JP2000224217A - Tunneling device and communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow terminals to make communication in a shortest path without need for complicated processing by a user or an application in a user space. SOLUTION: Each of IPTL devices 1251-125n has a virtual IP address and a physical IP address of its own terminal, a virtual IP address and a physical IP address of a server, and a virtual IP address and a physical IP address of other terminal and also a network address/mask of a virtual sub network. The network address/mask of a virtual sub network denotes an address of a virtual sub network to which each of the IPTL devices 1251-125n belongs. Each of the IPTL devices 1251-125n has the address of the virtual sub network to which each of them belongs (sub network address) as the virtual IP address. Each of the IPTL devices 1251-125n, that is, mobile terminals having virtual addresses a, b, c, h, i, j as shown in figure have a function of forming virtual sub addresses among the mobile terminals.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an improvement in a tunneling device and a communication system including the tunneling device. Hereinafter, as a tunneling device, I
A description will be given by taking a P (Internet Protocol) tunneling device as an example.

[0002]

2. Description of the Related Art Conventionally, in networks, IP
(Internet Protocol) Communication between mobile terminals using a tunneling device (IPTL device) is performed. FIG. 1 is an explanatory diagram illustrating a network in which communication between mobile terminals using an IPTL device is performed.

In FIG. 1, a thin broken line 7 indicates a mobile terminal 1.
1 is a specific IP among multiple built-in IPTL devices
3 shows an IP tunnel route established between the mobile terminal 12 and the TL device. Route 7 of this IP tunnel
Reaches the server 5 from the mobile terminal 11 via the router 31 of the subnetwork A and the router 32 of the subnetwork B, and reaches the mobile terminal 12 from the server 5 via the routers 32 and 31. On the other hand, the thick broken line 9 indicates the path of the IP tunnel that the mobile terminal 11 establishes with the mobile terminal 12 using another IPTL device.

[0004]

In the communication between mobile terminals using the IPTL device, only the IP tunnel between each mobile terminal and one specific terminal (terminal for mediating communication) is used. There is a method of performing so-called star-type communication by connecting with the Internet. There is also a method in which each mobile terminal performs direct communication with a partner terminal by making a so-called mesh type connection using a plurality of IP tunnels. Hereinafter, the above two methods will be described.

FIG. 2 is an explanatory diagram showing the processing operation of each module of the mobile terminal 11 when performing star-type communication.

In FIG. 2, first, an application (AP) of a user or a user space (details will be described later)
111 and 11i perform setting of the IPTL device 151. In this case, it is assumed that the user knows the physical IP address of the server 5 in advance. Next, in the routing table (table) 13, "communication with the mobile terminal (the mobile terminal 13 in FIG. 1) in the sub-network before the movement (that is, the sub-network B to which the mobile terminal 11 belonged before the movement). To transfer to the server 5 ", and" to transfer to the server 5 when communicating with the mobile terminal 12 ".

As a result, when transmitting an IP packet to the mobile terminal 13, the IP packet encapsulated by the IPTL device 151
The data is transmitted to the server 5 through the device 17 and the network interface (interface) 19. Also, when transmitting an IP packet to the mobile terminal 12, the IP encapsulated by the IPTL device 151 is also used.
The packet is transmitted to the server 5 via the same route as described above. In this case, the communication speed between the mobile terminals 11 and 12 is 64 kbps.

FIG. 3 is a flowchart showing the processing operation of each module in the mobile terminal 11 when performing star-type communication.

As shown in FIG. 3, when the physical IP address of the server 5 is input on the mobile terminal 11 side (step S31), the IPTL device 151 on the mobile terminal 11 side receives the physical IP address of the server 5 based on the physical IP address. The physical IP address of the mobile terminal 11 is transmitted to the server 5 (Step S32). When the server 5 receives this (step S33), the IPTL device 1 on the server 5 side
51 is activated and the IPTL device 15 on the mobile terminal 11 side
Construct an IP tunnel with 1 (step S34,
S35).

On the other hand, the mobile terminal 12 and the IP address of the server 5 are
The same processing as in steps S33, S34, and S35 described above is also performed between the TL device 152 and the TL device 152 (steps S36 and S37).

Next, on the mobile terminal 11 side, an IP packet to be transmitted to the mobile terminal 12 is encapsulated and transmitted to the server 5 (steps S38 and S3).
9). When the server 5 receives the IP packet,
The PTL device 151 performs decapsulation and identification of a transmission destination (step S40). The IP packet that has been subjected to the above processing is again encapsulated in the IPTL device 152 and then transmitted to the mobile terminal 12 (step S41).

FIG. 4 is an explanatory diagram showing the processing operation of each module in the mobile terminal 11 when a mesh type connection is made.

In FIG. 4, first, the user or the user space APs 11 1 and 11 i are connected to the IPTL device 15.
1 and 152 are set. In this case, it is assumed that the user knows the physical IP address of the server 5 and the physical IP address of the mobile terminal 12 in advance. Next, in the table 13, "when communicating with the mobile terminal (mobile terminal 13 in FIG. 1) in the sub-network before moving (that is, the sub-network B), transfer to the server 5", In the case of communication with the mobile terminal 12, transfer to the physical IP address of the mobile terminal 12 "is performed.

Thus, when transmitting an IP packet to the mobile terminal 13, the IP packet encapsulated in the IPTL device 151 is converted from the physical IP
The data is transmitted to the server 5 through the device 17 and the interface 19. When transmitting an IP packet to the mobile terminal 12, the IP packet encapsulated by the IPTL device 152 is transmitted to the mobile terminal 12 via the same route as described above. In this case, the communication speed between the mobile terminals 11 and 12 is
Since 12 is connected by the shortest path by the IP tunnel, the transmission speed is 10 Mbps.

FIG. 5 is a flowchart showing a processing operation of each module in the mobile terminal 11 when a mesh type connection is made.

As shown in FIG. 5, first, when the physical IP address of the server 5 is input on the mobile terminal 11 side (step S51), the IPTL device 151 receives the physical IP address of the mobile terminal 11 based on the physical IP address. Is transmitted to the server 5 (step S52). When the server 5 receives this (step S53), the IPTL device 151 of the server 5 starts up and establishes an IP tunnel with the IPTL device 151 of the mobile terminal 11 (steps S54 and S55).

On the other hand, the IPTL device 1 of the mobile terminal 12
The same processing as that in steps S51 to S55 described above is also performed between 51 and the IPTL device 152 on the server 5 side (steps S56 to S6).
0).

Next, on the mobile terminal 11 side, the physical IP address of the mobile terminal 12 is input (step S61),
By inputting the physical IP address of the mobile terminal 11 on the mobile terminal 12 side (step S62), the mobile terminal 11
Device 152 on the mobile side and the IP on the mobile terminal 12 side
The TL devices 152 are activated, respectively, to construct an IP tunnel between the two IPTL devices 152 (steps S63 and S64).

Subsequently, in the IPTL device 152 on the mobile terminal 11 side, an IP packet to be transmitted to the mobile terminal 12 is encapsulated and transmitted to the mobile terminal 12 (steps S65 and S66). Upon receiving the IP packet on the mobile terminal 12 side, decapsulation is performed in the IPTL device 152 on the mobile terminal 12 side (step S67).

However, in the method of performing star-type communication,
Since the communication between the mobile terminals 11 and 12 is performed through one specific terminal (that is, the server 5), the mobile terminal 1
There is a problem that the communication path between 1 and 12 does not become the shortest path, and the communication speed may be reduced.

In a method of performing direct communication with a counterpart terminal (in the above example, the mobile terminal 12 for the mobile terminal 11) by making a mesh type connection, the user or the user space APs 111, 11i, etc. Construction of multiple IP tunnels must be performed. In addition, when the physical IP address changes due to the movement of the own terminal (mobile terminal 11) or the like, the setting change of all the built-in IPTL devices (151 to 15n) is performed by the user or the user space AP 111, 11i. Building and managing multiple IPTL devices, such as what must be done, is a tedious task.

Therefore, an object of the present invention is to enable terminals to communicate with each other via the shortest route without a complicated process performed by a user or a user space application.

[0023]

According to a first aspect of the present invention, there is provided a tunneling device for storing a given physical address indicating a subnetwork to which a plurality of terminals on a network actually belong and a subnetwork not actually belonging to the network. Means for holding a virtual address shown, means for extracting a terminal having the same virtual address from among a plurality of terminals, means for forming the same virtual sub-network among these terminals, The physical address and the virtual address of each terminal that performs communication are extracted, and a communication path between the terminals is set between the sub-networks or within the virtual sub-network, and 1 or between the terminals according to the communication path. Means for constructing a plurality of tunnels.

According to the above configuration, the physical address and the virtual address of each terminal performing communication are extracted from the physical address and the virtual address, and the communication path between the terminals is set between the sub-networks or within the virtual sub-network. And one or more tunnels are established between the terminals according to the communication route. Therefore, the terminals can communicate with each other via the shortest route.

In a preferred embodiment according to the first aspect of the present invention, the network is the Internet, and the tunneling device is an IP (Internet Protocol) tunneling device. This IP tunneling device is a virtual device. The physical address is
The physical address is a virtual IP address, and the virtual address is a virtual IP address. A plurality of tunneling devices are provided in a module built in a terminal together with a physical IP device or a network interface which is a physical device, a routing table for distributing IP packets, and a user space application. The terminals described above are, for example, a plurality of mobile terminals and servers excluding relay devices on a network such as a router. Communication data exchanged between the terminals is an IP packet.

[0026] The above-mentioned plurality of tunnels are provided between one terminal that performs communication by a user or an application in a user space and a terminal that mediates communication, and between the other terminal that performs communication and a terminal that mediates communication. A first tunnel respectively constructed, and after the first tunnel is constructed,
A second tunnel automatically established between one terminal and the other terminal. In the second tunnel, the physical address of the other terminal is given to one terminal from the intermediary terminal,
In addition, when the physical address of one terminal is given to the other terminal from the intermediary terminal, the terminal is automatically constructed.

In the communication system according to the second aspect of the present invention, a plurality of mobile terminals communicate on a network through an intermediary terminal, and each terminal has the same virtual address between terminals having the same virtual address. A communication route between terminals is set between sub-networks or within a virtual sub-network based on a physical address and a virtual address of each terminal performing the extracted communication, and the communication route is formed. A tunneling device for establishing one or a plurality of tunnels between the terminals according to the conditions, and when one of the other terminals communicating with one of the terminals moves, the tunneling device of the moved terminal moves. By notifying the physical address of the subsequent terminal to the tunneling device of the intermediary terminal, In after rebuilding the tunnel, so that rebuild the tunnel between both terminals by tunneling device mediated terminal notifies the physical address for tunneling device of the terminal of the person who has not moved.

In a preferred embodiment according to the second aspect of the present invention, when one of the communicating terminals and one of the other communicating terminals belong to two independent virtual sub-networks, Assigning one of each virtual sub-network to any one of the tunneling devices of the other terminal, and assigning the other of each virtual sub-network to another one of the tunneling devices of the other terminal. .

When one of the communication terminals and the other of the communication terminals have a built-in tunneling device having neither the above-mentioned sub-network forming function nor tunnel construction function, the tunneling of the intermediary terminal is performed. The device establishes a tunnel with one terminal by transmitting the physical address from the tunneling device of one terminal, and establishes a tunnel with the other terminal by transmitting the physical address from the tunneling device of the other terminal. Establish a tunnel between the two terminals to mediate communication between both terminals.

Further, the tunneling device exchanges keys between one terminal and the intermediary terminal that perform communication, and between the other terminal and the intermediary terminal that perform communication, respectively. And a first tunnel is constructed between the other terminal and the intermediary terminal respectively, and after the first tunnel is constructed, a second tunnel is constructed between the one terminal and the other terminal. You can also. This is the so-called IPsec
1 is an aspect of the encrypted communication using. In this case, the exchanged key is a key used for performing encrypted communication between one terminal and the other terminal, and the communication performed through the first and second tunnels is the encrypted communication. It is.

In a modification of the above-described embodiment, the encrypted communication performed through the first tunnel and the encrypted communication performed through the second tunnel are performed using different keys.

[0032] A tunneling device according to a third aspect of the present invention is a terminal of a communication system in which a first terminal and a second terminal transmit and receive communication data via a third terminal on a communication network. Means for establishing a first tunnel for connecting between the third terminal and the first terminal, and between the third terminal and the second terminal, respectively,
The first and second terminals are provided to the first and second terminals via the first tunnel, respectively, based on information including a virtual address indicating a virtual subnetwork of the counterpart terminal and a physical address indicating a subnetwork actually belonging to the first terminal. Means for constructing a second tunnel directly connecting the second terminals.

A program medium according to a fourth aspect of the present invention holds a given physical address indicating a subnetwork to which a plurality of terminals on a network actually belong and a virtual address indicating a subnetwork not actually belonging to the terminal. A means for extracting a terminal having the same virtual address from a plurality of terminals, a means for forming the same virtual sub-network among these terminals, and a terminal for communicating from the physical address and the virtual address. Means for extracting a physical address and a virtual address, setting a communication path between each terminal between sub-networks or within a virtual sub-network, and constructing one or more tunnels between the terminals according to the communication path A computer for operating a computer as each of the above-described means in a tunneling device having Readable to carry computer over data program.

[0034]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Before describing the embodiments of the present invention, IP tunneling will be described with reference to FIGS. 6 to 9, a virtual sub-network will be described with reference to FIG. The manner in which the path becomes the shortest path will be described with reference to FIG.

(1) IP Tunneling IP tunneling, which is also called IP encapsulation, is to insert a certain IP packet into another IP packet. The encapsulated IP packet piggybacks on the native IP packet ignoring the network of the native IP packet. As a result, overhead (unnecessary load) increases, but the IP packet piggybacked from one network to another network can be transmitted via a network in the middle of using another IP.

In the example of FIG. 6, the terminal 711 has the address of the sub-network B as a virtual address and the address of the sub-network A as a physical IP address.
Can communicate with the physical IP address. When the terminal 711 communicates with the terminal 713 on the subnetwork B side using a virtual address, as indicated by reference numeral 72, an IP packet (data) to which the virtual address of the terminal 711 is assigned is transmitted to the server 711. 75
Of the terminal 711, the physical IP address of the terminal 711, and the physical IP address of the terminal 713. The encapsulated IP packet is sent to the router 73
After being transmitted to the server 75 through 1 and 732 and decapsulated by the server 75, as shown by reference numeral 74,
It is transmitted from the server 75 to the terminal 713.

As described above, the IP tunneling is realized by the IPTL device. An IPTL device is a virtual device, also called a software device, and more specifically,
Refers to a virtual device in the UNIX kernel.
The virtual device performs encapsulation to add a new IP header to the data received from the user application, and then passes the encapsulated data to a real IP device (hardware device).
It is transmitted in the same way as normal data. The virtual device looks exactly the same to the user (application in the user space) as the physical device such as the physical IP device 97 and the interface 99 shown in FIGS. 7 to 9 respectively.
However, the virtual device performs a process of actually performing the above-described processing on the received data and passing the processed data to another device (the above-described physical device or another virtual device). It is. Here, the user space corresponds to a kernel space (system space) and refers to a memory space in a computer used by a program created by a user. On the other hand, the kernel space refers to a memory space in a computer used by the operating system.

FIG. 7 is a block diagram showing a configuration of a module having the above-described IPTL device, physical IP device, interface, and the like. The module configuration includes a server (for example, server 75 in FIG. 6) on each sub-network connected through the Internet, and a mobile terminal (for example, mobile terminals 711, 712, 7 in FIG. 6).
13) etc. are provided.

In the module configuration 81 shown in FIG.
In order to perform communication using a tunnel, a plurality of APs 91
1, 91i, a table 93, a plurality of IPTL devices 951 to 95n, a physical IP device 97, and an interface 99. In the following description, for convenience, the illustrated module configuration is assumed to be a specific mobile terminal module configuration.

The table 93 indicates that when an own terminal (arbitrary terminal among a plurality of terminals having the module configuration 81 described above; the same applies hereinafter) transmits an IP packet to a partner terminal (not shown), the IP packets from the APs 911 and 91i are transmitted. To determine which of the IPTL devices 951 to 95n should be passed. By this distribution, it is possible to determine to which of the IPTL devices 951 to 95n the destination IP address of the IP packet corresponds to the virtual IP address (note that the IPTL devices 951 to 95n correspond in advance to the respective partner terminals. Is set.) Table 93 passes the IP packet to the relevant IPTL device. The table 93 receives the encapsulated IP packet from the IPTL device and passes it to the physical IP device 97.

The table 93 also indicates to which of the IPTL devices 951 to 95n the IP packet passed from the physical IP device 97 should be sent when the terminal itself receives an IP packet transmitted from the other terminal (not shown). Is determined in order to determine the IP packet. By this distribution, it is possible to determine which of the IPTL devices 951 to 95n the other party (the other party terminal) is the virtual IP address of the source address of the IP packet. Table 93 passes the IP packet to the relevant IPTL device. The table 93 receives the decapsulated IP packet from the IPTL device and passes it to the AP 91i.

Each of the IPTL devices 951 to 95n corresponds to FIG.
Are provided in the server 75, the mobile terminals 711 to 713, and the like, and need not be provided in the repeaters such as the routers 731 and 732. Each IPTL device 951
As shown in the figure, each of .about.95n has its own virtual IP address, its own physical IP address, the other party's virtual IP address, and the other party's physical IP address. Each IP
Each of the TL devices 951 to 95n functions as an IP address conversion module.

In other words, each IPTL device 951-
When the own terminal transmits an IP packet to a counterpart terminal (not shown), an IP address from the table 93 is set to a header having the destination address as the physical IP address of the counterpart.
The IP packet is encapsulated by being added to the packet, and is returned to the table 93 again. Each IPTL device 9
When the own terminal receives an IP packet transmitted from the other terminal (not shown),
The encapsulated IP packet passed from the table 93 is decapsulated and returned to the table 93 again.

When the physical IP device 97 transmits an IP packet to a partner terminal (not shown), the physical IP device 97 receives the encapsulated IP packet from the table 93 and passes it to the interface 99. When receiving the IP packet transmitted from the other terminal (not shown), the physical IP device 97 receives the encapsulated IP packet from the interface 99 and passes it to the table 93.

When the own terminal transmits an IP packet to a partner terminal (not shown),
It receives the encapsulated IP packet from the physical IP device 97 and transmits it to the other terminal (not shown). When the terminal itself receives an IP packet transmitted from a counterpart terminal (not shown), the interface 99 receives the encapsulated IP packet from the counterpart terminal (not shown) and sends it to the physical IP device 97. hand over.

FIG. 8 shows an example in which an IP packet is transmitted from a terminal (mobile terminal or server, etc.) represented by the module configuration shown in FIG. FIG. 8 is an explanatory diagram showing the processing operation of each unit of the module at the time.

In FIG. 8, first, communication data (IP packet) is stored in
The distribution is performed in the table 93 by being passed in exactly the same manner as when transmitting the P packet. As a result of the distribution, the destination address of the IP packet is
Virtual I of the other party of the TL device 952 (the other party's mobile terminal)
Because of the P address, the IP packet is passed from the table 93 to the IPTL device 952. The IP packet is encapsulated in the IPTL device 952 by adding a header with the destination address being the physical IP address of the other party. The IP packet after the encapsulation is returned to the table 93 again from the IPTL device 952. Since the destination address of the encapsulated IP packet is a physical IP address, the IP packet is passed from the table 93 to the interface 99 through the physical IP device 97, and is transmitted from the interface 99 to the partner terminal (not shown). Sent.

FIG. 9 shows an IP packet transmitted by a terminal (mobile terminal or server, etc.) represented by the module configuration shown in FIG. 7 from a partner terminal (mobile terminal or server, etc.) (both not shown) through an IP tunnel. FIG. 8 is an explanatory diagram showing a processing operation of each section of the module when receiving a message.

In FIG. 9, a partner terminal (not shown)
Is received by the interface 99 and transmitted from the interface 99 to the physical IP device 9.
7 to the table 93. Then, in the table 93, the IP packets are sorted.
As a result of the distribution, the IP packet is transferred to the IPTL device 952 from the table 93 because the IP packet is a packet encapsulated by the source address and the physical IP address to the own terminal. The IP packet is decapsulated by extracting the IP packet from the IP packet based on the source address and the physical IP address to the terminal in the IPTL device 952. The above IP packet after decapsulation is IP
The TL device 952 returns to the table 93 again.
The destination address of the IP packet is the virtual IP of the terminal itself.
Because of the address, the IP packet is passed from the table 93 to the AP 91i.

(2) Virtual sub-network A virtual sub-network is virtually configured by terminals having the same sub-network address as a virtual address even though they are not physically connected to the same sub-network. Refers to the sub-network to be performed. Here, the sub-network is a group formed by connecting a server or a plurality of terminals through one router, as is apparent from the above-described contents. It is connected through a router.

FIG. 10 is an explanatory diagram showing an example of the virtual sub-network described above.

In FIG. 10, one server S1 connected to the router R1 and a plurality of mobile terminals (for convenience, only two units denoted by MT1 and MT2 are shown) are physically the same. A sub-network SN1 is formed. A plurality of mobile terminals connected to the router R2 (only three terminals MT3, MT4 and MT5 are shown for convenience of illustration) and the like are physically the same subnetwork different from the subnetwork SN1. SN2.
A plurality of mobile terminals connected to the router R3 (for convenience, only one unit indicated by reference numeral MT6 is shown), etc., use a physically identical subnetwork SN3 different from the above subnetwork SN1, SN2. Has formed. Similarly,
One server S2 connected to the router R4 and a plurality of mobile terminals (not shown) are connected to the sub-networks SN1, S2.
A physically identical sub-network SN4 different from N2 and SN3 is formed.

Here, it is assumed that the mobile terminal MT3 has, as a subnetwork address, the address A2 of the subnetwork SN1 of the server S1 together with the address A2 of the subnetwork SN2 to which the mobile terminal MT3 belongs. Similarly, the mobile terminal MT6 also uses its own subnetwork SN as the subnetwork address.
It is assumed that the sub-network SN1 has the address A1 together with the address A3 of address 3. In this case, the subnetwork address A2 is a physical IP address because it is the address of the subnetwork SN2 to which the mobile terminal MT3 belongs. However, the subnetwork address A1 is a physical IP address for the server S1 because it is the address of the subnetwork SN1 to which the server S1 belongs, but is an address of the subnetwork SN1 to which the mobile terminal MT3 does not belong. It is a virtual IP address, not a physical IP address. The subnetwork address A3 is a physical IP address because it is the address of the subnetwork SN3 to which the mobile terminal MT6 belongs, but the subnetwork address A1 is a subnetwork address of the subnetwork SN1 to which the mobile terminal MT6 does not belong. Since it is an address, it is a virtual IP address.

As is clear from the above description, the mobile terminals MT3 and MT6 are connected to the subnetwork S to which each belongs.
In addition to having the addresses A2 and A3 of N2 and SN3 as physical IP addresses, respectively, the subnetwork address A1 that the server S1 has as a physical IP address
As virtual IP addresses. Therefore,
The mobile terminals MT3 and MT6, together with the server S1, belong to one virtual subnetwork VSN1 surrounded by a thin broken line.

Since the mobile terminal MT6 has, in addition to the above, also the subnetwork address A4 that the server S2 has as a physical IP address, another virtual terminal enclosed by a thick broken line is included with the server S2. Also belongs to the subnetwork VSN2. That is, the mobile terminal MT6
Are the two virtual sub-networks VSN1, VSN2
It belongs to. Note that the above-described virtual sub-network and a VPN (virtual private
Network) means that a virtual subnetwork handles a network in units of subnetworks, whereas a VP
N differ from each other in that networks are handled in units of organizations.

(3) A mode in which the route of the IP tunnel connecting the mobile terminals is the shortest route The route of the IP tunnel connecting the mobile terminals is a communication route using the physical IP address of each mobile terminal. When they match, the route of the IP tunnel is the shortest route.

FIG. 11 is an explanatory diagram showing a route of communication performed between mobile terminals through a network.

In FIG. 11, when the IP tunnel connecting the mobile terminals 71 1 and 71 2 passes through the routers 73 1 and 7 32 and the server 75 as indicated by the thin broken line 76,
The path of the P tunnel does not coincide with the communication path not passing through the server 75 or the like (the communication path using the physical IP addresses of the mobile terminals 711 and 712) indicated by the thick broken line 78. Therefore, in this case, the route of the IP tunnel is not the shortest route. However, when the route of the IP tunnel matches the communication route indicated by the thick broken line 78 described above, the route becomes the shortest route.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 12 is a diagram showing an IP according to an embodiment of the present invention.
FIG. 2 is an explanatory diagram illustrating a communication system including a plurality of terminals including a TL device.

In the above system, two sub-networks C and D are connected through a network having a communication speed of 64 kbps.
mobile terminal 1011, 1012,
And a router 1031. On the other hand, the subnetwork D
Is the mobile terminal 1013, the router 1032, and the server 10
5 is provided.

FIG. 13 is a diagram showing an IP according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a configuration of a module including a TL device. The above-described module configuration is realized in a UNIX kernel, and is built in, for example, the mobile terminals 1011, 1012, and 1013 of FIG.

In the module configuration 111 shown in FIG.
As in the module configuration 81 shown in FIG.
In order to perform communication using a tunnel, a plurality of APs 12
11, 121i, the table 123, the plurality of IPTL devices 1251 to 125n, and the physical IP device 127.
And an interface 129.

Table 123 and Physical IP Device 12
7 is originally implemented in the UNIX kernel, the table 123 executes the same processing as in the table 93 shown in FIG. 7, and the physical IP device 127 also
The same processing as that in the physical IP device 97 shown by is performed. Further, the interface 129 also performs the same processing as in the interface 99 shown in FIG.

Each of the IPTL devices 125 1 to 125 n is a portion additionally mounted on the UNIX kernel. Each of the IPTL devices 1251 to 125n is basically the same as the IPTL device 9 shown in FIG.
The same processing as in 51 to 95n is executed. Each IPT
Each of the L devices 1251 to 125n not only includes the virtual IP address and physical IP address of its own terminal, the virtual IP address and physical IP address of the server, and the virtual IP address and physical IP address of another terminal,
It also has the network address / mask of the virtual sub-network. The provision of the network address / mask of this virtual sub-network is a main feature of each of the IPTL devices 1251 to 125n.

Here, the network address / mask (net mask) of the virtual sub-network is
Refers to the address of a virtual sub-network to which the PTL devices 1251 to 125n belong. That is, in the present embodiment, the individual IPTL devices 1251 to 125n
For each case, a virtual sub-network as shown in FIG. 10 is predetermined. Each IPTL device 12
Each of 51 to 125n has a virtual subnetwork address (subnetwork address) to which it belongs as a virtual IP address. The conventional IPTL devices 151 to 15n shown in FIGS. 2 and 4 do not have the concept of a virtual sub-network,
The devices 151 to 15n do not have the network address / mask of the virtual sub-network. Similarly, each of the IPTL devices 951 to 951 shown in FIGS.
95n also does not have the network address / mask of the virtual sub-network. The physical IP address of the server in each of the IPTL devices 1251 to 125n and the physical IP address of the other party in each of the IPTL devices 951 to 95n shown in FIG. 7 often have the same value. Further, each IPTL device 1251 to 125n
For example, as shown in the figure, a mobile terminal having both virtual addresses a, b, and c forms a virtual sub-address among these mobile terminals, and a mobile terminal having both virtual addresses h, i, and j is , Each of these mobile terminals has a function of forming a virtual sub-address.

FIG. 14 is an explanatory diagram of an IP tunnel established between a mobile terminal and a server in the communication system shown in FIG.

As shown in FIG. 14, between the mobile terminal 1011 and the server 105, and between the mobile terminal 1012 and the server 10
The construction of the IP tunnels as shown by the broken lines 102 and 104 between 5 is the same as the conventional method. Communication is performed between the mobile terminals 1011 and 1012 via the IP tunnels 102 and 104 and the server 105.

FIG. 15 is an explanatory diagram showing a mode of communication performed between the mobile terminals 1011 and 1012 using the IP tunnels 102 and 104 shown in FIG.

In FIG. 15, the mobile terminal 1011 has an IP
When the communication data for the first packet is transmitted to the server 105 through the tunnel 102, the server 105 receives the data and transmits the communication data to the mobile terminal 1012 through the IP tunnel 104. At the same time, the server 105 transmits the physical IP address of the mobile terminal 1012 to the mobile terminal 1011 through the IP tunnel 102 as indicated by the thick broken line 106. Upon receiving the physical IP address, the mobile terminal 1011 establishes an IP tunnel with the mobile terminal 1012 based on the physical IP address.

FIG. 16 is an explanatory diagram of an IP tunnel established between mobile terminals 1011 and 1012 in the communication system shown in FIG.

In FIG. 16, a thick broken line 108 is an IP tunnel established between the mobile terminals 1011 and 1012. The mobile terminal 1011 transmits the communication data of the second and subsequent packets directly to the mobile terminal 1012 using the IP tunnel 108.

FIG. 17 shows a case where the mobile terminal 1011 transmits communication data of the second and subsequent packets to the mobile terminal 1012 directly connected by the IP tunnel 108 and the server 105.
FIG. 9 is an explanatory diagram showing a processing operation of each unit of the module 111 when transmitting communication data to the mobile terminal 1013 connected via the.

In FIG. 17, first, the mobile terminal 1012
The IP packet 112, which is the second and subsequent communication data including the virtual IP address of the mobile terminal 1011 and the communication data, is stored in the table 123 from the AP 121i in exactly the same manner as when the normal IP packet is transmitted. Passed by. Thus, the IP packets 112 are sorted in the table 123. As a result of the distribution, the destination address of the IP packet 112 is the virtual IP address of the other party of the IPTL device 1252 (that is, the mobile terminal 1012).
The P packet 112 is passed from the table 123 to the IPTL device 1252. The IP packet 112 is
In the IPTL device 1252, the packet is encapsulated by adding a header in which the destination address is the physical IP address of the mobile terminal 1012 and the source address is the physical IP address of the mobile terminal 1011. The IP packet 112 after the encapsulation is the IPTL device 1252
Is returned to the table 123 again. Since the destination address of the encapsulated IP packet 112 is a physical IP address, the IP packet 112 is passed from the table 123 to the interface 129 through the physical IP device 127, and is transferred from the interface 129 to the other terminal. It is transmitted directly to the terminal 1012.

On the other hand, the IP packet 114 is transmitted from the AP 121 1 to the table 123, the IPTL device 1251, the table 12
3. Physical IP device 127 and interface 129
Is transmitted to the mobile terminal 1013 via the server 105.

FIG. 18 shows that the mobile terminal 1011 is connected to the server 1
Module 111 when transmitting the first packet of communication data to the mobile terminal 1012 via the network 05, and when transmitting the second and subsequent packets of communication data to the mobile terminal 1012 directly connected by the IP tunnel 108. 5 is a flowchart showing the processing operation of the first embodiment.

As shown in FIG. 18, first, the mobile terminal 10
When the physical IP address of the server 105 is input on the side 11 (step S141), the IPTL device 12
51 is the mobile terminal 1011 based on the physical IP address.
Is transmitted to the server 105 (step S142). When the server 105 receives this (step S143), the IPTL device 1251 of the server 105 is activated and the IPTL device 1251 of the mobile terminal 1011 is activated.
The IP tunnel 102 is constructed with the device 1251 (steps S144 and S145).

On the other hand, also on the mobile terminal 1012 side, when the physical IP address of the server 105 is input (step S146), the IPTL device 1251
The physical IP address of the mobile terminal 1012 is transmitted to the server 105 based on the address (step S147). After constructing the IP tunnel 102, the server 105 receives the IP tunnel 102 (step S148).
The IP tunnel 10 between the IPTL device 1251 on the fifth side and the IPTL device 1251 on the mobile terminal 1012 side
4 is constructed (steps S149 and S150).

Next, after the IP packet to be transmitted to the mobile terminal 1012 is encapsulated in the IPTL device 1251 on the mobile terminal 1011 side, the IP packet is transmitted to the server 105 (step S15).
1, S152). Upon receiving the IP packet, the IPTL device 1251 on the server 105 performs decapsulation and recapsulation.
12 (step S153). When the IP packet is received, decapsulation is performed in the IPTL device 1251 of the mobile terminal 1012 (step S154). Next, when the IPTL device 1251 on the server 105 notifies the mobile terminal 1012 of the physical IP address of the mobile terminal 1011 (step S155), the IPTL device 1251 on the mobile terminal 1012 receives this (step S156). Subsequently, when the IPTL device 1251 on the server 105 notifies the mobile terminal 1011 of the physical IP address of the mobile terminal 1012 (step S157), the IPTL device 1
251 receives this (step S158).

Next, the IP tunnel 108 is constructed between the IPTL device 1251 on the mobile terminal 1011 side and the IPTL device 1251 on the mobile terminal 1012 side (steps S159 and S160). Subsequently, the mobile terminal 101
In the IPTL device 1251 on the first side, the mobile terminal 10
12 is encapsulated and transmitted to the mobile terminal 1012 (step S16).
1, S162). Upon receiving the IP packet, decapsulation is performed in the IPTL device 1251 of the mobile terminal 1012 (step S163).

FIG. 19 shows that the mobile terminal 1012 is the first one transmitted from the mobile terminal 1011 via the server 105.
FIG. 9 is an explanatory diagram showing processing operations of each unit of the module 111 when receiving communication data for packets and when receiving communication data for the second and subsequent packets transmitted from the mobile terminal 1011 directly connected by the IP tunnel 108. is there.

In FIG. 19, communication data (IP packet) 116 for the first I packet transmitted from mobile terminal 1011 is transmitted to interface 1 via server 105.
29, and is passed from the interface 129 to the table 123 through the physical IP device 127. Then, in the table 123, the distribution of the IP packets 116 is performed. As a result of the distribution, the IP packet 116 is a packet encapsulated by the physical IP address of the server 105 and the physical IP address of the terminal itself (mobile terminal 1012). Device 12
It is passed to 51. Then, after being decapsulated in the IPTL device 1251, the IPTL device 125
From 1 is returned to the table 123 again, and is passed from the table 123 to the AP 121i.

On the other hand, 2 transmitted from mobile terminal 1011
Communication data after the packet (IP packet) 112
Is directly received by the interface 129 and is passed from the interface 129 to the table 123 through the physical IP device 127. Hereinafter, the above-described IP packet 11
6, the IPTL device 125
Then, the process returns to the table 123 again, and is passed from the table 123 to the AP 121i. Here, the IP packet 11
6 and 112, from the table 123 to the AP 121
In the state passed to i (the state encapsulated as shown in the upper part of FIG. 19), the source address is the virtual IP address of the mobile terminal 1011. Therefore, even if the physical IP address of the mobile terminal 1011 that is the transmission source changes due to the movement of the mobile terminal 1011 or the like,
It does not affect the AP 121i. The mobile terminal 10
When notifying the physical IP addresses 11 and 1012 from the server 105 and receiving the notification at the mobile terminals 1011 and 1012, an address resolution protocol such as neighbor notification of ICMP (Internet Control Message Protocol) V6 is used.

FIG. 20 is a diagram showing an IP address when a mobile terminal moves.
It is a flowchart which shows the reconstruction (setting change) process of a tunnel. That is, in a state where an IP tunnel is established between the mobile terminals 1011 and 1012 (in FIG. 18, the processes shown in steps S159 and S160 have been completed), the mobile terminal 1012 moves (changes the physical IP address). The processing operations of the mobile terminals 1011 and 1012 and the server 105 at the time of (change) are shown. When the mobile terminal moves, its physical IP address also changes.
Packets are not sent. However, when the IP packet is transmitted and received using the virtual IP address using the IPTL device, the transmission of the IP packet is performed by both the own terminal and the other terminal reconstructing the IP tunnel. It will be possible to recover.

In FIG. 20, I on the mobile terminal 1011 side
In the PTL device 1251, the IP packet to be transmitted to the mobile terminal 1012 is encapsulated and transmitted to the mobile terminal 1012 (steps S171 and S1).
72) Since the physical IP address of the mobile terminal 1012 has changed, the IP packet is temporarily lost.
On the mobile terminal 1012 side, the IPTL device 1251
Changes the physical IP address of the mobile terminal 1012 (step S173), and retransmits the changed physical IP address to the server 105 side (step S174). Then, the server 105 side receives it again (step S17).
5). Then, the IPTL device 12 on the server 105 side
51 and the IPTL device 1251 on the mobile terminal 1012 side
Reconstructs the IP tunnel between the server and the server (step S17).
6, S177).

Next, the IPTL device 1251 on the server 105 side is connected to the IPTL device 12 on the mobile terminal 1011 side.
The mobile terminal 101 is notified that the physical IP address of the mobile terminal 1012 has been changed (step S178).
One side receives it (step S179). Thereby, the IPTL device 1251 on the mobile terminal 1011 side,
Reconstruct an IP tunnel with the IPTL device 1251 on the mobile terminal 1012 side (steps S180 and S18)
1). Subsequently, in the IPTL device 1251 on the mobile terminal 1011 side, the ITL to be transmitted to the mobile terminal 1012
The P packet is encapsulated and transmitted to the mobile terminal 1012 (steps S182 and S183). The above IP
Upon receiving the packet, the IPTL of the mobile terminal 1012 side
The decapsulation is performed in the device 1251 (step S184).

Although FIG. 20 shows only a processing operation for notifying the new physical IP address of the mobile terminal 1012 to the mobile terminal 1011,
In addition to 11, all mobile terminals communicating with the mobile terminal 1012 are notified. By this notification, communication on the shortest route between the mobile terminals can be restored.

FIG. 21 is an explanatory diagram when the mobile terminal 1011 belongs to two or more virtual sub-networks in the communication system shown in FIG.

In FIG. 21, since the mobile terminal 1011 currently belongs to the sub-network C, it has the sub-network address of the sub-network C as a physical IP address. On the other hand, the mobile terminal 1011 has two sub-networks as virtual sub-networks,
That is, the sub-network D and the sub-network E
(Router 1033, server 1052 and mobile terminal 1014
Has). Therefore, the mobile terminal 10
11 has the sub-network addresses of these two sub-networks D and E as virtual IP addresses.

FIG. 22 shows the configuration shown in FIG.
The mobile terminal 1011 sends an IP packet (communication data) to each of the mobile terminals 1013 and 1014 directly connected by the IP tunnel.
It is an explanatory view showing the processing operation of each unit of the module 111 when transmitting the data.

Referring to FIG. 22, in mobile terminal 1011,
In advance, the IPTL device 1251 is
Then, IPTL devices 1252 are assigned to subnetwork E, respectively. First, the virtual IP of the mobile terminal 1013
Address and the virtual IP address D of the mobile terminal 1011
And an IP packet 118 including communication data (IP packet) from the AP 121 1 to the table 123. Thus, the IP packets 118 are sorted in the table 123. As a result of the distribution, the destination address of the IP packet 118 is the virtual IP address of the other party of the IPTL device 1251 (that is, the mobile terminal 1013).
Is passed from the table 123 to the IPTL device 1251. In the IP packet 118, in the IPTL device 1251, the destination address is the physical IP address of the server 1051, and the source address is the mobile terminal 1011.
Is encapsulated by adding a header having the physical IP address of. The above IP packet 11 after encapsulation
8 is the table 12 from the IPTL device 1251 again.
Returned to 3. The IP packet 118 after encapsulation
Is the physical IP address of the server 1051, the IP packet 118 is passed from the table 123 to the interface 129 through the physical IP device 127, and is transferred from the interface 129 via the server 1051 to the other terminal. Sent to terminal 1013.

On the other hand, the IP packet 120 including the virtual IP address of the mobile terminal 1014, the virtual IP address E of the mobile terminal 1011, and communication data (IP packet)
Is passed from the AP 121 i to the table 123, the IP packet 120 is sorted in the table 123. As a result of the distribution, the IP packet 12
0 is the virtual IP address of the other party of the IPTL device 1252 (that is, the mobile terminal 1014), the IP packet 120
3 to the IPTL device 1252. The above IP
The packet 120 is encapsulated in the IPTL device 1252 by adding a header in which the destination address is the physical IP address of the server 1052 and the source address is the physical IP address of the mobile terminal 1011. The IP packet 120 after encapsulation has an IPT
The L device 1252 returns to the table 123 again. Since the destination address of the encapsulated IP packet 120 is the physical IP address of the server 1052, the IP packet 120 is transmitted from the table 123 through the physical IP device 127 to the interface 12.
9 to the server 1052 from the interface 129.
Is transmitted to the mobile terminal 1014 which is the partner terminal via the communication terminal.

FIG. 23 is an explanatory diagram in the case where one mobile terminal 1011 belongs to any of two virtual sub-networks having a hierarchical structure in the communication system shown in FIG. is there.

In FIG. 23, since the mobile terminal 1011 currently belongs to the subnetwork C, it has the subnetwork address of the subnetwork C as a physical IP address. On the other hand, the mobile terminal 1011 has two sub-networks as virtual sub-networks,
That is, it also belongs to the sub-network D and the sub-network E. Therefore, the mobile terminal 1011 has the sub-network addresses of these two sub-networks D and E as virtual IP addresses.

FIG. 24 is a block diagram of the configuration shown in FIG.
The mobile terminal 1011 sends an IP packet (communication data) to each of the mobile terminals 1013 and 1014 directly connected by the IP tunnel.
It is an explanatory view showing the processing operation of each unit of the module 111 when transmitting the data.

Referring to FIG. 24, in the mobile terminal 1011,
In advance, the IPTL device 1251 is
Then, IPTL devices 1252 are assigned to subnetwork E, respectively. First, the virtual IP of the mobile terminal 1013
Address and the virtual IP address D of the mobile terminal 1011
And an IP packet 118 including communication data (IP packet) from the AP 121 1 to the table 123. Thus, the IP packets 118 are sorted in the table 123. As a result of the distribution, the destination address of the IP packet 118 is the virtual IP address of the other party of the IPTL device 1251 (that is, the mobile terminal 1013).
Is passed from the table 123 to the IPTL device 1251. In the IP packet 118, in the IPTL device 1251, the destination address is the physical IP address of the server 1051, and the source address is the mobile terminal 1011.
Is encapsulated by adding a header having the physical IP address of. The above IP packet 11 after encapsulation
8 is the table 12 from the IPTL device 1251 again.
Returned to 3. The IP packet 118 after encapsulation
Is the physical IP address of the server 1051, the IP packet 118 is passed from the table 123 to the interface 129 through the physical IP device 127, and is transferred from the interface 129 via the server 1051 to the other terminal. Sent to terminal 1013.

On the other hand, the IP packet 120 including the virtual IP address of the mobile terminal 1014, the virtual IP address E of the mobile terminal 1011, and communication data (IP packet)
Is passed from the AP 121 i to the table 123, the IP packet 120 is sorted in the table 123. As a result of the distribution, the IP packet 12
0 is the virtual IP address of the other party of the IPTL device 1252 (that is, the mobile terminal 1014), the IP packet 120
3 to the IPTL device 1252.

In the IP packet 120, the IPTL device 1252 uses the destination address as the physical IP address of the server 1052 and the source address as the mobile terminal 10
Encapsulation is performed by adding a header having the virtual IP address D of 11.

The above IP packet 120 after encapsulation
From the IPTL device 1252 again to the table 123
To the IPTL device 1251 from the table 123. Then, the IPTL device 1251
, The destination address is set to the physical IP address of the server 1051.
After being encapsulated by adding a header having the physical IP address of the mobile terminal 1011 as the source address, the IPTL device 1251 returns the packet to the table 123 again. The destination address of the encapsulated IP packet 120 is the physical I
Since it is a P address, the IP packet 120
Is passed from the table 123 to the interface 129 through the physical IP device 127. Then, after being transmitted from the interface 129 to the server 1051, it is transmitted from the server 1051 to the server 1052,
2 to the mobile terminal 1014 which is the other terminal.

Next, a terminal having the above-described module configuration including the IPTL device according to one embodiment of the present invention (a module configuration according to one embodiment of the present invention) and a module configuration including a conventional IPTL device (conventional one). A connection mode with a terminal having a module configuration will be described. There are two types of modes for connecting between a terminal having a module configuration according to an embodiment of the present invention and a terminal having a conventional module configuration.

(1) A case where a mobile terminal having a conventional module configuration is connected to a server having a module configuration according to an embodiment of the present invention.

(2) A case where a mobile terminal having a module configuration according to an embodiment of the present invention is connected to a server having a conventional module configuration.

FIG. 25 is a flowchart showing a processing operation when a mobile terminal having a conventional module configuration is connected to a server having a module configuration according to an embodiment of the present invention. In FIG. 25, the mobile terminal 1011
Is a mobile terminal having a module configuration according to an embodiment of the present invention, and mobile terminal 1012 is a mobile terminal having a conventional module configuration.

In FIG. 25, mobile terminals 1011 and 1011
When each of the terminals 12 connects to the server 105, the server 12 notifies the server 105 of whether or not the terminal is a mobile terminal having a module configuration according to an embodiment of the present invention. It is assumed that the server 105 knows in advance whether or not each mobile terminal in the virtual network it is serving is a mobile terminal having a module configuration according to an embodiment of the present invention. .

As shown in FIG. 25, first, the mobile terminal 10
When the physical IP address of the server 105 is input on the 11 side (step S191), the IPTL device 12
51 is the mobile terminal 1011 based on the physical IP address.
Is transmitted to the server 105 (step S192). When the server 105 receives this (step S193), the IPTL device 1251 on the server 105 is activated and the IPTL device 1251 on the mobile terminal 1011 side is activated.
A first IP tunnel is constructed with the device 1251 (steps S194 and S195).

On the other hand, also on the mobile terminal 1012 side, when the physical IP address of the server 105 is input (step S196), the IPTL device 1251
The physical IP address of the mobile terminal 1012 is transmitted to the server 105 based on the address (step S197). After constructing the first IP tunnel, the server 105 receives it (step S198), and
A second IP tunnel is constructed between the IPTL device 1251 on the fifth side and the IPTL device 1251 on the mobile terminal 1012 side (steps S199 and S200).

Next, after the IP packet to be transmitted to the mobile terminal 1012 is encapsulated in the IPTL device 1251 on the mobile terminal 1011 side, the IP packet is transmitted to the server 105 (step S20).
1, S202). Upon receiving the IP packet, the IPTL device 1251 on the server 105 side performs decapsulation and recapsulation, and then performs
12 (step S203). Upon receiving the IP packet, decapsulation is performed in the IPTL device 1251 on the mobile terminal 1012 side (step S204). In the processing illustrated in FIG. 25, the notification of the physical IP address of the mobile terminal 1011 to the mobile terminal 1012 and the notification of the physical IP address of the mobile terminal 1012 to the mobile terminal 1011 as in the processing illustrated in FIG. Not done.

Next, the IP packet to be transmitted to the mobile terminal 1012 is encapsulated in the IPTL device 1251 on the mobile terminal 1011 side, and transmitted to the server 105 (steps S205 and S206). The above IP
Upon receiving the packet, the IPTL device 1251 on the server 105 decapsulates and recapsulates the IP packet, and transmits the decapsulated packet to the mobile terminal 1012 (step S207). Upon receiving the IP packet, decapsulation is performed in the IPTL device 1251 of the mobile terminal 1012 (step S208).

On the other hand, when a mobile terminal having a module configuration according to an embodiment of the present invention is connected to a server having a conventional module configuration, the server must transmit the physical IP address of the receiving mobile terminal. Notification to the device,
Also, it does not notify the receiving mobile terminal of the physical IP address of the transmitting mobile terminal. Therefore, both the IPTL device of the transmitting-side mobile terminal and the IPTL device of the receiving-side mobile terminal execute the same processing operation as the conventional IPTL device.

As is clear from the above description, the module configuration including the IPTL device according to the embodiment of the present invention and the conventional module configuration including the IPTL device can be connected to each other for communication. It is possible.

Next, in the communication using the module configuration according to the embodiment of the present invention, an encrypted communication to which IPsec or the like is applied will be described.

There are the following two types of modes for connecting a terminal having a module configuration according to an embodiment of the present invention to a terminal having a conventional module configuration.

(1) A method in which key distribution and key exchange are performed by a user or an AP in a user space.

(2) A method in which IPTL devices also perform key distribution and key exchange.

FIG. 26 is a flowchart showing a processing operation when a user or an AP in a user space performs key distribution and key exchange in communication using a module configuration according to an embodiment of the present invention.

As shown in FIG. 26, first, the mobile terminal 10
When the physical IP address of the server 105 is input on the 11 side (step S211), the IPTL device 12
51 is the mobile terminal 1011 based on the physical IP address.
Is transmitted to the server 105 (step S212). When the server 105 receives this (step S213), the IPTL device 1251 of the server 105 is activated and sets the public key of the mobile terminal 1011 (step S214). On the other hand, the mobile terminal 1011
The server also sets the public key of the server 105 (step S215). Next, the server 105 and the mobile terminal 101
In step S21, a common key is created by a user or an AP (user or the like) in a user space from each other's public keys set by the user and the common keys are exchanged (step S21).
6, S217). Subsequently, the server 105 and the mobile terminal 10
A first IP tunnel is constructed between the first IP tunnel and the first IP tunnel (steps S218 and S219).

On the other hand, also on the mobile terminal 1012 side, when the physical IP address of the server 105 is input (step S220), the IPTL device 1251
The physical IP address of the mobile terminal 1012 is transmitted to the server 105 based on the address (step S221). After constructing the first IP tunnel and receiving it (step S222), the server 105 sets the public key of the mobile terminal 1012 (step S223).
On the other hand, the mobile terminal 1012 also sets the public key of the server 105 (step S224). Next, between the server 105 and the mobile terminal 1012, a common key is created by the user or the like from each other's public key set by the user and the common keys are exchanged (steps S225 and S22).
6). Subsequently, a second IP tunnel is constructed between the server 105 and the mobile terminal 1012 (step S).
227, S228).

Next, after the IP packet to be transmitted to the mobile terminal 1012 is encapsulated and encrypted in the IPTL device 1251 on the mobile terminal 1011 side,
The IP packet is transmitted to server 105 (steps S229, S230). When the IP packet is received, decapsulation and decryption, recapsulation and encryption are performed in the IPTL device 1251 on the server 105 side, and then transmitted to the mobile terminal 1012 (step S231). When the IP packet is received, decapsulation and decoding are performed in the IPTL device 1251 on the mobile terminal 1012 side (step S232). Subsequently, when the IPTL device 1251 on the server 105 side notifies the physical IP address of the mobile terminal 1011 (Step S
233), the IPTL device 12 on the mobile terminal 1012 side
51 receives it (step S234). Also,
When the IPTL device 1251 on the server 105 side notifies the public key of the mobile terminal 1011 (step S235),
The IPTL device 1251 on the mobile terminal 1012 side receives it (step S236). Similarly to the above, the IPTL device 1251 on the server 105 side
12 is notified (step S23).
7), the IPTL device 1251 on the mobile terminal 1011 side
Receives it (step S238). Also, the IPTL device 1251 on the server 105 side
Upon notifying the public key of No. 12 (step S239), the IPTL device 1251 of the mobile terminal 1011 receives it (step S240).

Next, between the mobile terminals 1011 and 1012,
A common key is created by a user or the like from each other's public keys set by each user, and the common keys are exchanged (step S
241, S242). Subsequently, the mobile terminals 1011, 10
A third IP tunnel is constructed between the nodes 12 (steps S243 and S244). Then, the mobile terminal 1011
In the IPTL device 1251, the mobile terminal 10
12, the IP packet to be transmitted is encapsulated and transmitted to the mobile terminal 1012 (step S24).
5, S246). Upon receiving the IP packet, the IPTL device 1251 of the mobile terminal 1012 performs decapsulation and decoding (step S247).

In the processing operation described above, the mobile terminal 101
Although it has been described that the process of transmitting the public key 1 and the process of generating the common key from the public key and exchanging them with each other are performed by the user or the like, the respective IPTL devices 1251 may perform the process.

As described above, according to one embodiment of the present invention, mobile terminals belonging to a virtual subnetwork can easily communicate with each other via the shortest route.
Communication speed can be improved. In addition, it is possible to easily perform processing for a terminal to belong to one virtual subnetwork or a plurality of virtual subnetworks.

Note that the above-described content relates to one embodiment of the present invention, and does not mean that the present invention is limited to only the above-described content.

[0123]

As described above, according to the present invention,
Even if the user or the application in the user space does not perform complicated processing, the terminals can communicate with each other via the shortest route.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram showing a network in which communication between mobile terminals using an IP tunneling device is performed.

FIG. 2 is an explanatory diagram showing a processing operation of each unit of a module in a terminal when performing star-type communication.

FIG. 3 is a flowchart showing a processing operation of each module in the terminal when performing star-type communication.

FIG. 4 is an explanatory diagram showing a processing operation of each unit of a module in a terminal when a mesh type connection is made.

FIG. 5 is a flowchart showing a processing operation of each module in the terminal when a mesh connection is made.

FIG. 6 is an explanatory diagram of IP tunneling.

FIG. 7 is a block diagram showing a configuration of a module including an IP tunneling device, a physical IP device, a network interface, and the like.

FIG. 8 is an explanatory diagram showing the processing operation of each section of the module when transmitting an IP packet from a terminal represented by the module configuration of FIG. 7 to a partner terminal through an IP tunnel.

9 is an explanatory diagram showing the processing operation of each module when the terminal represented by the module configuration in FIG. 7 receives an IP packet transmitted from a partner terminal through an IP tunnel.

FIG. 10 is an explanatory diagram showing an example of a virtual sub-network.

FIG. 11 is an explanatory diagram showing a route of communication performed between mobile terminals.

FIG. 12 is an explanatory diagram showing a communication system including a plurality of terminals having an IPTL device according to an embodiment of the present invention.

FIG. 13 is a functional block diagram showing the internal configuration of a terminal having an IPTL device according to an embodiment of the present invention.

FIG. 14 is an explanatory diagram of an IP tunnel established between a mobile terminal and a server in the communication system of FIG. 12;

FIG. 15 is an explanatory diagram showing an aspect of communication performed between mobile terminals using the IP tunnel of FIG. 14;

FIG. 16 is an explanatory diagram of an IP tunnel established between mobile terminals in the communication system of FIG. 12;

FIG. 17 shows a case where a mobile terminal transmits communication data of a second packet or later to a partner mobile terminal directly connected by an IP tunnel, and a case where communication data is transmitted to another partner mobile terminal connected via a server. FIG. 4 is an explanatory diagram showing a processing operation of each section of the module.

FIG. 18 shows a case where a mobile terminal transmits the first packet of communication data to a partner mobile terminal via a server, and the second and subsequent packets of communication data to the partner mobile terminal after being directly connected by an IP tunnel. 5 is a flowchart showing processing operations of each module when transmitting.

FIG. 19 shows two packets transmitted from the partner mobile terminal when the mobile terminal receives communication data for the first packet transmitted from the partner mobile terminal via the server and after being directly connected by the IP tunnel. FIG. 7 is an explanatory diagram showing processing operations of each module of the module when receiving communication data of the first and subsequent eyes.

FIG. 20 is a flowchart showing a process of reconstructing an IP tunnel when a mobile terminal moves.

FIG. 21 is an explanatory diagram of a case where one specific mobile terminal belongs to two or more virtual sub-networks in the communication system of FIG. 12;

FIG. 22 is an explanatory diagram showing a processing operation of each module when one specific mobile terminal transmits an IP packet to a plurality of mobile terminals directly connected by an IP tunnel in the configuration shown in FIG. 21;

FIG. 23 is an explanatory diagram of a case where one specific mobile terminal belongs to any of two virtual sub-networks having a hierarchical structure in the communication system shown in FIG. 12;

24 is an explanatory diagram showing the processing operation of each module when one specific mobile terminal transmits an IP packet to a plurality of mobile terminals directly connected by an IP tunnel in the configuration shown in FIG. 23;

FIG. 25 is a flowchart showing a processing operation when a mobile terminal is connected to a server having a module configuration according to an embodiment of the present invention in the communication system of FIG. 12;

FIG. 26 is a flowchart illustrating a processing operation when a user or an application in a user space performs key distribution and key exchange in communication using a module configuration according to an embodiment of the present invention.

[Explanation of symbols]

1011, 1012, 1013 Mobile terminal 1031, 1032 Router 105 Server 111 Module configuration 1211, 121i Application (AP) 123 Routing table (table) 1251-125n IP tunneling device (IPT)
L device) 127 Physical IP device 129 Network interface (interface)

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] April 15, 1999 (1999.4.1
5)

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] FIG. 27

[Correction method] Added

[Correction contents]

FIG. 27 is a module configuration according to an embodiment of the present invention .
Key distribution and key exchange in communication using
Or the processing when the user space application performs
5 is a flowchart showing a logical operation.

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Yasuhiro Kohata 3-3-3 Toyosu, Koto-ku, Tokyo Inside NTT Data Corporation (72) Inventor Akihiro Hayakawa 3-chome Toyosu, Koto-ku, Tokyo No. 3-3 F-term in NTT Data Corporation (reference) 5K030 GA02 GA15 HD03 HD09 JT02 JT09 KA05 LB05 LD19 5K033 AA01 AA02 CB01 CB06 CB08 DA05 DB12 DB16 DB19 EC04 9A001 BB03 BB04 CC06 CC07 DD06 EJ25 JJ27 LL03

Claims (17)

[Claims] 1. A means for holding a given physical address indicating a sub-network to which a plurality of terminals on a network actually belong and a virtual address indicating a sub-network not actually belonging to the same terminal from among the plurality of terminals Means for forming terminals having the same virtual address, forming the same virtual sub-network among these terminals, and extracting the physical address and virtual address of each terminal performing communication from the physical address and virtual address. Means for setting a communication path between each terminal between sub-networks or within a virtual sub-network and establishing one or a plurality of tunnels between the terminals according to the communication path. . 2. The tunneling device according to claim 1, wherein the network is the Internet, and the tunneling device is an IP (Internet Protocol) tunneling device. 3. The tunneling device according to claim 2, wherein the IP tunneling device is a virtual device. 4. The tunneling device according to claim 1, wherein the physical address is a physical IP address, and the virtual address is a virtual IP address. 5. A plurality of the tunneling devices in a module built in the terminal together with a physical IP device or a network interface which is a physical device, a routing table for distributing IP packets, and a user space application. The tunneling device according to claim 1, wherein the device is provided. 6. The tunneling device according to claim 5, wherein the terminal is a plurality of mobile terminals and a server excluding a relay device on a network. 7. The tunneling device according to claim 1, wherein the communication data exchanged between the terminals is an IP packet. 8. The tunneling device according to claim 1, wherein the plurality of tunnels are between a terminal that performs communication by a user or an application in a user space and a terminal that mediates communication, and the other terminal that performs communication. And a first tunnel respectively constructed between the terminal and the terminal that mediates the communication, and after the first tunnel is constructed, automatically constructed between the one terminal and the other terminal. And a second tunnel. 9. The tunneling device according to claim 8, wherein the second tunnel is provided with the physical address of the other terminal from the intermediary terminal to the one terminal, and
A tunneling device which is automatically constructed by giving the physical address of the one terminal to the other terminal from the intermediary terminal. 10. A system in which a plurality of mobile terminals communicate on a network through an intermediary terminal, wherein each terminal forms the same virtual sub-network with terminals having the same virtual address and extracts A communication path between the terminals is set between the sub-networks or within the virtual sub-network based on the physical address and the virtual address of each terminal performing the communication, and one between the terminals according to the communication path. Or, if a tunneling device for establishing a plurality of tunnels is provided, and one of the other terminals communicating with the other terminal moves, the tunneling device of the moved terminal changes the physical address of the own terminal after the movement. By notifying the tunneling device of the intermediary terminal, a tunnel between the moved terminal and the intermediary terminal is established. A communication system for reconstructing a tunnel between the two terminals by notifying the physical address to the tunneling device of the terminal to which the tunneling device of the intermediary terminal has not moved after the reconfiguration. . 11. The communication system according to claim 10, wherein when one of the communicating terminals and one of the other communicating terminals belong to two independent virtual sub-networks, One of the common sub-networks to one of the tunneling devices of the other terminal
And a second one of the virtual sub-networks being assigned to another one of the tunneling devices of the other terminal. 12. The communication system according to claim 10, wherein a tunneling device having neither the sub-network forming function nor the tunnel building function is built in one of the communication terminals and the other of the communication terminals. The tunneling device of the intermediary terminal establishes a tunnel with the one terminal by transmitting a physical address from the tunneling device of the one terminal, and the tunneling device of the other terminal. Transmitting a physical address from the terminal to establish a tunnel with the other terminal to mediate communication between the two terminals. 13. The communication system according to claim 10, wherein the tunneling device exchanges keys between one of the communicating terminals and the intermediary terminal, and between the other of the communicating terminals and the intermediary terminal. And then
Establishing a first tunnel between the one terminal and the intermediary terminal and between the other terminal and the intermediary terminal, respectively, after the first tunnel is established, the one terminal and the other A second tunnel is established between the terminal and the terminal. 14. The communication system according to claim 13, wherein the exchanged key is a key used for performing encrypted communication between the one terminal and the other terminal.
A communication system wherein the communication performed through the first and second tunnels is an encrypted communication. 15. The communication system according to claim 14, wherein the encrypted communication performed through the first tunnel and the encrypted communication performed through the second tunnel are performed using different keys. A communication system, comprising: 16. A tunneling device built in each terminal of a communication system in which a first terminal and a second terminal transmit and receive communication data via a third terminal on a communication network, Between a third terminal and the first terminal; and
Means for constructing a first tunnel for connecting between the first terminal and the second terminal, respectively, and a virtual terminal of the other terminal provided to the first and second terminals via the first tunnel, respectively. Means for constructing a second tunnel that directly connects the first and second terminals based on information including a virtual address indicating a subnetwork and a physical address indicating an actually belonging subnetwork. Characterized tunneling device. 17. A means for holding a given physical address indicating a sub-network to which a plurality of terminals on a network actually belong and a virtual address indicating a sub-network not actually belonging to the same terminal from among the plurality of terminals Means for forming terminals having the same virtual address, forming the same virtual sub-network among these terminals, and extracting the physical address and virtual address of each terminal performing communication from the physical address and virtual address. Means for setting a communication path between each terminal between sub-networks or within a virtual sub-network and establishing one or a plurality of tunnels between the terminals according to the communication path. Carries a computer program for operating a computer as each of the above means. Computer readable program medium.