JP2006279771A - Method and program for packet transmission - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a packet transmission method which switches transmission methods in a packet unit based on the immediacy required for communications that use a VPN to achieve high-quality communications. <P>SOLUTION: When a communication packet 31 is transmitted through a VPN tunnel 102, the header of the communication packet 31 is analyzed and it is determined whether or not the communication packet 31 is used for immediate communications. Based on the result, its transmission method is changed in a packet unit. If the communication packet 31 requires high immediacy (transmission delay is not permitted), it is individually encapsulated (a VPN header is added), and then transmitted as an individual VPN packet 32a. If the communication packet 31 does not require immediacy (transmission delay is permitted), a plurality of packets are connected, and then encapsulated to be transmitted as a connected VPN packet 32b. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a packet transmission method in a VPN (Virtual Private Network), and in particular, determines whether or not a packet to be transmitted is used for highly-immediate communication, and based on the result, determines a transmission method for each packet. The present invention relates to a packet transmission method for changing the packet.

  2. Description of the Related Art In recent years, a technique for connecting a plurality of LANs (Local Area Networks) existing at remote locations and operating the plurality of LANs as one wide area LAN has been widely used. This technology is often used mainly to connect bases in a company. When communication between bases (for example, e-mail or the like), communication data may be wiretapped or tampered via the Internet. On the other hand, in a wide area LAN (private network) using a frame relay or a dedicated line, the confidentiality of communication data is high and the quality of the line is also high. For this reason, many companies that place importance on security have introduced both private networks and the Internet, and are using them properly. However, the private network is subject to physical restrictions such as communication lines and is expensive, and thus has a disadvantage that it cannot be easily introduced like the Internet.

  In recent years, a service called VPN (Virtual Private Network) using a public network (for example, the Internet) has appeared as a method for solving this problem. VPN is a technique for connecting a plurality of LANs to each other through a public network or the like, and realizing transparent communication between them (communication without having to be aware that a public network exists between the LANs). Since the VPN uses a cheap public network to form a virtual private network, there is an advantage that it can be easily introduced at a lower cost than when using a frame relay or a dedicated line.

  There are several types of VPNs depending on the control method. For example, there are L2TP (Layer 2 Tunneling Protocol), IP (Internet Protocol) -VPN, SSL (Secure Socket Layer) -VPN, software VPN, and the like. What can be said in common with each of the above-described systems is that when data is transmitted through a public network, security is secured by using encryption technology, authentication technology, or the like.

  L2TP creates a VPN packet by adding a TCP (Transmission Control Protocol) header or an IP (Internet Protocol) header to a layer 2 packet (for example, Ethernet (registered trademark) frame) and encapsulating it, and the like. This is a method for realizing VPN using a public network. In this method, it is possible to perform communication corresponding to a multi-protocol (for example, NetBEUI (NetBIOS Extended User Interface)).

  The IP-VPN is a VPN realized by encrypting a packet using a technology called IPsec implemented in layer 3 (network layer). In IP-VPN, security is improved by adding an IP header to the IP header of the packet and encrypting it. However, there is a restriction that IPsec can be used only in communication using IP as a protocol (communication protocol). For this reason, IP-VPN using IPsec is also subject to similar restrictions.

  SSL-VPN is a VPN realized by encrypting a packet by using a technology called SSL implemented in layer 5 (session layer). Since tunneling of packets is performed in units of applications, the installation environment is limited compared to other VPNs. Moreover, it has the fault that it can be used only by the application corresponding to SSL. On the other hand, it has the advantage of being easy to install.

  Software VPN is a common name of VPN constructed using VPN software such as Soft Ether and Tiny VPN. Since there is no known official name at present, the name software VPN is used in this specification for convenience. The software VPN has characteristics that are greatly different from the above VPNs. While each of the above VPNs is a technology for virtually interconnecting a plurality of existing physical networks, a software VPN is a virtual network (virtual network) that does not depend on a physical configuration. ) On the physical network.

  In a virtual network, communication is performed using a virtual NIC (Network Interface Card), a virtual hub, or the like. This virtual network can also be connected to a physical network by setting. Therefore, for example, by constructing one virtual network and connecting a plurality of physical networks thereto, it is possible to connect a plurality of physical networks as a result. Software VPN is easy to introduce, but it is also said to be a technology that poses a serious problem in terms of security because users can freely construct a VPN without the eyes of the network administrator.

  In the conventional VPN excluding the software VPN, when packet encapsulation (VPN packet creation) is performed, each packet is individually encapsulated. However, in this method, for example, when a large amount of data having a relatively small packet size exists, a VPN header (a header used for transmission control in the VPN) is added to each packet. For this reason, the ratio of the VPN header in the total data to be transmitted is increased, and there is a risk of reducing the transmission efficiency of the network.

As an invention for solving the above-described problem, Patent Document 1 discloses a packet concatenated transmission method in which a plurality of packets are encapsulated together. In the packet concatenated transmission method of Patent Document 1, for example, when a packet is transmitted from a LAN to a public network, a concatenated packet is created by concatenating the packets using a layer 2 tunneling device, and a VPN header is added to the concatenated packet. Is encapsulated and transmitted to the public network. The receiving LAN that has received the VPN packet through the public network uses the layer 2 tunneling device to remove the VPN header from the VPN packet and extract the concatenated packet. The extracted concatenated packet is divided to restore a plurality of packets, and each packet is transmitted to the transmission destination. Note that most of the software VPNs employ this packet concatenation transmission method.
JP 2004-258501 A

  Each of the above two transmission methods (methods that do not concatenate packets) has both advantages and disadvantages. The disadvantage of the method of encapsulating packets individually is that, as described above, when the packet size is relatively small, the ratio of the VPN header in the transmission data becomes large, which may reduce the transmission efficiency of the network. is there. Conversely, as an advantage, there is no need to perform packet concatenation or disassembly processing as in the packet concatenation transmission method at the time of packet-to-VPN packet conversion, or vice versa. Excellent in immediacy.

  On the other hand, the transmission method of Patent Document 1 has advantages and disadvantages that are completely opposite to those described above. As an advantage, for example, when a large number of packets having a relatively small size exist, the ratio of the VPN header in the transmission data can be reduced, so that the transmission efficiency of the network can be increased. On the other hand, the disadvantage is that the packet is concatenated or decomposed when the packet is converted into a VPN packet, or vice versa, so that communication delay is likely to occur and data that requires immediacy (for example, IP phone) May not be suitable for transmission of voice data, etc.).

  As described above, L2TP, IP-VPN, and SSL-VPN employ a method of individually encapsulating packets, whereas most software VPNs employ a method of concatenating and encapsulating packets. ing. Thus, which method is used is determined by the type of VPN and cannot be arbitrarily selected by the user. For this reason, for example, when a highly-immediate communication such as an IP phone is performed using software VPN, a packet is forcibly connected and encapsulated even though a method of individually encapsulating the packet is preferable. Therefore, there has been a problem that packet transmission delay occurs and sufficient quality cannot be obtained.

The present invention has been made to solve the above problems,
In order to more efficiently transmit packets in VPN,
Analyzing the header of the packet to determine whether the packet is used in a highly instantaneous communication;
Based on the determination result, changing the transmission method in packet units to create and transmit a VPN packet;
Determining the transmission method of the VPN packet from the VPN header when receiving the VPN packet;
Based on the determination result, restoring the packet from the VPN packet in a different manner for each transmission method;
It aims at providing the packet transmission system characterized by this.

In order to achieve the above object, the packet transmission method of the present invention provides:
An individual encapsulation step of individually encapsulating packets transmitted to the VPN to create a VPN packet;
A concatenated encapsulation step in which a plurality of packets are concatenated and then encapsulated to create a VPN packet;
An immediacy determination step of analyzing the header of the packet when transmitting the packet to the VPN and determining whether the packet is used for highly-immediate communication;
As a result of the immediacy determination step, the individual VPN packet transmission step of creating and transmitting the VPN packet using the individual encapsulation step, the packet determined to be used for highly immediate communication,
As a result of the immediacy determination process, a concatenated VPN packet transmission process for creating and transmitting the VPN packet by using the concatenated encapsulation process for the packet that has not been determined to be used for highly immediate communication; ,
It is characterized by having.

  According to this configuration, when a packet is transmitted to the VPN, by analyzing the header part of the received packet, for example, what kind of application the packet is used or to what extent transmission delay is permitted Information is acquired, and the transmission method is changed on a packet-by-packet basis. Packets having high immediacy (transmission delay is not permitted) are individually encapsulated (adding a VPN header) to create a VPN packet. In this case, the relationship between the VPN packet and the packet is one-to-one. Conversely, a packet with low immediacy (transmission delay is permitted) is encapsulated after concatenating a plurality of packets and converted into a VPN packet. In this case, the relationship between VPN packets and packets is one-to-many.

The packet transmission system of the present invention is
A VPN packet receiving step for receiving the VPN packet transmitted by the individual VPN packet transmission step and the concatenated VPN packet transmission step;
A VPN header analyzing step of analyzing a VPN header which is a header portion of the VPN packet received in the VPN packet receiving step;
When it is determined that the VPN packet is composed of a single packet as a result of the VPN header analysis step, the individual VPN packet restoration is performed to restore the single packet by releasing the encapsulation of the VPN packet. Process,
When it is determined as a result of the VPN header analysis step that the VPN packet is composed of a plurality of the packets, the encapsulation of the VPN packet is released and the plurality of connected packets are divided. A concatenated VPN packet restoring step for restoring a plurality of the packets by:
It is characterized by having.

  According to this configuration, the number of packets included in the VPN packet is determined by analyzing the VPN header of the VPN packet received through the VPN. When a single packet is included in the VPN packet, the packet is restored, for example, by removing the VPN header. When there are a plurality of packets included in the VPN packet, the plurality of packets are restored by, for example, removing the VPN header and dividing the packet.

According to the present invention,
When creating a VPN packet to be transmitted to a VPN, it is determined whether or not the original packet is used in highly-immediate communication, and the transmission method is changed on a packet-by-packet basis. . For this reason, it can transmit using the optimal transmission system for every packet. For example, in communication with high immediacy such as an IP telephone, a communication delay is prevented by creating a single VPN packet from a single packet. On the other hand, for example, data transmission amount is more weighted than immediacy, such as data communication using HTTP (Hyper Text Transfer Protocol) (even if a slight delay occurs, we want to reduce the transfer data amount as much as possible by data compression etc.) In communication, a plurality of packets are concatenated to create a single VPN packet. Thereby, the total number of VPN headers can be reduced and the network bandwidth can be used effectively.

  Further, according to the present invention, since the transmission method is not fixed as in the prior art, it is not necessary to select the VPN in consideration of whether communication immediacy is required when introducing the VPN. For example, when a VPN is mainly used for IP telephone communication, which is a highly immediate communication, there is no restriction that a software VPN, which is likely to cause a delay due to packet connection, is excluded from introduction targets.

  Further, according to the present invention, since the transmission method is changed only by a device on the transmission path or software installed in the device, the user does not need to be aware of the packet transmission method in the VPN. For this reason, for example, when performing highly-immediate communication, it is not necessary to change the setting of a transmission device such as a router.

The packet transmission system of the present invention will be described below with reference to the drawings.
[Embodiment]
<1. Network configuration>
Here, the configuration of the main part of the network to which the present invention is applied will be described with reference to the block diagram of FIG. In the present embodiment, an embodiment of the present invention in a VPN using software VPN is shown.

  As shown in the block diagram of FIG. 1, the network to which the present invention is applied is configured to include, for example, a gateway 1, a server 2, a PC 3, and an IP telephone 4. The gateway 1, the PC 3, and the IP phone 4 are connected to each other using a LAN cable or the like, thereby forming one component (node) that constitutes the LAN 91. Further, the gateway 1 and the server 2 are connected to each other via the public network 101 to form one node constituting the global network 92. Further, the gateway 1 and the server 2 are connected to each other via the VPN tunnel 102, thereby becoming one node constituting the VPN 93. Each node communicates with each other using a communication packet 31 or a VPN packet 32.

  The gateway 1 is an information processing apparatus connected to the three networks of the LAN 91, the global network 92, and the VPN 93, and has a role of relaying communication between the networks using a routing table (not shown). The gateway 1 includes a local NIC 11, a global NIC 12, and a virtual NIC 13 as interfaces for connecting to the three networks described above.

  The local NIC 11 is a physical interface for connecting the gateway 1 to the LAN 91. A local IP address is assigned to the local NIC 11, and the gateway 1 is uniquely recognized by the LAN 91 based on the local IP address. For this reason, the gateway 1 can communicate with other nodes (for example, the PC 3) in the LAN 91.

  The global NIC 12 is a physical interface for connecting the gateway 1 to the global network 92. A global IP address is assigned to the global NIC 12, and the gateway 1 is uniquely recognized in the global network 92 based on this. For this reason, the gateway 1 can communicate with another node (for example, the server 2) of the global network 92.

  The virtual NIC 13 is a virtual interface for connecting the gateway 1 to the VPN 93. The virtual NIC 13 is a virtual device that does not physically exist, and is controlled by software installed in the gateway 1. The OS (Operating System) of the gateway 1 recognizes the virtual NIC as if it were a physical NIC. Therefore, various applications operating on the OS can perform communication using the virtual NIC in the same manner as the method of performing communication using the physical NIC. A local IP address is assigned to the virtual NIC 13, and the gateway 1 is uniquely recognized by the VPN 93 based on this. For this reason, the gateway 1 can communicate with other nodes (for example, the server 2) of the VPN 93.

  The server 2 is an information processing apparatus connected to two networks of the global network 92 and the VPN 93, and receives a request (for example, a data transmission request) from a client (for example, the PC 3) via both or one of the networks. In order to provide various services upon request. The server 2 includes a global NIC 21 and a virtual NIC 22 as interfaces for connecting to the two networks.

  The global NIC 21 is a physical interface for connecting the server 2 to the global network 92. The global NIC 21 has the same characteristics as the global NIC 12 described above. For this reason, the server 2 can communicate with other nodes (for example, the gateway 1) of the global network 92.

  The virtual NIC 22 is a virtual interface for connecting the server 2 to the VPN 93. The virtual NIC 22 has the same characteristics as the virtual NIC 13 described above. For this reason, the server 2 can communicate with other nodes (for example, the gateway 1) of the VPN 93.

  The PC 3 is an information processing terminal connected to the LAN 91 and can communicate with other nodes (for example, the server 2) via the LAN 91. The PC 3 includes a NIC (not shown) for connecting to the LAN 91.

  The IP phone 4 is a voice communication terminal connected to the LAN 91, and can communicate with other nodes via the LAN 91. The IP phone 4 includes a NIC (not shown) for connecting to the LAN 91.

  The communication packet 31 is a packet used when a physical NIC (such as a global NIC or a local NIC) communicates with a physical NIC, or when a physical NIC and a virtual NIC communicate with each other. Created based on communication protocol.

  The VPN packet 32 is a packet used when communication is performed between virtual NICs to which different nodes belong. For example, when the virtual NIC 13 transmits a communication packet 31 to the virtual NIC 22, the communication packet 31 is encapsulated by VPN software (not shown) installed in the gateway 1, converted into a VPN packet 32, and passed to the global NIC 12. (Arrow α in the figure). The global NIC 12 that has received the VPN packet 32 transmits the VPN packet 32 to the physical NIC (in this case, the global NIC 21) of the node (in this case, the server 2) where the virtual NIC 22 exists. The server 2 that has received the VPN packet 32 by the global NIC 21 extracts the communication packet 31 from the encapsulated VPN packet 32 by VPN software. The communication bucket 31 obtained by the extraction is transferred to the virtual NIC 22 of the server 2 (arrow β in the figure). As described above, communication from the virtual NIC 13 to the virtual NIC 22 is performed.

<2. VPN packet configuration>
Here, the configuration of the VPN packet 32 will be described with reference to FIGS. FIG. 2 is a diagram showing an example of the configuration of the individual VPN packet 32a created by the individual encapsulation process of the present invention in the VPN packet 32. FIG. 3 is a diagram showing an example of the configuration of a concatenated VPN packet 32b created by the concatenated encapsulation process of the present invention in the VPN packet 32.

  As shown in FIG. 2, the individual VPN packet 32 a created by the individual encapsulation process of the present invention is composed of a VPN header part 41 and a VPN data part 42. The VPN header portion 41 is a portion that stores transmission control information for transmitting the individual VPN packet 32a in a physical network (for example, a global network). The VPN header 41 is composed of, for example, a MAC header, an IP header, a TCP header, and the like. The VPN data unit 42 is a part that stores data (for example, the communication packet 31) transmitted by the individual VPN packet 32a. The VPN data part 42 of the individual VPN packet 32 a includes one communication packet 31. Note that additional data other than the communication packet 31 (for example, a flag check sequence) can be stored in the VPN data unit 42.

  As shown in FIG. 3, the concatenated VPN packet 32b created by the concatenated encapsulation process of the present invention includes a VPN header part 43 and a VPN data part 44. The VPN header portion 43 is a portion that stores transmission control information for transmitting the concatenated VPN packet 32b in the physical network. The VPN header 43 is composed of, for example, a MAC header, an IP header, a TCP header, and the like. The VPN data unit 44 is a part that stores data transmitted by the VPN packet. The VPN data unit 44 includes a plurality of communication packets 31. The VPN data unit 44 can store additional data other than the communication packet 31 (for example, a flag indicating a boundary between the connected communication packets 31).

<3-1. Packet transmission method on the VPN packet sender side>
Here, the packet transmission system on the VPN packet transmission side in the packet transmission system of the present invention will be described with reference to the block diagram of FIG. 1 and the flowchart of FIG.

  This processing is started when a control unit (not shown) of the gateway 1 detects a VPN communication start request between the virtual NIC 13 and a virtual NIC of another node (for example, the virtual NIC 22 of the server 2) (S1). ).

  For example, the processing when the PC 3 shown in FIG. 1 transmits the communication packet 31 to the virtual NIC 22 of the server 2 will be described below. The communication packet 31 transmitted from the PC 3 reaches the local NIC 11 of the gateway 1 that is the default gateway. The gateway 1 that has received the communication packet 31 by the local NIC 11 refers to a routing table (not shown) and searches for a network in which the virtual NIC 22 that is the destination of the communication packet 31 exists. As a result of the search, it is found that the virtual NIC 22 exists on the VPN 93. Based on this result, the gateway 1 attempts to transmit the packet 31 to the virtual NIC 22 via the virtual NIC 13 that exists on the VPN 93 as with the virtual NIC 22 (arrow α in FIG. 1). At this time, a VPN communication start request (communication start request from the virtual NIC 13 to the virtual NIC 22) is issued.

  The control unit that detects the request analyzes the header part of the communication packet 31 that the virtual NIC 13 intends to transmit to the virtual NIC 22, and the communication packet 31 is a communication with high immediacy (the delay prevention is higher than the transmission efficiency and reliability). (S2).

  For example, check the values of TCP header port number, UDP header port number, IP header Tos, IP header destination and source IP address, VLAN header ID, VLAN header Priority (Cos), etc. Thus, the high level of immediacy required when the communication packet 31 is transmitted is derived. For example, the Tos in the IP header represents the communication quality from the viewpoint of reliability, throughput, and delay. If the Tos of the communication packet 31 is set to be low reliability, high throughput, and low delay, it is determined that the communication packet 31 is used for highly immediate communication.

  If it is determined that the immediacy of the communication packet 31 is high as a result of the header analysis process in S2, the process proceeds to S4 described later. Conversely, if it is not determined that the immediacy is high, the process proceeds to S5 described later (S3).

  As a result of S2, the communication packet 31 determined to have high immediacy is obtained by adding one VPN header (VPN header part 41) to one packet (VPN data part 42) as shown in FIG. The private VPN packet 32a is converted (encapsulated) (S4).

  On the contrary, as a result of S2, the communication packet 31 that has not been determined to have high immediacy waits until a certain amount of communication packet 31 is received, and then concatenates a plurality of packets 31 to create a concatenated packet (not shown). (S5). Then, one VPN header (VPN header part 43) is added to one concatenated packet (VPN data part 44), so that it is converted into a concatenated VPN packet 32b (S6).

  The VPN packet 32 (individual VPN packet 32a or concatenated VPN packet 32b) created as described above is transmitted to the global NIC 21 of the server 2 using the global NIC 12 and the public network 101 (S7).

<3-2. VPN packet receiver side packet transmission system>
Here, the packet transmission method on the VPN packet receiving side in the packet transmission method of the present invention will be described with reference to the block diagram of FIG. 1 and the flowchart of FIG.

  This process is started when a control unit (not shown) of the server 2 detects reception of the VPN packet 32 by the global NIC 21 (S1). In addition, in a present Example, said Example <3-1. VPN packet transmission side packet transmission method>, it is assumed that the VPN packet 32 (VPN packet 32 transmitted from the PC 3 to the server 2 via the virtual NIC 13) has been received. .

  The control section removes the VPN header section 41 (or the VPN header section 43) from the received VPN packet 32 and releases the encapsulation of the VPN packet 32 (S2). Next, based on the information included in the removed VPN header part 41 (or VPN header part 43), it is determined whether the received VPN packet 32 is an individual VPN packet 32a or a concatenated VPN packet 32b. Judgment is made (S3). If it is the individual VPN packet 32a, the process proceeds to S4a described later. In the case of the concatenated VPN packet 32b, the process proceeds to S4b described later.

  As a result of S3, when the received VPN packet 32 is the individual VPN packet 32a, the single communication packet 31 is restored from the data part 42 of the individual VPN packet 32a (S4a). Conversely, if the received VPN packet 32 is a concatenated VPN packet 32b, the concatenated packet is extracted from the data portion 44 of the concatenated VPN packet 32b and then decomposed, and a plurality of communication packets 31 are restored (S4b).

  As a result of S4a or S4b, the restored single or plural communication packets 31 are transmitted from the global NIC 21 to the virtual NIC 22 as the transmission destination as indicated by the arrow β in FIG. 1 (S5).

  In this embodiment, the transmission side of the communication packet 31 is the virtual NIC 13 of the gateway 1 and the reception side is the virtual NIC 22 of the server 2. However, even when the transmission side and the reception side are reversed, the virtual NIC 22 to the virtual NIC 13 are used. The transmission process is performed in the same procedure.

<4. Various features of the present invention>
According to this embodiment,
When the VPN packet 32 is created, the header of the communication packet 31 that is the source of the VPN packet 32 is analyzed (S2 of 3-1) to determine whether the packet is used in highly immediate communication. (3-1 of S3-1). Based on this result, the individual VPN packet 32a or the concatenated VPN packet 32b is created, so that transmission can be performed using an optimum transmission method in units of packets.

  Therefore, for example, when the communication packet 31 transmitted from the PC 3 and the communication packet 31 transmitted from the IP phone 4 are received at the same time, the respective headers are analyzed to determine whether the packet is used for highly immediate communication. To do. If it is determined that the communication packet 31 transmitted from the PC 3 is, for example, an HTTP packet using HTTP with low immediacy, the transmission of the HTTP packet is temporarily suspended. Next, it is assumed that the header of the communication packet 31 previously issued from the IP telephone 4 is analyzed, and it is determined that the voice packet has high immediacy. As a result, the voice packet is first encapsulated and converted into the individual VPN packet 32a, and is transmitted with priority. Thereafter, after a certain amount of HTTP packets received from the PC 3 are accumulated, a plurality of HTTP packets are concatenated and encapsulated, converted into a concatenated VPN packet 32b, and transmitted.

  The merit of the individual VPN packet 32a created as described above is that it does not wait for a certain number of packets to be accumulated unlike the creation of the concatenated VPN packet 32b. For this reason, a communication delay hardly occurs. Conversely, the connection VPN packet 32b is likely to cause a communication delay. For example it is assumed that in an environment where voice packets 100byte are endlessly transmitted, transmission by connecting VPN packet 32b has been performed. In this case, if the data is collectively encapsulated in units of 1500 bytes, the voice packet is kept waiting in the gateway 1 until 1500 bytes / 100 bytes = 15 packets are accumulated. Assuming that one packet includes 20 ms of voice data, the creation of the concatenated VPN packet 32b is not performed until 20 ms × 15 = 300 ms of voice data is accumulated. For this reason, even if the receiving side application performs processing assuming that one packet is received every 20 ms, 15 voice packets are simultaneously received every 300 ms, so the receiving side cannot perform normal processing. The problem occurs.

  Conversely, the advantage of the concatenated VPN packet 32b is that the amount of data applied to the VPN header can be reduced, so that the network bandwidth can be used effectively. For example, when the VPN header is composed of a MAC header, an IP header, and a TCP header as shown in FIG. 3, the size of the VPN header is 54 bytes. Here, if 10 pieces of 10-byte data are sent, the total data amount when the individual VPN packet 32a is used is (54 bytes + 10 bytes) × 10 = 640 bytes. Conversely, when the concatenated VPN packet 32b is used, the total data amount is 54 bytes + (10 bytes × 10) = 154 bytes. Thus, the data amount when using the concatenated VPN packet 32b is less than a quarter of the data amount when using the individual VPN packet 32a.

  Further, according to the present invention, the transmission method for transmitting packets using VPN as in the prior art is not fixed by the VPN specification.

  Therefore, for example, when newly introducing a VPN, it is not necessary to select the type of VPN to be introduced in consideration of the high degree of immediacy of communication required during VPN operation. For this reason, for example, when using VPN in IP telephone communication with high immediacy, there is no restriction that a VPN (for example, software VPN) adopting the packet connection method is excluded from the introduction target.

  In addition, according to the present invention, since the transmission method is automatically switched by a device on the transmission path (for example, a gateway, a router, etc.) or software installed in the device, the user can transmit the VPN packet using any transmission method. There is no need to be conscious of what it is.

  Therefore, for example, when VPN is used in IP telephone communication with high immediacy, there is no need to perform work such as manually specifying the setting of the transmission apparatus to the individual packet transmission method.

[Other embodiments]
The present invention has been described with reference to the preferred embodiments and examples. However, the present invention is not necessarily limited to the above embodiments and examples, and various modifications may be made within the scope of the technical idea. Can be implemented.

  For example, it goes without saying that this can also be achieved by implementing the processing method of the software VPN that realizes the functions of the above-described embodiments in a program code (for example, firmware) executed in a transmission apparatus (for example, a router) other than the gateway 1. Yes.

  In this case, the program itself executed by the transmission apparatus realizes the functions of the above-described embodiments, and the transmission apparatus storing the program code constitutes the present invention.

  As a device for storing the program code, for example, a router, a bridge, an L2 switch, an L3 switch, an ATM switch, an L2 tunneling device, a PC, a workstation, or the like can be used.

  Further, by executing the program code read by the apparatus, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the apparatus based on the instruction of the program code. It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the actual processing and the processing is included.

  Furthermore, based on the instruction of the program code in the memory provided in the function expansion board inserted into the device or the function expansion unit connected to the computer, the CPU provided in the function expansion board or function expansion unit is part of the actual processing. Or, it goes without saying that the case where the functions of the above-described embodiment are realized by performing all of the above processing is also included.

It is a block diagram showing the network component of this invention. It is a block diagram showing the structure of the separate VPN packet of this invention. It is a block diagram showing the structure of the connection VPN packet of this invention. It is a flowchart of the packet transmission process of the VPN packet transmission side of this invention. It is a flowchart of the packet transmission process of the VPN packet receiving side of this invention.

Explanation of symbols

31 Communication packets (packets)
32 VPN packet 32a Individual VPN packet 32b Concatenated VPN packet 91 LAN
92 Global network 93 VPN
101 public network 102 VPN tunnel

Claims (3)

In packet transmission method in VPN,
An individual encapsulation step of individually encapsulating packets transmitted to the VPN to create a VPN packet;
A concatenated encapsulation step in which a plurality of packets are concatenated and then encapsulated to create a VPN packet;
An immediacy determination step of analyzing the header of the packet when transmitting the packet to the VPN and determining whether the packet is used for highly-immediate communication;
As a result of the immediacy determination step, the individual VPN packet transmission step of creating and transmitting the VPN packet using the individual encapsulation step, the packet determined to be used for highly immediate communication,
As a result of the immediacy determination process, a concatenated VPN packet transmission process for creating and transmitting the VPN packet by using the concatenated encapsulation process for the packet that has not been determined to be used for highly immediate communication; ,
A packet transmission system characterized by comprising: A VPN packet receiving step for receiving the VPN packet transmitted by the individual VPN packet transmission step and the concatenated VPN packet transmission step;
A VPN header analyzing step of analyzing a VPN header which is a header portion of the VPN packet received in the VPN packet receiving step;
When it is determined that the VPN packet is composed of a single packet as a result of the VPN header analysis step, the individual VPN packet restoration is performed to restore the single packet by releasing the encapsulation of the VPN packet. Process,
When it is determined as a result of the VPN header analysis step that the VPN packet is composed of a plurality of the packets, the encapsulation of the VPN packet is released and the plurality of connected packets are divided. A concatenated VPN packet restoring step for restoring a plurality of the packets by:
The packet transmission system according to claim 1, comprising: A packet transmission program using the packet transmission method according to claim 1 or 2.

Images