WO2007108124A1 - Packet relay device - Google Patents

Abstract

Upon reception of an encrypted packet from the packet relay device of the preceding hop, a packet relay device decodes the packet and then searches an internal management number corresponding to a destination identification number given to the packet in a first table. Subsequently, the packet relay device searches routing information corresponding to the internal management number in a second table, sets a new destination identification number included in the routing information to an IP packet, encrypts the IP packet, and sends out the IP packet from an output port specified by the routing information to the packet relay device of the next hop.

Description

 Specification

 Packet relay device

 Technical field

 TECHNICAL FIELD [0001] The present invention relates to a packet relay apparatus in a technique for virtually grouping arbitrary hosts connected via a communication network and providing a closed network.

 Background art

 [0002] Recently, hosts (for example, devices such as home appliances capable of IP communication) other than a personal computer (PC) are connected to an IP (Internet Protocol) network. The use of IP networks has started, such as controlling home appliances from IP networks and sending and receiving content between IP-compatible home appliances. The number and types of devices capable of IP communication (hereinafter referred to as “hosts”) are increasing, and hosts with lower functionality than PCs are connected to the IP network.

 As the number of hosts increases, a large number of hosts need to be managed easily by virtually grouping a plurality of hosts. In addition, considering low-function hosts, it is necessary to realize communication between groups using a simple method with less burden on the hosts.

 [0004] Here, a method of establishing a group of hosts with a general VPN (Virtual Private Network) and realizing communication is assumed. In this case, a tunnel connection that takes security into consideration is set up between networks that have set up a VPN. For example, in a network connection configuration such as PC1—GW (gateway) 1—GW2—PC1, when a VPN is built between PC1 and PC2, between GW1 and GW2 A tunnel is built. In this tunnel, temporary IP addresses (virtual IP addresses) are assigned to IP packets exchanged between GWs, and VPN communication is realized by IP routing processing using the virtual IP addresses.

 [0005] In addition, when the unit of the group is configured in units of hosts (IP addresses) that are not in units of subnetworks (local networks) such as general VPNs, gateway devices that serve as gateways for the subnetworks The (GW device) manages the hosts (IP) under the subnetwork belonging to the group. For this reason, depending on the group configuration, problems may arise in the management load and communication path.

[0006] As an example, a server's client group structure (web server, browser terminal, etc. Configuration), the server-side GW device needs to manage a huge number of client hosts (IP). Also, it is assumed that clients want to suppress communication between clients

[0007] Furthermore, with current TCPZlP (Transmission Control Protocol / Internet Protocol), QoS (Quality of Service) control for packets transferred between GWs cannot be executed.

 Non-Patent Document 1: RFC1631

 Non-Patent Document 2: RFC2391

 Non-Patent Document 3: NS2001-263 (Information Systems Research Group) 2002.3 Distributed VPN Design Suitable for Multiple Network Connection Yoshitake Tajima (NTT)

 Non-Patent Document 4: NS2001-262 Information Systems Study Group NS) 2002.3 Virtual VPN Service Platform (VNSP) Multi VPN Service Service Provision Method Daisuke Oka (NTT) etc.

 Disclosure of the invention

 Problems to be solved by the invention

An object of the present invention is to provide a technique capable of reducing the load on a packet relay device that relays packets for communication between group members that are transmitted and received between terminal devices belonging to the same group.

 Means for solving the problem

In order to achieve the above object, the present invention employs the following configuration.

[0010] That is, the present invention is a packet relay device arranged on a transmission route of an IP packet for communication between group members, transmitted and received between terminal devices belonging to the same group,

 A storage unit storing a destination identification number and an internal management number corresponding to a destination of an IP packet, each different from an IP address, the first table storing an internal management number corresponding to the destination identification number, and the internal table A storage unit storing a second table storing routing information of the IP packet corresponding to the management number;

A packet receiver; A decryption unit that decrypts the received IP packet when the IP packet received by the reception unit is encrypted from a previous-hop packet relay device arranged on the transmission route;

 A search unit for searching the first table for an internal management number corresponding to a destination identification number assigned to the IP packet;

 A forwarding control unit that searches the routing information corresponding to the internal management number in the second table and assigns a new destination identification number included in the searched routing information to the IP packet;

 An encryption unit for encrypting the IP packet in which a new destination identification number is set; and a next-hop packet relay in which the encrypted IP packet is arranged on the transmission route based on the transfer information A transmitter to transfer to the device

 including.

 [0011] According to the present invention, routing information is searched with a destination identification number and an internal management number different from the IP address. For this reason, the time and load required for searching routing information can be reduced, and the load of routing processing can be reduced. Therefore, the load on the packet relay device can be reduced.

 The invention's effect

 [0012] According to the present invention, it is possible to reduce the load on a packet relay device that relays packets for communication between group members transmitted and received between terminal devices belonging to the same group. Brief Description of Drawings

 FIG. 1 is a diagram for explaining a configuration example and an operation example of a network system in a first embodiment of the present invention.

 FIG. 2 is a diagram showing a configuration example of a packet relay device (gateway device) according to the embodiment of the present invention.

 FIG. 3 is a diagram showing an example of the data structure of a local table constituting the management table shown in FIG.

[FIG. 4] A diagram showing an example of the data structure of a global table constituting the management table shown in FIG. FIG. 5 is a diagram showing an example of the data structure of a reception transfer table constituting the transfer sequence number table shown in FIG. 2.

 6 is a diagram showing an example of a data structure of a reception transfer table constituting the transfer sequence number table shown in FIG.

 FIG. 7 is a diagram showing stored contents of a local table, a global table, a reception transfer table, and a transmission transfer table held by GW-A in the first embodiment shown in FIG. 1.

 FIG. 8 is a flowchart showing processing of GW-A in the first embodiment.

 FIG. 9 is a diagram showing stored contents of a local table, a global table, a reception transfer table, and a transmission transfer table held by GW-B in the first embodiment shown in FIG. 1.

 FIG. 10 is a flowchart showing a GW-B process in the first embodiment.

 FIG. 11 is a diagram showing stored contents of a local table, a global table, a reception transfer table, and a transmission transfer table held by the GW-C in the first embodiment shown in FIG.

 FIG. 12 is a flowchart showing a GW-C process in the first embodiment.

[13] FIG. 13 is a sequence diagram showing an example of synchronization processing in the second embodiment of the present invention.

FIG. 14 is a diagram showing an example of a data structure of a transmission transfer table applied in the third embodiment of the present invention.

[15] FIG. 15 is a diagram for explaining an operation example of the network system of the third embodiment.

FIG. 16 is a diagram showing stored contents of a local table, a global table, a reception transfer table, and a transmission transfer table held by GW-A in the third embodiment shown in FIG.

 FIG. 17 is a flowchart showing processing of GW-A in the third embodiment.

FIG. 18 is a diagram showing stored contents of a local table, a global table, a reception transfer table, and a transmission transfer table held by GW-B in the third embodiment shown in FIG.

FIG. 19 is a flowchart showing processing of GW-B in the third embodiment. 20 is a diagram showing stored contents of a local table, a global table, a reception transfer table, and a transmission transfer table held by the GW-C in the third embodiment shown in FIG.

 FIG. 21 is a flowchart showing a GW-C process in the first embodiment.

 FIG. 22 is an explanatory diagram of an operation example in the third embodiment, and shows how a return packet is transferred from a server to a terminal device.

 FIG. 23 is a flowchart showing processing when the GW-C transmits a return packet in the third embodiment.

 FIG. 24 is a flowchart showing processing when the GW-C transmits a return packet in the third embodiment.

 FIG. 25 is a diagram showing a configuration example relating to priority control in the fourth embodiment of the present invention.

FIG. 26 is a diagram showing an example of a reception transfer table and a transmission transfer table in the fourth embodiment.

 FIG. 27 is a diagram illustrating a configuration example of a terminal device according to a fifth embodiment of the present invention.

Explanation of symbols

a, b, c '"terminal equipment

 GW-A, GW-B, GW-C ... Gateway device

 Ql <32 ··· Send queue

 S '· Server (terminal equipment)

 10. Gateway device

 13 · • 'GW header & trap processing part

 14 ··· Transfer serial number processing section

 16 ··· Tunnel processing section

 17 ··· Packet transceiver

 23 · · · Low force tape

 24 •• · Crono

25 ··· Receive transfer table 26 ... Transmission transfer table

 28 · · · Read control section

 BEST MODE FOR CARRYING OUT THE INVENTION

[Summary of the Invention]

 A network system according to the present invention includes a plurality of gateway devices (packet relay devices) arranged on an IP network and a plurality of hosts (terminal devices: “client terminals”) respectively accommodated in any of the plurality of gateway devices. Also called). The gateway device has a function of grouping a plurality of hosts through cooperation between the gateway devices, and a function of managing hosts belonging to each of the duplications. Furthermore, a plurality of gateway devices construct a virtual closed network that is closed within the group through cooperation, and realizes multicasting, broadcasting, and mano-casting of the knot within this virtual closed network.

 [0016] The virtual closed network is composed of hosts (group members) belonging to a group and a plurality of gateway devices located on the transmission route of packets transmitted and received between the hosts. Some gateway devices have (accommodates) the host under their control, while others do not have the host under their control but relay packets from the gateway device as the previous hop to the gateway device as the next hop. Some gateway devices have both functions.

 [0017] The host is managed as a host having a virtual IP address different from the real IP address on the virtual closed network. The virtual IP address is managed by the gateway device. When a host sends an IP packet to a destination host belonging to the same group as a host as a source host (intra-group communication), the virtual IP address assigned to the destination host is the destination IP. Set to an IP packet as an address. IP packets arrive at the destination host through multiple gateway devices. A tunnel using VPN technology is established between gateway devices, and IP packets are encrypted and transmitted between gateway devices.

 [0018] The gateway device performs route search (routing) when transferring an IP packet.

The applicant of this application has already applied for a technology that performs routing using the destination IP address (virtual IP address) set in the IP packet (PCTZJP2005Z003788, filing date 20 March 4, 2005).

 [0019] If a virtual IP address is applied as information applied to routing in the virtual closed network, the routing technology and management technology using the IP address already proposed can be diverted. However, in this case, the inefficient part of the routing and management technology using the IP address will be included.

 [0020] For example, when routing by IP address is performed, a large number of entries in consideration of values that can be taken as IP addresses must be prepared in the IP routing table. For this reason, it takes time to search for a desired entry, and as a result, routing takes time. Therefore, when the number of transmitted packets increases, a great load is applied to the gateway device.

 An object of the present invention is to eliminate such an inefficient part and to reduce the load related to the packet transfer in the virtual closed network.

[First Embodiment]

 General configuration>

 FIG. 1 is a diagram showing an example of the overall configuration of a network system according to the present invention. In the example shown in FIG. 1, the network system includes a gateway device GW-A as a packet relay device, and a gateway device GW-B connected to the gateway device GW-A via a network X (global network). And gateway device GW-C connected to gateway device GW-B via network Y (global network)!

The gateway device GW-A accommodates the local network LN1, and accommodates the terminal device (host) a connected to the local network LN1. The gateway device GW-B accommodates the local network LN2 and the terminal device (host) b connected to the local network LN2. The gateway device GW-C accommodates the local network LN3 and accommodates a terminal device (host) c connected to the local network LN3.

[0024] The gateway devices GW-A, GW-B, and GW-C group terminal devices a, b, and c (group 1), and within the group, packets are multicast, broadcast, and Establish a virtual closed network that can be casted.

 [0025] The virtual closed network is constructed as follows. Hosts that belong to the group are assigned IP addresses (virtual IP addresses) that apply to packet communications within the group.

 [0026] The virtual IP address is different from the actual IP address used when the host performs normal IP packet communication, and functions effectively only in communication between group members.

The virtual IP address is managed by a plurality of gateway devices that relay packets in a virtual closed network. The gateway devices are directly connected by a tunnel using VPN tunneling technology such as IPsec.

[0028] When IP packet transmission / reception (intra-group communication) is performed between two or more gateway devices between hosts in the same group connected to different gateway devices, the following operations are performed.

 [0029] The gateway device that accommodates the transmission source host sets the information (routing information) used for route search in the inter-gateway communication (inter-GW communication) for the IP packet received from the transmission source host. Processing (encapsulation) is performed to attach the header (referred to as “GW header” or “intra-group communication header”) to the IP packet.

 [0030] Also, encryption applied to tunnel communication is performed on an IP packet with a GW header (IP packet with GW header: also called "encapsulated packet"), and a destination host is set. Transmit to the gateway device to be accommodated. The gateway device that relays the IP packet to the gateway device that accommodates the destination host performs decryption of the capsule packet, performs routing with reference to the GW header, and sends the capsule packet to the gateway device that accommodates the destination host. Send. The gateway device that accommodates the destination host decrypts the encapsulated packet, decapsulates it (deletes the GW header), and forwards it to the destination host.

[0031] In this manner, a virtual closed network is constructed on the network, in which the gateway device serves as a relay node and the tunnel force S link connecting the gateway devices. As a result, communication between hosts within a group is realized with a VPN built for each host. Ma In addition, broadcast or multicast for a group is realized by specifying a broadcast address or multicast address as a destination virtual IP address within the group.

 In the example shown in FIG. 1, terminal devices a, b, and c belong to the same group (group 1), and gateway devices GW-A, GWHX3GW-C that accommodate terminal devices a, b, and c Manages information related to groups. The information related to the group includes information on the hosts belonging to the group, and the host information includes the virtual IP address assigned to the host. In addition, the information related to group 1 includes routing information used for route search in communication between gateway devices.

 <Configuration Example of Gateway Device>

 FIG. 2 is a diagram illustrating a configuration example of the gateway device applied to the gateway devices GW-A, GW-B, and GW-C. In FIG. 2, the gateway device (hereinafter referred to as “GW device”) 10 includes a local interface 11 connected to a terminal device (local network), a different GW device, and a global network (for example, network X, It is equipped with a glosser side interface 12 connected via Y). In the following description, “serial number” may be expressed as “serial number”.

 The local side interface 11 is connected to a GW header and a NAT (Network Address Translation) processing unit 13 (hereinafter referred to as “header processing unit 13”). The header processing unit 13 is connected to the transfer sequence number processing unit 14 and the IP routing processing unit 15. The transfer sequence number processing unit 14 and the IP routing processing unit 15 are connected to the tunnel processing unit 16. The tunnel processing unit 16 is connected to the packet transmitting / receiving unit 17. The packet transmitting / receiving unit 17 is connected to the global side interface 12.

 The GW apparatus 10 is also referred to by the virtual IP, group and transfer sequence number management table 18 (hereinafter referred to as “management table 18”) referred to by the header processing unit 11 and the transfer sequence number processing unit 14. A transfer sequence number table 19 (hereinafter referred to as “sequence number table 19”) and an IP routing table 20 referred to by the IP routing processing unit 15 are provided.

The management table 18 and the serial number table 19 are created on a storage unit 21 configured using a storage device (memory or the like), and the IP routing table 20 is the same as or similar to the storage unit 21. Are created on different storage units.

 [0037] The header processing unit 13 determines whether the IP packet received from the local interface 11 is a normal IP packet or an IP packet transmitted / received between group members. If the IP bucket is a normal IP packet, the IP packet is forwarded to the IP routing processing unit 15.

 [0038] On the other hand, if the IP packet is an IP packet transmitted / received between group members, refer to the management table 18 for NAT processing (global address (virtual IP address) and local address (real IP address)). Conversion processing), GW header assignment for IP packets, source IP address (SA) and destination IP address (DA) corresponding to source IP address (SN) and destination IP address (DN), and Specify the internal management transfer sequence number (L TN) for the transfer sequence number processing unit 14.

 [0039] When the header processing unit 13 receives an IP packet (capsule packet) having a GW header from the transfer sequence number processing unit 14, the DA and SA settings for the IP packet (NAT processing), GW Delete the header and transfer to the local network. Furthermore, when receiving an IP packet from the IP routing processing unit 15, the header processing unit 13 transfers the IP packet to the local network in accordance with an instruction from the IP routing processing unit 15.

 [0040] When the transfer sequence number processing unit 14 receives an IP packet from the header processing unit 13, the transfer sequence number processing unit 14 refers to the sequence number table 19 based on the LTN specified by the header processing unit 13, and performs routing information for the GW header. (Transfer sequence number (TN) and group sequence number (GN) corresponding to LTN) and output port are specified, and the capsule packet is transferred to the tunnel processing unit 16.

In addition, when the transfer sequence number processing unit 14 receives a capsule packet from the tunnel processing unit 16, the transfer sequence number processing unit 14 refers to the GW header and the sequence number table 19, and transfers the packet to the local side network. Decide whether it is a global network. When the packet is transferred to the local side network, the transfer sequence number processing unit 14 transfers this packet to the header processing unit 13. When the packet is transferred to the global side network, the transfer sequence number processing unit 14 sets the routing information in the GW header of this packet. Update (rewrite) is performed and transferred to the tunnel processing unit 16.

[0042] When receiving an IP bucket from the header processing unit 13 or the tunnel processing unit 16, the IP routing processing unit 15 refers to the IP routing table 20 and determines an output port corresponding to the DA of the IP packet, With this output port designation, tunnel the IP packet 1

6 or header processing unit 13

The tunnel processing unit 16 performs encryption processing for tunneling on the packet from the transfer sequence number processing unit 14 and transfers the packet to the packet transmitting / receiving unit 17. In addition, the tunnel processing section 1

6 passes the packet from the IP routing processing unit 15 to the packet transmission / reception unit 17 together with the designation of the output port.

 [0044] Also, the tunnel processing unit 16 decodes the packet received from the packet transmitting / receiving unit 17, determines the presence or absence of the GW header for this packet, and if the packet has the GW header, Transfer to transfer sequence number processing unit 14. When the packet does not have a GW header, the tunnel processing unit 16 transfers this packet to the IP routing processing unit 15. The packet transmission / reception unit 17 performs IP packet transmission / reception processing.

 In the configuration of the GW apparatus 10 shown in FIG. 2, the route between the local side and the global side passes through the first route passing through the transfer sequence number processing unit 14 and the IP routing processing unit 15. And a second route is provided. The second route is a route for normal IP packet processing, and is used, for example, when browsing a web page on the Internet on the global terminal device side on the global side. On the other hand, the first route is used to process the GW header attached to the IP packet when intra-group communication is performed between GWs.

 [0046] For this reason, the header processing unit 13 and the tunnel processing unit 16 have a function of referring to the header of the received packet and determining whether the packet is transferred in a gap between the first and second routes. Yes.

Note that the header processing unit 13 corresponds to the transfer control unit of the present invention. The packet transmitting / receiving unit 17 corresponds to the receiving unit and transmitting unit of the present invention. The transfer sequence number processing unit 14 corresponds to the search unit of the present invention. The tunnel processing unit 16 corresponds to the encryption key unit and the decryption key unit of the present invention. However, instead of the packet transmission / reception unit 17, a transmission unit and a reception unit are provided. May be. Alternatively, an encryption key unit and a decryption key unit may be provided instead of the tunnel processing unit 16.

 <Data structure of table>

 Next, an example of the data structure of the management table 18 and the serial number table 19 shown in FIG. 2 will be described. FIG. 3 is a diagram showing an example of the data structure of the local table 23 provided in the management table 18, and FIG. 4 is a diagram showing an example of the data structure of the global table 24 provided in the management table 18. FIG. 5 is a diagram showing an example of the data structure of the reception transfer table 25 provided in the sequence number table 19, and FIG. 6 is a diagram showing an example of the data structure of the transmission transfer table 26 provided in the sequence number table 19.

 [0049] As shown in Fig. 3, the local table 23 includes the real IP address (Real IP address: R-IP), the source serial number (SN), and the gnoleop serial number (GN). One or more entry forces with and as elements.

 [0050] The real IP address is an IP address assigned to a host (terminal device) and used for normal IP communication, and is managed as a local address. SN indicates the serial number assigned to the source host used in inter-GW communication during intra-group communication. Each host computer is pre-assigned a serial number used for intra-group communication (host serial number: also expressed as “terminal serial number”). The terminal sequence number is uniquely defined within the group. GN indicates the serial number assigned to each group used in inter-GW communication. A GN is uniquely defined for each GW device. The value assigned to the group by the GW device is stored as the GN value.

 [0051] As shown in FIG. 4, the global table 24 includes a virtual IP address (Virtual IP address: V-IP), a destination serial number (DN), a GN, an internal management transfer serial number (Loc al management transmission serial number (LTN).

[0052] The virtual IP address is an IP address of a host in the virtual closed network, and is managed as a global address. The DN indicates the terminal sequence number assigned to the destination host. As the GN value, the value assigned to the group by its own GW device is set. LTN is a serial number for searching routing information (internal) managed in GW device 10 (local). Control number) and used as a search key (pointer) in the transmission transfer table 26 (Fig. 6).

[0053] As shown in FIG. 5, the reception transfer table 25 includes a transmission serial number (Transmission serial Number:

 TN) and LTN are one or more entry forces. The TN is a serial number that functions as a packet destination identification number. The LTN functions as a search key (pointer) for routing information stored in the transmission transfer table 26.

 As shown in FIG. 6, the transmission transfer table 26 includes one or more entries including LTN and routing information (TN, GN, and output port value (Outport)) corresponding to the LTN. As the TN value, a value serving as a search key for the reception transfer table 25 in the next-hop GW device is set. In addition, the GN value assigned to the group in the GW device at the next hop is set as the GN. The output port value indicates the output port value of the packet.

 The local table 23, global table 24, reception transfer table 25, and transmission transfer table 26 described above are prepared for each group managed by the GW apparatus 10.

 Note that the reception transfer table 25 corresponds to the first table of the present invention, the transmission transfer table 25 corresponds to the second table of the present invention, and the global table 24 corresponds to the third table of the present invention. Furthermore, a local table can be defined as the fourth table of the present invention.

 <Example of operation>

 Next, an operation example in the network system in the first embodiment will be described. As an operation example, an example of performing packet transfer related to intra-group communication from the terminal device a to the terminal device c shown in FIG. 1 will be described.

As shown in FIG. 1, terminal devices a, b and c participate in group 1. The terminal device a has a real IP address “a”. Further, the virtual IP address “aD” is assigned to the terminal device a, and the terminal sequence number “101” is assigned to the group 1. Terminal device b has a real IP address “b”. The terminal device b is assigned the virtual IP address “bD” and the terminal sequence number “102” in group 1. The terminal device c has a real IP address “c”. The terminal device b is assigned the virtual IP address “cD” and the terminal sequence number “103” in group 1. Further, GW apparatus GW-A assigns GN “1” to group 1. GW device GW-B assigns GN "10" to group 1. GW device GW-C assigns GN “20” to group 1! /.

 [0060] The terminal device a transmits a packet (IP packet) in which a TCP / IP header is added to data to the GW device GW-A. In this IP packet, the real IP address “a” of the terminal device a is set as the source IP address (SA), and the virtual IP address “cD () of the terminal device c is set as the destination IP address (DA). c-dash) "is set.

 [0061] When the GW-A receives the IP packet at the local side interface 11 (Fig. 2), the GW-A executes a transfer process for the IP packet. FIG. 7 is a diagram showing a local table 23A, a global table 24A, a reception transfer table 25A, and a transmission transfer table 26A for the group 1 stored in the management table 18 and the serial number table 19 of the GW device GW-A. FIG. 8 is a flowchart showing processing in the GW apparatus GW-A.

 In FIG. 8, when an IP packet is received by the local side interface 11 (step SO 1), the IP packet is transferred to the header processing unit 13. The header processing unit 13 extracts the destination IP address (DA) as well as the IP packet power and refers to the global table 24 (Fig. 4) in the management table 18 to determine whether the DA exists in the global table 24. Determine (step S02).

 [0063] When the DA does not exist in the global table 24 (that is, when the DA is not a virtual IP address; S02; NO), it is determined that the IP packet is a normal IP packet, and the IP routing processing unit The IP packet is transferred to 15 (step S03).

 [0064] On the other hand, when the DA exists in the global table 24 (that is, when the DA is a virtual IP address; S02; YES), the header processing unit 13 identifies the GN corresponding to the DA. Take out from the table 24. Subsequently, the header processing unit 13 extracts the SA from the IP packet and refers to the local table 23 (Fig. 3) in the management table 18 to determine the GN extracted from the GN force global table 24 corresponding to the SA. Determine whether they are the same (step S04).

[0065] At this time, if the GNs are not the same (S04; NO), the header processing unit 13 determines that the IP packet is an IP packet outside the transfer target group, and discards the IP packet (STEP P05). On the other hand, when the GN is the same (S04; YES), the header processing unit 13 advances the process to step S06.

[0066] In this way, by determining whether or not the GN corresponding to the SA and the GN corresponding to the DA match, it is determined whether or not the transmission source host and the destination host belong to the same group. Judged.

 In this operation example, the header processing unit 13 of the GW apparatus GW-A determines whether the DA “cD” of the IP packet exists in the global table 24A (FIG. 7) (S02). Since DA “cD” exists in global table 24A, the corresponding GN “1” is extracted from global table 24A. Subsequently, the header processing unit 13 extracts GN “1” corresponding to SA “a” of the IP packet from the local table 23A (FIG. 7). Since both GNs match, the header processing unit 13 determines that the IP packet is an IP packet of the transfer target group, and proceeds to step S 06.

 [0068] In step S06, the header processing unit 13 adds a GW header (inter-GW header) to the IP packet, and sets DN and SN corresponding to DA and SA for the GW header. The GW header is a header used for transfer processing of packets transmitted / received between GW devices for intra-group communication (that is, communication between group members). As shown in FIG. 1, TN, GN, It has fields for setting DN and SN respectively.

 [0069] The header processing unit 13 extracts the SN “101” corresponding to SA “a” from the local table 23A (FIG. 7), and the DN corresponding to DA “cD” from the global table 24A (FIG. 7). “103” is extracted and SN “101” and DN “103” are set in the inter-GW header.

 Subsequently, the header processing unit 13 extracts LTN “2” corresponding to DN “103” from the global table 24A (FIG. 7). The header processing unit 13 transfers LTN “2” (designated LTN) and the IP packet (encapsulated packet) having the GW header to the transfer sequence number processing unit 14 (step S 07).

 [0071] The transfer sequence number processing unit 14 refers to the transmission transfer table 26A (Fig. 7), extracts TN "2" and GN "10" corresponding to the specified LTN "2", and sets them in the GW header (step S08).

[0072] Subsequently, the transfer sequence number processing unit 14 designates an output port value (here, "AB") corresponding to the designated LTN, and forwards this designation to the tunnel processing unit 16 together with the capsule packet (STEP). S09).

 The tunnel processing unit 16 performs an encryption process on the encapsulated packet received from the transfer sequence number processing unit 14. The packet transmitting / receiving unit 17 transmits the encapsulated packet from the designated output port “AB”. The encapsulated packet is sent from the global side interface 12 to the global side network X. In the network X, this IP packet is transferred through a tunnel established between the GW apparatus GW-A and the GW apparatus GW-B.

 [0074] Thus, in the case of transferring an IP packet to a terminal device c accommodated in a different GW device GW-C, the transmitting-side GW device GW-A (the GW device accommodating the transmission source host) This IP packet is given a GW header (IP packet is encapsulated) used for packet transfer in a virtual closed network (within a group).

 [0075] At this time, in the GW header, not the SA and DA using the virtual IP address, but the SN and DN power prepared for communication between group members is set as a host identifier that can be recognized only by the GW device. The Also, GN and TN are set as routing information for routing in the next hop GW. The GN functions as an identifier for identifying the group in the next-hop GW device. The TN also functions as a destination identification number for searching routing information in the next-hop GW device.

 GW apparatus GW-B (FIG. 1) receives the encapsulated packet at global-side interface 12 (FIG. 2). Then, the GW apparatus GW-B executes a transfer process for the capsule packet.

 [0077] FIG. 9 is a diagram showing a local table 23B, a global table 24B, a reception transfer table 25B, and a transmission transfer table 26B for the group 1 stored in the management table 18 and the serial number table 19 of the GW apparatus GW-B. FIG. 10 is a flowchart showing processing in the GW apparatus GW-B.

 As shown in FIG. 10, in the GW apparatus GW-B, the encapsulated packet is received by the global interface 12 and the packet transmitting / receiving unit 17 (step S 21) and given to the tunnel processing unit 16.

[0079] The tunnel processing unit 16 performs processing such as decryption of the received packet, and then receives the received packet as G. It is determined whether or not it has a W header (step S22). At this time, if the received packet does not have a GW header (S22; NO), the tunnel processing unit determines that the received packet is a normal IP packet, and the packet is sent to the IP routing processing unit 15 (Step S23) o On the other hand, if the received packet has a GW header (S22; YES), the process proceeds to step S24.

 [0080] In this operation example, the received packet is an encapsulated packet having a GW header. For this reason, the tunnel processing unit 16 can detect the GW header. In this case, the tunnel processing unit 16 transfers the encapsulated packet to the transfer sequence number processing unit 14, and the process proceeds to step S24.

 [0081] In step S24, the transfer sequence number processing unit 14 extracts TN "2" from the GW header and corresponds to TN "2" by referring to the reception transfer table 25B (Fig. 9) in the sequence number table 19. Get LTN "2".

 [0082] Next, the transfer sequence number processing unit 14 refers to the transmission transfer table 26B (Fig. 9), extracts TN "1" and GN "20" corresponding to LTN "2", and sets them in the GW header ( (Rewrite the values of TN and GN in the GW header) (Step S25).

 Next, the transfer sequence number processing unit 14 extracts the output port value “BC” corresponding to LTN “2” from the transmission transfer table 26B (FIG. 9), and outputs this output port value “BC” (designated output port). Is transferred to the tunnel processing unit 16 together with the capsule packet (step S26).

 In tunnel processing unit 16, after encryption processing or the like is performed on the capsule IP packet, packet transmission / reception unit 17 transmits the capsule packet from output board “BC” (step S 27). The packet is sent to the network Y on the global side and transferred through the tunnel established between the GW device GW-B and the GW device GW-C.

 [0085] In this way, in the GW device GW-B that performs the relay, the transfer processing (routing) of the encapsulated packet uses the TN (destination identification number) set in the GW header, unlike normal IP routing. Was done by routing.

[0086] The GW apparatus GW-C (FIG. 1) receives the encapsulated packet at the global side interface 12 (FIG. 2). Then, the GW apparatus GW-C executes a transfer process for the capsule IP packet. FIG. 11 shows a local table 23C, a global table 24C, a reception transfer table 25C, and a transmission transfer table 26C for group 1 stored in the management table 18 and serial number table 19 of the GW apparatus GW-C. FIG. 12 is a flowchart showing processing in the GW apparatus GW-C.

 As shown in FIG. 12, in the GW apparatus GW-C, the packet transmitting / receiving unit 17 receives the encapsulated packet (step S 31) and transfers it to the tunnel processing unit 16.

 The tunnel processing unit 16 performs a decoding process on the received packet and the like, and determines whether or not this packet includes a GW header (step S32). At this time, if the received packet does not include a GW header (S32; NO), the tunnel processing unit 16 determines that the received packet is a normal IP packet, and determines that the received packet is an IP routing processing unit 15 (Step S33). On the other hand, if the GW header is included in the received packet (S32; YES), the process proceeds to step S34. In this operation example, since the received packet includes the GW header, the tunnel processing unit 16 transfers the received packet (encapsulated packet) to the transfer sequence number processing unit 14.

 [0090] The transfer sequence number processing unit 14 refers to the reception transfer table 25C (Fig. 11) in the sequence number table 19, and the LTN corresponding to TN "1" set in the GW header of the encapsulated packet (in this example, Get “LOCA” (Step S34).

 [0091] The transfer sequence number processing unit 14 transfers the encapsulated packet to the header processing unit 13 because the obtained LTN designation is "LOCA" (step S35). If it is not 'CA', the transmission number table search based on the LTN is executed in the same way as the processing in the GW device GW-B.

 [0092] Upon receiving the encapsulated packet from the transfer sequence number processing unit 14, the header processing unit 13 extracts the DN from the GW header of the encapsulated packet, and refers to the global table 24C in the management table 18 (Fig. 11). And obtain the virtual IP address (V-IP) "aD (a-dash)" corresponding to the DN. The virtual IP address “aD” is V—IP of the terminal device a that is the transmission source of the IP packet.

In addition, the header processing unit 13 extracts the SN from the GW header and obtains a real address (R-IP) “c” corresponding to the SN with reference to the local table 23C (FIG. 11). Real IP address " c "is the R-IP of the terminal device c that is the destination of the IP packet. The header processing unit 13 writes the values of DA and SA in the TCPZIP header in the encapsulated packet to" c "and" aD ", respectively. Change (step S36).

 [0094] After that, the header processing unit 13 deletes the GW header from the encapsulated packet (decapsulation) and transfers it to the local side network via the local side interface 11 (step S37). Thereafter, the IP packet reaches the destination terminal device c accommodated in the GW device GW-C.

 <Effects of First Embodiment>

 According to the network system in the first embodiment, each of the GW devices GW-A, GW-B, and GW-C that are subordinate to the terminal devices a, b, and c belonging to the same group (group 1) is the terminal device. As a management table in GW for a, b, and c to communicate in group 1, local table 23 that manages terminal information (R—IP, SN, and GN) under the control of GW equipment, Global table 24 for managing terminal information, etc. (V—IP, DN, GN, LTN), reception transfer table 25 referred to when receiving packets of different GW device power, and local network (host) —to GW, and It has a transmission transfer table 26 that is referenced when sending buckets between GWs.

 [0096] According to such a GW device, an IP address based on an IP address is used as a reference table for determining a relay destination (transfer destination) in a GW device (GW-B in FIG. 1) that performs packet relay. The reception transfer table 25 and the transmission transfer table 26 managed by a unique serial number (TN or LTN) are applied.

 That is, by referring to the reception transfer table 25 based on TN in the GW header, LTN that functions as a pointer for searching routing information (pointer of the transmission transfer table 26) is determined. Subsequently, by referring to the transmission transfer table 26 based on the LTN, routing information (TN, GN and output port value) necessary for the transfer process can be directly searched.

[0098] The number of entries (number of TNZLTNs) in the reception transfer table 25 can be limited to the number of destinations of the packet. Therefore, the number of entries in the reception transfer table 25 is very small compared to the IP routing table. Therefore, the time required for searching the reception transfer table 25 is short. Yes. On the other hand, with respect to the transmission transfer table 26, only the entry corresponding to the LTN searched from the reception transfer table 25 has to be referred to, so that the information search from the transmission transfer table 26 is completed in a short time.

 Therefore, using the reception transfer table 25 and the transmission transfer table 26, the process of obtaining information necessary for packet relay in the GW apparatus is significantly simplified and shortened as compared with IP routing. This reduces the load of packet transfer processing by the GW device (GW-B in Fig. 1) where packet relays are concentrated.

 [0100] Also, serial numbers such as TN, LTN, GN, SN, and DN need only be prepared for the number required for communication between group members, and are therefore less than the number that can be used as IP addresses. Therefore, it can be expressed in a size smaller than the IP address. Therefore, the management table 18 and the serial number table 19 can be created with a small storage capacity.

 [0101] In the first embodiment, a configuration in which a unique GW header is added to an IP packet is employed. Instead of this configuration, TN, GN, SN, and DN may be set for the TCPZIP header. In the GW device that accommodates the destination terminal device (host), the DA and SA of the packet to be transmitted to the local network are determined based on the DN and SN. The 26 configurations can be applied as they are.

 [0102] [Second Embodiment]

 Next, a second embodiment of the present invention will be described. Since the second embodiment includes the same configuration as that of the first embodiment, different configurations will be mainly described, and description of the same configurations will be omitted.

[0103] <Configuration>

 The stored contents of the tables 23 to 26 described in the first embodiment can be defined by manual setting (static setting) by the network administrator. However, the stored contents can be set dynamically.

[0104] In the second embodiment, the GW devices GW-A, GW-B, and GW-C in the network system shown in FIG. 1 perform group status changes (group addition Z deletion, terminal device addition Z deletion, (Multicast address addition Z deletion) The function of updating (synchronizing processing) with ~ 26 synchronization will be described.

FIG. 13 is a sequence diagram showing an example of synchronization processing in the second embodiment. In FIG. 13, a tunnel for group 1 communication is established between GW device GW-B and GW device GW-C. For example, between terminal device b and terminal device c shown in FIG. In Group 1, communication is possible (SQ1). At the time of SQ1, only terminal devices b and c belong to group 1! /.

In this state, for example, when a terminal device (for example, terminal device a) under the control of GW device GW-A is added (joins) to group 1, the following processing is performed between GWs. Is executed.

 [0107] First, inter-GW authentication is performed between GW device GW-A (hereinafter referred to as "GW-A") and GW device GW-B (hereinafter referred to as "GW-B"). (SQ2). When the mutual authentication is completed, the tunnel establishment procedure used for communication between GW-A and GW-B is executed, and the tunnel is established (SQ3). After that, communication between GW-A and GW-B is performed using this tunnel.

 [0108] GW-A sends a host list request to GW-B (SQ4). Then, GW-B belongs to group 1 and returns information on the terminal devices (terminal devices b and c) as a response to GW-A (SQ5). As the terminal device information, for example, the real IP addresses and virtual IP addresses of the terminal devices b and c can be notified.

 [0109] Next, GW-A transmits a registration request (gl: a) for terminal device a to group 1 to GW-B (SQ6). The group registration request includes identification information (for example, a real IP address) of the terminal device a and identification information (for example, “Group 1”) of the group to participate in. When GW-B receives the group registration request, it sends back a confirmation message (ACK) to GW-A (SQ7).

[0110] Next, virtual IPZ terminal serial number synchronization processing is performed between GW-A and GW-B and between GW-B and GW device GW-C (hereinafter referred to as "GW-C"). Executed (SQ8, SQ9). That is, a virtual IP address (for example, “aD”) is assigned to the terminal device a, a terminal sequence number (for example, “101”) is allocated to the terminal device a, and a terminal sequence number ( For example, “102”) is assigned, and a terminal sequence number (eg, “103”) is assigned to the terminal device c. For real and virtual IP addresses for terminal device a and terminal devices a, b, and c The terminal serial number is exchanged between GW-A and GW-B and between GW-B and GW-C and shared.

[0111] Next, GW-A, —BlX ^ N— C (in D arrows, setting (update) processing of management table 18 (low power table 23 (Fig. 3) and global table 24 (Fig. 4)) (SQ10, SQ11, SQ12) _{0, that} is, R-IP, SN, V-IP, GN, DN, and LTN are set for each table 23 and 24.

[0112] Next. Between ¹ ^ over eight and 0 ¹ ^ -8, and between the GW-B and GW-C, transfer sequence number synchronization process is executed (SQ13, SQ14). In other words, the LTN and TN used by each GW device are exchanged so that there is no contradiction between GWs.

[0113] Next, in each of GW-A, GW-B, and GW-C, serial number table 19 (reception transfer table 25 (Fig. 5) and transmission transfer table 26 (Fig. 6) are set (updated). Executed (SQ15, SQ16, SQ17) _0, ie, TN, LTN, GN and output port (Outport) settings for each table 25 and 26 are executed.

 [0114] When the setting of the serial number table 19 is completed, the terminal device a belongs to the group 1 and can communicate with the terminal device b or c (SQ18).

 [0115] The above-described processing has been described for adding a terminal device (host) to a certain group. When deleting terminal device a, GW-B and GW-C are notified of the deletion of terminal device a (duplication deletion request), and then the same processing as SQ8 to SQ17 is executed, and each GW device is The management table 18 and serial number table 19 in the device are updated (deletion of information related to the terminal device a). After that, the tunnel established between GW-A and GW-B is deleted.

 [0116] In addition of multicast address addition Z and group addition Z deletion, the same procedure as terminal device addition Z deletion is executed, and the contents stored in management table 18 and sequence number table 19 are changed between GW devices. Synchronization is achieved.

[0117] Note that the sequence shown in FIG. 13 is started when, for example, GW-A receives an instruction to add terminal device a from the control terminal. Alternatively, the terminal device a may be started when the GW-A announces participation in the group 1 through a procedure similar to the procedure for participating in the multicast group. [0118] <Effect>

 According to the second embodiment, it is possible to synchronize the management table 18 and the serial number table 19 between the GWs, and it is possible to appropriately cope with the state change related to the group.

[Third Embodiment]

 Next, a third embodiment of the present invention will be described. Since the third embodiment includes the same configuration as that of the first embodiment, different configurations will be mainly described, and description of the same configurations will be omitted.

[0120] <Configuration>

 In the first and second embodiments, the collaboration configuration assuming the many-to-many communication within the group has been described. However, when grouping hosts, it is necessary to consider not only collaboration configurations but also server-client configurations. That is, the host belonging to the group consists of a server and one or more clients accessing the server.

[0121] In this case, the GW device is burdened with managing terminal device information. For example, let us consider a case in which the head office and each branch office are grouped together in a server / client configuration such as a web server (Web server) at the head office and a terminal device at each branch office in the company structure! In this case, the GW device that manages the Web server side (having the Web server under its control) must manage information on all terminal devices in each branch office using the global table 24. In addition, GW devices under the control of terminal devices at each branch office must manage terminal information of other branch offices in the global table 24 with almost no communication. As a method for reducing such unnecessary host management, the network system in the third embodiment further includes the following three configurations added to the configuration described in the first embodiment.

 <1> The return transfer serial number (RTN (corresponding to the return destination identification number)) corresponding to the TN is managed in the transmission transfer table 26 (see the transmission transfer table 26-1 shown in FIG. 14). As the RTN value, the same value as the TN value set for the packet in the reverse direction (folding direction) with the packet source as the destination is set.

<2> An RTN and a return group serial number (RGN) are additionally set in the GW header of an IP packet sent to a different GW device. At this time, as RGN The GN corresponding to the own device (own GN) is set (Fig. 15).

 <3> GW device power under the server When transferring a packet from the client to the server, the input port value (InPort) is used as the client address (virtual IP address) notified to this GW device power server. ), Notify the combination of RGN, RTN, and SN. This makes it possible to return (turn back) packets from Sano to the sending client.

[0122] <Operation example>

 FIG. 15 is a diagram for explaining an operation example in the third embodiment. The configuration of the network system shown in FIG. 15 is almost the same as the configuration shown in FIG. However, server s participates in group 1 as a terminal device instead of terminal device c. Terminal devices a and b correspond to clients for Sano s.

[0123] Server s belongs to GW-C, and has real IP address "s". A virtual IP address “sD (s-dash)” and a terminal sequence number “200” are assigned to the server s.

The GW apparatus 10 shown in FIG. 2 is applied to each of GW-A, GW-B, and GW-C. However, the transmission transfer tables of GW-A, GW-B, and GW-C have a data structure such as the transmission transfer table 26-1 shown in FIG.

In the following, the operation in the case where the terminal device a serving as the client transfers an IP packet to the server (client to server communication) will be described with reference to FIG. The terminal device a transmits an IP packet (DA = sD, SA = a) addressed to Sano s toward GW-A. GW—A

When an IP packet is received, the forwarding process for the IP packet is performed.

FIG. 16 is a diagram showing the stored contents of the local table 23A, the global table 24A, the reception transfer table 25A, and the transmission transfer table 26-1A that GW-A has, and FIG. It is a flowchart which shows a process.

The processing shown in FIG. 17 includes processing steps similar to the processing steps in GW-A shown in FIG. 8, and the same processing steps are assigned the same step numbers.

. The third embodiment is different from the processing (step S08A, S09A) force S in the transfer sequence number processing unit 14 (FIG. 2) S in the first embodiment.

[0128] In step S08A, the transfer sequence number processing unit 14 performs the LTN specified by the header processing unit 13. Based on "1" (table 24A power in Fig. 16 is also obtained), TN "2", GN "10" and RTN corresponding to LTN "1" with reference to transmission transfer table 26-1A (Fig. 16) Get “1” and set to GW header.

 [0129] In step S09A, the transfer sequence number processing unit 14 obtains the output port value "AB" corresponding to LTN "1", and sets GN (own GN) "1" in GW-A as RGN in the GW header. Set. Thus, the values set as TN and GN in the capsule packet in the direction opposite to the transmission direction of the encapsulated packet are set as the values of RTN and RGN.

 [0130] After that, as shown in Fig. 15, TN "2", GN "10", DN "200, (Sano s terminal serial number), SN" 101 ", RTN" 1 "and RGN" 1 " IP packet with encapsulated GW header (encapsulated packet) sent from output board 'AB' to network X as the global network.

 [0131] The encapsulated packet arrives at GW-B through the tunnel. Then, GW-B executes the transfer process for the encapsulated packet. FIG. 18 is a diagram showing the stored contents of the low power table 23B, the global table 24B, the reception transfer table 25B, and the transmission transfer table 26-1B that the GW-B has, and FIG. 19 shows the processing by the GW-B. It is a flow chart.

The process shown in FIG. 19 includes the same process steps as the GW-B process steps in the first embodiment shown in FIG. 10, and the same process steps are assigned the same step numbers. ing. In the third embodiment, in the processing by the transfer sequence number processing unit 14 (FIG. 2), step S25A is provided instead of step S25 (FIG. 10), and between step S25A and step S26 (FIG. 10), Additional step S25B is provided.

 [0133] In step S25A, the transfer sequence number processing unit 14 transmits the transmission transfer table 26-1B (Fig. 18) based on the LTN "1" specified by the header processing unit 13 (the table 24B of Fig. 18 is also obtained). TN "1", GN "20" and RTN "3" corresponding to LTN "1" are acquired and set to the GW header.

 In step S26A, the transfer sequence number processing unit 14 sets GN (own GN) “10” in GW-B.

Set to RGN and set to GW header.

[0135] After that, as shown in Figure 15, the contents of the GW header are TN "1", GN "20", RTN "3" and The capsule packet rewritten to RGN “10” is sent to the network Y, which is the global side network, from the output port “BC” specified by the LTN.

 [0136] The encapsulated packet is received by the input board 'CB' in GW-C. Then, GW-C executes the transfer process for the encapsulated packet. Fig. 20 shows the locality of GW-C. FIG. 21 is a diagram showing the contents stored in the table 23C, the global table 24C, the reception transfer table 25C, and the transmission transfer table 26-1C, and FIG. 21 is a flowchart showing the processing by the GW-C.

 As shown in FIG. 20, unlike the first embodiment, the global table 24C in the third embodiment does not store entries for hosts (terminal devices) under the GW-C.

 The processing shown in FIG. 21 includes the same processing steps as the processing steps of GW-C in the first embodiment shown in FIG. 12, and the same processing steps are given the same step numbers. ing. In the third embodiment, step S35A instead of step S35 (FIG. 12) is provided in the processing by the transfer sequence number processing unit 14 (FIG. 2). In addition, in the processing by the header processing unit 13 (FIG. 2), step S36A and step S36B are provided instead of step S36 (FIG. 12).

 [0139] In step S34 of Fig. 21, the transfer sequence number processing unit 14 also obtains the LTN "LOCA same" corresponding to the TN of the GW header, as well as the reception transfer table 25C (Fig. 20). Then, extract GN "10" and output port value "CB (example value: 203 (0xCB))" from the transmission transfer table 26, and set them as RGN and output port specification information. Is transferred to the header processing unit 13 together with the capsule packet (step S35A), where the output port value “CB” corresponds to the input port value of the encapsulated packet.

[0140] The header processing unit 13 automatically generates the SA of the IP packet (step S36A). That is, the header processing unit 13 extracts SN “101” and RTN “3” from the GW header of the encapsulated packet. Subsequently, the header processing unit 13 outputs the output port value (input port value of the capsule packet) “CB”, RGN “10”, RTN “3”, and SN “101” as the “output port” as the designation information. R GN. RTN. SN Value obtained when arranged in the order of "203 (0xCB) .10.3.101" (in the case of IPv4: 32 bit) is set to the global for the sending client (terminal device a). Address (virtual IP address “aD”), and this “aD” is included in the TCP / IP header of the encapsulated packet. Set (store) in the SA field. In order to perform such automatic SA generation, the output port value, RGN (GN), RTN (TN), and SN (DN) values are each preferably represented by 8 bits (in the case of IPv4).

[0141] Subsequently, the header processing unit 13 retrieves the R—IP “s” corresponding to the SN “200” of the GW header from the local table 23C (FIG. 20), and stores it in the DA field of the TCP / IP header. Set (store) (step S36B).

 [0142] Thereafter, the GW header is deleted, and the IP packet is sent to the local network LN3. After that, the IP packet is received by Sano s.

 [0143] FIG. 22 is a diagram illustrating an operation example when the server s transmits an IP packet (for example, a response packet to a request from the client) to the terminal device a (when the server communicates with the client). . FIG. 23 is a flowchart showing processing when an IP packet addressed to the terminal device a (client) is received from the server s.

 As shown in FIG. 22, when the server s sends an IP packet to the terminal device a, the virtual IP address “aD” notified to the GW-C force is set in the SA, and the server in the DA Send an IP packet with the real IP address “s” of s set in the TCP / IP header to GW-C.

 [0145] In GW-C, when the IP packet from server s is received by local-side interface 11 (step S301), header processing unit 13 refers to the DA of the IP packet, and DA is global table 24C ( It is determined whether it exists in FIG. 20) (step S302). At this time, if the DA does not exist in the global table 24C (S302; NO), the process proceeds to step S303 (Fig. 24). If the DA exists in the global table 24C (S302; YES), the process proceeds. Advances to step S308.

 In this operation example, DA “aD” in the IP packet does not exist in global table 24C. For this reason, the header processing unit 13 proceeds with the process to step S303.

In step S303, the header processing unit 13 determines whether or not DA can be converted into an output port, GN, TN, and DN. For example, if DA (IPv4) is decomposed every 8 bits, it is determined whether the first value is the same as the output port value ("CB"). The header processing unit 13 knows the output port value “CB” in advance (stores it in a storage area accessible by itself). [0148] If the first value is not the same as the output port value (S303; NO), the header processing unit 13 determines that the IP packet is a normal IP packet, and performs IP routing processing on the IP packet. Transfer to part 15 (step S304).

 In this operation example, DA “aD” is a value obtained by defining the values of the output port, RGN, RTN, and SN with 8 bits, and combining them in series. For this reason, if “aD” is subjected to the reverse decomposition process, the respective values can be obtained. Therefore, the header processing unit 13 can obtain the same value as the output port value “CD”, assuming that the leading force of “aD” is a value of up to 8 bits. Therefore, the header processing unit 13 determines “YES” in step S303, and advances the process to step S305.

 [0150] In step S305, the header processing unit 13 adds a GW header to the IP packet, extracts the values of GN, TN, and DN from the DA and sets them in the GW header (step S305). That is, the header processing unit 13 sets the values of RGN “10”, RTN “3”, and SN “101” obtained by the decomposition processing as GN “10”, ΤΝ′ΊΟ ”, and DN“ 101 ”, respectively. Set in GW header.

 [0151] Next, the header processing unit 13 searches the local table 23C (Fig. 20) for the SN corresponding to SA “s” (R—IP) in the IP header, and sets it in the GW header (step S306). .

 [0152] Next, the header processing unit 13 sets the output port value "CD" obtained from DA "aD" in the output port specification information, and the IP packet (capsule packet bucket) having the specification information and the GW header. To the tunnel processing unit 16 (step S307).

 [0153] In this case, the transfer sequence number processing unit 14 is conditional on at least one of the fact that TN or GN is set in the encapsulated packet and that the designation information of the output port is received together with the encapsulated packet. It is determined that it is not necessary to perform its own processing. In this case, the transfer number processing unit 14 transfers the encapsulated packet and the specified information to the tunnel processing unit 16 without performing processing on the encapsulated packet (GW header).

 [0154] Thereafter, the process proceeds to step S314, and after the encryption processing or the like is performed on the encapsulated packet in the tunnel processing unit 16, the encapsulated packet is received from the output board 'CD' specified by the specified information. Sent to network Y, the global network.

[0155] Note that, in the communication from the terminal device a to Sano s, the GW-A can set the corresponding TN and GN by the above method without receiving the RTN or RGN. For this reason, the server s When a capsule packet (turnback packet) is transmitted to the client (terminal device a), RGN and RTN are not set in the GW header. Therefore, the RGN and RTN storage fields in the GW header of the return packet can be omitted.

Note that the processing in steps S308 to S314 shown in FIG. 23 is the same as that in steps S04 to S314 shown in FIG.

 The process is the same as 10. The processing of these steps S308 to S314 is prepared for packet transfer processing for a group different from group 1 having a collaboration configuration.

 [0157] As shown in Fig. 22, the encapsulated packet is received by GW-B through the tunnel constructed on network Y. In GW-B, the processing shown in FIG. 19 is executed using the tables 23B, 24B, 25B and 26-1B shown in FIG. As a result, the encapsulated packet in which TN "3" and GN "10" set in the received encapsulated packet are rewritten to TN "1" and GN "1" is sent from the output port BA of GW-B. Sent to network X.

 [0158] When GW-A receives the encapsulated packet, GW-A executes the same processing as the processing of GW-C shown in FIG. As a result, the IP packet in which the GW header is deleted and DA “a” and SA “sD” are set is transferred from GW-A to terminal device a.

 [0159] <Function and effect>

 In the third embodiment, for intra-group communication in group 1 having a client-server configuration, for client (terminal device a) power, for IP packet transfer to Sano s, and for GW header, server s to client ( The GN and TN set in the reverse bucket (return packet) sent to the terminal device a) are set as RGN and RTN.

[0160] Also, in the third embodiment, in the GW device (GW-C) under the control of Sano s, the input values of the encapsulated packet (output port of the return packet), the values of RGN, RTN, and SN are serially connected. The value connected (synthesized) to is automatically generated as the virtual IP address “aD” of the client, set in the SA of the IP packet, and given to Sano s.

[0161] Therefore, if server s sends a return packet in which SA "aD" is set to DA to GW-C, GW-C sets the return packet in the GW header from DA "aD". Should GN, TN, DN and output port values can be obtained. Thereby, the processing of the transfer sequence number processing unit 14 is omitted.

 [0162] With the above, it is not necessary to have an entry for each client in the global table 24C of GW-C that has Sano s under its control. In other words, the management burden of client information in GW-C is reduced. Further, the processing of the transfer sequence number processing unit 14 is omitted, so that the processing load of GW-C is reduced.

 That is, according to the third embodiment, the virtual IP address and host information managed in the GW device can be reduced, and the management load of the GW device can be reduced.

 [0164] Furthermore, the global table 24A of GW-A and the global table 24B of GW-B are configured so as not to have an entry (client terminal information) of a group member corresponding to the client (Fig. 16, Fig. 16). 18). That is, unlike the first embodiment, the third embodiment does not manage the V-IP of the terminal device corresponding to the client. For this reason, in the third embodiment, intra-group communication cannot be performed between clients.

 [0165] Therefore, for example, when a certain group is composed of a large number of home appliances and a powerful server that manages the home appliances, a home appliance different from a home appliance is used. It is possible to suppress communication with a device.

 [0166] Also, with the above configuration, the management burden of the GW device that has the client under control is reduced. Also, since there is no need for management in the GW device, it is not necessary to assign a virtual IP address to the terminal device as a client.

 [Fourth Embodiment]

 Next, a fourth embodiment of the present invention will be described. Since the fourth embodiment includes the same configuration as that of the first embodiment, different configurations will be mainly described, and description of the same configurations will be omitted.

 [0168] In the network system shown in the first embodiment, packet transfer processing between GW devices is executed using unique tables (reception transfer table 25 and transmission transfer table 26) different from the IP routing table. In the fourth embodiment, a method for enabling QoS setting by a transfer sequence number (TN / L TN) will be described.

[0169] For example, in the network system shown in FIG. 1, the terminal device a and the terminal device c It is assumed that communication is performed using the voice multicast address “Multil”, while the terminal device a and the terminal device b are communicating by FTP (File Transfer Protocol).

[0170] In this case, in the GW device that performs relay processing such as GW-B, the FTP packet to terminal device b and the voice packet to terminal device c may stay and be stacked in GW-B. Can happen. At this time, if GW-B performs simple sequential processing for packet transmission (transfer processing is performed in the order of packet arrival), a delay occurs in the voice packet ("Multil") and the call quality deteriorates. There is a fear. Therefore, the GW device has the following configuration.

 [0171] <Configuration>

 FIG. 25 is a diagram illustrating a configuration example for performing priority control based on QoS. In the example shown in FIG. 25, transmission queues Q1 and Q2 and a read control unit 28 as a priority control unit are provided between the transfer sequence number processing unit 14, the header processing unit 13, and the packet transmitting / receiving unit 17. .

 That is, the transfer sequence number processing unit 14 assigns a packet to one of a plurality of transmission queues according to the destination of the packet that can be identified by referring to the reception transfer table (in FIG. 25, as the transmission queue Q1). Accumulate in one of Q2). The packet is read at an appropriate timing by the read control unit 28, and transferred to one of the header processing unit 13 and the tunnel processing unit 16 (packet transmission / reception unit 17) according to the destination.

 [0173] The transmission queue Q1 accumulates packets with a high priority, and the transmission queue Q2 accumulates packets with a low priority. However, the number of queues for transmission can be determined according to the number of priority levels.

[0174] In the fourth embodiment, the priority is defined in association with TN (LTN). FIG. 26 is a diagram illustrating the contents stored in the reception transfer table 25B and the transmission transfer table 26B of the GW-B according to the fourth embodiment. The storage contents of the tables of 0 ¹ \ ^ — 8 and 0 ¹ \ ^ — are the same as in the first embodiment (FIGS. 7 and 11).

As shown in FIG. 26, the reception transfer table 25B is provided with a field for setting ON / OFF of the priority control flag. The flag “ON” is set for the entry with the priority “high”, and the flag “OFF” is set for the entry with the priority “low”. [0176] In the assumed situation described above, depending on the contents stored in the reception transfer table 25B and transmission transfer table 26B of GW-B (Fig. 26), for example, LTN "LOCA ji '(TN" 1 ") is LTN “5” or “6” (TN “4” or “7”) is associated with priority “high”.

 [0177] On the other hand, GW-A has a global table so that TN "4" is set for V-IP "MULTI1" and TN "1" is set for V-IP "bD". The contents stored in 24 and the transmission transfer table 25 are specified (Fig. 7).

 [0178] The transfer sequence number processing unit 14 of GW-B obtains the LTN corresponding to the reception transfer table 25 B force based on the TN of the received packet. At this time, the transfer sequence number processing unit 14 determines whether the priority control flag is on or off. If it is on, the packet is input to the transmission queue Q1, and if it is off, the packet is transmitted to the transmission queue Q2. input.

 Accordingly, the voice packet (TN “5”) addressed to the terminal device c transmitted from GW-A is stored in the transmission waiting queue Q1. On the other hand, the FTP packet (TN “1”) addressed to the terminal device “b” transmitted from the GW-A power is stored in the transmission waiting queue Q2.

 [0180] The read control unit 28 reads packets from the transmission queues Q1 and Q2 according to a predetermined read rule. For example, when the packet is stored in the transmission queue Q1 as a rule, the read control unit 28 reads the packet preferentially, on the condition that no packet is stored in the transmission queue Q1. Reads the packet from queue Q2 for transmission. Also, the voice packet (TN “7”) transmitted from the terminal device c to the terminal device a is also stored in the transmission queue Q1 having the priority “high”.

 [0181] In this way, LTN (TN) packets for which the priority control flag is set to "ON" are stored in the transmission queue Q1 and thus transferred to the packet processing priority thread.

In the above configuration, although not shown in FIG. 25, the LTN notified from the transfer sequence number processing unit 14 to the header processing unit 13 and the output port value notified to the tunnel processing unit 16 are The packet is read and synchronized with the header processing unit 13 and the tunnel processing unit 16. Alternatively, the LTN and output port values are entered into the transmission queue along with the packet. Thus, the voice packet transmitted / received between the terminal device a and the terminal device c has priority over the FTP packet transmitted / received between the terminal device a and the terminal device b. Sent from. In this way, priority control according to QoS can be realized in intra-group communication.

 [0184] <Effect>

 According to the fourth embodiment, priority control can be performed according to the packet transfer destination (TN, LTN), and intra-group communication satisfying the QoS required by the communication service can be realized. That is, according to the fourth embodiment, it is possible to realize QoS control for packets transferred between GWs.

 [Fifth Embodiment]

 Next, a fifth embodiment of the present invention will be described. Since the fifth embodiment includes the same configuration as that of the first embodiment, mainly the different configuration will be described, and the description of the same configuration will be omitted.

 [0186] In the first embodiment, an example in which a terminal device or server having a normal IP communication function is applied as a host has been described. In the fifth embodiment, a configuration is described in which a tunnel is constructed between a GW apparatus and a host under the GW apparatus, and virtual closed network communication can be realized between the host and the GW apparatus.

 [0187] <Configuration>

 FIG. 27 is a diagram illustrating a configuration example of the host 40 according to the fifth embodiment. As shown in FIG. 27, the host 40 has a user area and a kernel area, and a real LAN interface (real LAN—IF) 41 and a virtual LAN interface (virtual LAN—IF) 42 are located at the boundary between them. And are provided.

 [0188] In the user area, an application 43 used by the user is arranged. On the other hand, a physical LAN dryer 4 connected to the real LAN IF 42 and a LAN card 45 connected to the physical LAN dryer 4 are arranged in the kernel area.

[0189] In addition, a virtual LAN driver 46 connected to the virtual LAN IF 41, a header processing unit 13, a transfer sequence number processing unit 14, and a tunnel processing unit 16 are provided in the kernel area. The tunnel processing unit 16 is a physical LAN. Connected to Dryno 44. In addition, the kernel area A management table 18 referred to in the header processing unit 13 and a sequence number table 19 referred to in the transfer sequence number processing unit 14 are provided.

 [0190] The header processing unit 13, the transfer sequence number processing unit 14, the tunnel processing unit 16, the management table 18 and the sequence number table 19 are substantially the same as the configurations and functions (FIGS. 2 to 6) described in the first embodiment. The management table 18 (specifically, the global table 24 in the management table 18) corresponds to the first management table of the present invention, and the serial number table 19 (specifically, the transmission transfer table 26 in the serial number table 19) is the present invention. Corresponds to the second management table.

 [0191] When the host 40 transmits a packet, the application 43 generates an IP packet including data to be transmitted. At this time, if the IP packet is a normal IP packet due to the routing setting of the host, the IP packet is given to the real LAN IF 42, and if it is an IP packet related to intra-group communication, the virtual LAN IF 41 Given to. For example, if the normal corporate environment LAN is set to B class (10.xx.xx.xx) in the host routing settings, IP packets for intra-group communication use C class (192.xx.xx.xx). As a routing setting, set C class IP packets to be forwarded to virtual LAN—IF41. As a result, the virtual IP address of the DA is assigned within the C class.

 A normal IP packet is sent via the physical LAN driver 44 and the LAN card 41.

 In contrast, IP packets related to intra-group communication are processed by the virtual LAN router 6 and then processed by the header processing unit 13, the transfer sequence number processing unit 14, and the tunnel processing unit 16 in the GW-A described in the first embodiment. The same processing as in Fig. 8 (Fig. 8) is performed, and the capsule packet having the GW header (intra-group communication header) is transferred to the physical LAN driver 44. The encapsulated packet is then transferred to the GW device connected via the tunnel via the physical LAN driver 44 and the LAN card. In the GW device, packet transfer processing (global → global transfer: Fig. 10) executed in GW-B in the first embodiment and packet transfer processing (global → local transfer: Fig. 12) executed in GW-C A similar transfer process is executed and arrives at the other host.

[0193] The host 40 receives a normal IP packet and an encapsulated packet from the GW apparatus. When the packet is received, the packet received by the LAN card 41 is transferred to the physical LAN dryer 44. For example, the physical LAN dryer 44 determines whether a packet passes through a tunnel and If it is via a tunnel, the packet is forwarded to the tunnel processing unit 16; otherwise, the packet is forwarded to the real LAN—IF42. Real LAN—IF 42 passes the packet from physical LAN driver 44 to application 43.

 [0194] The packet transferred to the tunnel processing unit 16 is processed by the tunnel processing unit 16, the transfer sequence number processing unit 14, and the header processing unit 13 with the processing of the GW-3 described in the first embodiment (Fig. 12). After almost the same processing, the virtual LAN driver 46 and the virtual LAN—IF 41 are passed to the application 43 through processing.

 [0195] <Effect>

 In the fifth embodiment, not only tunneling between GW devices but also GW device hosts are tunneled. As a result, the security between the GW device and the host can be improved. Therefore, for example, when the outside power is connected to the in-house LAN, intra-group communication with communication security can be performed.

 Note that the terminal device described in the fifth embodiment can be applied to the network system of the third embodiment.

 [0197] [Others]

 The configurations described in the first to fifth embodiments can be appropriately combined without departing from the object of the present invention.

Claims

The scope of the claims

 [1] A packet relay device arranged on a transmission route of IP packets for communication between group members transmitted and received between terminal devices belonging to the same group,

 A storage unit storing a destination identification number and an internal management number corresponding to a destination of an IP packet, each different from an IP address, the first table storing an internal management number corresponding to the destination identification number, and the internal table A storage unit storing a second table storing routing information of the IP packet corresponding to the management number;

 A packet receiver;

 A decryption unit that decrypts the received IP packet when the IP packet received by the reception unit is encrypted from the packet relay device of the previous hop arranged on the transmission route;

 A search unit for searching the first table for an internal management number corresponding to a destination identification number assigned to the IP packet;

 A forwarding control unit that searches the routing information corresponding to the internal management number in the second table and assigns a new destination identification number included in the searched routing information to the IP packet;

 An encryption unit for encrypting the IP packet in which a new destination identification number is set; and a next-hop packet relay in which the encrypted IP packet is arranged on the transmission route based on the transfer information A transmitter to transfer to the device

 A packet relay device.

 [2] The number of entries in the first table is equal to the number of destinations of packets relayed by the packet relay device.

 The packet relay device according to claim 1.

[3] The storage unit is a virtual IP address different from a real IP address of a terminal device applied to the communication between group members, and a virtual IP address of a terminal device that is a destination in the communication between group members A third table storing the internal control number corresponding to

The receiving unit receives a destination IP address from a terminal device under the packet relay device. When receiving the IP packet in which the virtual IP address is set, the transfer control unit searches the third table for the routing information corresponding to the internal management number corresponding to the destination IP address of the IP packet. The second table is searched, and a destination identification number included in the searched routing information is assigned to the IP packet.

 The encryption unit encrypts the IP packet to which a destination identification number is assigned, and the transmission unit is encrypted to the next-hop packet relay device based on the searched routing information! Forward the IP packet

 The packet relay device according to claim 1.

[4] The first table stores transfer information indicating that the IP packet received by the receiving unit is transferred to a terminal device under the packet relay device in association with the destination identification number,

 When the search unit searches for the transfer information from the first table, the transfer control unit sends the source terminal device as the source IP address for the IP packet to be transferred to the subordinate terminal device. Set the virtual IP address, set the real IP address of the subordinate terminal device as the destination IP address, delete the destination identification number set in the IP packet,

 4. The packet relay device according to claim 3, wherein the IP packet from which the destination identification number has been deleted is transferred to the terminal device under its control.

5. The packet relay device according to claim 4, wherein a virtual IP address of the transmission source terminal device is searched from the third table.

[6] The IP packet to be transferred to the terminal device under the control includes a return destination identification number as a destination identification number to be set for an IP packet in the reverse direction with the source of the IP packet as the destination,

 When the retrieval unit retrieves the forwarding information from the first table, the forwarding control unit obtains a virtual IP address generated using at least the input port value of the IP packet and the return destination identification number. Set the IP packet as the virtual IP address of the source terminal device,

Thereafter, the IP packet in the reverse direction having the terminal device under the transmission as a transmission source is received. The transfer control unit extracts the return destination identification number and the input port value from the virtual IP address set as the destination IP address in the reverse IP packet! / The return destination identification number is assigned to the reverse IP bucket as the destination identification number, and the input port value is designated as the output port value of the reverse IP packet.

 The packet relay device according to claim 4.

[7] The third table does not store an entry including a virtual IP address of a terminal device that is a transmission source of an IP packet destined for the subordinate terminal device.

 The packet relay device according to claim 6.

[8] The packet relay device manages the packet relay device when the status of the group changes.

Synchronize the information used in communication between group members that communicates with different packet relay devices located on the transmission route.

 The packet relay device according to claim 1.

[9] A priority control unit that performs priority control based on the destination identification number is further included.

 The packet relay device according to claim 1.

[10] The receiving unit receives the IP packet encrypted from the terminal device under the packet relay device.

 The packet relay device according to claim 1.

[11] A terminal device connected to a packet relay device arranged on a transmission route of an IP packet transmitted / received by communication between group members executed between different terminal devices belonging to the same group,

Stores the internal management number corresponding to the virtual IP address of the terminal device, which is a virtual IP address different from the actual IP address of the terminal device applied to the communication between group members, and is the destination in the communication between group members Storage unit storing the first management table and the second management table storing the routing information corresponding to the internal management number, and the virtual IP address of the destination terminal device as the IP packet for communication between group members. For the IP packet set as the destination IP address, search the routing information corresponding to the internal management number searched for the first management table power in the second management table power search. A transfer control unit for assigning the destination identification number included in the searched routing information to the IP packet;

 An encryption part for encrypting the IP packet to which the destination identification number is assigned;

 A transmission unit for transferring the encrypted IP packet to the packet relay device based on the searched routing information;

A terminal device including

 A packet receiver;

 A decryption unit for decrypting an IP packet encrypted by the packet relay device received by the reception unit;

 The transfer control unit sets the virtual IP address of the source terminal device as the source IP address from the decrypted IP packet, sets the real IP address of the terminal itself as the destination IP address, and Get the IP bucket た with the destination identification number set in the packet removed

The terminal device according to claim 11.