KR20020074914A - Method for data flow separation on network and apparatus therefor - Google Patents

Abstract

PURPOSE: A method and an apparatus for identifying data flows on a network are provided to identify the data flows between local hosts, sharing and using a global IP address, and external hosts for the full access communication between them. CONSTITUTION: An NATFS(Network Address Translation by Flow Separation) router judges whether an IP packet being forwarded is an outgoing packet(S201). In case that the present IP packet is an outgoing packet, the NATFS router judges whether IP address conversion is required(S202). If it is judged that IP address conversion is required, the NATFS router searches a conversion table using the source IP address, destination IP address, source port and destination port of the IP packet(S203). If a suitable search result is obtained from the conversion table, the NATFS router processes the IP packet according to its service type(S204,S206). Then the NATFS router converts the local IP address of the IP packet, or the source IP address, into a global IP address(S207). Afterwards the NATFS router sets time-out(S208), calculates a check sum for the data integrity of each packet's modified contents(S209), and forwards the address-converted IP packet(S210).

Description

Method and data flow identification on network and apparatus therefor}

The present invention relates to a network apparatus and a networking method, and more particularly, to a method and apparatus for distinguishing data flows transmitted and received by a local host sharing and using a global IP address.

Currently, all hosts on the Internet (TCP / IP network) must be assigned a globally unique IP address (IPv4) with a 32-bit addressing system to access the Internet. However, the advent of the world wide web, the exponential quantitative expansion of Internet services, and the inefficient allocation of IP addresses have resulted in rapid depletion of the limited IP address space. As a result, IP addresses are very scarce worldwide.

This is a very serious problem in view of the creation of new large networks, and the need to connect these large networks to the existing Internet. As a long-term solution to address this depletion of IP addresses, IPv6, a next-generation data transfer protocol with 128-bit addressing scheme, has been proposed, but it will take a long time before it is used as a standard. Therefore, various methods such as Classless Inter-Domain Routing (CIDR), Proxy, and Dynamic Host Configuration Protocol (DHCP) have been proposed to solve the IP address shortage problem in IPv4. The most representative one is the network address translation method.

The network address translation method was originally designed to solve the problem of depletion of the IP address space as mentioned above, but it may be used because of the side effects such as security or load balancing. The network address translation method is used for interworking with a local network using a local IP address and an external network (Internet). Briefly described as follows.

Each host in the local network communicates using a different local IP address. Therefore, in order for a host of a local network to communicate with a host of an external network, network address translation technology must convert the local IP address into a global IP address that can be identified by a host of the external network. The network address translation method creates a translation table in the form of a lookup table and references it.

The conventional network address translation method can be divided into two types. The first is a basic network address translation (NAT) that translates the source address (local IP address) of an IP packet into a global IP address. The second is a network address port translation (NAPT) that translates not only an IP address but also a port in the TCP / UDP layer. to be.

In the basic NAT method, data flows are distinguished only by the destination IP address. Therefore, the utilization of the IP address is remarkably reduced because multiple hosts in the local network cannot share a single IP address at the same time. In other words, because different global IPs must be assigned to all concurrent data flows, multiple hosts cannot share an IP address at the same time. As a result, in the worst case, global IPs are required as many as the number of hosts in the local network, resulting in low IP address utilization.

NAPT, a representative address translation method developed to compensate for this disadvantage, distinguishes data flows into ports of the TCP (or UDP) protocol, so that hosts on multiple local networks can use a single global IP address at the same time with different port numbers. Can use IP address is excellent. However, this NAPT method has to consider not only the IP layer but also the TCP layer in order to translate the IP address, which results in a complicated processing, a slow processing speed, and a port number sensitive service.

Therefore, there is an urgent need for an address translation method that can provide both port number-sensitive services while taking advantage of the basic NAT and NAPT methods.

In addition, full access communication cannot be provided in NAPT. The term full access communication means not only communicating with a local network from an external network but also trying to communicate with an external network from a local network. In general, NAT methods are designed considering only communication attempts from the local network to the external network. In the case of NAPT, a new method called port forwarding has emerged as a result of efforts to support full access communication, but there are many limitations because address translation is performed using information of the transport layer. Port forwarding is a method of statically binding a port on NAPT to a host for use as a server in the local network. In this way, only one host can support full access communication for each service port. As a result, it is impossible to operate multiple file servers or web servers in the local network. Therefore, there are inherent limitations in full access communication. Therefore, there is an urgent need for a method of identifying data flows that enables full access communication supporting both data flows from the local host to the external network, as well as data flows from the external network to the local host.

The full access communication described above is particularly closely related to internet appliances and home automation. Nowadays, the rapid spread of high-speed communication networks to each home is creating an environment in which many homes can always use the Internet regardless of time, and this environment activates technologies and markets for Internet home appliances and home automation. The most basic requirement of Internet home appliances is not to be a client accessing a communication network such as the Internet, but to serve as a server that receives access from a remote family member so that the remote family member can control the home appliance. Will be. However, to support this access, each Internet appliance must be assigned a unique global IP address. This adds to the current shortage of IP addresses on the Internet and is the biggest obstacle to the widespread deployment of Internet appliances in the home.

An object of the present invention is to provide a method and apparatus for distinguishing data flow between a local host and an external host for full access communication between a local host and an external host sharing a global IP address.

1 is a schematic diagram illustrating a data flow identification method and apparatus on a network according to a preferred embodiment of the present invention.

2 is a flowchart illustrating a data flow identification method on a network according to a preferred embodiment of the present invention.

3 is an example of a conversion table stored for identification of a data flow.

4A to 4D are examples of packet information formed in each step of FIG. 2.

5 is an example of a conversion table when connecting to the same external host at the same time.

6 is a flowchart illustrating a method of using a local host as a server using DNS.

7 is a schematic diagram illustrating a method of updating a dynamically allocated global IP address using a dynamic DNS server.

In order to achieve the above technical problem, the present invention provides a method for identifying a data flow on a network in which one or more local hosts each having a different local IP address in a local network share a predetermined global IP address and transmit and receive with an external host. And a translation table comprising information of the local IP address, the global IP address, the IP address of the external host, the source port of the packet and the destination port of the packet for the IP packet of the data flow; Translating and transmitting a local IP address of an outgoing IP packet destined for the external host from the local host to the global IP address; And identifying an incoming IP packet received from the external host to the global IP address using at least some of the information recorded in the translation table.

According to another aspect of the present invention, in order to achieve the above technical problem, one or more local hosts each having a different local IP address in the local network share data with the external host by sharing a predetermined global IP address An apparatus for identifying a flow on a network, comprising: the local IP address, the global IP address, the IP address of the external host, the source port of the packet and the destination port information of the packet for an IP packet of the data flow A conversion table for storing an item to be made; And converts and transmits a local IP address of an outgoing IP packet destined for the external host from the local host to the global IP address, and records an incoming IP packet received from the external host to the global IP address in the conversion table. An apparatus for identifying a data flow on a network including a processing unit for identifying using at least a portion of the collected information is provided.

Hereinafter, a method and apparatus for identifying a data flow in a network according to preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a schematic diagram illustrating a data flow identification method and apparatus on a network according to a preferred embodiment of the present invention. Referring to Figure 1, the local network is composed of HOST A (11), HOST B (12), HOST C (13), etc., which have a unique local IP address that can be identified only in the local network. These are connected to external hosts, that is, HOST X (14), HOST Y (15), HOST Z (15), etc. through a NATFS (Network Address Translation by Flow Separation) router 10 according to the present invention. In order to access the Internet from the outside, a unique IP address that can be recognized from the outside is required. Since the local IP address is only recognized within the local network, the NATFS router 10 can recognize the local IP address from the outside. Convert to an IP address, that is, a global IP address. In the local network, a global IP address allocated in advance to access an external network is managed by an IP pool, and when a new global IP is needed, one of the IP pools is selected and used. In order to perform the above-described function, the NATFS router 10 according to the present invention stores local IP addresses, global IP addresses, IP addresses of external hosts, source ports of the packets, and destination port information of the packets. A conversion table 102, and a processing unit 101 for processing the conversion of packets during outgoing and incoming with reference to the conversion cable 102.

Now a method for enabling communication between the local hosts (11, 12, 13, ...) and external hosts (14, 15, 16, ...) in the NATFS router 10 Figures 2 to 4 This will be described with reference to. FIG. 2 is a flowchart illustrating a data flow identification method in a network according to a preferred embodiment of the present invention. FIG. 3 is an example of a conversion table stored for identification of a data flow, and FIGS. 4A to 4D are FIGS. Examples of packet information formed in each step of the.

Referring to FIG. 2, first, it is determined whether outgoing with respect to general IP packet forwarding is performed (S201). If outgoing, it is determined whether IP address translation is necessary (S202). In the case of packet forwarding in the local network, since each host can be sufficiently identified using only the local IP, the IP packet is forwarded at step S210 since it is not necessary to convert the IP. If it is determined that the translation of the IP address is necessary, that is, if the packet is delivered to an external network other than the local network, the IP translation of the packet is required. This is because the local IP address loses meaning in the external network as described above. In this case, the conversion table is searched using the local IP address of the source of the IP packet, the external IP address of the destination, the port of the source, and the port of the destination (S203). The conversion table is a table storing various information for identifying the data flow, an example of which is shown in FIG. 3. Referring to FIG. 3, fields of the table include a local IP address, a global IP address, an external IP address, a source port, and a destination port. The details are described next.

-Local IP Address: Local IP address of packet origin

-Global IP address: Global IP address used for address translation. It is managed in IP pool. Usually, only one IP address is used.

External IP address: the destination IP address in the packet's external network

-Source port: As the source port of the packet, it changes dynamically during connection according to the protocol or application, so it is managed as a linked list by the LRU (Least Recently Used) algorithm.

-Destination port: It is used to distinguish service type by destination port of packet.

It is particularly noteworthy that source port information is used to identify the data flow among the fields of the conversion table.

On the other hand, by searching from the table to determine whether a search result that meets the above conditions (S204), if not found, since this is the first data flow occurs, assign a global IP from the IP pool corresponding to each field of the conversion table The information is bound and stored (S205). Thereafter, processing is performed according to the service type of the IP packet (S206). In this example, Telnet service is selected as the service type. This makes it possible to know all the information to be written in each field of the conversion table. That is, for example, when HOST A (10.1.1.2) of FIG. 1 requests telnet service from HOST X (211.113.146.148), the local IP address includes 10.1.1.2, which is the IP address of HOST A, and the global IP. In the address, 211.113.146.186, which is a global IP address allocated from the IP pool, is written. For the external IP address, 211.113.146.148, the IP address of HOST X, is entered. When a telnet connection is attempted with a domain name, the IP address of the host X can be easily obtained through a general domain name system (DNS) processing routine, and the method is obvious to those skilled in the art, and thus a detailed description thereof will be omitted. In the source port, a randomly generated port number (1200 in this example) is entered for communication. In the destination port, the port number of the service requesting the destination, that is, the HOST X side (in this example, Telnet service is desired. Port number is 23). The packet information generated in the above steps is shown in Fig. 4A. The source IP has a local IP address of 10.1.1.2, the destination IP has 211.113.146.148, and the source and destination ports have 1200 and 23, respectively.

Now the source address of the generated IP packet, that is, local IP address is converted into a global IP address (S207). The information of the converted packet is shown in FIG. 4B. As shown, all of the information is the same as in FIG. 4A, and it can be seen that only the source IP address has been translated from the local IP address 10.1.1.2 to the global IP address 211.113.146.186. Thereafter, a timeout is set for automatic removal of the referenced or newly created table (S208), and a check sum is calculated and reflected in each packet (S209) for data integrity of the changed contents of each packet. The addressed packet is forwarded (S210).

The external host (HOST X in this example) that receives the forwarded packet in step S210 exchanges the source address and the destination address of the received IP packet, and also responds by swapping the source port and the destination port. An example of such a response packet is shown in FIG. 4C. The response packet arrives at the NATFS router 10 through a general routing path.

The packet thus arrived is an incoming packet, and therefore, the packet arrives at the right part of the judgment in step S201 of FIG. 2. After determining whether IP conversion is necessary (S211), if IP conversion is not necessary, that is, if communication is within the local network, the IP packet is forwarded as it is in step S210. When IP conversion is required, that is, a packet received from an external network, the conversion table is searched by the source address, the destination address, the source port, and the destination port of the IP packet (S212), and the matching information is recorded from the outgoing information. Find the item you want to That is, a local IP address having the global IP address, the external host IP address, the source port of the packet, and the destination port of the packet, respectively matching the destination address, source address, destination port, and source port of the incoming IP packet. Is retrieved from the conversion table. It is determined whether the matching item exists in the conversion table (S213). If it does not exist, it is determined that an error has occurred due to a mismatch with information recorded during outgoing (S214). If there is a search item in the conversion table, after processing according to the service type of each IP packet (S215), the destination address of the IP packet is converted according to the local IP address of the conversion table found in step S212. The converted packet information is shown in FIG. 4D. Referring to FIG. 4D, all information is the same as that of FIG. 4C, and only the destination IP is converted from 211.113.146.186, which is a global IP address, to 10.1.1.2, which is a local IP address of HOST A, which is commonly used only within the local network. Next, a timeout is set for automatic removal of the referenced or newly created table (S208), a check sum is calculated for the data integrity of the changed contents of each packet, and reflected in each packet (S209), The addressed packet is forwarded (S210).

As described above, not only the IP address but also port information is recorded in the conversion table, so that several local hosts can simultaneously access a single external host. 5 is an example of a conversion table when connecting to the same external host at the same time. Referring to FIG. 5, it can be seen that internal hosts HOST A and HOST B are simultaneously connected to external hosts HOST X (see FIG. 1). In the translation table of HOST A and HOST B, the global IP address is the same as 211.113.146.186 and the external IP address is the same as 211.113.146.148. In addition, it can be seen that the type of service is 23, that is, a telnet service. However, since source ports stored in IP packets are different from 1200 and 1300, respectively, packet information of HOST A and HOST B can be distinguished. Since the source port number is randomly generated at each local host at the time of connection, unlike the NAPT, the generated port number is not manipulated, so that a service sensitive to the port number can be supported without a problem.

So far, we have described an example of using a local host as a client and an external host as a server. Now, let's take a look at the full access communication that can communicate by trying to connect from the external network to the local network as well as trying to communicate from the local network to the external network. This is made possible by applying DNS technology to NATFS techniques.

6 is a flowchart illustrating a method of using a local host as a server using DNS. As an example, a case in which HOST Y (211.113.146.149) of FIG. 1 makes a telnet connection to HOST C (10.1.1.4) in the local network will be described. First, a host on the external network, HOST Y (211.113.146.149), commands telnetlocal4.natfs.raonet.com on the terminal to telnet to server HOST C (10.1.1.4) on the local network. Query the DNS to get the IP address for (S61). The DNS query (Query: local4.natfs.raonet.com) is processed by the DNS server (not shown) of the HOST Y. After passing through a general DNS processing path, the DNS query is transmitted to a DNS server (not shown) of NATFS. . General DNS processing paths are obvious to those skilled in the art, and thus detailed descriptions are omitted herein for the sake of simplicity.

NATFS's DNS server already knows the address information for local hosts, so the local host's IP address (10.1.1.4) corresponding to the received DNS query (local4.natfs.raonet.com) and the global IP available in the IP pool. Assign and bind an address (211.113.146.186). The binding information is then recorded in the DNS request queue (S62). Thereafter, the bound global IP address (211.113.146.186) is returned to the DNS server of HOST Y in a DNS response, and the DNS server (not shown) returns the global IP address to an external host, that is, HOST Y (211.113). 146.149) (S63). The external host transmits an IP packet using the global IP address 211.113.146.186 as a destination address (S64). When the IP packet is received by the NATFS router, a new item is created in the translation table using the information of the received packet and the bound information of the DNS request queue, and recorded to be used for address translation (S65). As a result, the conversion table has complete information. The reason for the binding process of the DNS request queue is that the IP address information of the external host attempting to connect is not known at the time of DNS request. Therefore, after binding and storing local host's IP address and global IP address in advance, when the first IP packet arrives, not only the IP address information of the external host but also all the items that make up the conversion table can be found. Write to conversion table. When all the information for distinguishing data flows is recorded in the conversion table, the binding information is no longer needed and therefore deleted from the DNS request queue. When the conversion table is completed, the packet is transmitted to the local host local4 (10.1.1.4) (S66). As a result, full access communication is performed, in which not only an attempt is made to communicate from a local network to an external network, but also an attempt is made to communicate from an external network to a local network.

The global IP address may be a static IP address, but may also be a dynamically changing IP address using DHCP. In this case, by dynamically updating the globally assigned global IP address for the domain address of the DNS server in NATFS, full access communication by NATFS is possible even when the global IP address is dynamically allocated. 7 is a schematic diagram illustrating a method of updating a dynamically allocated global IP address using a dynamic DNS server. Referring to FIG. 7, in order for NATFS 70 to operate in a dynamically changing global IP address environment, the DHCP client 71 is assigned a dynamic IP address to be used by the DHCP server 73. The dynamic DNS client 72 sends a dynamic DNS registration request and the allocated dynamic IP address to the dynamic DNS server 74 when the DHCP client 71 receives a change in the dynamically allocated dynamic IP address from the DHCP client 71. do. At this time, it is required to specify "T_NS" in the NS record to specify that the DNS server is not a general user's host. Upon receiving this request, the dynamic DNS server 74 updates the IP address corresponding to the domain name of NATFS with the received dynamic IP address, and when the update is completed, sends a dynamic DNS registration complete message to the dynamic DNS client 72 of NATFS. To send). In other words, the dynamic DNS server 74 updates the IP address dynamically assigned to the NATFS router whenever the IP address changes, thereby always updating the dynamically changed IP address of the NATFS router for DNS queries of external hosts for a specific NATFS router. Return in DNS response. As a result, the NATFS router can always provide full access communication even in a dynamically changing global IP address environment.

Although the present invention has been described with reference to the embodiments shown in the drawings, this is merely exemplary, and it will be understood by those skilled in the art that various modifications and equivalent other embodiments are possible.

As described above, the network address translation method according to an aspect of the present invention distinguishes data flows by using information of <source address, destination address, source port, and destination port>, as compared to the basic NAT, so that one IP address is divided into several. The advantage is that hosts can share at the same time.

Comparing the network address translation method according to an aspect of the present invention with NAPT, address translation occurs only at the IP layer while maximizing the efficiency of IP address utilization, and thus, various port-sensitive Internet services can be accommodated. It also supports full access communication, which NAPT doesn't support, so you can build various servers in your local network.

In addition, by using a port number randomly generated at the source at the time of network connection as an identifier for distinguishing data flows, multiple hosts in the local network can communicate simultaneously with the same host in the external network through only one IP. can do. Moreover, it supports the construction of various Internet servers in the local network by incorporating the DNS technique, and also supports communication from multiple external networks to the local network at the same time using only one global IP address.

The data flow identification method on the network according to the present invention is very suitable for a dynamically changing IP address environment due to the lack of a global IP address by adding a dynamic DNS server address updating function. This is a very useful technology for routers. In particular, the present invention solves the problem of IP address shortage by sharing information of home network with one global IP address and supports server access method from remote site to home network, which is essential for the expansion and promotion of Internet home appliances and home automation. Technology.

Claims (9)

A method for identifying, on a network, data flows in which one or more local hosts, each having a different local IP address in a local network, share a predetermined global IP address and transmit and receive with an external host. (a) providing a conversion table including the local IP address, the global IP address, the IP address of the external host, the source port of the packet and the destination port of the packet for the IP packet of the data flow; (b) converting and transmitting a local IP address of an outgoing IP packet destined for the external host from the local host to the global IP address; And (c) identifying an incoming IP packet received from the external host to the global IP address using at least some of the information recorded in the translation table. The method of claim 1, wherein step (c) (c1) a local IP having the global IP address, the external host IP address, the source port of the packet, and the destination port of the packet, respectively matching the destination address, source address, destination port, and source port of the incoming IP packet. Retrieving an address from the translation table; And (c2) converting the destination address (the global IP address) of the incoming IP packet to the retrieved local IP address and transmitting the incoming IP packet to a local host owning the local IP address. A data flow identification method on a network. The method of claim 1, wherein step (a) (a1) providing a DNS server having information about the local IP address and a corresponding domain name; (a2) The DNS server returns a predetermined assigned global IP with respect to the received DNS query, binds a local IP address corresponding to the received domain name and the assigned global IP address to a predetermined binding queue. Storing at); (a3) Upon receiving the IP packet destined for the global IP address, the external host IP address recorded in the IP packet, the source port of the packet, and the destination port of the packet are stored in the binding queue; Storing in the translation table together with the local IP address. The method of claim 3, (a4) if the local IP address and the global IP address stored in the binding queue are stored in the conversion table, further comprising deleting the local IP address and the global IP address from the binding queue. How to identify data flow on the network. The method of claim 3, (a5) if the global IP address is dynamically changed and allocated, requesting a higher DNS server managing the IP of the DNS server to change the IP address of the DNS server to the dynamically allocated global IP address. And a data flow identification method on the network. The method of claim 3, wherein in step (a2) When the DNS server continuously receives a DNS query, the DNS server binds the local IP address and the assigned global IP address corresponding to the received domain name to each of the DNS queries and stores them in the binding queue. How to Identify Data Flow on Windows. An apparatus for identifying a data flow on a network in which one or more local hosts, each having a different local IP address in a local network, share a predetermined global IP address and transmit and receive with an external host. A conversion table for storing an item including the local IP address, the global IP address, the IP address of the external host, the source port of the packet, and the destination port information of the packet for the IP packet of the data flow; And The local IP address of the outgoing IP packet destined for the external host from the local host is converted into the global IP address, and the incoming IP packet received from the external host to the global IP address is recorded in the conversion table. An apparatus for identifying a data flow on a network, comprising a processing unit for identifying using at least some of the information. The method of claim 7, wherein A DNS server having information on the local IP address and a corresponding domain name, and returning a predetermined assigned global IP when receiving a DNS query; And Further comprising a binding storage unit for binding and storing the local IP address and the global IP address corresponding to the received domain name, When the processing unit receives an IP packet destined for the global IP address, the global IP stored in the binding storage unit may include information about an external host IP address recorded in the IP packet, a source port of the packet, and a destination port of the packet. And an address and the local IP address in the conversion table. The method of claim 7, wherein A DHCP client that detects a change in a dynamically assigned global IP address and sends this fact; And And further comprising a dynamic DNS client that receives the change notification of the global IP address from the DHCP client and requests the upper DNS server managing the IP of the DNS server to change the IP address of the DNS server to the global IP address. An apparatus for identifying data flow on a network, characterized by the above-mentioned.