JP6256110B2 - Packet processing system and packet processing method - Google Patents

Description

  The present invention relates to a packet processing system and a packet processing method.

In recent years, devices that can provide new added value may be arranged in a network according to diversification of services and threats. Devices for realizing a new added value include, for example, a DPI (Deep Packet Inspection) device that analyzes the contents of data flowing in a network, a firewall device that performs packet filtering, and a UTM (Unified with multiple security functions) Threat Management) device, bandwidth control device, etc. Hereinafter, a device whose main purpose is processing other than traffic forwarding is referred to as a “value-added device”. Further, the processing performed by the value-added system apparatus is hereinafter referred to as “value-added system processing”.

JP 2013-38715 A

  However, the use of an added value system device has the following problems. A value-added device performs a complicated process compared to a relay device such as a router or a switch whose main purpose is to forward traffic, and therefore has a higher processing load than the relay device. Therefore, when a value-added system device is arranged on the route of user traffic and a large amount of traffic including traffic that is not the target of value-added system processing on the route flows to the value-added device, the value-added system device It can be a bottleneck.

  By preparing a value-added system that has the ability to process traffic, including those that are not subject to value-added processing on the user traffic path, bottlenecks that occur on the user traffic path can be eliminated. There is sex. However, since a value-added device is a very expensive device compared to a relay device, it is costly to prepare a value-added device that can handle a traffic volume comparable to the amount processed by the relay device. Not realistic.

  In addition, the value-added device is less reliable than the relay device in terms of the frequency of occurrence of failures such as software bugs. Further, when the value-added system device is arranged on the user traffic route, there is a possibility that the influence of a failure due to a bug or the like of the value-added system device is widespread.

  According to one aspect, an object of the present invention is to provide a packet processing system and a packet processing method for reducing a risk caused by placing a value-added device in a network.

One aspect of the present invention is:
A packet processing system including a communication device and a relay device located on a packet path,
The packet processing system includes:
At least one packet processing device that connects to the relay device outside the path and performs predetermined processing on the packet;
Further including
The communication device, depending on whether or not a packet transmission source terminal is the target of the predetermined processing, to the packet is sent with a header destined for the packet processing device,
The packet processing device, when receiving a packet with the header attached, removes the header, performs the predetermined processing, and forwards the packet with the header removed to the relay device.
It is a packet processing system.

  Another aspect of the present invention is a packet processing method in which a communication device and a packet processing device in a packet processing system each execute the above-described processing. In addition, another aspect of the present invention can include a program that causes a computer to function as the above-described communication apparatus and packet processing apparatus, and a computer-readable non-transitory recording medium that records the program. A non-temporary recording medium that can be read by a computer or the like is a recording medium in which information such as data or programs is accumulated by electrical, magnetic, optical, mechanical, or chemical action and can be read from a computer or the like. Say.

  According to the disclosed packet processing system and packet processing method, it is possible to reduce the risk due to the arrangement of value-added devices in the network.

It is a figure which shows the structural example of the network system which concerns on 1st Embodiment. It is a figure which shows an example of the address transition of the packet in the network system at the time of 4rd application. It is a figure which shows an example of the hardware constitutions of GW apparatus. It is a figure which shows an example of a function structure of a GW apparatus. It is an example of a NAPT table. It is a figure which shows an example of a function structure of an added value system apparatus. It is a figure which shows an example of a function structure of a system management node. It is a figure which shows an example of a terminal user information management table. It is an example of the flowchart of a process at the time of receiving a packet from the user terminal of a GW apparatus. It is an example of the flowchart of the process of the GW apparatus at the time of receiving the IPv6 packet from a carrier network. It is an example of the flowchart of a process at the time of receiving the IPv6 packet of a value added apparatus. It is an example of the flowchart of a process when a value-added apparatus receives an IPv4 packet. It is an example of the flowchart of the process of a system management node when the inquiry request | requirement of the presence or absence of the transfer of the traffic from a GW apparatus to a value added system apparatus is received. It is an example of the flowchart of the update process of the terminal user information management table of a system management node. It is an example of the sequence diagram of the process which concerns on the traffic transferred to a value-added apparatus. It is a figure which shows an example of a structure of the network system which concerns on 2nd Embodiment. It is a figure which shows an example of the address transition of the packet in the network system which concerns on 2nd Embodiment. It is an example of the flowchart of a process at the time of receiving the IPv6 packet from the user terminal of the GW apparatus in 2nd Embodiment. It is an example of the sequence diagram of the process which concerns on the traffic transferred to the value added apparatus 2 in a network system.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<First Embodiment>
FIG. 1 is a diagram illustrating a configuration example of a network system 100 according to the first embodiment. The network system 100 includes a system management node 1, a value added system device 2, a router 3, a gateway (GW) device 4, and a user terminal 5. In the network system 100, the access network in which the user terminal 5 exists is an IPv4 network configured with an IPv4 address. The carrier network is an IPv6 network configured with IPv6 addresses. The network system 100 is an example of a “packet processing system”. The IPv4 address is an example of a “first address system”. The IPv6 address is an example of a “second address system”.

  The GW apparatus 4 is located at the boundary between the access network and the carrier network. The router 3 is located at the boundary between the carrier network and the IPv4 Internet. The system management node 1 is located in the carrier network.

  In the network system 100, user traffic between the user terminal 5 and a destination device in the IPv4 Internet passes through the route of the IPv4 network (access NW), the GW device 4, the IPv6 network (carrier NW), the router 3, and the IPv4 Internet. . Hereinafter, the route of user traffic is also referred to as inline. Inline is an example of a “packet route”.

  In the first embodiment, the value-added system device 2 is connected in parallel to the router 3 and is located outside the inline. A position outside the inline is also called an outline. In the case of such a network configuration, the traffic to be added to the value-added process is temporarily removed from the inline and transferred to the value-added apparatus 2. For example, there are the following two methods for transferring the target traffic of the value-added processing to the value-added device 2.

(Method 1) Method for causing the router 3 to determine transfer to the value-added system device 2 For example, an access list is set in the router 3 of the example shown in FIG. The value-related device 2 is rewritten, and the target packet for value-added processing is transferred to the value-added device 2. The access list is a list in which the destination or source address of the target packet for value-added processing is described, and packets corresponding to the destination or source address registered in the access list are extracted.

  However, in the method of transferring a packet to the value-added system device 2 using the access list, for example, the condition of traffic to be transferred to the value-added system device 2 is changed with the addition or deletion of a user or a device. Accordingly, an access list change occurs. That is, every time a configuration change in the network occurs, the access list set in the router 3 is rewritten. For example, in a network that places importance on reliability, such as a communication carrier, method 1 is applied because it tends to avoid frequent changes in the configuration of routers 3 and switches such as rewriting of an access list. It is difficult to

(Method 2) Method of transferring to value-added system device 2 using a tunnel For example, a tunneling protocol such as GRE (Generic Routing Encapsulation) between GW device 4 and value-added system device 2 in the example shown in FIG. Then, a tunnel is established, and the target packet for value-added processing is transferred to the value-added device 2. In the tunneling protocol, packets are encapsulated and transmitted / received by devices at both ends.

  In the tunneling protocol, the encapsulation information is recorded and managed in a table by the devices at both ends, and the devices at both ends perform encapsulation processing with reference to the table. Since processing to refer to the table is heavy and the value-added system device 2 performs high-value-added value-based processing, the value-added system device 2 is caused to perform processing that places a load on tunnel establishment and maintenance Is difficult.

  Therefore, in both method 1 and method 2, although the target packet of the value-added system processing can be passed through the value-added system apparatus 2, and other packets can be prevented from passing through the value-added system apparatus 2, Both method 1 and method 2 are difficult to apply.

  On the other hand, in the network system 100 shown in FIG. 1, an IPv4 network and an IPv6 network are mixed, and an IPv4 packet is encapsulated with an IPv6 header in the IPv6 network that is a carrier network. One method for encapsulating IPv4 packets with an IPv6 header is 4rd (IPv4 Residual Deployment). An IPv4 packet encapsulated with an IPv6 header is also referred to as an IPv4 over IPv6 packet. Further, since packets are encapsulated and communicated between two devices, communication using IPv4 over IPv6 packets is also expressed as “IPv4 over IPv6 tunnel”. However, the tunnel in this case does not perform processing such as establishing a session between terminals, but merely encapsulates communication packets between terminals.

  In 4rd, as in the network system 100 shown in FIG. 1, a network configuration is assumed in which the core network is shifted to the IPv6 network in a state where each end user uses the IPv4 network. In the 4rd system, CE (Customer Edge) and BR (Border Relay) are provided as devices for transferring packets in the IPv6 network.

  CE and BR are both devices located at the boundary between the IPv4 network and the IPv6 network. CE is a user-side device arranged in a user's home. The BR is arranged at the boundary between the IPv6 core network and the IPv4 Internet. In the network system 100 shown in FIG. 1, the GW device 4 corresponds to the CE, and the router 3 and the value added device 2 correspond to the BR.

  In 4rd, an IPv4 address is calculated from an IPv6 address according to a predetermined rule. It is also possible to derive an IPv6 address from an IPv4 address by performing a calculation reverse to the predetermined rule. Since the method for deriving the IPv4 address of 4rd is known, the description in this specification is omitted. In the first embodiment, the GW device 4, the router 3, and the value added system device 2 perform address translation between IPv4 address and IPv6 address, encapsulation of IPv4 packet, and decapsulation of IPv6 packet according to 4rd. I will do it.

  FIG. 2 is a diagram illustrating an example of packet address transition in the network system 100 when 4rd is applied. FIG. 2 shows the flow of packets that are not subject to value-added processing. 2, for the sake of convenience, the user terminal 5, the GW apparatus 4, the router 3, and the IPv4 Internet of the network system 100 shown in FIG. 1 are extracted and shown. In the example shown in FIG. 2, the GW apparatus 4 connects an IPv4 private network as an end user access network.

  In the example shown in FIG. 2, the communication in the direction from the user terminal 5 to the IPv4 Internet is upstream. Communication in the direction from the IPv4 Internet to the user terminal is downstream.

In the example shown in FIG. 2, the GW device 4 serves as a DHCP server of the IPv4 private network, and the user terminal 5 acquires the private IPv4 address “192.168.0.30/24” from the GW device 4. The GW apparatus 4 is an IPv6 carrier network.
An IPv6 address block “2001: db8: abcd :: / 48” is acquired from a DHCP server (not shown). The GW apparatus 4 calculates the range of the global IPv4 address and port number that can be used by the GW apparatus 4 according to the 4rd method from the acquired value of the IPv6 address block. Here, it is assumed that “192.0.2.171:0x1CD0”−“192.0.2.171:0x1CDF” is calculated as the range of the global IPv4 address and port number that can be used by the GW apparatus 4.
The sequence following the address comma indicates the port number.

The packet address transition in the upstream will be described. When the user terminal 5 transmits an IPv4 packet to the destination device 6 in the IPv4 Internet, the IPv4 packet arrives at the GW device 4. The GW apparatus 4 first performs NAPT (Network Address Port Translation) to convert the source IPv4 address from the private IPv4 address to the global IPv4 address. Assume that the private IPv4 address “192.168.0.30:xxxx” of the packet transmission source is converted by the GW apparatus 4 to the global IPv4 address “192.0.2.171:0x1CD0”.

Next, the GW apparatus 4 encapsulates the IPv4 packet subjected to the NAPT with an IPv6 header. The destination IPv6 address of the IPv6 capsule header is the address “2001: db8 :: 1” of the interface of the router 3 which is the end point of the tunnel by the encapsulation. IP
The source IPv6 address of the v6 capsule header is the IPv6 address “2001: db8: abcd: 1: calculated by the GW apparatus 4 according to 4rd from the source IPv4 address and port number“ 192.0.2.171:0x1CD0 ”of the IPv4 packet. : 1 ”. The source IPv6 address of this IPv6 capsule header is an address indicating the IPv6 interface of the GW apparatus 4. Note that the source IPv6 address of the IPv6 capsule header is also the address of the IPv6 interface of the GW apparatus 4 that is the start point of the tunnel by encapsulation.

  When the packet encapsulated with the IPv6 capsule header arrives at the router 3, the IPv6 capsule header is removed (reverse encapsulation). The router 3 transmits the IPv4 packet obtained by decapsulation to the IPv4 Internet, and the IPv4 packet arrives at the destination device 6.

  Next, packet address transition in the downstream of the return packet from the destination device 6 will be described. An IPv4 packet that is a return packet from the destination device 6 first arrives at the router 3. The router 3 encapsulates the IPv4 packet with the IPv6 capsule header. The destination IPv6 address “2001: db8: abcd: 1 :: 1” of the IPv6 capsule header is calculated according to 4rd from the destination IPv4 address and destination port number “192.0.2.171:0x1CD0” of the IPv4 packet. This IPv6 address is the IPv6 address of the GW apparatus 4. The source IPv6 address of the IPv6 capsule header is the address “2001: db8 :: 1” of the IPv6 interface of the router 3 that is the start point of the tunnel.

The packet encapsulated with the IPv6 capsule header arrives at the GW apparatus 4 that is the destination of the IPv6 capsule header. The GW apparatus 4 acquires the IPv4 packet by removing the IPv6 capsule header. Next, the GW apparatus 4 converts the destination IPv4 address of the IPv4 packet from the global IPv4 address to the private IPv4 address. This conversion is performed using a table recorded at the time of NAPT in the upstream. When the NAPT processing is completed, the return packet is transmitted to the user terminal 5.

  When 4rd is used, when the CE or BR encapsulates the IPv4 packet with the IPv6 capsule header, the IPv6 address can be calculated from the IPv4 address by the 4rd calculation method. That is, the CE and BR do not have to hold a table for acquiring an IPv6 address from an IPv4 address.

  Therefore, in the first embodiment, 4rd is used, and the GW apparatus 4 switches the address of the end point of the IPv4 over IPv6 tunnel according to whether or not the traffic is a target of value-added processing. When the traffic is not the target of the value-added processing, the GW apparatus 4 sets the IPv4 over IPv6 tunnel end point to the IPv6 address of the IPv6 interface of the router 3 as described in FIG. When the traffic is a target of value-added processing, the GW device 4 sets the end point of the IPv4 over IPv6 tunnel to the IPv6 address of the IPv6 interface of the value-added device 2.

  Even when the GW device 4 switches the end point address of the IPv4 over IPv6 tunnel in accordance with the traffic, the router 3 may perform routing as usual according to the destination address of the packet even when forwarding the traffic to the value added system device 2. . As a result, it is possible to flow desired traffic to the value-added system device 2 without changing the configuration of the router 3 in the carrier network. Further, since the traffic flowing through the value-added system device 2 can be suppressed to the target traffic of the value-added system processing, the range of influence of the value-added system device 2 when a failure occurs can be reduced.

  In addition, by using 4rd, the GW device 4, the router 3, and the value-added system device 2 that perform encapsulation can acquire an IPv6 address from an IPv4 address according to 4rd. Therefore, the GW apparatus 4, the router 3, and the value added system apparatus 2 do not include, for example, a table that holds a one-to-one entry of an IPv6 address and an IPv4 address or a table for managing a tunnel session. It's okay. Since the calculation process has a lighter load than the table search process, the load on the value-added system device 2 can be suppressed by using 4rd. Resources can also be saved.

  In the first embodiment, the system management node 1 instructs the GW apparatus 4 whether to transfer to the value-added system apparatus 2 according to traffic. However, the present invention is not limited to this, and the GW apparatus 4 holds the conditions of the target traffic of the value-added system processing in advance, and sets the IPv4 over IPv6 tunnel end point of the traffic satisfying the conditions as the IPv6 address of the value-added system apparatus 2. You may make it do. The GW apparatus 4 is an example of a “communication apparatus”. The value-added system device 2 is an example of a “packet processing device”. The router 3 is an example of a “relay device”.

In the first embodiment, it is assumed that the return packet is also a target of the value-added processing, and the return packet is also allowed to flow through the value-added device 2. For this purpose, the value-added system device 2 decapsulates the IPv4 over IPv6 packet from the GW device 4 and performs route advertisement on the GW device 4 to the router 3. This route advertisement is performed according to a routing protocol that is valid between the router 3 and the value-added system device 2. The route advertisement includes an IP address and information that uses the next hop to the IP address as a route advertisement source device. By performing route advertisement for the GW device 4, when the router 3 receives a return packet from the IPv4 Internet, the return packet is transferred to the value-added system device 2. Note that when the value-added processing is not performed on the return packet, the value-added device 2 does not have to perform route advertisement to the router 3.

<Device configuration>
(GW equipment)
FIG. 3 is a diagram illustrating an example of a hardware configuration of the GW apparatus 4. The GW apparatus 4 includes a CPU (Central Processing Unit) 401, a memory 402, an auxiliary storage device 405, a packet transfer engine 403, and line interfaces 404A and 404B, which are electrically connected by a bus.

  The line interfaces 404A and 404B are interfaces for inputting / outputting information to / from the network. The line interface 404A connects an IPv4 network that is an access network of the user terminal 5. The line interface 404B connects an IPv6 network that is a carrier network. The line interface 404A connects a private network in the house, and is, for example, a NIC (Network Interface Card), a wireless LAN (Local Area Network) card, or the like. The line interface 404B is connected to a carrier network and is, for example, a card having an optical communication interface.

  The memory 402 is a semiconductor memory such as a RAM (Random Access Memory) and a ROM (Read Only Memory). The memory 402 is a semiconductor memory that provides a storage area and a work area for loading a program stored in the auxiliary storage device 405 to the CPU 401 as a main storage device, and is used as a buffer and a cache. Examples of the memory 402 include DRAM (Dynamic RAM) and SDRAM (Synchronous DRAM).

  The auxiliary storage device 405 stores various programs and data used by the CPU 401 when executing each program. The auxiliary storage device 405 is, for example, an EPROM (Erasable Programmable ROM), a hard disk drive (Hard Disc Drive), or the like. The auxiliary storage device 405 holds, for example, an operating system (OS), an encapsulation processing program, and various other application programs. The encapsulation processing program is a program for encapsulating the IPv4 packet by switching the destination IPv6 address of the IPv6 capsule header of the IPv4 over IPv6 tunnel according to the traffic.

The CPU 401 executes various processes by loading the OS, the encapsulation processing program, and the like held in the auxiliary storage device 405 into the memory 402 and executing them. CPU
401 is not limited to one, and a plurality of 401 may be provided.

  The packet transfer engine 403 is a processor that transfers packets between the line interfaces 404A and 404B and the CPU 401.

  The hardware configuration of the GW apparatus 4 is not limited to that shown in FIG. 3 and can be changed as appropriate depending on the product to be used. For example, the GW apparatus 4 may include a portable recording medium driving device, and read and execute a program from a portable recording medium such as an SD card.

  FIG. 4 is a diagram illustrating an example of a functional configuration of the GW apparatus 4. The GW apparatus 4 includes a transfer control unit 41, a path control unit 42, and a packet processing unit 43 as functional blocks.

The transfer control unit 41 includes a packet transfer processing unit 411, an IPv4 interface unit 412, and an IPv6 interface unit 413. In the first embodiment, the IPv4 interface unit 4
12, IPv6 interface unit 413 is a logical interface associated with line interfaces 404A and 404B, which are physical interfaces. For example, when there are a plurality of line interfaces connected to the IPv4 network or the IPv6 network, the IPv4 interface unit 412 or the IPv6 interface unit 413 exists for each line interface. A plurality of IPv4 interface units 412 or IPv6 interface units 413 (logical interfaces) may be associated with one line interface (physical interface).

  The IPv4 interface unit 412 is an interface for connecting a private network. The IPv6 interface unit 413 is an interface for connecting a global network. Also, the packet output from the private network to the global network is converted between the private IPv4 address and the global IPv4 address by NAT or NAPT. Therefore, the IPv4 interface unit 412 and the IPv6 interface unit 413 are set to enable NAT or NAPT, respectively.

  The IPv6 interface unit 413 is an interface connected to the IPv6 network. When an IPv4 packet is passed through the IPv6 network, encapsulation is performed using an IPv6 capsule header. Therefore, the IPv6 interface unit 413 is set to enable encapsulation.

  The packet transfer processing unit 411 is a function realized by the packet transfer engine 403. The packet transfer processing unit 411 relays the packet between the IPv4 interface unit 412 and the IPv4 routing unit 421. Further, the packet transfer processing unit 411 relays the packet between the IPv6 interface unit 413 and the IPv6 routing unit 422.

  The route control unit 42 performs routing. More specifically, the route control unit 42 determines an output interface of the packet according to the destination of the packet input to the GW device 4. The route control unit 42 includes an IPv4 routing unit 421 and an IPv6 routing unit 422.

  The IPv4 routing unit 421 performs routing of IPv4 packets. The IPv4 routing unit 421 is a function realized by the execution of an IPv4 routing protocol by the CPU 401. Examples of the routing protocol for IPv4 include OSPFv2 (Open Shortest Path First version 2), BGP (Border Gateway Protocol), and the like.

  The IPv6 routing unit 422 performs routing of IPv6 packets. The IPv6 routing unit 422 is a function realized by the execution of an IPv6 routing protocol by the CPU 401. Examples of the routing protocol for IPv6 include OSPFv3 and MP-BGP4 (Multiprotocol-BGP4).

A packet is input from the packet transfer processing unit 411 or the encapsulation processing unit 431 to the IPv4 routing unit 421 and the IPv6 routing unit 422. The IPv4 routing unit 421 and the IPv6 routing unit 422 hold the routing tables 421T and 422T, respectively, and determine the output interface of the input packet based on the destination of the input packet and the information in the routing tables 421T and 422T. The routing tables 421T and 422T store at least an address of the destination network and an output interface to the destination network. Routing table 4
21T and 422T are stored in the storage area of the memory 402, for example.

  When the input packet corresponds to any of the following for the input packet from the packet transfer processing unit 411, the IPv4 routing unit 421 and the IPv6 routing unit 422 output the packet to the packet processing unit 43. (1) When setting is made to enable NAT or NAPT in both the input and output interfaces. That is, the IPv4 interface unit 412 that connects the private network is an input interface, and the IPv6 interface unit 413 that connects the global network is an output interface, and vice versa. (2) When setting is made to enable encapsulation on either the input or output interface. That is, in the GW apparatus 4, the IPv6 interface unit 413 is an input or output interface.

  If neither (1) nor (2) is applicable, the IPv4 routing unit 421 and the IPv6 routing unit 422 output the input packet from the packet transfer processing unit 411 to the packet transfer processing unit 411.

  For example, since a packet from the user terminal 5 to the IPv4 Internet is input from the IPv4 interface unit 412 and the IPv6 interface unit 413 is determined as an output interface, the packet processing unit 43 corresponds to the above (1) and (2). Is output. For example, since a return packet from the IPv4 Internet to the user terminal 5 is input from the IPv6 interface unit 413 and the IPv4 interface unit 412 is determined as an output interface, the packet processing unit corresponds to the above (1) and (2). 43 is output.

  For example, when there are a plurality of IPv4 interface units 412 and a packet is determined with one IPv4 interface unit 412 as an input interface and another IPv4 interface unit 412 as an output interface, the above (1) or (2 ). In this case, the packet is output to the packet transfer processing unit 411 by the IPv4 routing unit 421 and transferred to the IPv4 interface unit 412 which is an output interface by the packet transfer processing unit 411.

  For the input packet from the packet processing unit 43, the IPv4 routing unit 421 and the IPv6 routing unit 422 are not related to whether the input packet corresponds to the above (1) or (2). The packet is output to 411.

  The packet processing unit 43 performs processing applied to the packet itself, such as NAT or NAPT, encapsulation processing, for the packet input from the IPv4 routing unit 421 or the IPv6 routing unit 422. The packet processing unit 43 is a function realized by the CPU 401 executing the encapsulation processing program.

  The packet processing unit 43 includes an encapsulation processing unit 431, an encapsulation notification processing unit 432, and an address information processing unit 433. In the first embodiment, a system that applies 4rd described in FIG. 2 is assumed. Therefore, the GW apparatus 4 will be described as performing NAPT. However, the present invention is not limited to NAPT, and when the GW device 4 does not need to use the port number in derivation of the IPv4 address from IPv6, such as when the GW device 4 connects one user terminal, May be implemented.

  For example, the address information processing unit 433 performs conversion (NAPT) between a private IPv4 address and a global IPv4 address, and conversion between an IPv4 address and an IPv6 address. The address information processing unit 433 performs these address conversion processes in response to a request from the encapsulation processing unit 431, and returns the conversion result to the encapsulation processing unit 431.

  The address information processing unit 433 holds an address information storage unit 433S and a NAPT table 433T. The address information storage unit 433S stores a global IPv4 address. There may be a plurality of global IPv4 addresses stored in the address information storage unit 433S. The address information storage unit 433S is stored in the memory 402, for example.

  In the first embodiment, the global IPv4 address stored in the address information storage unit 433S is an IPv4 address calculated by 4rd from the IPv6 address acquired from the DHCP server in the carrier network. In the first embodiment, since the IPv4 address and the port number are calculated by 4rd, in addition to the global IPv4 address, the corresponding port number is also stored in the address information storage unit 433S. The process of acquiring the IPv6 address from the DHCP server is performed by a DHCP application (not shown). The process for calculating the IPv4 address from the IPv6 address may be performed by the address information processing unit 433 or a DHCP application, for example.

  The IPv6 address is not limited to being acquired from the DHCP server, and may be set in advance for the IPv6 interface unit 413 by the administrator of the GW apparatus 4, for example. In this case, the address information processing unit 433 may calculate an IPv4 address from the IPv6 address set in the IPv6 interface unit 413 and store it in the address information storage unit 433S.

  Further, the IPv6 address may be stored in the address information storage unit 433S, and the address information processing unit 433 may calculate the global IPv4 address from the IPv6 address stored in the address information storage unit 433S at the time of address conversion by NAPT. .

  FIG. 5 is an example of the NAPT table 433T. An entry is recorded in the NAPT table 433T at the first time when the IPv4 address conversion by the address information processing unit 433 is performed. The entry of the NAPT table 433T includes a private IPv4 address (“local IPv4 address” in the figure), a port number before translation (“local port number” in the figure), and a global IPv4 address calculated by 4rd (“4rd IPv4 in the figure). Global address ") The port number calculated in 4rd (" 4rd port number "in the figure) is associated and registered.

  When performing NAPT, the address information processing unit 433 searches the NAPT table 433T and determines whether there is an entry that matches the destination or source address of the IPv4 packet. If there is no matching entry, the address information processing unit 433 selects an unused global IPv4 address from the address information storage unit 433S, creates an entry, registers it in the NAPT table 433T, and sets the IPv4 address according to the entry. Perform conversion. If there is a matching entry, the address information processing unit 433 converts the IPv4 address according to the entry of the NAPT table 433T.

  For example, each entry in the NAPT table 433T is provided with a survival timer, and when no entry is referred to for a predetermined time, the entry is deleted. The NAPT table 433T is stored in the memory 402, for example. When the GW apparatus 4 performs NAT, a NAT table that holds the association between the private IPv4 address and the global IPv4 address as an entry is held instead of the NAPT table 433T.

  Also, the address information processing unit 433 receives the request from the encapsulation processing unit 431 and notifies the encapsulation processing unit 431 of the IPv6 address corresponding to the global IPv4 address of the NAPT entry corresponding to the traffic.

  When the global IPv4 address is stored in the address information storage unit 433S, the address information processing unit 433 calculates the IPv6 address by 4rd from the global IPv4 address of the NAPT entry corresponding to the traffic and sends it to the encapsulation processing unit 431. Notice. When the IPv6 address is stored in the address information storage unit 433S, the address information processing unit 433 reads the IPv6 address used for calculating the global IPv4 address of the NAPT entry corresponding to the traffic, and sends it to the encapsulation processing unit 431. Notice.

  The encapsulation processing unit 431 performs the encapsulation of the IPv4 packet with the IPv6 capsule header, and the decapsulation for removing the IPv6 capsule header from the IPv4 over IPv6 packet and extracting the IPv4 packet. The encapsulation processing unit 431 holds a tunnel end point address (TEPA) information table 431T.

  The TEPA information table 431T holds a correspondence between user identification information and TEPA corresponding to the user identification information. In the first embodiment, the user indicates a user who makes a carrier network usage contract. The user identification information is information that can specify a user such as a combination of a user ID and a password determined at the time of contract with a carrier, a contract number, and an IPv6 address assigned to the user from the carrier. TEPA is the destination IPv6 address of the IPv6 capsule header, that is, the IPv6 address to which the traffic is transferred.

  The initial state of the TEPA information table 431T is empty, and an entry is created by an inquiry to the system management node 1 by the encapsulation notification processing unit 432 described later. The entry in the TEPA information table 43 is deleted when a predetermined time elapses without being referred to, for example. The TEPA information table 431T is stored in the storage area of the memory 402, for example.

  When one contract (one user) is made for one GW apparatus 4, only the TEPA may be held in the TEPA information table 431T. When the presence / absence of transfer to the value-added system apparatus 2 is set not in units of users but in units of traffic, the TEPA information table 431T stores the association between traffic identification information and TEPA. You may do it.

  When receiving an IPv4 packet from the IPv4 routing unit 421, the encapsulation processing unit 431 performs an encapsulation process using the IPv6 capsule header of the IPv4 packet. The packet is input from the IPv4 routing unit 421 to the encapsulation processing unit 431 when the setting for enabling the encapsulation is made in either the input or output interface of the packet ((2) above) Because.

  The encapsulation process using the IPv6 capsule header of the IPv4 packet is as follows. The encapsulation processing unit 431 refers to the TEPA information table 431T and determines whether there is an entry corresponding to the source IPv4 address of the IPv4 packet. When there is a corresponding entry in the TEPA information table 431T, the encapsulation processing date 431 uses the TEPA of the entry as the destination IPv6 address of the IPv6 capsule header.

If there is no corresponding entry in the TEPA information table 431T, the encapsulation processing unit 4
31 requests the encapsulation notification processing unit 432 to inquire about the presence / absence of transfer of traffic to the value-added system device 2. As a result of the inquiry, when the encapsulation processing unit 431 is notified that traffic is to be transferred to the value-added system device 2, TEPA is also notified. The encapsulation processing unit 431 creates an entry in the TEPA information table 431 and sets the notified TEPA as the destination IPv6 address of the IPv6 capsule header.

  As a result of the inquiry, when it is notified that traffic forwarding to the value-added system device 2 is not performed, the encapsulation processing unit 431 uses the IPv6 address of the router 3 as the destination IPv6 of the IPv6 capsule header as an initial value. Address.

  The source IPv6 address of the IPv6 header is an IPv6 address corresponding to the global IPv4 address of NAPT, which is acquired by the encapsulation processing unit 431 requesting the address information processing unit 433. The encapsulation processing unit 431 encapsulates the IPv4 packet with the IPv6 capsule header including the determined destination and the source IPv6 address, and outputs it to the IPv6 routing unit 422. The IPv4 over IPv6 packet is routed by the IPv6 routing unit 422 and sent to the carrier network.

  When receiving the IPv6 packet from the IPv6 routing unit 422, the encapsulation processing unit 431 performs decapsulation because the IPv6 packet is an IPv4 over IPv6 packet. The IPv4 packet obtained by the decapsulation is subjected to NAPT address conversion by the address information processing unit 433 and then output to the IPv4 routing unit 421. The IPv4 packet is routed by the IPv4 routing unit 421, and is sent to the user's home network in the first embodiment.

  In response to the request from the encapsulation processing unit 431, the encapsulation notification processing unit 432 inquires of the system management node 1 about whether or not the traffic is transferred to the value-added system device 2. The inquiry request to the system management node 1 includes, for example, user identification information.

  The encapsulation notification processing unit 432 holds a user information table 432T. The user information table 432T includes, for example, user identification information. In the user information table 432T, for example, user identification information is stored in advance by a user who owns the GW apparatus 4 or by a carrier via a carrier network. The user information table 432T is stored in the auxiliary storage device 405, for example.

  When the presence / absence of transfer to the value-added system device 2 is set not in units of users but in units of traffic, the inquiry request to the system management node 1 is included in the traffic identification information in addition to the user identification information. May also be included.

  When receiving a response to the inquiry request from the system management node 1, the encapsulation notification processing unit 432 notifies the encapsulation processing unit 431 of the response content. The response includes presence / absence of transfer of the corresponding traffic to the value-added system device 2 and TEPA when the traffic is transferred to the value-added system device 2.

  The inquiry request and response to the system management node 1 may be performed using a protocol such as RADIUS (Remote Authentication Dial In User Service), or a unique protocol for performing the inquiry is used. May be. The IPv6 address of the GW device 4 is used for the inquiry request and response to the node 1, and the response from the system management node 1 is transferred to the encapsulation notification processing unit 432 by the IPv6 routing unit 422.

Note that the path control unit 42 and the packet processing unit 43 are not limited to being realized by execution of a predetermined program by the CPU, for example, an FPGA (Field-Programmable)
(Gate Array) or the like.

(Configuration of value-added system)
FIG. 6 is a diagram illustrating an example of a functional configuration of the value-added system device 2. The value-added system device 2 is, for example, a firewall device, a bandwidth control device, an L4 to L7 switch, or the like. The hardware configuration of the value-added system device 2 is a configuration including a CPU, a memory, an auxiliary storage device, a packet transfer engine, and a line interface, for example, like the GW device 4 shown in FIG.

  The value-added system device 2 includes a transfer control unit 21, a path control unit 22, and a capsule control unit 23 as functional blocks. The transfer control unit 21 includes a packet transfer processing unit 211, an IPv4 interface unit 212A, and an IPv6 interface unit 212B. For example, the IPv6 interface unit 212B is set to enable encapsulation. The packet transfer processing unit 211, the IPv4 interface unit 212A, and the IPv6 interface unit 212B have substantially the same functions as the packet transfer processing unit 411, the IPv4 interface unit 412, and the IPv6 interface unit 413 of the GW device 4, respectively, and thus description thereof is omitted. .

  Note that the IPv4 interface unit 212A and the IPv6 interface unit 212B may be logical interfaces corresponding to different line interfaces. In this case, the value-added system device 2 and the router 3 are physically connected by two lines. Alternatively, the IPv4 interface unit 212A and the IPv6 interface unit 212B may be logical interfaces corresponding to the same line interface. That is, the IPv4 interface unit 212A and the IPv6 interface unit 212B may correspond to subinterfaces in which one physical interface is logically divided. In this case, the value-added system device 2 and the router 3 are physically connected by a single line.

  The route control unit 22 includes an IPv4 routing unit 221, an IPv6 routing unit 222, and a value added system processing unit 223. Since the IPv4 routing unit 221 and the IPv6 routing unit 222 have substantially the same functions as the IPv4 routing unit 421 and the IPv6 routing unit 422 of the GW apparatus 4 except for the processing related to NAPT, description thereof will be omitted.

  The value-added system processing unit 223 is a function realized, for example, when the CPU of the value-added system device 2 executes a predetermined value-added system processing program stored in the auxiliary storage device. The value added processing unit 223 performs value added processing on the IPv4 packet. The value-added processing unit 223 extracts a processing target packet from packets flowing through the IPv4 routing unit 221 using, for example, an access list.

  The encapsulation control unit 23 includes an encapsulation processing unit 231 and an address information processing unit 232. The encapsulation processing unit 231 is a function realized by executing a BR encapsulation processing program stored in the auxiliary storage device, for example.

  The encapsulation processing unit 231 performs encapsulation and decapsulation of packets input from the IPv6 routing unit 222 and the IPv4 routing unit 221. Specifically, the encapsulation processing unit 231 performs decapsulation on the IP over IPv6 packet input from the IPv6 routing unit 222, extracts the IPv4 packet, and outputs the IPv4 packet to the IPv4 routing unit 221. .

The encapsulation processing unit 231 encapsulates the IPv4 packet input from the IPv4 routing unit 221 with an IPv6 capsule header. The destination IPv6 address of the IPv6 capsule header is an IPv6 address calculated from the destination IPv4 address of the IPv4 packet according to 4rd by the address information processing unit 232. The source IPv6 address of the IPv6 capsule header is, for example, an IPv6 address assigned to the IPv6 interface unit 212B of the value-added system device 2.

  Further, when the encapsulation processing unit 231 obtains an IPv4 packet by decapsulating the IPv4 over IPv6 packet at the head of the traffic flow, the encapsulation processing unit 231 sends a route advertisement regarding the source IPv4 address of the packet to the IPv4 routing unit 221. Instruct to do. In response to this instruction, the IPv4 routing unit 221 advertises a route regarding the source IPv4 address of the IPv4 packet to the router 3.

  The address information processing unit 232 calculates an IPv6 address by 4rd from the IPv4 address. More specifically, the address information processing unit 232 calculates an IPv6 address by 4rd from the destination IPv4 address of the IPv4 packet according to an instruction from the encapsulation processing unit 231, and returns it to the encapsulation processing unit 231.

(System management node configuration)
FIG. 7 is a diagram illustrating an example of a functional configuration of the system management node 1. The system management node 1 is a server-dedicated computer or a general-purpose computer, for example. The hardware configuration of the system management node 1 is, for example, a configuration including a CPU, a memory, an auxiliary storage device, a packet transfer engine, and a line interface like the GW device 4 shown in FIG.

  The system management node 1 includes a transfer control unit 11 and a user information management unit 12 as functional blocks. The transfer control unit 11 includes a packet transfer processing unit 111 and an IPv6 interface unit 112. The IPv6 interface unit 112 is a logical interface corresponding to the line interface. The packet transfer processing unit 111 corresponds to a packet transfer engine. The packet transfer processing unit 111 relays packets between the IPv6 interface unit 112 and the user information management unit 12.

  The user information management unit 12 responds to an inquiry about whether or not there is traffic transfer from the GW apparatus 4 to the value-added system apparatus 2. The user information management unit 12 is a function realized by, for example, the CPU executing a predetermined program stored in the auxiliary storage device.

  The user information management unit 12 includes a notification generation processing unit 121, a user information processing unit 122, and a terminal user information management table 123. The terminal user information management table 123 stores, for each user, presence / absence of traffic transfer to the value-added system 2 and TEPA. The user information processing unit 122 manages the terminal user information management table 123.

  The notification generation processing unit 121 generates a response to an inquiry as to whether or not traffic is transferred from the GW device 4 to the value-added system device 2 and transmits the response to the GW device 4. More specifically, when receiving a query from the GW device 4, the notification generation processing unit 121 causes the user information processing unit 122 to manage terminal user information that matches the source IPv6 address of the query request and the user identification information. Requests reading of entries in table 123. When the notification generation processing unit 121 receives a matching entry in the terminal user information management table 123 from the user information processing unit 122, the notification generation processing unit 121 includes the presence / absence of traffic transfer to the value-added system device 2 and TEPA ( Response is generated including (if transfer is available).

  In response to the request from the notification generation processing unit 121, the user information processing unit 122 reads an entry in the terminal user information management table 123 that matches the source IPv6 address and the user identification information included in the inquiry request. If there is a matching entry, the entry is notified to the notification generation processing unit 121. If there is no matching entry, for example, the user information processing unit 122 creates an entry in the terminal user information management table 123 with respect to the user identification information of the inquiry request as no transfer to the value-added system device 2. The created entry is notified to the notification generation processing unit 121.

  FIG. 8 is a diagram illustrating an example of the terminal user information management table 123. The entry of the terminal user information management table 123 includes user identification information, an IPv6 address for user use, presence / absence of transfer to the value-added system device 2, and TEPA. In the TEPA of the entry of the terminal user information management table 123, the IPv6 address of the value-added system device 2 is stored. In the entry, when there is no transfer of the traffic of the corresponding user to the value-added system device 2 (OFF), the TEPA value is empty.

  Entries in the terminal user information management table 123 are registered, changed, deleted, etc. by the administrator of the network system 100. Also, the user information processing unit 122 refers to the terminal user information management table 123 by receiving an inquiry request from the GW device 4, and if there is no corresponding entry, the user information is sent to the value-added system device 2. Create an entry with no forwarding.

(Process flow)
Hereinafter, processing performed by each device will be described with reference to flowcharts shown in FIGS.

(Process flow of GW device)
FIG. 9 is an example of a flowchart of processing when a packet is received from the user terminal 5 of the GW apparatus 4. The flowchart shown in FIG. 9 is started, for example, when the GW apparatus 4 is activated, and is repeatedly executed while the GW apparatus 4 is activated.

  In S <b> 1, the IPv4 interface unit 412 receives an IPv4 packet from the user terminal 5. The IPv4 packet is transferred to the IPv4 routing unit 421 by the packet transfer processing unit 411. Next, the process proceeds to S2.

  In S2, when the IPv4 packet is addressed to the IPv4 Internet (S2: YES), the IPv4 routing unit 421 transfers the IPv4 packet to the encapsulation processing unit 431. In this case, for example, the encapsulation processor 431 is recorded in the IPv4 routing table 421T as an output interface for packets addressed to the IPv4 Internet. Next, the process proceeds to S3.

  If the IPv4 packet is not addressed to the IPv4 Internet (S2: NO), the process proceeds to S9. In S9, the IPv4 routing unit 421 transfers the IPv4 packet to the packet transfer processing unit 411 according to the IPv4 routing table 421T. The IPv4 packet is sent to the IPv4 network through the packet transfer processing unit 411 and the IPv4 interface unit 412. If there is no entry corresponding to the destination of the IPv4 packet in the IPv4 routing table 421T, for example, the IPv4 packet may be discarded because the destination is unknown. Thereafter, the process shown in FIG. 9 ends.

In S3, when an IPv4 packet addressed to the IPv4 Internet is received, the encapsulation processing unit 431 determines whether or not TEPA as a transfer destination of the IPv4 packet is stored in the TEPA information table 431T. If TEPA is stored in the TEPA information table 431T (S3: YES), the process proceeds to S5.

  If TEPA is not stored in the TEPA information table 431T (S3: NO), the encapsulation processing unit 431 requests the encapsulation notification processing unit 432 to inquire whether or not the traffic is transferred to the value-added system device 2. To do. Next, the process proceeds to S4.

  In S <b> 4, the encapsulation notification processing unit 432 performs a TEPA acquisition process that is a process for inquiring whether the traffic is transferred to the value-added system device 2 to the system management node 1. Details of the TEPA acquisition process are as follows. The encapsulation notification processing unit 432 generates an inquiry request including user identification information stored in the user information table 432T, and transmits the inquiry request to the system management node 1. When receiving the response from the system management node 1, the encapsulation notification processing unit 432 notifies the encapsulation processing unit 431 of the presence / absence of transfer of the traffic included in the response to the value-added system device 2 and TEPA. Thereafter, the TEPA acquisition process ends, and the process proceeds to S5.

  In S5, the address information processing unit 433 performs NAPT, and converts the source IPv4 address of the IPv4 packet from the private IPv4 address to the global IPv4 address. More specifically, the address information processing unit 433 selects an unused global IPv4 address from the address information storage unit 433S, and rewrites the source IPv4 address of the IPv4 packet with the selected global IPv4 address. Next, the process proceeds to S6.

  In S6, the address information processing unit 433 adds the entry for the address conversion performed in S5 to the NAPT table 433T. However, if an entry for the private IPv4 address of the user terminal 5 already exists in the NAPT table 433T, in S5, the NAPT address conversion is performed with reference to the entry, and the process of S6 is not performed. Next, the process proceeds to S7.

  In S7, the encapsulation processing unit 431 encapsulates the IPv4 packet that has undergone the NAPT conversion in S5, with an IPv6 capsule header. More specifically, it is as follows. The encapsulation processing unit 431 acquires an IPv6 address corresponding to the global IPv4 address of the source of the IPv4 packet from the address information processing unit 433. The encapsulation processing unit 431 encapsulates the IPv4 packet with an IPv6 capsule header having the acquired IPv6 address as the source IPv6 address and TEPA as the destination IPv6 address. Next, the process proceeds to S8.

  When the traffic of the user terminal 5 is traffic that is not transferred to the value-added system device 2, TEPA is the IPv6 address of the router 3. When the traffic of the user terminal 5 is traffic that is transferred to the value-added system device 2, TEPA is the IPv6 address of the value-added system device 2 notified from the system management node 1.

  In S <b> 8, the encapsulation processing unit 431 outputs the encapsulated IPv6 packet (IPv4 over IPv6 packet) to the IPv6 routing unit 422. The IPv4 over IPv6 packet is sent to the carrier network (IPv6 network) through the packet transfer processing unit 411 and the IPv6 interface unit 413 according to the IPv6 routing table 422T by the IPv6 routing unit 422. Thereafter, the process shown in FIG. 9 ends.

FIG. 10 is an example of a flowchart of processing of the GW apparatus 4 when an IPv6 packet is received from the carrier network. The flowchart shown in FIG.
It is started when the apparatus 4 is activated, and is repeatedly executed while the GW apparatus 4 is activated.

  In S11, the IPv6 interface unit 413 receives an IPv6 packet from the carrier network. The IPv6 packet is transferred to the IPv6 routing unit 422 by the packet transfer processing unit 411. Next, the process proceeds to S12.

  In S12, when the IPv6 packet is addressed to the IPv6 address of the GW apparatus 4 (S12: YES), the IPv6 packet is an IPv4 over IPv6 packet. The IPv6 routing unit 422 transfers the IPv6 packet to the encapsulation processing unit 431. Next, the process proceeds to S13. If the IPv6 packet is not addressed to the IPv6 address of the GW apparatus 4 (S12: NO), the process proceeds to S17. In S17, the IPv6 routing unit 422 sends the IPv6 packet to the packet transfer processing unit 411 according to the IPv6 routing table 422T. Forward. Thereafter, the process shown in FIG. 10 ends.

  In S13, the encapsulation processing unit 431 removes the IPv6 capsule header from the IPv4 over IPv6 packet and performs decapsulation. Next, the process proceeds to S14.

  In S14, when the packet acquired by decapsulation is an IPv4 packet (S14: YES), the process proceeds to S15. When the packet acquired by the decapsulation is not an IPv4 packet (S14: NO), in the first embodiment, the process illustrated in FIG. 10 ends. In FIG. 10, when the packet acquired by the decapsulation is not an IPv4 packet (S14: NO), the process proceeds to the process of S17, but the process of S17 is not performed in the first embodiment. It is not implemented, but is implemented in a second embodiment described later.

  In S15, the address information processing unit 433 determines whether there is an entry in the NAPT table 433T that matches the destination IPv4 address of the IPv4 packet. If there is a matching NAPT table 433 entry (S15: YES), the process proceeds to S16.

  If there is no matching entry in the NAPT table 433 (S15: NO), the processing shown in FIG. 10 ends. Note that an IPv4 packet obtained by decapsulation from an IPv6 packet received from the carrier network is a return packet, and normally there is an entry for the return packet in the NAPT table 433T. Therefore, if there is no entry in the corresponding NAPT table 433T, it is determined as an error.

  In S16, the address information processing unit 433 converts the destination IPv4 address of the IPv4 packet according to the entry of the matching NAPT table 433T. The address information processing unit 433 outputs the IPv4 packet to the IPv4 routing unit 421, and the IPv4 routing unit 421 outputs the IPv4 packet to the packet forwarding processing unit 411 according to the IPv4 routing table 421T. Thereafter, the IPv4 packet is output from the IPv4 interface unit 412 and the process shown in FIG.

(Processing of value-added equipment)
FIG. 11 is an example of a flowchart of processing when the IPv6 packet of the value-added system device 2 is received. The flowchart shown in FIG. 11 is started, for example, when the value-added system device 2 is activated, and is repeatedly executed while the value-added system device 2 is activated.

In S21, the IPv6 interface unit 212B receives an IPv6 packet from the router 3. The IPv6 packet is transferred to the IPv6 routing unit 222 by the packet transfer processing unit 211. Next, the process proceeds to S22.

  In S22, when the IPv6 packet is addressed to the IPv6 address of the value-added system device 2 (S22: YES), the IPv6 packet is an IPv4 over IPv6 packet, and the IPv6 routing unit 222 sends it to the encapsulation processing unit 231. Forward IPv6 packets. Next, the process proceeds to S23.

  In S23, the encapsulation processing unit 231 removes the IPv6 capsule header from the IPv6 packet and performs decapsulation. The encapsulation processor 231 transfers the decapsulated packet to the value-added processor 223, and the value-added processor 223 performs value-added processing on the packet. Next, the process proceeds to S24.

  In S24, when the packet acquired by decapsulation is an IPv4 packet (S24: YES), the process proceeds to S25. When the packet acquired by the decapsulation is not an IPv4 packet (S24: NO), the processing shown in FIG. 11 is finished in the first embodiment. In FIG. 11, when the packet acquired by the decapsulation is not an IPv4 packet (S24: NO), the process proceeds to S32. However, the process of S32 and S33 is the first implementation. This process is not performed in the form, and is performed in the second embodiment described later.

  In S25, the IPv4 routing unit 221 transfers the IPv4 packet to the packet transfer processing unit 211 according to the IPv4 routing table. Thereafter, the IPv4 packet is output from the IPv4 interface unit 212A. Next, the process proceeds to S26.

  In S26, the encapsulation processing unit 231 instructs the IPv4 routing unit 221 to advertise a route to the router 3 with respect to the source IPv4 address of the IPv4 packet obtained by the decapsulation in S23. The IPv4 routing unit 221 performs route advertisement of the source IPv4 address of the IPv4 packet transferred in S25 to the router 3 in accordance with the instruction. The IPv4 routing unit 221 records the IPv4 address advertised in the route in the memory. Thereafter, the process shown in FIG. 11 ends. Note that the route advertised IPv4 address recorded in the memory may be deleted from the memory if it is not referenced for a predetermined time.

  In S22, when the IPv6 packet is not addressed to the IPv6 address of the value added system device 2 (S22: NO), the process proceeds to S27. In S27, the IPv6 routing unit 222 determines whether the IPv6 packet is a packet addressed to the address advertised by the route. In the first embodiment, since the value-added system device 2 does not advertise the IPv6 address to the router 3 (S27: NO), the process proceeds to S28. In FIG. 11, there is a branch when the IPv6 packet is a packet addressed to the address advertised (S27: YES), but this branch does not occur in the first embodiment. The processes of S29 to S31 are processes that occur in the second embodiment described later.

  In S28, the value-added processing unit 223 performs value-added processing on the IPv6 packet, and the IPv6 routing unit 222 transfers the IPv6 packet to the packet transfer processing unit 211 according to the IPv6 routing table. Thereafter, the process shown in FIG. 11 ends.

FIG. 12 is an example of a flowchart of processing when the value-added system device 2 receives an IPv4 packet. In the first embodiment, the IPv4 packet received by the value-added system device 2 is a return packet from the IPv4 Internet. The flowchart illustrated in FIG. 12 is started, for example, when the value-added system device 2 is activated, and is repeatedly executed while the value-added system device 2 is activated.

  In S41, the IPv4 interface unit 212A receives an IPv4 packet from the router 3. The IPv4 packet is transferred to the IPv4 routing unit 221 by the packet transfer processing unit 211. Next, the process proceeds to S42.

  In S <b> 42, the IPv4 routing unit 221 determines whether the destination IPv4 address of the received IPv4 packet is the IPv4 address advertised to the router 3. More specifically, the IPv4 routing unit 221 determines whether or not there is a destination IPv4 address of the IPv4 packet in the memory that records the IPv4 address advertised to the router 3.

  When the destination IPv4 address of the received IPv4 packet is the IPv4 address advertised to the router 3 (S42: YES), the IPv4 routing unit 221 transfers the IPv4 packet to the value-added system processing unit 223, and the processing is performed. Proceed to S43.

  In S43, the value added processing unit 223 performs value added processing on the IPv4 packet. The value added processing unit 223 outputs the IPv4 packet to the IPv4 routing unit 221, and the IPv4 routing unit 221 outputs the IPv4 packet to the encapsulation processing unit 231. Next, the process proceeds to S44.

  In S <b> 44, the encapsulation processing unit 231 requests the address information processing unit 232 to convert the destination IPv4 address of the IPv4 packet to the IPv6 address. The address information processing unit 232 calculates an IPv6 address from the destination IPv4 address of the IPv4 packet according to 4rd. Next, the process proceeds to S45.

  In S45, the encapsulation processing unit 231 encapsulates the IPv4 packet with the IPv6 capsule header. The destination IPv6 address of the IPv6 capsule header is the IPv6 address calculated by the address information processing unit 232, and the source IPv6 address is the IPv6 address of the value-added system device 2. The encapsulation processing unit 231 outputs the encapsulated IPv6 packet to the IPv6 routing unit 222. Next, the process proceeds to S46.

  In S46, the IPv6 routing unit 222 transfers the IPv6 packet according to the IPv6 routing table. The IPv6 packet is output to the router 3 through the packet transfer processing unit 211 and the IPv6 interface unit 212B, and is transferred by the router 3 to the destination device. Thereafter, the process shown in FIG. 12 ends.

  In S42, when the destination IPv4 address of the received IPv4 packet is not the IPv4 address advertised to the router 3 (S42: NO), the process proceeds to S47. In S 47, the IPv4 routing unit 221 performs routing of the IPv4 packet according to the IPv4 routing table, and outputs it to the packet transfer processing unit 211. The IPv4 packet is transferred to the router 3 through the packet transfer processing unit 211 and the IPv4 interface unit, and is transferred to the destination device by the router 3. Thereafter, the process shown in FIG. 12 ends.

(Processing flow of system management node)
FIG. 13 is an example of a flowchart of processing of the system management node 1 when an inquiry request for the presence / absence of traffic transfer from the GW apparatus 4 to the value added system apparatus 2 is received. The process shown in FIG. 13 is started when the system management node 1 is activated, and is repeatedly executed while the system management node 1 is activated.

  In S51, the IPv6 interface unit 112 receives an inquiry request from the GW apparatus 4. The IPv6 interface unit 112 outputs an inquiry request to the packet transfer processing unit 111. The inquiry request is transferred to the notification generation processing unit 121 by the packet transfer processing unit 111. Next, the process proceeds to S52.

  In S <b> 52, the notification generation processing unit 121 requests the user information processing unit 122 to read the entry in the terminal user information management table 123 of the source IPv6 address of the inquiry request. When the terminal user information management table 123 includes an entry corresponding to the source IPv6 address of the inquiry request (S52: YES), the user information processing unit 122 reads the entry and notifies the notification generation processing unit 121 of the entry. . Next, the process proceeds to S53.

  In S <b> 53, the notification generation unit 121 determines based on the entry in the terminal user information management table 123 whether or not the inquiry requesting user is a user with transfer of traffic to the value-added system device 2. If the inquiry requesting user is a user with transfer of traffic to the value-added system device 2 (S53: YES), the process proceeds to S54.

  In S54, the notification generation unit 121 determines that the request is a query request from a user with transfer of traffic to the value-added system device 2, and the transfer of the traffic to the value-added system device 2 and the value-added system device 2 serving as TEPA. A response including the IPv6 address is generated. The response is sent to the IPv6 network through the packet transfer processing unit 111 and the IPv6 interface unit 112 and transmitted to the inquiry request source. Thereafter, the process shown in FIG. 13 ends.

  In S53, when the inquiry requesting user is a user who does not transfer traffic to the value-added system device 2 (S53: NO), the process proceeds to S55. In S55, the notification generation unit 121 determines that the request is an inquiry request from a user who does not transfer traffic to the value-added system device 2, and generates a response including no transfer to the value-added system device 2. The response is sent to the IPv6 network through the packet transfer processing unit 111 and the IPv6 interface unit 112 and transmitted to the inquiry request source. Thereafter, the process shown in FIG. 13 ends.

  In S52, when there is no entry corresponding to the source IPv6 address of the inquiry request in the terminal user information management table 123 (S52: NO), the user information processing unit 122 notifies that there is no entry. 121 is notified. Next, the process proceeds to S56.

  In S <b> 56, the notification generation processing unit 121 determines that it is an inquiry request from a user who does not transfer traffic to the value-added system device 2, and generates a response including no transfer to the value-added system device 2. The response is sent to the IPv6 network through the packet transfer processing unit 111 and the IPv6 interface unit 112 and transmitted to the inquiry request source. Next, the process proceeds to S57.

  In S57, the notification generation processing unit 121 notifies the user information processing unit 122 that the user of the inquiry request source does not transfer traffic to the value-added system device 2, and the user information processing unit 122 An entry is added to the information management table 123. The added entry includes user identification information included in the inquiry request, the source IPv6 address of the inquiry request, no forwarding of traffic to the value-added system device 2, and no TEPA. Thereafter, the process shown in FIG. 13 ends.

FIG. 14 is an example of a flowchart of the update process of the terminal user information management table 123 of the system management node 1. The flowchart shown in FIG. 14 shows, for example, when the administrator of the system management node 1 performs a predetermined start operation for updating the terminal user information management table 123 or when the system management node 1 is updated via the network. Triggered when a request is received.

  In S <b> 61, the user information processing unit 122 receives information addition to the terminal user information management table 123. For example, when an information addition request to the terminal user information management table 123 is input by an operation of a predetermined application by the administrator, the information addition request is input from the predetermined application to the user information processing unit 122. Next, the process proceeds to S62.

  In S <b> 62, the user information processing unit 122 determines whether or not an entry that matches the IPv6 address included in the added information already exists in the terminal user information management table 123. If there is an entry that matches the IPv6 address included in the added information (S62: YES), the process proceeds to S63.

  In S <b> 63, the user information processing unit 122 determines whether there is a transfer to the value-added system device 2 in the matching entry of the terminal user information management table 123 due to the added information, or whether there is a change in TEPA. Determine whether. If there is presence / absence of transfer to the value-added system device 2 in the entry or there is a change in TEPA (S63: YES), the process proceeds to S64.

  In S64, the user information processing unit 122 updates the entry with the added information, and whether or not there is a transfer to the value-added system device 2 in the entry, or there is a change in TEPA. It is determined to notify the user of the notification. The user information processing unit 122 requests the notification generation processing unit 121 to generate an information update notification, and the notification generation processing unit 121 generates and transmits an information update notification. The information update notification includes the presence or absence of transfer to the value-added system device 2 with the IPv6 address in the entry as the destination. The information update notification includes TEPA when transfer to the value-added system device 2 is present. Thereafter, the process shown in FIG. 14 ends.

  In S63, if there is a transfer to the value-added system device 2 in the matching entry or TEPA is not changed (S63: NO), the process proceeds to S65. In S65, the user information processing unit 122 updates the entry with the added information, and determines that the update is an overwriting without a change and does not notify the user of the information update. Thereafter, the information update notification to the corresponding user is not performed, and the processing shown in FIG. 14 ends.

  In S62, if there is no entry in the terminal user information management table 123 that matches the IPv6 address included in the added information (S62: NO), the process proceeds to S66. In S <b> 66, the user information processing unit 122 adds the added information as a new entry to the terminal user information management table 123, determines that the communication of the corresponding user is not started, and does not perform the information update notification to the corresponding user. Determine. At this point, for example, the item “IPv6 address” in the entry of the terminal user information management table 123 shown in FIG. 8 may be empty. The item “IPv6 address” of the entry of the terminal user information management table 123 may be recorded, for example, when an inquiry request including the user identification information of the entry is received (FIG. 13, S54). Good. Thereafter, the process shown in FIG. 14 ends.

(Process flow between devices)
FIG. 15 is an example of a sequence diagram of processing relating to traffic transferred to the value-added system device 2. In the example illustrated in FIG. 15, it is assumed that the traffic of the user terminal 5 is traffic with transfer to the value-added system device 2. Further, it is assumed that the GW apparatus 4 does not recognize whether or not the traffic of the user terminal 5 is transferred to the value-added system apparatus 2, that is, the TEPA information table 431T is in an initial state (no TEPA entry).

  In OP1, the user terminal 5 transmits a packet addressed to the IPv4 Internet. This packet is an IPv4 packet and reaches the GW apparatus 4.

  In OP2, the GW apparatus 4 receives an IPv4 packet addressed to the IPv4 Internet from the user terminal 5 (FIG. 9, S1, S2: YES). Since the TEPA information table 431T is in an initial state (FIG. 9, S3: NO), the GW apparatus 4 transmits an inquiry request for the presence / absence of traffic transfer to the value added system apparatus 2 to the system management node 1 (FIG. 9). 9, S4).

  In OP3, the system management node 1 receives an inquiry request from the GW apparatus 4 (FIG. 13, S51). The system management node 1 generates a response including transfer to the value-added system device 2 and TEPA, and transmits the response to the GW device 4 (FIGS. 13, S52, S53, and S54). The TEPA notified to the GW apparatus 4 is the IPv6 address of the value added system apparatus 2.

  In OP4, the GW apparatus 4 receives the response to the inquiry request, and addresses the IPv4 packet from the user terminal 5 using NAPT address translation (FIG. 9, S5, S6) and encapsulation using the IPv6 capsule header (FIG. 9). , S7). The destination of the IPv6 capsule header is the IPv6 address of the value added device 2. The source of the IPv6 capsule header is the IPv6 address of the GW apparatus 4.

  In OP5, the GW apparatus 4 transmits an IPv4 over IPv6 packet to the IPv6 network (carrier network) (FIG. 9, S8). This IPv4 over IPv6 packet first reaches the router 3.

  In OP6, the router 3 transfers the packet to the value-added system device 2 that is the destination according to the IPv6 capsule header of the IPv4 over IPv6 packet.

  In OP7, the value-added system device 2 receives the IPv4 over IPv6 packet (FIGS. 11, S21, and S22), performs decapsulation, acquires the IPv4 packet, and performs value-added processing (FIG. 11, S23). .

  In OP8, the value-added system device 2 transmits the IPv4 packet acquired by decapsulation to the destination IPv4 Internet (FIG. 11, S24). The IPv4 packet reaches the router 3 from the value-added system device 2.

  In OP9, the value-added device 2 sends the IPv4 packet source IPv4 acquired by the decapsulation to the router 3 in order to have the return packet for the decapsulated packet transferred to the value-added device 2. A route advertisement is performed for the address (FIG. 11, S26).

  In OP10, the router 3 receives the IPv4 packet from the value-added system device 2, and transfers the packet to the IPv4 Internet according to the destination IPv4 address of the IPv4 packet.

In OP11, a return packet as a response arrives at the router 3 from the destination device in the IPv4 Internet. In OP12, the router 3 transfers the return packet according to the destination IPv4 address of the return packet. The destination IPv4 address of the return packet is the IPv4 address advertised to the router 3 from the value-added system device 2 in OP9. Therefore, in OP12, the router 3 transfers the return packet to the value-added system device 2.

  In OP13, the value-added system device 2 receives the return packet (FIG. 12, S41, S42: YES), and performs value-added processing and encapsulation (FIG. 12, S43 to S45). In OP14, the value-added system device 2 transmits an IPv4 over IPv6 packet. The destination address and the source address of the IPv6 capsule header of the IPv4 over IPv6 packet are the IPv6 address of the GW apparatus 4 and the IPv6 address of the value-added system apparatus 2, respectively. Further, the destination address and the source address of the IPv4 header are the global IPv4 address of the GW apparatus 4 and the IPv4 address of the destination apparatus in the IPv4 Internet, respectively.

  In OP15, the router 3 receives the IPv4 over IPv6 packet from the value-added system device 2, and transfers it to the GW device 4 according to the IPv6 capsule header.

  In OP16, the GW apparatus 4 receives the IPv4 over IPv6 packet (FIG. 10, S11, S12), removes the IPv6 capsule header, performs decapsulation, and acquires the IPv4 packet (FIG. 10, S13).

  In OP17, the GW apparatus 4 converts the global IPv4 address, which is the destination of the IPv4 packet acquired by decapsulation, into a private IPv4 address by NAPT and transmits it to the user terminal 5 (FIG. 10, S14: YES, S15: YES). , S16).

<Operational effects of the first embodiment>
In the first embodiment, when the upstream traffic is transferred to the value-added system device 2, the GW device 4 uses the IPv4 packet of the traffic as the destination IPv6 address and the IPv6 address of the value-added system device 2. Encapsulate with IPv6 header to be used. When the upstream traffic is not transferred to the value-added system device 2, the IPv4 packet of the traffic is encapsulated with an IPv6 header using the IPv6 address of the router 3 as the destination IPv6 address. As a result, the target traffic for value-added processing can be transferred to the value-added system device 2, and other traffic does not have to go through the value-added system device 2. Therefore, the traffic transferred to the value added system device 2 can be suppressed to the target traffic of the value added system processing. As a result, the number of expensive devices used as the value-added system device 2 can be reduced, and the cost of the entire system can be reduced. Further, for example, when there is a difference in packet transfer capability between the router 3 and the value-added system device 2 such that the packet transfer capability of the router 3 is 1 Gbps and the packet transfer capability of the value-added system device 2 is 100 Mbps. However, the possibility of congestion due to bottlenecks can be reduced.

  Further, in the first embodiment, the value-added system device 2 is connected to the router 3 on the inline, and is itself located on the outline. As a result, even when a failure occurs in the value-added system device 2, the range of influence due to the failure can be suppressed between the router 3 and the value-added system device 2.

  In addition, according to the first embodiment, the inline router 3 routes the encapsulated IPv6 packet according to the IPv6 header and forwards it to the value-added system device 2 by performing a normal process. Traffic that is subject to value processing can be transferred. That is, according to the first embodiment, it is possible to transfer target traffic for value-added processing to the value-added system device 2 without changing the configuration of the router 3 that is a device in the carrier network on the inline. .

  In the first embodiment, since the IPv6 address and the IPv4 address are converted using 4rd, the GW apparatus 4, the router 3, and the value-added system apparatus 2 can encapsulate the IPv4 packet without using a predetermined table. Can be made. As a result, the resources of each device can be saved, and the load related to encapsulation can be reduced. In addition, since the processing for searching the table has a higher processing load than the arithmetic processing, the value-added system device 2 can reduce the load related to traffic encapsulation by not using the table for encapsulation. it can.

  In the first embodiment, the GW apparatus 4 performs NAPT for conversion between the private IPv4 address used by the user terminal 5 and the global IPv4 address. However, when there is one user terminal subordinate to the GW apparatus 4, NAT may be performed.

Second Embodiment
FIG. 16 is a diagram illustrating an example of a configuration of a network system 100B according to the second embodiment. In the network system 100B according to the second embodiment, the network between the user terminal 5 and the GW apparatus 4 and the Internet are also IPv6 networks.

  Therefore, in the second embodiment, the GW apparatus 4 does not perform NAT or NAPT address conversion. In the first embodiment, the GW apparatus 4 switches the destination IPv6 address between the router 3 or the value-added system apparatus 2 according to traffic, but encapsulates all IPv4 packets from the user terminal 5 with the IPv6 capsule header. It was converted. In the second embodiment, the GW device 4 encapsulates the IPv6 packet from the user terminal 5 with the IPv6 capsule header destined for the IPv6 address of the value-added system device 2 regarding the traffic to be processed by the value-added system device 2. Turn into. In the second embodiment, a packet that is not a processing target of the value-added system device 2 is not encapsulated. Hereinafter, descriptions overlapping with those of the first embodiment are omitted.

  FIG. 17 is a diagram illustrating an example of packet address transition in the network system 100B according to the second embodiment. FIG. 17 shows a flow of a packet that is a processing target of the value-added system device 2.

In the example shown in FIG. 17, the IPv6 address prefix is “2001: db8 :: / 40”. Further, the IPv6 address of the value added system device 2 is “2001: db8 :: 1”. It is assumed that the GW apparatus 4 has already acquired the IPv6 address of the value-added system device 2 as TEPA, and that traffic from the user terminal 5 is a processing target of the value-added system device 2.

First, the packet address transition in the upstream will be described. When the user terminal 5 transmits an IPv6 packet to a destination device in the Internet, the IPv6 packet arrives at the GW device 4. At this time, the destination IPv6 address of the IPv6 packet is “2001: db8: 0012e :: f”, and the source IPv6 address is “2001: db8: 0012: f :: 1”.

Next, since the received IPv6 packet is a processing target of the value-added system device 2, the GW device 4 further encapsulates the received IPv6 packet with an IPv6 capsule header. The destination IPv6 address of the IPv6 capsule header is the IPv6 address “2001: db8 :: 1” of the value-added system device 2 that is TEPA. The source IPv6 address of the IPv6 capsule header is calculated from the source IPv6 address of the received IPv6 packet. In the example shown in FIG. 17, the IPv6 address used by the GW apparatus 4 in the IPv6 capsule header uses the upper 48 bits of the source IPv6 address of the received IPv6 packet as it is, and the lower 80 bits are calculated as “2 :: 1”. Is done. That is, the IPv6 address used in the IPv6 capsule header is “2001: db8: 0012: 2 :: 1”. Hereinafter, a packet that is encapsulated with an IPv6 capsule header added is referred to as an original packet.

  When the packet encapsulated with the IPv6 capsule header arrives at the router 3, the packet is transferred by the router 3 to the value-added system device 2 according to the destination IPv6 address of the IPv6 capsule header. The value-added system device 2 decapsulates the encapsulated IPv6 packet to obtain the original IPv6 packet. The value-added system device 2 performs value-added processing on the original IPv6 packet and then transmits the original IPv6 packet. The original IPv6 packet arrives at the destination device in the IPv6 Internet via the router 3.

  Also in the second embodiment, the value-added system device 2 performs route advertisement regarding the source address of the original IPv6 packet to the router 3. As a result, a return packet from a destination device in the IPv6 Internet can be routed through the value-added system device 2.

  Next, address transition of the return packet in the downstream from the destination device in the IPv6 Internet will be described. The IPv6 packet that is a return packet first arrives at the router 3. Since the destination IPv6 address of the return packet is advertised to the router 3 from the value-added system device 2, the return packet is transferred to the value-added system device 2 by the router 3.

  Upon receiving the return packet, the value-added device 2 performs value-added processing and encapsulates the return packet with an IPv6 capsule header. The IPv6 capsule header destination IPv6 address “2001: db8: 0012: 2 :: 1” is calculated from the return packet destination IPv6 address “2001: db8: 0012: f :: 1” using the same rules as the GW device 4 Is done. The source IPv6 address of the IPv6 capsule header is the IPv6 address “2001: db8 :: 1” of the value-added device 2 that is TEPA.

  The encapsulated packet arrives at the GW apparatus 4 that is the destination of the IPv6 capsule header. The GW apparatus 4 removes the IPv6 capsule header and decapsulates it to obtain a return packet. Next, the GW apparatus 4 transmits a return packet to the user terminal 5.

  In the second embodiment, the GW device 4 and the value-added system device 2 that perform encapsulation calculate the source or destination IPv6 address in the IPv6 capsule header from the source or destination IPv6 address of the original IPv6 packet according to the same rule. To do. As a result, the GW apparatus 4 and the value-added system apparatus 2 do not need to hold a table to perform encapsulation, and can save resources and reduce processing load. The rule for calculating the source or destination IPv6 address in the IPv6 capsule header from the source or destination IPv6 address of the IPv6 packet is not limited to a predetermined method.

  It should be noted that traffic that is not a processing target of the value-added system device 2 is not encapsulated, and is forwarded as usual via the GW device 4 and the router 3 without passing through the value-added system device 2.

(Device configuration)
The hardware configuration and functional configuration of each device in the network system 100B are substantially the same as those in the first embodiment, for example, except that the components related to IPv4 are not included or the components related to IPv4 are not activated.

(Process flow)
(Processing flow in GW device)
FIG. 18 is an example of a flowchart of processing when an IPv6 packet is received from the user terminal 5 of the GW apparatus 4 in the second embodiment. The flowchart shown in FIG. 18 is started, for example, when the GW apparatus 4 is activated, and is repeatedly executed while the GW apparatus 4 is activated.

  In S <b> 71, the IPv6 interface unit 413 receives an IPv6 packet from the user terminal 5. The IPv6 packet is transferred to the IPv6 routing unit 422 by the packet transfer processing unit 411. Next, the process proceeds to S72.

  In S72, when the IPv6 packet is addressed to the IPv6 Internet (S72: YES), the IPv6 routing unit 422 transfers the IPv6 packet to the encapsulation processing unit 431. Next, the process proceeds to S73. If the IPv6 packet is not addressed to the IPv6 Internet (S72: NO), the process proceeds to S77. In S77, the IPv6 routing unit 422 transfers the IPv6 packet to the packet transfer processing unit 411 according to the IPv6 routing table 422T. Thereafter, the process shown in FIG. 18 ends.

  In S73, when receiving the IPv6 packet addressed to the IPv6 Internet, the encapsulation processing unit 431 determines whether or not the TEPA information table 431T stores TEPA as the transfer destination of the IPv6 packet. If TEPA is stored in the TEPA information table 431T (S73: YES), the process proceeds to S75.

  When TEPA is not stored in the TEPA information table 431T (S73: NO), the encapsulation processing unit 431 requests the encapsulation notification processing unit 432 to inquire about the presence or absence of traffic transfer to the value-added system device 2. To do. Next, the process proceeds to S74.

  In S <b> 74, the encapsulation notification processing unit 432 performs a TEPA acquisition process that is a process for inquiring whether the traffic is transferred to the value-added system device 2 to the system management node 1. Details of the TEPA acquisition process are as follows. The encapsulation notification processing unit 432 generates an inquiry request including user identification information stored in the user information table 432T, and transmits the inquiry request to the system management node 1. When receiving the response from the system management node 1, the encapsulation notification processing unit 432 notifies the encapsulation processing unit 431 of the presence / absence of transfer of the traffic included in the response to the value-added system device 2 and TEPA. Thereafter, the TEPA acquisition process ends, and the process proceeds to S75.

  In S75, the encapsulation processing unit 431 encapsulates an IPv6 packet addressed to the IPv6 Internet with an IPv6 capsule header. The destination IPv6 address of the IPv6 capsule header is TEPA stored in the TEPA information table 431T. The source IPv6 address of the IPv6 capsule header is an IPv6 address calculated according to a predetermined rule. Next, the process proceeds to S76.

  In S76, the encapsulation processing unit 431 outputs the encapsulated IPv6 packet to the IPv6 routing unit 422. The IPv6 packet is sent to the carrier network (IPv6 network) by the IPv6 routing unit 422 through the packet transfer processing unit 411 and the IPv6 interface unit 413 according to the IPv6 routing table 422T. Thereafter, the process shown in FIG. 18 ends.

Note that the processing when the GW apparatus 4 receives an IPv6 packet from the carrier network is as described in FIG. However, in the second embodiment, the network system 100B does not include an IPv4 network, and NAT or NAPT is not performed. Therefore, the processes of S15 and S16 in FIG. 10 are not performed.

(Processing in value-added equipment)
In the second embodiment, the processing when the value-added system device 2 receives an IPv6 packet is shown in FIG. The flowchart shown in FIG. 11 includes the processing of the first embodiment. In the second embodiment, S25 and S26 of FIG. 11 relating to the IPv4 packet are not performed.

  In S21, the IPv6 interface unit 212B receives an IPv6 packet from the router 3. The IPv6 packet is transferred to the IPv6 routing unit 222 by the packet transfer processing unit 211. In the second embodiment, the value-added system device 2 receives the upstream IPv6 packet transmitted from the user terminal 5 and the downstream IPv6 packet transmitted from the destination device in the IPv6 Internet. Next, the process proceeds to S22.

  In S22, when the IPv6 packet is addressed to the TEPA IPv6 address of the value-added device 2 (S22: YES), the IPv6 packet is an upstream IPv6 packet transmitted from the user terminal 5. In this case, the IPv6 routing unit 222 transfers the IPv6 packet to the encapsulation processing unit 231. Next, the process proceeds to S23.

  In S23, the encapsulation processing unit 231 removes the IPv6 capsule header from the IPv6 packet and performs decapsulation. The encapsulation processor 231 transfers the decapsulated packet to the value-added processor 223, and the value-added processor 223 performs value-added processing on the packet. Next, the process proceeds to S24.

  In S24, when the packet acquired by decapsulation is an IPv6 packet (S24: NO), the process proceeds to S32. In the second embodiment, since no device transmits an IPv4 packet, if the packet acquired by decapsulation is an IPv4 packet (S24: YES), the processing shown in FIG. 11 is performed in the second embodiment. Ends. In FIG. 11, when the packet acquired by the decapsulation is an IPv4 packet (S24: YES), the process is shown to proceed to S25. However, the process of S25 and S26 is the second process. This is not done in the embodiment.

  In S32, since the IPv6 packet is an upstream packet from the user terminal 5 to the destination device in the IPv6 Internet, the IPv6 routing unit 222 transfers the IPv6 packet to the packet transfer processing unit 211 according to the IPv6 routing table. Thereafter, the IPv6 packet is output from the IPv6 interface unit 212B. Next, the process proceeds to S33.

  In S33, the encapsulation processing unit 231 instructs the IPv6 routing unit 222 to advertise a route to the router 3 with respect to the source IPv6 address of the IPv6 packet obtained by the decapsulation in S23. The IPv6 routing unit 222 performs route advertisement of the source IPv6 address of the IPv6 packet transferred in S32 to the router 3 in accordance with the instruction. The IPv6 routing unit 222 records the IPv6 address advertised in the route in the memory. Thereafter, the process shown in FIG. 11 ends. The route advertised IPv6 address recorded in the memory may be deleted from the memory if it is not referenced for a predetermined time.

  In S22, when the received IPv6 packet is addressed to an IPv6 address that is not TEPA of the value-added system 2 (S22: NO), the process proceeds to S27. In S27, the IPv6 routing unit 222 determines whether the received IPv6 packet is a packet addressed to the address advertised by the route. If the received IPv6 packet is not a packet addressed to the address advertised by the route (S27: NO), the process proceeds to S28.

  In S28, the value-added processing unit 223 performs value-added processing on the IPv6 packet, and the IPv6 routing unit 222 outputs the IPv6 packet to the packet transfer processing unit 211 according to the IPv6 routing table. Thereafter, the process shown in FIG. 11 ends.

  If the received IPv6 packet is a packet addressed to the address advertised in S27 (S27: YES), the process proceeds to S29. The received IPv6 packet in this case is a return packet from the destination device in the IPv6 Internet.

  In S <b> 29, the value added processing unit 223 performs value added processing on the IPv6 packet and outputs the result to the encapsulation processing unit 231. The encapsulation processing unit 231 requests the address information processing unit 232 to calculate the destination IPv6 address of the IPv6 capsule header. The address information processing unit 232 calculates an IPv6 address according to the same predetermined rule as that of the GW device 4. Next, the process proceeds to S30.

  In S30, the encapsulation processing unit 231 encapsulates the received IPv6 packet with an IPv6 capsule header. The destination IPv6 address of the IPv6 capsule header is the IPv6 address calculated by the address information processing unit 232. Since this IPv6 address is calculated according to the same rule as the IPv6 capsule header transmission source IPv6 address used by the GW device 4 at the time of encapsulation, the IPv6 capsule header transmission source used by the GW device 4 at the time of encapsulation. Same as IPv6 address. The source IPv6 address of the IPv6 capsule header is the TEPA address of the value-added system device 2. The encapsulation processing unit 231 outputs the encapsulated IPv6 packet to the IPv6 routing unit 222. Next, the process proceeds to S31.

  In S31, the IPv6 routing unit 222 transfers the packet according to the destination of the IPv6 capsule header and the IPv6 routing table. The packet is transferred to the router 3 through the packet transfer processing unit 211 and the IPv6 interface unit 212B. Thereafter, the process shown in FIG. 11 ends. The router 3 transfers the packet to the destination of the IPv6 capsule header, and the packet arrives at the GW apparatus 4. In the GW apparatus 4, the process shown in FIG. 10 is performed, and the packet is transferred to the user terminal 5.

(Process flow between devices)
FIG. 19 is an example of a sequence diagram of processing relating to traffic transferred to the value-added system device 2 in the network system 100B. In the example shown in FIG. 19, it is assumed that the traffic of the user terminal 5 is traffic with transfer to the value-added system device 2. Further, it is assumed that the GW apparatus 4 does not recognize whether or not the traffic of the user terminal 5 is transferred to the value-added system apparatus 2, that is, the TEPA information table 431T is in an initial state (no TEPA entry).

  In OP21, the user terminal 5 transmits an IPv6 packet addressed to a destination device in the IPv6 Internet. This IPv6 packet reaches the GW apparatus 4.

In OP22, the GW apparatus 4 sends an IPv6 address from the user terminal 5 to the IPv6 Internet.
6 packets are received (FIG. 18, S71, S72: YES). Since the TEPA information table 431T is in the initial state (FIG. 18, S73: NO), the GW apparatus 4 transmits an inquiry request for the presence / absence of traffic transfer to the value added system apparatus 2 to the system management node 1 (FIG. 18). 18, S74).

  In OP23, the system management node 1 receives the inquiry request from the GW apparatus 4 (FIG. 13, S51). The system management node 1 generates a response including transfer to the value-added system device 2 and TEPA, and transmits the response to the GW device 4 (FIGS. 13, S52, S53, and S54). The TEPA notified to the GW apparatus 4 is the IPv6 address of the value added system apparatus 2.

  In OP24, the GW apparatus 4 receives a response to the inquiry request, and performs encapsulation using the IPv6 header on the IPv6 packet from the user terminal 5 (S75 in FIG. 18). The destination of the IPv6 capsule header is the IPv6 address of the value added device 2. The source of the IPv6 capsule header is an IPv6 address calculated according to a predetermined rule.

  In OP25, the GW apparatus 4 transmits the packet encapsulated with the IPv6 capsule header to the carrier network (FIG. 17, S76). The encapsulated IPv6 packet first reaches the router 3.

  In OP26, the router 3 transfers the packet to the value-added system device 2 as the destination according to the IPv6 capsule header.

  In OP27, the value-added system device 2 receives the IPv6 packet encapsulated with the IPv6 header (FIGS. 11, S21, and S22), acquires the original IPv6 packet by decapsulation, and performs value-added processing ( FIG. 11, S23).

  In OP28, the value-added system device 2 transmits the original IPv6 packet acquired by decapsulation to the destination device in the IPv6 Internet that is the destination of the original IPv6 packet (FIG. 11, S32). The original IPv6 packet reaches the router 3 from the value-added system device 2.

  In OP29, the value-added device 2 sends a route advertisement for the source IPv6 address of the original IPv6 packet to the router 3 in order to have the return packet for the original IPv6 packet transferred to the value-added device 2. It performs (FIG. 11, S33).

  In OP30, the router 3 receives the IPv6 packet from the value-added system device 2, and transfers the IPv6 packet to the IPv6 Internet according to the destination IPv6 address of the IPv6 packet.

  In OP31, a return packet as a response arrives at the router 3 from the destination device in the IPv6 Internet. In OP32, the router 3 transfers the return packet according to the destination IPv6 address of the return packet. The destination IPv6 address of the return packet is the IPv6 address advertised by the route from the value-added system device 2 to the router 3 in OP29. Therefore, in OP32, the router 3 transfers the return packet to the value-added system device 2.

In OP33, the value-added system device 2 receives the return packet (FIG. 11, S21, S22: NO), and the return packet is a destination packet advertised to the router 3 (FIG. 11, S27: YES). ), Value-added processing and encapsulation are performed (FIG. 11, S29, S30).

  In OP34, the value-added system device 2 transmits the encapsulated IPv6 packet (FIG. 11, S31). The destination address and source address of this IPv6 capsule header are the calculated IPv6 address and the IPv6 address of TEPA of the value-added system device 2, respectively. The destination address and the source address of the original IPv6 packet are the IPv6 address of the user terminal 5 and the IPv6 address of the destination device in the IPv6 Internet, respectively.

  In OP35, the router 3 receives the encapsulated IPv6 packet from the value-added system device 2, and transfers it to the GW device 4 according to the IPv6 capsule header.

  In OP36, the GW apparatus 4 receives the encapsulated IPv6 packet (FIG. 10, S11, S12), and performs decapsulation to remove the IPv6 capsule header and obtain the original return packet (FIG. 10, S13). .

  In OP37, the GW apparatus 4 transmits the return packet acquired by decapsulation to the user terminal 5 that is the destination (FIG. 10, S14: NO, S17).

<Effects of Second Embodiment>
According to the second embodiment, even when the entire network system 100B is constructed with IPv6 addresses, the GW device 4 encapsulates the value-added system device 2 as the destination, thereby passing traffic to the value-added system device 2. Can be transferred. Also in the case of the second embodiment, traffic other than the traffic to be processed by the value-added system device 2 does not pass through the value-added system device 2, so that the processing load on the value-added system device 2 can be reduced.

  Also in the second embodiment, since the GW device 4 (CE) on the user side can control the transfer of traffic to the value-added system device 2, there is a change in the presence / absence of the transfer to the value-added system device 2. However, it is not necessary to change the configuration in the carrier network.

  In the second embodiment, since the address used for the capsule header is calculated using a rule unified by the GW device 4 that performs encapsulation and the value-added system device 2, the GW device 4 and the value-added system device 2 It is not necessary to maintain a table for conversion. Therefore, it is possible to save resources of the GW device 3 and the value-added system device 2 and reduce the processing load.

<Modification>
In the first embodiment, the IPv4 address and the IPv6 address are converted using 4rd, but the invention is not limited to 4rd. Any IPv4 address / IPv6 address conversion method may be used as long as it is common between the devices that perform the encapsulation.

  In the first and second embodiments, the presence / absence of transfer to the value-added system 2 is set for each user (see the terminal user information management table 123 in FIG. 8), but is not limited thereto. For example, the presence / absence of transfer to the value-added system device 2 may be set depending on the type of traffic such as TCP or HTTP. The conditions for transfer to the value-added system device 2 can be changed, for example, by changing the entry item in the terminal user information management table 123 of the system management node 1.

  In the first and second embodiments, the GW apparatus 4 inquires the system management node to obtain whether or not the traffic is transferred to the value-added system apparatus 2. Instead of this, the GW apparatus 4 holds in advance a condition for transferring traffic to the value-added system apparatus 2 in the memory, and the GW apparatus 4 determines whether or not the traffic is transferred to the value-added system apparatus 2 according to the condition. May be.

  In the first and second embodiments, there is one value-added system device 2 connected to the router 3, but since the configuration of the router 3 does not change due to the connection of the value-added system device 2, the router 3 A plurality of value-added system devices 2 connected to 3 may be provided. Since the value-added system device 2 is positioned on the outline, a plurality of value-added system devices 2 can be connected to the router 3 through the network. By arranging a plurality of value-added systems 2, value-added processes can be distributed.

  When a plurality of value-added devices 2 are arranged, the TEPA settings of entries in the terminal user information management table 123 of the system management node 1 are distributed within the IPv6 addresses of the plurality of value-added devices 2. , Value added processing can be distributed. For example, in the terminal user information management table 123 shown in FIG. 8, as the TEPA, IPv6-X is set for the users A and B, and IPv6-Y is set for the user C. The load is distributed by making the system devices 2 different.

  In the first and second embodiments, the value-added system device 2 advertises the route of the source address of the packet obtained by the decapsulation to the router 3, but the present invention is not limited to this. For example, when the system management node 1 responds to an inquiry request for presence / absence of transfer to the value-added system device 2, a route advertisement related to the address of the inquiry request source GW device 4 is sent to the router 3. Also good.

  Further, in the case where value-added processing is not performed on a return packet of traffic, route advertisement for the router 3 may be omitted.

  In the second embodiment, the GW apparatus 4 encapsulates the upstream packet from the user terminal 5, but an apparatus other than the GW apparatus 4 may encapsulate the packet. For example, when the user terminal 5 holds conditions for transfer to the value-added system device 2 and TEPA and transmits a packet that matches the condition, the user terminal 5 may encapsulate the packet. If there is a relay device (not shown) between the in-line GW device 4 and the router 3 other than the user terminal 5, the relay device is a condition for transfer to the value-added system device 2. And TEPA are stored, and when a packet matching the condition is received, the packet may be encapsulated.

DESCRIPTION OF SYMBOLS 1 System management node 2 Value added system apparatus 3 Router 4 Gateway apparatus 5 User terminal 121 Notification production | generation process part 122 User information processing part 123 Terminal user information management table 221, 422 IPv6 routing part 222, 421 IPv4 routing part 223 Value added system Processing units 231 and 431 Encapsulation processing units 232 and 433 Address information processing unit 432 Encapsulation notification processing unit

Claims (5)

A packet processing system including a communication device and a relay device located on a packet path,
The packet processing system includes:
A packet processing device that connects to the relay device outside the path and performs predetermined processing on the packet;
Further including
The communication device calculates an address from a source address of the packet by a predetermined calculation method according to whether or not the packet is a target of the predetermined processing, and sets the packet processing device as a destination for the packet. Then, a header with the calculated address as a source address is added and transmitted,
When the packet processing device receives the packet with the header attached, the packet processing device removes the header, performs the predetermined processing, forwards the packet with the header removed to the relay device, and removes the header. A route advertisement related to a source address of the received packet is transmitted to the relay device, and when a packet whose destination is the address for which the route advertisement is performed is received, the predetermined calculation method is calculated from the destination address of the received packet. The address is calculated with, and the received packet is encapsulated and transmitted with the header addressed to the calculated address .
Packet processing system. The address of the packet processing device and the transfer condition of the packet to the packet processing device are stored in the storage unit, and the packet that matches the transfer condition is transferred to the packet processing device and the address of the packet processing device. And a management device that notifies the communication device,
The communication device gives a packet a header destined for the packet processing device according to the notification.
The packet processing system according to claim 1 .   Including a communication device and a relay device located on the path of the packet;
  The network connecting the communication device and the user terminal, and the network between the relay device and the destination device are constructed with an IPv4 address system,
  The network between the communication device and the relay device is constructed with an IPv6 address system.
A packet processing system,
  The packet processing system includes:
  A packet processing device that connects to the relay device outside the path and performs predetermined processing on the packet;
Further including
  The relay device and the packet processing device are located at a boundary between a network constructed with the IPv4 address system and a network constructed with the IPv6 address system,
  When the packet from the user terminal is a processing target of the packet processing device, the communication device calculates an address obtained by converting the source address of the packet from an IPv4 address to an IPv6 address according to 4rd. The header is sent to the packet with the address as the source address and the address of the packet processing device that is an IPv6 address as the destination address.
  The packet processing device, when receiving a packet with the header attached, removes the header, performs the predetermined processing, and forwards the packet with the header removed to the relay device.
Packet processing system. A packet processing method executed in a packet processing system including a communication device and a relay device located on a packet path,
The packet processing system includes:
A packet processing device that connects to the relay device outside the path and performs predetermined processing on the packet;
Further including
The communication device calculates an address from a source address of the packet by a predetermined calculation method according to whether or not the packet is a target of the predetermined processing, and sets the packet processing device as a destination for the packet. Then, a header with the calculated address as a source address is added and transmitted,
When the packet processing device receives the packet with the header attached, the packet processing device removes the header, performs the predetermined processing, forwards the packet with the header removed to the relay device, and removes the header. A route advertisement related to a source address of the received packet is transmitted to the relay device, and when a packet whose destination is the address for which the route advertisement is performed is received, the predetermined calculation method is calculated from the destination address of the received packet. The address is calculated with, and the received packet is encapsulated and transmitted with the header addressed to the calculated address .
Packet processing method.   Including a communication device and a relay device located on the path of the packet;
  The network connecting the communication device and the user terminal, and the network between the relay device and the destination device are constructed with an IPv4 address system,
  The network between the communication device and the relay device is constructed with an IPv6 address system.
A packet processing method executed in a packet processing system,
  The packet processing system includes:
  A packet processing device that connects to the relay device outside the path and performs predetermined processing on the packet;
Further including
  The relay device and the packet processing device are located at a boundary between a network constructed with the IPv4 address system and a network constructed with the IPv6 address system.
,
  When the packet from the user terminal is a processing target of the packet processing device, the communication device calculates an address obtained by converting the source address of the packet from an IPv4 address to an IPv6 address according to 4rd. The header is sent to the packet with the address as the source address and the address of the packet processing device that is an IPv6 address as the destination address.
  The packet processing device, when receiving a packet with the header attached, removes the header, performs the predetermined processing, and forwards the packet with the header removed to the relay device.
Packet processing method.

Images