the header,
The packet transmitted in the first transmission step includes the first virtual IP address and the second virtual IP address in a payload,
The packet received in the second reception step includes the first virtual IP address and the second virtual IP address in a payload,
The communication method according to claim 1, wherein the packet transmitted in the second transmission step includes the second virtual IP address in a transmission source address of a header. A third network device having a firewall function is connected in a network including the first communication device, the first network device, and the first computer;
The said 1st communication apparatus transmits the packet which set the said 1st virtual IP address further using a firewall traversal function in the said 1st transmission step. The claim 1 or 2 characterized by the above-mentioned. Communication method. When the first communication device receives a packet that does not include the second virtual IP address in the header from the first computer, the packet is transmitted to the first network device, and the first communication device transmits the packet to the first network device. When a packet not including the virtual IP address and the second virtual IP address is received from the first network device, a third transmission step of transmitting the packet to the first computer is further provided. The communication method according to any one of claims 1 to 3.   A program causing a computer to execute each step of the communication method according to claim 1. A communication system for performing P2P communication between a first computer connected to a first network device having a NAT function and a second computer connected to a second network device having a NAT function A communication device,
The communication device is assigned a first virtual IP address, which is a logical IP address assigned separately from a first private address, and is connected between the first network device and the first computer. Has been
The communication system is assigned a second virtual IP address, which is a logical IP address assigned separately from a second private address, and is connected between the second network device and the second computer. Other communication devices
The communication device
First receiving means for receiving a packet including the second virtual IP address in a header from the first computer;
The first virtual IP address is set in the packet received by the first receiving means, and the packet is transmitted to the second computer via the first network device using the NAT traversal function. First transmission means;
Second receiving means for receiving a packet including the first virtual IP address and the second virtual IP address from the first network device after transmission by the first transmitting means;
A second transmission unit configured to set the second virtual IP address in a header of the packet received by the second reception unit, and to transmit the packet to the first computer. Communication device. The packet received by the first receiving means includes the second virtual IP address in the destination address of the header,
The packet transmitted by the first transmission means includes the first virtual IP address and the second virtual IP address in a payload,
The packet received by the second receiving means includes the first virtual IP address and the second virtual IP address in a payload,
The communication apparatus according to claim 6, wherein the packet transmitted by the second transmission unit includes the second virtual IP address in a transmission source address of a header. A third network device having a firewall function is connected to a network including the communication device, the first network device, and the first computer.
The communication device according to claim 6 or 7, wherein the first transmission unit transmits the packet in which the first virtual IP address is set by further using a firewall traversal function. . When a packet that does not include the second virtual IP address in the header is received from the first computer, the packet is transmitted to the first network device, and the first virtual IP address and the second virtual IP address are transmitted. 7. A third transmission means for transmitting a packet not including the virtual IP address of the first network device to the first computer when the packet is received from the first network device. The communication apparatus in any one of thru | or 8.

Images