JP2007158672A - Network tunneling device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network tunneling device capable of alleviating the functional packaging of a terminal to application when the terminal terminates a tunnel directly, and obtaining the tunneling easily. <P>SOLUTION: A database, in which a packet having a same sender address, a same destination address, and a same identifier is associated with an identifier of a uniquely determined encapsulation protocol header, is provided. On the occasion of encapsulating a series of fragment packets, an identical identifier is appended. Thereby, since a status of fragment before encapsulation can be maintained after encapsulation, fragment assembly in a receiving terminal becomes easy. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention is used for tunneling transfer in an IP network.

  Tunneling is a method of encapsulating data transmitted from a terminal that supports a protocol different from the protocol operating in the relay network with the protocol used in this relay network. This is a technique for enabling this relay network to be transferred, and enabling interconnection even when a different protocol is used on the transfer network.

  A network protocol called Internet Protocol (hereinafter referred to as IP) is widely used as a network protocol for various networks such as the Internet to the corporate network. However, it differs depending on the use of IP tunneling. Connections between networks using protocols can also be realized via the Internet.

  For example, in tunneling by IP, in order to eliminate the problem of interoperability due to differences in IP versions, by connecting different versions of IP by tunneling, in order to transfer data of different versions of IP over an IP network. in use.

  For tunneling between IPs of the same version, by adding another protocol header to the original protocol header of the data transferred over the network by encapsulation with the same protocol, Data transfer through a route different from the data transfer to the destination or data transfer to a terminal different from the original destination can be performed.

  For example, for the purpose of distributing the load of a server device that is congested, for example, data having a specific destination is forcibly changed to another destination, and only the server device that is the original destination is changed. Instead, it is used for a mechanism that reduces the load on the server device by sharing the processing in the transfer destination terminal whose destination has been changed.

  In addition, in order to allow a moving IP terminal to receive data addressed to a conventional IP address even at the moving destination, “mobile IP” that transfers an IP packet from the originally existing network to the current moving destination. It is also used in a technology called.

  Non-Patent Document 1 discloses a conventional method for realizing tunneling using IP headers that are the same protocol for such IP data. The method disclosed in Non-Patent Document 1 is characterized in that each IP packet input to the tunnel is encapsulated by adding an independent encapsulation protocol header and transmitted to the tunnel.

RFC1853 IP in IP Tunneling

  Problems in the case of following the above-described conventional data encapsulation method will be described with reference to the drawings.

  FIG. 1 is a diagram showing a network configuration using general tunneling in which network tunneling devices are connected to both ends of a tunnel and the networks are connected by a tunnel. FIG. 2 shows a terminal at one end of the tunnel. The network configuration in the form of being directly accommodated is shown.

  In FIG. 1, reference numerals 1 and 2 are terminals connected to the network, reference numerals 3 and 4 are network tunneling apparatuses that connect the network and the tunnel, reference numerals 5 and 6 are networks connected by the tunnel, reference numeral 7 is the network 5 This is a tunnel connecting the network 6.

  In FIG. 2, the terminal 2 is characterized in that it has a function of directly terminating the tunnel, and the network 6 that is the connection target with the network tunneling device 4 is omitted.

  FIG. 3 shows two fragment packets 11 and 12 that have already been divided by fragments. Each fragment packet 11 and 12 is composed of headers 13 and 15 and data 14 and 16.

  FIGS. 4 and 5 explain the problem to be solved by the present invention and the fragment packet processing in the network configuration of FIG. 2 based on the fragment packet shown in FIG. FIG. 4 illustrates the conventional operation for the encapsulation operation for the fragment packet in the network tunneling apparatus 3 in the network configuration of FIG.

  In FIG. 4, first, when the network tunneling device 3 receives the fragment packets 11 and 12 input from the connected network 5, each of the received fragment packets 11 and 12 is encapsulated independently. I do.

  At this time, the network tunneling device 3 generates the encapsulation protocol headers 23 and 24 corresponding to the fragment packets 11 and 12, respectively, and the encapsulation protocol header is received at the head of the received fragment packets 11 and 12. 23 and 24 are added to generate encapsulated data 21 and 22. Thereafter, the encapsulation processing is performed by transferring each of the encapsulated data 21 and 22 to the tunnel 7.

  5 shows the terminal 2 when the encapsulated data 21 and 22 generated by the network tunneling apparatus 3 that performs the encapsulating operation described in FIG. 4 is received by the terminal 2 that directly terminates the tunnel 7 shown in FIG. The data reception operation in FIG.

  When the terminal 2 receives the encapsulated data 21 and 22, first, the encapsulation protocol headers 23 and 24 used for the transfer of the tunnel 7 are processed by the IP stack implemented in the terminal 2, With the encapsulation protocol headers 23 and 24 deleted, the fragment packets 11 and 12 are transferred to the application.

  In the application of the terminal 2, it is necessary to assemble these received fragment packets 11 and 12 and extract the data 14 and 16 that are originally intended for transfer and use them for processing.

  Based on this operation, according to the encapsulation operation in the network tunneling device 3 in the system having the tunnel configuration shown in FIG. 2, the terminal 2 that is the other end of the tunnel 7 Since the packets 11 and 12 are received individually, it is necessary to re-assemble these two packets at the application level, and the divided packet assembly function inherent in the IP stack Must be implemented separately at the application level.

  As described above, in the system using the encapsulation operation in the conventional network tunneling device 3, since it is necessary to implement the fragment function of the IP stack in the application part in the terminal 2, the terminal Since the amount of development for implementing the function for 2 increases and the processing required in the terminal 2 is equivalent to the processing equivalent to the processing in the IP stack twice, the processing time increases. There are two major problems.

  In the network tunneling apparatus 3 in the network configuration using the tunneling in which the terminal 2 directly terminates the tunnel 7 as shown in FIG. The purpose of the present invention is to reduce the function implementation for the application of the terminal 2 by implementing the encapsulation operation for the fragment packet according to the present invention, and to easily realize the tunneling by the configuration of FIG.

  The present invention is used in a data communication system for transferring data via an IP network, and encapsulating means for adding a new protocol header to the received transfer data and transferring it within the network, and the encapsulation means And a detuning means for removing the protocol header added by the network tunneling device.

  Here, a feature of the present invention is that an encapsulated data base that stores a set of information of a source address, a destination address, and an identifier of data to be encapsulated and identifier information of an encapsulation protocol header is provided. Provided, when the fragment data is processed, if there is no entry in the encapsulated data base that matches the source address, destination address, and identifier of the received packet, After determining the identifier of the encapsulating protocol header, information on the source address, destination address, and identifier of the data to be encapsulated and information on the identifier of the newly determined encapsulating protocol header are stored in the encapsulated data base. The source address registered in the encapsulated data base and the address An encapsulated protocol header including an address and an identifier of the encapsulated protocol header is generated and encapsulated, and an entry of the encapsulated data base that matches the source address, destination address, and identifier of the received packet is If it already exists, an encapsulation protocol header including the source address, the destination address, and the identifier of the encapsulation protocol header included in the matching entry of the encapsulated data base is generated and encapsulated. And in the encapsulation process for data other than the head data of the fragment before encapsulation, it is included in the encapsulated data base entry that matches the source address, destination address, and identifier of the received packet. Said source address, Serial destination address, generates encapsulation protocol header including an identifier of the encapsulation protocol header, is in place and means for replacing the encapsulation protocol header and protocol header of the received packet.

  Thus, in the present invention, the state of the fragment before encapsulation can be maintained even after encapsulation. In other words, conventionally, even if it is a series of fragmented data or single data, all of them are uniformly encapsulated independently. However, in the present invention, it is possible to perform the encapsulation by reflecting the state of the fragment before the encapsulation. The state can be recognized, and the fragment / assemble process at the receiving terminal can be simplified as compared with the conventional case.

  The encapsulated data base is used to realize the encapsulation of the present invention, and the identifier of the encapsulation protocol header uniquely determined for data having the same source address, destination address, and identifier is supported. This information is registered in the encapsulated data base, and the source address, destination address, and identifier written in the header of the received encapsulated packet are read out and registered in the encapsulated data base. By comparing with the source address, the destination address, and the identifier, it is identified whether or not the data included in the encapsulated packet is data constituting a series of fragmented data, and includes a series of fragmented data. If the packet is known, it corresponds to the series of fragmented data. That by the header information including an identifier of the encapsulation protocol header performs encapsulation by applying to the object to be encapsulated packet, so as to maintain a condition of encapsulation previous fragment even after being encapsulated.

  In this case, whether or not the encapsulated packet is a packet containing a series of fragmented data, whether it is the first packet or the last packet of a series of fragmented data. Alternatively, information such as whether the packet is an intermediate packet can also be included in the encapsulation protocol header.

  Here, the identifier is used to identify that both the data to be encapsulated and the data to which the encapsulation protocol header is added are processed as fragment data, and that the data is a series. It is. Therefore, the identifier of the encapsulation target data and the identifier of the encapsulation protocol header may be considered to be substantially the same type. That is, the former is an identifier for identifying continuity of data before encapsulation, and the latter is an identifier for identifying continuity of data after encapsulation. In that case, the role is the same.

  The network tunneling device of the present invention also includes information on the identifier of the encapsulation protocol header of the data to be decapsulated, and the source address, destination address, and identifier information of the protocol header extracted after decapsulation. A decapsulation data base for storing the set, and the decapsulation means sends an identifier of an encapsulation protocol header and a transmission source of data extracted after the decapsulation processing when processing the head data of the fragment Address, destination address, and identifier information are registered in the decapsulated data base, and when processing data other than the beginning of the fragment, the encapsulation protocol header of the received data is changed to that of the encapsulation protocol header. The decapsulated data corresponding to the identifier The source address generated by information based on the base of the existing entry, the destination address, characterized by comprising means for performing replacement by new protocol header including the identifier.

  As a result, as described above, the decapsulation can be performed on the encapsulated packet subjected to the encapsulation of the present invention. That is, in the present invention, even after the encapsulation, since the head data of the fragment and other data can be identified, when performing the decapsulation processing of the head data, the header of the packet after the decapsulation By extracting the various information to be installed in and registering the various information in the decapsulated data base, in the decapsulation processing of data other than the head, the various information registered in the decapsulated data base Since the decapsulated header information can be generated based on the information, the decapsulation process can be simplified.

  The encapsulated and decapsulated data base is provided with means for storing a data amount increase / decrease value by adding or removing an encapsulation protocol header and calculating a fragment offset value based on the increase / decrease value. Can do.

  As a result, the fragment offset information of the encapsulating protocol header can be corrected, so that it is possible to cope with the case where the encapsulating protocol header length is variable, and a flexible network tunneling system configuration is possible. It becomes.

  Also, the present invention can be grasped from the viewpoint of a network tunneling method. That is, the present invention is used in a data communication system that transfers data via an IP network. The received transfer data is encapsulated by adding a new protocol header and transferred to the network for encapsulation. This is a network tunneling method executed by a network tunneling device that decapsulates and removes transfer data before encapsulation by removing the added protocol header when the received transfer data is received.

  Here, the present invention is characterized in that the state of the fragment of the data to be encapsulated before the encapsulation is stored in the encapsulated data base, and the data to be encapsulated before the encapsulation based on the stored contents. The step of reflecting the state of the fragment in the information of the encapsulated protocol header after the encapsulation is executed.

  In addition, when decapsulation processing is performed on the head data of a fragment in decapsulation of encapsulated data in the network tunneling method of the present invention, the protocol header information of data extracted after the decapsulation processing is fetched from the head data. In the step of storing by the decapsulation data base and in the decapsulation processing for data other than the head of the fragment in decapsulation, information on a new protocol header after decapsulation processing is generated based on the stored contents The step of replacing the encapsulation protocol header of the data is executed.

  According to the present invention, in a network configuration using tunneling in which a terminal directly terminates a tunnel, the function implementation for the application of the terminal is reduced, and tunneling can be easily realized. Further, by using the encapsulation according to the present invention, the decapsulation process can be simplified as compared with the conventional case.

  Examples of the present invention will be described below. The encapsulating protocol header in this embodiment will be described as using UDP / IP. Further, the description will be made assuming that the encapsulation target data transferred on the network is also UDP / IP.

  The network configuration in this embodiment is the same as in FIG. FIG. 6 shows fragmented IP data 601 and 602 transmitted by the terminal 1. Since the IP data 601 is UDP / IP data, the IP data 601 includes an IP header 606, a UDP header 605, and data 603.

  The IP data 602 is composed of an IP header 607 and data 604. Since the IP packet 602 is data corresponding to a portion other than the head divided into two by fragments, information of the UDP header is not included.

  FIG. 7 is a table 701 showing information of the IP headers 606 and 607 regarding the information of the IP header portion of the IP data 601 and 602 shown in FIG.

SrcIP 703 is information on the source IP address of the packet, DstIP 704 is information on the destination IP address, and TL 705 is Total.
Length information, ID 706 is identifier information, DF707 is fragment prohibition bit (Don't
Fragment), MF 708 indicates an additional fragment packet presence bit (More Fragment) setting, and FO 709 indicates fragment offset information. ID 706 indicates an identifier expressed in the claims.

  SrcIP 703 of the IP data 601 is X, which indicates the IP address of the terminal 1. Also, Y is set in DstIP 704 of the IP data 601, which is an address different from that of the terminal 2. 200 and 100 are set in the TL 705 of the IP data 601 and 602, respectively, and 1 is set in the ID 706 for both data. In the DF 707, No is set for both data, and the setting for allowing the fragment operation is performed. The MF 708 is Yes in the IP data 601 and No in the IP data 602. The IP data 601 indicates that there is subsequent data as fragment data, and the IP data 602 is the final data as fragment data. It is shown. The FO 709 is 0 for the IP data 601 and 180 for the IP packet 602, and it can be determined that the IP data 601 is the top data of the fragment and the IP data 602 is the final data of the fragment together with the value of the MF 708.

  FIG. 8 shows a functional block configuration of the network tunneling apparatus 3 that implements an encapsulation function for fragment data according to the present invention.

  The network tunneling device 3 has an encapsulation processing unit 801 and a decapsulation processing unit 803 in order to configure a tunnel by encapsulation, and each process is used when generating or removing an encapsulation protocol header. Each of the encapsulated data base 802 and the decapsulated data base 804 having information is managed.

  The IP data transmission / reception unit 805 has a function of receiving IP data from the network, transferring the IP data to the encapsulation processing unit 801 or the decapsulation processing unit 803, and transferring the processing result to the network again.

  FIG. 9 is a diagram showing the configuration of the encapsulated data base 802 shown in FIG. The encapsulated data base 802 is configured as a collection of a plurality of encapsulated data base entries, and one entry is also configured from a plurality of information elements.

  Each entry is composed of a set of information relating to an original IP header 901 and an encapsulation protocol header 902 which are IP headers in the receiving-side network 5 to be encapsulated. There is a SrcIP 903 indicating IP address information, a DstIP 904 indicating destination IP address information, and an ID 905 indicating identifier information. The information of the encapsulation protocol header 902 used in the tunnel 7 is composed of an ID 906 indicating the identifier information of the encapsulation protocol header. The ID 905 indicates the identifier of the encapsulation target data expressed in the claims, and the ID 906 indicates the identifier of the encapsulation protocol header expressed in the claims.

  FIG. 10 is a diagram showing a processing flow of the encapsulation processing performed in the encapsulation processing unit 801 in the network tunneling apparatus 3 according to the present invention.

  Encapsulation processing start S1 indicates the start position of this processing flow, and the processing is started at the timing when the encapsulated data is transferred from the IP data transmission / reception unit 805 to the encapsulation processing unit 801. The IP header information acquisition S2 is a process for acquiring information set in the IP header from the IP data to be processed. The determination S3 determines whether the condition of “MF flag value is 1” or “FO flag value is 0” is satisfied based on the IP header information acquired in the process S2. It is determined whether or not the IP packet is being performed.

  In the encapsulation process for the IP data subjected to the fragmentation, first, the entry of the condition matching the information of the IP header acquired in the process S2 is searched from the encapsulated data base 802 by the process S4.

  In the process S5, the result of the entry search is confirmed. If there is an existing entry, the ID 906 of the encapsulation protocol header 902 of the entry extracted by the search is stored as shown in the process S6. When there is no existing entry, as shown in process S7, an ID of the encapsulation protocol header that does not overlap with the ID of the encapsulation protocol header currently used is acquired, and the original IP acquired in process S2 is acquired. It is registered in the encapsulated data base 802 together with the information of the header 901.

  In step S8, it is determined whether there is head data in the fragment data based on the set value of the fragment offset.

  If it is determined that the data is the head data, in step S9, the encapsulation protocol header is defined as MF = 1, FO = 0, ID = ID 905 of the original IP header, and the MF information of the original IP header is set to 0. Set to generate encapsulated data.

  If it is determined that the data is not the top data, it is determined in step S10 whether the data is the final data of the fragment. If it is not the final data, in step S11, the encapsulated data in which the encapsulating protocol header is defined as MF = 1, FO = 0 + encapsulating protocol header size, and ID = ID906 (encapsulating protocol header identifier). And the encapsulation protocol header is replaced. The difference from S9, which is the process for the top data, is that the size of the fragment offset plus the encapsulation protocol header needs to be adjusted, and the original IP header is encapsulated instead of encapsulated data. It is characterized in that it is replaced with a protocol header.

  If it is determined in the process S10 that it is the final data of the fragment, in the process S12, the encapsulation protocol header is defined as MF = 0, FO = 0 + encapsulation protocol header size, ID = ID906, Replace original IP header with encapsulation protocol header.

  FIG. 11 is a diagram showing operations related to the encapsulation process of the first packet of the fragment corresponding to the process S9 in FIG. 6 shows a state where the encapsulation operation from the IP data 601 which is the head data of the fragment shown in FIG. 6 to the encapsulated data 1101 is performed, and then the fragment is performed again.

  Reference numeral 1101 indicates encapsulated data, and reference numerals 1102 and 1103 indicate fragmented IP data for the encapsulated data. Reference numerals 1104 and 1105 are data divided by fragments, reference numeral 1106 is an encapsulation protocol header (TUDP # 1) which is a UDP header used for encapsulation, and reference numeral 1107 is used for encapsulation. The encapsulated protocol header (TIP # 1) is an encapsulated protocol header (TIP # 1) which is a fragment of the encapsulated protocol header (TIP # 1) 1107. TIP # 1-2).

  Here, the reason why the encapsulated data 1101 is divided into two by the fragment into the encapsulated data 1102 and 1103 is that the TL of the encapsulated data 1101 exceeds TL = 200 of the IP data 601 before encapsulation due to the encapsulation. This is to avoid the problem.

  FIG. 12 shows the contents of the encapsulation data 1102 shown in FIG. 11 and the encapsulation protocol headers (TIP # 1-1, TIP # 1-2) added to the encapsulation data 1103. The encapsulated data 1103 is a fragment of the encapsulated data 1101. In this example, the ID 706 (identifier of the encapsulating protocol header) is set as 100. The FO 709 of the encapsulated data 1103 is 180.

  Regarding the fragment processing from the encapsulated data 1101 to the encapsulated data 1102 and the encapsulated data 1103, this processing is not described in the processing flow in FIG. 10, but this is implemented in the IP data transmission / reception unit 805 in the network tunneling apparatus 3. It is because it is going to be done.

  FIG. 13 shows an operation of encapsulating the final data of the fragment corresponding to the process S12 in FIG. The IP data 602 is the final packet of the fragment shown in FIG. The encapsulated data 1301 replaces the IP header 607 with an encapsulation protocol header (TIP # 1-3) 1302, which is an IP header corresponding to encapsulation, by executing the processing S12 of FIG.

  FIG. 14 shows information related to the encapsulation protocol header (TIP # 1-3) 1302 of the encapsulated data 1301 shown in FIG.

  In this way, the network tunneling apparatus 3 in the present embodiment receives the IP data 601 and 602, and uses the functions of the encapsulation processing unit 801 and the IP data transmission / reception unit 805 as the encapsulated data 1102, 1103, and 1301. The data is transferred to the tunnel 7 and reaches the terminal 2 to be received. The terminal 2 can assemble these three pieces of data into one piece of IP data in a normal IP stack process, and can receive data in a form before being fragmented into two pieces of IP data 601 and 602. It becomes possible.

  With these processes, the terminal 2 does not require special processing, and the fragment / packet assembly process after decapsulation is uniquely performed by using the normal IP stack mounted in the terminal 2. Without having to receive the original data of the fragment.

  Hereinafter, the decapsulation operation in the network tunneling apparatus 3 according to the present embodiment will be described.

  In the present embodiment, the fragmented encapsulated data 1501 and 1502 transmitted by the terminal 2 shown in FIG. 15 is based on the processing flow in the decapsulation processing unit 803 of the network tunneling apparatus 3 that has received the packets. explain.

  FIG. 16 is a table showing information of the encapsulation protocol headers (TIP # 1-1, TIP # 1-2) of the encapsulated data 1501 and 1502 shown in FIG. Since the encapsulated data 1501 and 1502 in this embodiment are fragmented after encapsulation, the encapsulated data 1502 does not have a UDP header.

  17 is a data base used by the decapsulation processing unit 803 of the network tunneling device 3, and the SrcIP 1703, DstIP 1704, ID 1705 and the encapsulation protocol header of the encapsulated IP header 1701. A set of information of ID 1706 in 1702 is managed as one entry.

  FIG. 18 is a flowchart for explaining the flow of decapsulation processing in the decapsulation processing unit 803 of the network tunneling apparatus 3.

  When the network tunneling device 3 receives the encapsulated data 1501 that is the head data in the fragment of the encapsulated data, this data is transferred to the decapsulation processing unit 803 to perform the decapsulation process, and the decapsulation process is performed. The process is started (S21). Thereafter, after the information of the encapsulation protocol header is acquired by the process S22, it is determined whether or not the data is a fragmented data by the process S23, but the process is performed because MF = 1 as shown in FIG. Proceeding to S24, it is determined whether the data is the head data of the fragment. Since this is also FO = 0 as shown in FIG. 16, it progresses to process S25.

  In the process S25, the ID information set in the encapsulation protocol header (TIP # 1-1) 1507 of the encapsulated data 1501 input as shown in FIG. 19 is used as the ID 1706 of the encapsulation protocol header 1702, and at the same time The information of the encapsulated IP header 1505 is set as SrcIP 1703, DstIP 1704, and ID 1705 of the encapsulated IP header 1701, registered in the decapsulated data base 804, and then the encapsulated protocol header ( TIP # 1-1) 1507 and (TUDP # 1) 1506 are removed, MF708 is set as YES (1) for the information in the encapsulated IP header 1505, and TL705 is set as the size of the new IP data. Decapsulation To terminate the management. After the data is transferred from the decapsulation processing unit 803 to the IP data transmission / reception unit 805, the data is transferred from the IP data transmission / reception unit 805 to the network 5.

  Next, when the network tunneling apparatus 3 receives the encapsulated data 1502 other than the head in the fragment of the encapsulated data, after the encapsulation protocol header information is acquired by the process S22 of the decapsulation processing unit 803 In step S23, it is determined whether or not the data is a fragmented data. As shown in FIG. 16, although MF = 0, since FO = 180, the process proceeds to step S24 to check whether the data is the head data of the fragment. Make a decision. As a result, as shown in FIG. 16, since FO = 180, the process proceeds to step S26.

  In the process S26, the ID information set in the encapsulation protocol header (TIP # 1-2) 1509 of the encapsulated data 1502 input as shown in FIG. Information to be searched is searched from the decapsulated data base 804, and an entry of the corresponding data base is selected.

  Thereafter, the encapsulated IP header 2102 is generated using the information of the SrcIP 1703, DstIP 1704, and ID 1705 of the selected data base entry. The FO 709 of the encapsulated IP header is the size of the encapsulation protocol header (TIP # 1-1) 1507 deleted from the encapsulated data 1501 from the FO 180 of the encapsulated IP header 1509 and the encapsulation protocol header. (TUDP # 1) 28, which is the total size of 1506, is subtracted, and FO = 152 is set.

  The data 2101 is also transferred from the decapsulation processing unit 803 to the IP data transmission / reception unit 805 and then transferred from the IP data transmission / reception unit 805 to the network 5.

  Through these operations, the terminal that has received the decapsulated data 1901, 2101 that is the fragment data transferred by the network tunneling apparatus 3 can assemble the IP fragment by the IP stack of the terminal.

  Based on these operations, the network tunneling device to which the present invention is applied does not require the implementation of the function of performing the fragment processing for the application on the terminal side even in the network configuration in which the terminal directly terminates the tunnel. As a result, the amount of development on the terminal side can be reduced, which makes it possible to construct a system at a low cost.

  Further, in this embodiment, in order to show the effect of the present invention remarkably, the network configuration in which the terminal directly terminates the tunnel as shown in FIG. 2 has been described as an example, but the network shown in FIG. Even in the configuration, the decapsulation processing of the present invention described above may be performed on the fragmented encapsulated data transmitted by the network tunneling device 3 or 4 in the network tunneling device 4 or 3 that has received the encapsulated data. Therefore, the decapsulation process in the network tunneling devices 3 and 4 can be simplified as compared with the conventional case.

(Second embodiment)
Hereinafter, the second embodiment will be described. FIG. 23 is a diagram showing the configuration of the encapsulated data base 802 in the second embodiment. In FIG. 23, a correction value 2301 is added to the information for each entry with respect to the configuration of the encapsulated data base 802 shown in the first embodiment.

  As a result, first, in the processing S7 (FIG. 10) for registering an entry in the encapsulated data base 802, it is possible to register information on the header size that increases due to encapsulation as the correction value 2301.

  In addition, in the fragment offset correction process in steps S11 and S12, the fragment offset information of the encapsulation protocol header is obtained based on the correction value 2301 set in the entry of the corresponding encapsulated data base 802. By correcting, it becomes possible to cope with the case where the encapsulation protocol header length becomes variable.

  FIG. 24 is a diagram showing the configuration of the decapsulated data base 804 in the second embodiment. In FIG. 24, a correction value 2041 is added to the information for each entry with respect to the configuration of the decapsulated data base 804 shown in the first embodiment.

  As a result, first, in the process S25 (FIG. 18) for registering an entry in the decapsulated data base 804, it is possible to register information on a header size that decreases by decapsulation as the correction value 2401. .

  In addition, during the fragment offset correction process in step S26 (FIG. 18), the fragment offset of the encapsulated protocol header based on the value of the correction value 2401 set in the entry of the corresponding decapsulated data base 804. By correcting this information, it is possible to cope with a case where the encapsulated protocol header length is variable.

  This allows for a more flexible network tunneling system configuration.

  According to the present invention, in a network configuration using tunneling in which a terminal directly terminates a tunnel, the function implementation for the application of the terminal is reduced, and tunneling can be easily realized. Further, by using the encapsulation according to the present invention, the decapsulation process can be simplified as compared with the conventional case.

The figure which shows the general network structure which uses a network tunneling apparatus. The figure which shows the network structure in connection with this invention. The figure which shows the fragment packet in a prior art example. The figure explaining the encapsulation operation of the network tunneling apparatus in a prior art example. The figure explaining the data reception operation | movement with the terminal in a prior art example. The figure which shows the fragmented original data for demonstrating the encapsulation operation | movement of a 1st Example. The figure which shows the IP header information of the data shown in FIG. The figure which shows the function structure of the network tunneling apparatus of a 1st Example. The figure explaining an encapsulation data base. The flowchart explaining the flow of the encapsulation process in an encapsulation process part. The figure which showed a mode that the head data shown in FIG. 6 was encapsulated and transferred. The figure which shows the IP header information of the data shown in FIG. The figure which shows a mode that data other than the head shown in FIG. The figure which shows the IP header information of the data shown in FIG. The figure which shows the fragmented encapsulation data for demonstrating the decapsulation operation | movement of a 1st Example. The figure which shows the encapsulation protocol header information of the data shown in FIG. The figure explaining a decapsulation database. The flowchart explaining the flow of the decapsulation process in a decapsulation process part. The figure which shows a mode that the head data shown in FIG. 15 is decapsulated and transferred. The figure which shows the IP header information of the data shown in FIG. The figure which shows a mode that data other than the head shown in FIG. 15 are decapsulated and transferred. The figure which shows the IP header information of the data shown in FIG. The figure which showed the structural example of the encapsulation data base in connection with a 2nd Example. The figure which showed the structural example of the decapsulation data base in connection with a 2nd Example.

Explanation of symbols

1, 2 Terminal 3, 4 Network tunneling device 5, 6 Network 7 Tunnel 11, 12 Fragment packet 13, 15 Header 14, 16 Data 21, 22, 1101-1103, 1301, 1501, 1502 Encapsulated data 23, 24 , 902, 1106, 1107, 1108, 1109, 1302, 1506, 1507, 1509, 1702 Encapsulation protocol header 601, 602 IP data 603, 604, 1104, 1105, 1503, 1508 Data 605, 1504, UDP header 606, 607, 1505, 1902, 2102 IP header 701 Table 702 Packets 703, 903, 1703 SrcIP
704, 904, 1704 DstIP
705 TL
706, 905, 906, 1705, 1706 ID
707 DF
708 MF
709 FO
801 Encapsulation processing unit 802 Encapsulated data base 803 Decapsulation processing unit 804 Decapsulated data base 805 IP data transmitting / receiving unit 901 Original IP header 1701 Encapsulated IP header 1901, 2101 Decapsulated data 2301, 2401 Correction value

Claims (5)

Used in data communication systems that transfer data over IP networks,
Encapsulation means for adding a new protocol header to the received transfer data and transferring it within the network;
In a network tunneling apparatus comprising: a decapsulation unit that removes a protocol header added by the encapsulation unit;
An encapsulated data base for storing a set of information on the source address, destination address, and identifier of the data to be encapsulated and the identifier information of the encapsulating protocol header is provided;
The encapsulation means includes
When processing the fragment data, if there is no entry in the encapsulated data base that matches the source address, destination address and identifier of the received packet, the identifier of the encapsulation protocol header is newly determined. After that, the information of the source address, the destination address, and the identifier of the data to be encapsulated and the identifier information of the newly determined encapsulation protocol header are registered in the encapsulated data base. Generates an encapsulation protocol header that includes the source address, destination address, and identifier of the encapsulation protocol header registered in the base, performs encapsulation processing, and sends the source address, destination address, and identifier of the received packet The encapsulated database entry that matches If it exists, the encapsulation protocol header including the source address, the destination address, and the identifier of the encapsulation protocol header included in the matching entry of the encapsulated data base is generated and encapsulated. Means for
In encapsulation processing for data other than the head data of the fragment before encapsulation, the source address included in the entry of the encapsulated data base that matches the source address, destination address, and identifier of the received packet And a means for generating an encapsulation protocol header including the destination address and an identifier of the encapsulation protocol header, and replacing the encapsulation protocol header with a protocol header of a received packet. -Tunneling device. Used in data communication systems that transfer data over IP networks,
Encapsulation means for adding a new protocol header to the received transfer data and transferring it within the network;
In a network tunneling apparatus comprising: a decapsulation unit that removes a protocol header added by the encapsulation unit;
There is a decapsulation data base that stores information on the identifier of the encapsulation protocol header of the data to be decapsulated and the source address, destination address, and identifier information of the protocol header extracted after decapsulation Provided,
The decapsulating means includes an identifier of an encapsulation protocol header and a source address, a destination address, and identifier information of data extracted after the decapsulation process when processing the head data of the fragment. When registering data in the base and processing data other than the beginning of the fragment, the existing entry of the decapsulated data base corresponding to the identifier of the encapsulated protocol header is used as the encapsulation protocol header of the received data. A network tunneling device comprising: means for performing replacement with a new protocol header including the source address, the destination address, and the identifier generated based on information based on.   A means for storing an increase / decrease value of the data amount by adding or removing an encapsulation protocol header in the encapsulated or decapsulated data base, and calculating a fragment offset value based on the increase / decrease value. 3. The network tunneling device according to 1 or 2. Used in data communication systems that transfer data over IP networks,
The received transfer data is encapsulated by adding a new protocol header and transferred to the network, and when the encapsulated transfer data is received, the added protocol header is removed to decapsulate. In the network tunneling method executed by the network tunneling device that extracts the transfer data before encapsulating
Storing the state of the fragment of the data to be encapsulated prior to encapsulation by means of the encapsulated database;
Reflecting the state of the fragment of the data to be encapsulated before the encapsulation in the information of the encapsulated protocol header after the encapsulation based on the stored contents. A network tunneling method comprising: Used in data communication systems that transfer data over IP networks,
The received transfer data is encapsulated by adding a new protocol header and transferred to the network, and when the encapsulated transfer data is received, the added protocol header is removed to decapsulate. In the network tunneling method executed by the network tunneling device that extracts the transfer data before encapsulating
5. When decapsulating the first data of a fragment in decapsulating encapsulated data in the network tunneling method according to claim 4, the protocol header information of data extracted after the decapsulation processing is fetched from the first data. Storing by a decapsulated database;
A step of generating new protocol header information after the decapsulation processing based on the stored contents and replacing it with the encapsulation protocol header of the data in the decapsulation processing for data other than the head of the fragment in the decapsulation A network tunneling method characterized by executing and.

Images