JP2008172816A - Address conversion method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem of linking of DNS-ALG and Twice NAT wherein they are not scalable, due to increase in a conversion table. <P>SOLUTION: A translator 1 includes a communication means with the DNS-ALG 2. The DNS-ALG 2 detects a DNS query to a receiver terminal 4b and once converts into IPv6. The DNS-ALG 2 converts a destination virtual IPv6 address that contains an IPv4 real address which is obtained from a DNS server 3b of the destination terminal 4b with a virtual IPv6 prefix appended into the destination virtual IPv4. The coordination of IPv6-based DNS-ALG and the translator 1 enables reduction of DNS-ALG 2 processing load and reduction of a large-capacity conversion table. Inter-connections among a plurality of VPNs are enabled without having to replace existing VPNs. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to a system for interconnecting networks according to the same protocol or networks according to different protocols.

For example, private networks are connected via the Internet, and one VPN (Virtual
Twice NAT (Network Address TRansl)
) technology (see http://www.ietf.org/rfc/rfc2663.txt pp12-13) and tunnel technology (http://www.ietf.org/rfc/rfc2663. txt pp22) is known. In either case, the header information of the IP packet is basically converted between IPv4 and IPv4.
For example, basic NAT converts private IPv4 addresses and public IPv4 addresses. A router that implements the so-called twice NAT technology, in which two NATs are connected in series, is called a twice NAT router. In conventional basic NAT and bidirectional NAT, either the source address or the destination address was rewritten.
In the technology, when a datagram passes between two areas connected by a twice NAT router, both the source address and the destination address are rewritten.
Twice NAT is often used when the address space in the private network and the public space conflict. If you mistakenly addressed one site and assigned another site's public address, you received an address from one provider, but for a while after switching to another provider, the address assigned by the previous provider If you continue to use and the provider has assigned the same address to another user, an address conflict will occur. In order to resolve address conflicts, Twice NAT works as follows. When Host-A in the private area starts communication with Host-X in the public area, Host-A sends a DNS address inquiry packet of Host-X. DNS-ALG (Domain Name Service-Application Level Gateway) captures this packet, converts the address for Host-X into a routable address (Host-XPRIME) in the private area, and returns it to Host-A. When DNS address resolution is complete, Host-A starts communication with Host-XPRIME. This packet is twice NAT
The source address is rewritten to the address that NAT has, and the destination address is rewritten to Host-X. The return packet from Host-X is also converted in the same way. For details on the above DNS-ALG operation, see http: //www.ietf.orf/rfc/r
Details are described in fc2693.txt.
The method using Twice NAT requires a large-capacity conversion table when communicating with many hosts via the Internet. When there are many applications that use a specific IP address, there is a problem that dynamic address translation by NAT triggered by a DNS address query cannot be performed as described above.
In order to solve the above problems, there is a method of interconnecting two regions using a tunnel technique instead of a NAT technique. In the method using tunnel technology, when the terminals in the two networks to be connected have the same address, communication between the terminals having the same address is not possible, and the two areas to be connected are the same. There is a restriction that you must have a subnet. However, since it is not necessary to have a large-capacity conversion table unlike when using Twice NAT, tunnel technology is used as a technology for interconnecting private VLANs (Virtual LANs) that share the same subnet space via the Internet. Often.
The above example is a technique used when the communication protocol of the network to which a certain terminal belongs and the network to which the communication partner terminal belongs are the same. If the communication protocol of the network to which a certain terminal belongs and the network to which the other party's terminal belongs differ, for example, a network using IPv4 as a protocol (hereinafter referred to as IPv4 network) and a network using Internet Protocol version 6 (hereinafter referred to as IPv6
NAT-PT (http://www.ietf.org/rfc/rfc2766.
txt pp6-18, and rfc2765.txt pp9-22), SOCKS64 (http: //search.ietf.
org / internet-drafts / draft-ietf-ngTRans-socks-gateway-05.txt) etc. are known.
In either case, the IP packet format is basically converted between IPv4 and IPv6.
For example, an IPv4 address and an IPv6 address are converted. An apparatus that performs this conversion is hereinafter referred to as a translator. The translator needs to create and maintain the correspondence between IPv4 address and IPv6 address before conversion for conversion. When this correspondence is dynamically created each time communication occurs, DNS (Domain Name System) name resolution is used as an opportunity (ASCII Publishing, Internet RF
(See C Encyclopedia, pp323-329).
DNS is a system that converts human-friendly names (strings) such as web URLs into IP addresses. Hereinafter, the operation of converting a name to an IP address is called name resolution. Today, almost every application on the Internet uses this DNS to obtain the IP address of the other party.
Using this fact, NAT and translators constantly monitor DNS messages exchanged at the start of communication, and use name resolution request messages as a trigger for creating translation information (IP address correspondences, etc.). Specifically, when name resolution is performed for a certain name of an IPv6 terminal, if the response IP address is IPv4, the IPv4 address is rewritten to an IPv6 address and sent back to the IPv6 terminal.
Then, associate the rewritten IPv4 address with the rewritten IPv6 address.
In other words, DNS-ALG intercepts and rewrites the name resolution response message, and creates conversion information based on the information before and after the rewriting. Since the dynamically created conversion information is temporary, it is discarded when communication is completed. Correspondence between IPv4 address and IPv4 address, or IPv4 address and IP held by DNS-ALG
The correspondence relationship of v6 addresses is discarded when communication ends, and a different one is used for each communication. That is, the content of rewriting the name resolution response message differs for each communication. Therefore, when viewed from the terminal that requested name resolution, different IP addresses are acquired for the same name.

In this way, the linkage between DNS-ALG and the translator connects the IPv6 network and IPv4 network in a situation where almost all applications on the Internet use this DNS to dynamically obtain the IP address of the communication partner. This is an essential technology. DNS-ALG and Twice NAT cooperation is a technology that solves the IPv4 private address conflict problem that occurs during the transition of public addresses.
http://www.ietf.org/rfc/rfc2663.txt pp12-13, pp22 http: //www.ietf.orf/rfc/rfc2693.txt http://www.ietf.org/rfc/rfc2766.txt pp6-18 http://www.ietf.org/rfc/ rfc2765.txt pp9-22 http://search.ietf.org/internet-drafts/draft-ietf-ngTRans-socks-gateway-05.txt ASCII Publishing, Internet RFC Encyclopedia, pp323-329

As described above, the VPN interconnection by the tunnel method has a problem that it cannot cope with the collision of IP addresses. DNS-ALG and Twice NAT cooperation is a technology that solves the IPv4 private address conflict problem that occurs during the transition of public addresses. However, the linkage between DNS-ALG and Twice NAT has the problem that the address translation table is large and is not scalable. In general, the interconnection between VPNs
In many cases, DNS-ALG and Twice NAT are installed at the edge of the network. However, when the number of VPNs to be interconnected is large, there is a problem that it is difficult to provide a service because the address conversion table becomes large.
An object of the present invention is to enable communication between both terminals even when the address space of both networks collides when the communication protocol of the network to which a certain terminal belongs and the network to which the communication partner terminal belongs are the same. There is. Another object of the present invention is a scalable and practical communication that enables communication between both terminals by basic translation when the communication protocol of a network to which a terminal belongs and a network to which a communication partner terminal belongs are different. Is to provide a simple address translation device.

The present invention is based on the linkage between IPv6 based DNS-ALG and Twice NAT-PT.
Necessary for dynamically creating necessary translation information for address translation by AT.
The processing load of DNS-ALG that generates a virtual address for the terminal on the called side can be reduced and the large-capacity conversion table can be reduced.

If the provider collectively manages the IPv6-based DNS-ALG and Twice NAT-PT according to the present invention and accommodates multiple VPNs in the translator, without replacing the existing VPN,
Interconnection between multiple VPNs is possible.

In addition to the conventional protocol conversion method represented by NAT-PT, at least the following two means are provided. (1) IPv4 address and IP address of multiple translators
DN that manages translation information required for address translation represented by the correspondence of v6 addresses
(2) Each translator has a protocol for communicating with the DNS-ALG device.

In order to dynamically create necessary translation information for address translation by Twice NAT-PT,
The S-ALG device sends a DNS inquiry from the calling terminal to the called terminal.
Inside the device, it is once converted to IPv6. The DNS-ALG device uses an IPv6 address obtained by adding a virtual IPv6 prefix to an IPv4 real address acquired by a query in the destination IPv4 DNS server as a virtual IPv6 address for the terminal on the destination side. Virtual
Convert the IPv6 address to a virtual IPv4 address and notify the originating terminal. By adopting this method, the number of conversions can be reduced by one and the conversion table size can be reduced as compared with the conventional twice NAT method.
Further, (3) each translator may be provided with means for performing protocol conversion using L2 information. By providing means for performing protocol conversion using L2 information typified by a MAC address in addition to an IP address, a plurality of VPNs can be multiplexed on one physical line.
An information network to which such an invention is applied includes a first network, a second network that can communicate with the first network, a third network that can communicate with the second network, and a first network. A first address translation device for connecting the second network; and a second address translation device for connecting the second network and the third network. The first address translation device is connected to the first network. The first virtual address obtained by adding a prefix indicating the first network to the address used in the second network is sent to the second network via the second network.
The second address translation device translates the first virtual address into a second virtual address that is not used in the third network, and sends the second virtual address to the third network. Correspondence information between the address and the second virtual address is stored. Also, the second virtual address sent from the third network is converted to the first virtual address based on the correspondence information, the prefix is deleted from the first virtual address, and the second virtual address is sent to the first network. In this case, the first network may follow the first protocol, and the second and third networks may follow the second protocol. The address to be converted may be a source address or a destination address.

A communication device used in such a network is a communication device that is arranged between the first network and the second network and mediates communication between the first network and the second network, Receives an original address used in the first network sent from the first network, forms a first virtual address with a prefix added to the original address, and sends the first virtual address to the second network. The first virtual address sent from the second network is received, the prefix is deleted from the first virtual address to form the original address, and the original address is sent to the first network.

The other communication device converts the first address sent from the second network into a second address that is not used in the first network, and sends the second address to the first network. The association of the second address is held as conversion information, the second address sent from the first network is converted to the first address based on the conversion information, and the first address is sent to the second network.

As is clear from the above embodiments, the present invention was necessary when dynamically creating translation information necessary for address translation by conventional twice NAT by cooperation of IPv6-based DNS-ALG and a translator. This makes it possible to reduce the processing load of DNS-ALG that generates a virtual address for the called terminal and to reduce the large-capacity conversion table.

If the provider and the DNS-ALG according to the present invention are collectively managed by a provider and a plurality of VPNs are accommodated in the translator, interconnection between VPNs becomes possible without replacing existing VPNs.

  A first embodiment of the present invention will be described with reference to the drawings.

FIG. 1 shows a configuration example of a network that provides an inter-VPN connection service according to the present invention. A network that provides an inter-VPN connection service includes a VPN 5 and an IP network 6. The VPN 5 includes a DNS server 3. VPN5a is, for example, a corporate base (1001
, 1002) are virtually connected to each other. In this embodiment, VPN5 uses an IPv4 private address. Although IP addresses do not overlap within one VPN, IP addresses may overlap between different VPNs. The IP network 6 includes a DNS server 8. In this embodiment, the IP network 6 uses an IPv6 address.

VPN 5 and IP network 6 are connected by translator 1 (TR). The translator 1 includes an IPv6 address / IPv4 address conversion function and means for communicating with the DNS-ALG 2. DNS-ALG2 includes means for managing translation information necessary for address translation represented by the correspondence between IPv4 addresses and IPv6 addresses possessed by a plurality of translators, and rewriting the contents of DNS inquiry and reply packets. In the first embodiment, DNS-ALG 2 exists for each VPN 5.

FIG. 2 shows a configuration example of the translator 1. Translator 1 has a line (17a
, 17b, 17c, 17n) Interface part (IF) (16a, 16b, 16c, 16n)
The memory 14 and the CPU 15 are connected by a switch or bus 18. The memory 14 stores information 11 necessary for address conversion, a program 13 for converting a data packet, and a program 12 for processing a conversion entry registration request from the DNS-ALG 2. The conversion information storage unit 11 includes a virtual prefix management table 300 shown in FIG. 9 and a conversion information table 500 shown in FIG.

FIG. 9 shows a table configuration of the virtual prefix management table 300. This table includes a plurality of entries (30 for each line number of the translator 1).
0-1 to 300-n). Each entry defines a virtual prefix 302 and a pointer 303 to the conversion information table 500 corresponding to the line number 301.

FIG. 11 shows a table configuration of the conversion information table 500. This table has
The correspondence between the IPv4 address 501 and the IPv6 address 502 is stored. This table is generated for each VPN (510, 520, 530) and stored in the conversion information storage unit 11 of the translator 1 that accommodates the VPN. For example, in FIG. 1, the VPN # 1 conversion information table 510 is stored in the translator 1a, and the VPN # 3 conversion information table 530 is stored in the translator 1b.

Returning to FIG. 2, the description of the translator 1 will be continued. The conversion entry registration process 12
The conversion information registration request is processed, and the correspondence information of the IP address is stored in the conversion information table 500 of the conversion information storage unit 11. When receiving the IPv4 packet, the data packet conversion / processing unit 13 searches the conversion information storage unit 11 and rewrites the IPv6 address with the IPv4 address. Further, when receiving the IPv6 packet, the data packet conversion / processing unit 13 searches the conversion information storage unit 11 and rewrites the IPv4 address to the IPv6 address. At this time, various information other than the IP address can be rewritten. FIG. 4 shows the IPv4 packet format. FIG. 5 shows the format of the IPv6 packet. When converting, not only the IP address but also this format is converted.

FIG. 3 shows a configuration example of DNS-ALG2. The DNS-ALG 2 is configured such that an interface unit (IF) (23a, 23b) that accommodates lines (24a, 24b), a memory 22, and a CPU 21 are connected by a bus 25.

According to the sequence shown in FIGS. 14 and 15, the terminal 4a of the VPN 5a in FIG.
A case will be described in which the terminal communicates with the terminal 4c of the VPN 5c. At the start of communication, the terminal 4a makes a DNS inquiry to the DNS server 3a to obtain the address of the name (hostC) of the terminal 4c (101). The packet format of the DNS inquiry is shown in FIG.
As shown in FIG. 6, the name hostC is written in QNAME (421), and the resource record type “A” is written in QTYPE (422).
Returning to FIG. 14, the description will be continued. Since the DNS server 3a does not know the IP address corresponding to this name hostC, it makes a DNS inquiry to the next DNS server (DNS-ALG 2a) (102).

If the DNS-ALG 2a does not know the IP address for the name hostC, FIG.
The processing routine 60 shown in FIG. DNS when QTYPE of DNS inquiry is “A”
-ALG2a converts QTYPE to "AAAA" (62, 103). The DNS-ALG 2a transmits the converted DNS inquiry to the next DNS server 8 (63, 104) and waits for a DNS response (64). The DNS server 8 transmits a DNS inquiry to the next DNS server (DNS-ALG 2b) (105). When the DNS-ALG 2b does not know the IP address for the name hostC, the DNS-ALG 2b activates the processing routine 60 shown in FIGS. When the QTYPE of the DNS inquiry is “AAAA”, the QTYPE is converted to “A” (81, 106). The DNS-ALG 2b transmits the converted DNS inquiry to the next DNS server 3c (82, 107) and waits for a DNS response (83). The DNS server 3c responds with the IPv4 address “c” for the name hostC (84, 108).

FIG. 7 shows a format of a DNS response packet from the DNS server 3c. 4 in FIG.
The detailed format of 3, 44, 45 is shown in FIG. NAME (51) with name hostC, R
The IP address “c” is described in DATA (54).
Referring to FIG. 14, DNS-ALG 2b assigns IPv4 address “c” to I for subsequent translation.
Rewrite to Pv6 address “γ + c”. This IPv6 address is composed of a virtual IPv6 prefix (γ) + IPv4 address (c) assigned to VPN 5c (109). Hereinafter, this address is referred to as “destination virtual IPv6 address”. DNS-
The ALG 2b converts the DNS response TYPE (52) from “A” to “AAAA” and RDATA (54
) Is sent to the DNS server 8 (85, 110).
The DNS server 8 sends the destination virtual IPv6 address “γ” for the name hostC to the DNS-ALG 2a.
+ C "is returned (65, 111).
The DNS-ALG 2a converts this IPv6 address “γ + c” into an IPv4 address c ′ for subsequent conversion (112). This IPv4 address is a virtual address for the name hostC, and is selected from a set of IP addresses not used in VPN 5a. Hereinafter, this address is referred to as “destination virtual IPv4 address”. DNS-ALG2a is a DNS response TY
PE (52) is converted from “AAAA” to “A”, and a DNS response in which the destination virtual IPv4 address “c ′” is set in RDATA (54) is transmitted to the terminal 4a via the DNS server 3a (6)
6, 115, 116). At this time, a correspondence conversion rule for γ + c and c ′ is created,
It transmits to the translator 1a (67, 113).
The translator 1a stores the conversion rule in the VPN # 1 conversion information table 510 in the conversion information storage unit 11, and transmits a response to the DNS-ALG 2a (114).

The terminal 4a that has received the DNS response starts transmitting an IP packet toward the terminal 4c.
The destination address of these packets is c ', the source address is the IPv4 address of the terminal
a (131).

When this packet arrives, the translator 1a sends it to the data packet conversion / processing unit 13. Here, the conversion information storage unit 11 is searched with the number of the line that received the data and the destination address c ′. Then, since the entry prepared in step 113 is found in the conversion information table 510, the destination address “c ′” is changed to “γ + C”.
Convert to The source address is a virtual address corresponding to the line number that received the data.
It is rewritten to “source virtual IPv6 address” “α + a” with the IPv6 prefix α added (132). The translator 1a transmits a packet in which “γ + c” is set as the destination address and “α + a” is set as the source address (133).
The translator 1b sends this packet to the data packet conversion / processing unit 13.
Here, the virtual IPv6 prefix γ is deleted from the destination address. In order to uniquely identify the source address “α + a” within the VPN 5c, the IPv4 address “a1 ′”
This IPv4 address is a virtual address for the source address “α + a”, and is selected from a set of IP addresses that are not used inside the VPN 5c.
Hereinafter, this address is referred to as “source virtual IPv4 address”.

The translator 1b creates an association conversion rule of “α + a” and “a1 ′” and stores it in the VPN # 3 conversion information table 530 of the conversion information storage unit 11 (134).
.
The terminal 4c receives a packet in which “c” is set as the destination address and “a1 ′” is set as the source address (135). The terminal 4c sends the destination address “to the terminal 4a”.
An IP packet in which a1 ′ ”and the source address“ c ”are set is transmitted (136).
When this packet arrives, the translator 1 b sends it to the data packet conversion / processing unit 13. Here, the conversion information storage unit 11 is searched with the number of the line that received the data and the destination address “a1 ′”. Then, since the entry prepared in step 134 is found in the conversion information table 530, the destination address is “a1 ′”.
Is converted to “α + a”. The transmission source address is a transmission source virtual IPv6 address “γ + c” with a virtual IPv6 prefix γ corresponding to the line number that received the data.
(137). The translator 1b sets “α + a” as the destination address.
Then, a packet in which “γ + c” is set as the transmission source address is transmitted (138).

When this packet arrives, the translator 1a sends it to the data packet conversion / processing unit 13. Here, the virtual IPv6 prefix α is deleted from the destination address. The conversion information storage unit 11 is searched with the virtual IPv6 prefix “α” of the destination address and the source address “γ + c”. Then, since the entry prepared earlier is found in the conversion information table 510, the transmission source address is changed from “γ + c” to “c ′”.
(139).

The terminal 4a receives a packet in which “a” is set as the destination address and “c ′” is set as the source address (140).

According to the embodiment of the present invention, the translator 1 and the DNS-ALG 2 cooperate to generate an IP network 6.
By using the virtual IPv6 prefix, mutual communication between VPNs with private IPv4 addresses becomes possible.

  A second embodiment of the present invention will be described with reference to the drawings.

FIG. 16 shows the network configuration of the second embodiment of the present invention. Compared to FIG. 1, FIG.
The network configuration of “The communication between DNS server 3 of VPN5 and DNS-ALG2 goes through translator 1”, “In the mutual communication of VPN, the DNS server that DNS-ALG2 inquires next asks another DNS server in DNS-ALG2 above. An IPv6 address is set. "

In this embodiment, DNS-ALG2 is IP compatible with VPN connected to translator 1.
It is a multihomed node with a v6 address. DNS-ALG2a in this example
If the DNS server to be inquired does not exist in the VPN that sent the DNS inquiry, the other IP of DNS-ALG2a is used as the address information of the DNS server to inquire next.
v6 address is stored. If the DNS server to be inquired next exists in the VPN that sent the DNS inquiry, the virtual IPv6 address of the DNS server in the VPN is stored as the address information of the DNS server to be inquired next. This virtual IPv6 address is composed of “virtual prefix + IPv4 address assigned to DNS server in each VPN”.

The translator 1 in this embodiment includes DNS-ALG address conversion information for each VPN,
A function for monitoring a packet including a DNS message and an address conversion function for a packet including a DNS message are further provided. DNS-ALG address conversion information for each VPN is
DNS-ALG to identify DNS-ALG inside VPN and DNS-ALG IPv6 address for VPN
Manage the correspondence with the virtual IPv4 address assigned to.

A case where the terminal 4a existing in the VPN 5a of FIG. 16 communicates with the terminal 4b existing in the VPN 5b will be described according to the sequence shown in FIGS. VPN5a and
The VPN 5b is connected to the translator 1a. The translator 1a performs address conversion of packets transmitted and received between the VPN 5a and the translator 1a, and address translation of packets transmitted and received between the VPN 5b and the translator 1a.
17 and 18, the address conversion function between the VPN 5a and the translator 1a is described as TR-O, and the address conversion function between the VPN 5b and the translator 1a is described as TR-T.

The main difference between FIG. 14 and FIG. 17 is that “the translator 1a translates the address of the packet containing the DNS message” and “the IPv6 address of the DNS-ALG 2a is VPN
It is different for every ".

Hereinafter, FIGS. 17 and 18 will be described in detail. Terminal 4a is the name of terminal 4b
In order to resolve (host B), a DNS inquiry is made to the DNS server 3a (
151). Since the DNS server 3a (IPv4 address “da4”) does not know the IP address corresponding to this name hostB, it makes a DNS inquiry to the next DNS server (DNS-ALG 2a, virtual IPv4 address “pa4”) (152) ).

The TR-O of the translator 1a detects a packet including a DNS message and converts the packet (153). The destination address is included in the translator 1a.
DNS-ALG address translation information, DNS-ALG2a VPN6a IPv6 address “α
6 ”. For the source address, refer to the virtual prefix management table 300 and add the virtual IPv6 prefix“ α ”for the VPN 5a. The TR-O of the translator 1a transmits the DNS inquiry packet obtained by converting the address to the DNS query packet. -Send to ALG2a (154).

When the DNS-ALG 2a does not know the IP address for the name hostB, the DNS inquiry is converted by the processing routine 60 (155), and the DNS inquiry is transferred (156). The DNS query forwarding destination is another IPv4 assigned to DNS-ALG2a.
Six addresses (IPv6 address “β6” for VPN 5b) are set.

DNS-ALG2a that received the DNS inquiry addressed to IPv6 address “β6” for VPN5b
If the IP address for the name hostB is not known, the converted DNS query is sent to the next DNS server 3b (virtual IPv6 address “β + db4” by the processing routine 60.
”) (157, 158).

The TR-T of the translator 1a detects a packet including a DNS message and converts the packet (159). The virtual prefix β is deleted from the destination address. The source address is converted into the virtual IPv4 address “pb4” for the IPv6 address “β6” of the DNS-ALG2a for VPN5b using the DNS-ALG address conversion information provided in the translator 1a. The TR-T of the translator 1a transmits the packet whose address is converted to the DNS server 3b (160).

The DNS server 3b responds with an IPv4 address “b” for the name hostB (161).
). TR-T of translator 1a detects a packet containing a DNS message,
The packet is converted (162). A virtual prefix β corresponding to VPN 5b is added to the source address. The destination address is the DN that the translator 1a has
Using “S-ALG address conversion information”, “pb4” is converted to “β6”. The TR-T of the translator 1a transmits the packet whose address is converted to the DNS-ALG 2a (16
3).

The DNS-ALG 2a adds the virtual prefix β to the IPv4 address “b” for the name hostB and rewrites it to “β + b” (164).

DNS-ALG2a sends RDATA to the IPv6 address “α6” for VPN5a of DNS-ALG2a.
A DNS response in which “β + b” is set is transmitted (165).

The DNS-ALG 2a that has received the DNS response uses the IPv6 address “β + b” for subsequent translation.
"Is converted to a destination virtual IPv4 address" b '"(166). This IPv4 address is a virtual address for the name hostB and is selected from a set of IP addresses not used in the VPN 5a.

The DNS-ALG 2a transmits the destination virtual IPv4 address “b ′” for the name hostB to the terminal 4a via the DNS server 3a (169, 171, 172). When the translator 1a detects the DNS response 169, the translator 1a converts the packet (170). The virtual prefix α is deleted from the destination address. The source address is converted from “α6” to “pa4” using the DNS-ALG address conversion information provided in the translator 1a. TR-O of translator 1a sends the packet whose address is converted to DNS
It is transmitted to 3a (171).

The DNS-ALG 2a creates a correspondence conversion rule for “β + b” and “b ′” and sends it to the translator 1a (167). The translator 1a stores the conversion rule in the VPN # 1 conversion information table 510 of the conversion information storage unit 11, and transmits a response to the DNS-ALG 2a (168).

The main difference between FIG. 15 and FIG. 18 is that “Translator 1 translates the destination address and the source address (182), routes the packet within the translator (184), and again receives the destination address and the source address. (185)
That ’s it.

The terminal 4a starts transmitting an IP packet toward the terminal 4b. The destination address of these packets is b ', and the source address is the IPv4 address a of the terminal (181)
).

When this packet arrives, the translator 1a sends it to the data packet conversion / processing unit 13. Here, the conversion information storage unit 11 is searched with the number of the line that received the data and the destination address b ′. Then, since the entry prepared in step 167 is found in the conversion information table 510, the destination address “b ′” is changed to “β +”.
The virtual IPv6 prefix α corresponding to the line number that received the data is added to the source address (182).

The translator 1a has “β + b” as the destination address and “α +” as the source address.
The packet set with a ″ is transmitted (183). This packet is routed in the translator 1a (184).

The translator 1 a sends this packet to the data packet conversion / processing unit 13. Here, the virtual IPv6 prefix β is deleted from the destination address. The translator 1a converts the source address “α + a” into the IPv4 address “a ′”. This IPv4 address is a virtual address for the IPv6 address “α + a” and is selected from a set of IP addresses not used in the VPN 5b.

The translator 1a creates a correspondence conversion rule between “α + a” and “a ′”
The data is stored in the VPN # 2 conversion information table 520 of the conversion information storage unit 11 (185).

The terminal 4b receives the packet in which “b” is set as the destination address and “a ′” is set as the source address (186).

The terminal 4b sends a destination address “a ′” and a source address “b” to the terminal 4a.
A packet set with "" is transmitted (187).

When this packet arrives, the translator 1a sends it to the data packet conversion / processing unit 13. Here, the conversion information storage unit 11 is searched with the number of the line that received the data and the destination address “a ′”. Then, since the entry prepared in step 185 is found in the conversion information table 520, the destination address “a ′” is changed to “α +”.
A virtual IPv6 prefix “β” corresponding to the line number that received the data is added to the source address (188).

Translator 1a has “α + a” as the destination address and “β +” as the source address.
The packet set with b ″ is routed in the translator 1a (189,
190).

The translator 1 a sends this packet to the data packet conversion / processing unit 13. The virtual IPv6 prefix α is deleted from the destination address “α + a”. Here, when the conversion information storage unit 11 is searched with the destination virtual IPv6 prefix α and the source address “β + b”, the previously prepared entry is converted into the conversion information table 51.
Since it is found at 0, the source address is converted from “β + b” to “b ′” (19
1).

The terminal 4a receives a packet in which “a” is set as the destination address and “b ′” is set as the source address (192).

According to the embodiment of the present invention, cooperation between a translator and DNS-ALG, and virtual IPv6
By using prefixes, translators connected to multiple VPNs can uniquely identify terminals with private IPv4 addresses, even if the addresses overlap. Therefore, mutual communication is possible between VPNs having private IPv4 addresses.

In addition, DNS-ALG for each VPN is reduced to one physical device, so that DNS-A between VPNs
LG devices can be shared.

  A third embodiment of the present invention will be described with reference to the drawings.

FIG. 19 shows the network configuration of the third embodiment of the present invention. Compared with FIG. 16, this example shows that “a plurality of VPNs share DNS-ALG” and “a plurality of translators
“Share DNS-ALG”. The DNS-ALG 2a in the present embodiment has a function of separately setting a name resolution transfer destination for each domain. Specifically, as address information of the DNS server to be inquired next, the correspondence relationship between the domain name of each VPN and the virtual IPv6 address of the DNS server existing in the VPN is managed. This virtual IPv6 address is "Virtual prefix + IP assigned to the DNS server in each VPN.
v4 address ”.

The DNS-ALG 2a has a function of performing name resolution with “A” and “AAAA” regardless of the value of the QTYPE of the name hostB instead of the processing routine 60. In addition to the function of the translator 1 in the first embodiment, the translator 1 in the present embodiment has a DNS-AL
G address translation information, a function to monitor packets containing DNS messages, and DNS
The address translation function of the packet including the message is provided.

The DNS-ALG address translation information manages the correspondence between the DNS-ALG IPv6 address and the virtual IPv4 address assigned to the DNS-ALG in order to identify the DNS-ALG inside the VPN.

Hereinafter, a case where the terminal 4a existing in the VPN 5a resolves the name of the terminal 4b existing in the VPN 5b will be described.

In this embodiment, the translator 1a uses the DNS-ALG2a IPv6 address “alg6”.
And the virtual IPv6 correspondence assigned to the DNS-ALG 2a in order to identify the DNS-ALG inside the VPN for each VPN.

The terminal 4a makes a DNS inquiry to obtain the address of the name (host B) of the terminal 4b. Since the DNS server 3a cannot resolve the name hostB, the next DNS server (D
Send DNS query to NS-ALG2a). A virtual IPv4 address “pa4” assigned by the VPN 5a to the DNS-ALG 2a is set as the destination address of the packet header of the DNS inquiry, and an IPv4 address “da4” of the DNS 3a is set as the source address.

When the translator 1a detects this DNS inquiry, the destination address is changed from “pa4” to the DNS-ALG2a IPv6 address “alg6” by referring to the DNS-ALG address conversion information.
Add the IPv6 prefix α for VPN5a to the source address and replace it with “α + da4”.

The DNS-ALG 2a that has received the DNS inquiry makes an inquiry to the next DNS server when it does not know the IP address for the name hostB. Here, to resolve the name hostB, the virtual IPv6 address “β + db4” is used as the DNS server to be inquired next.
Is set. “Β + db4” is the virtual IPv6 address of the DNS server 3b of the VPN 5b.

The DNS-ALG 2a transmits a DNS inquiry to the DNS server 3b and waits for a response. This D
DNS-ALG2a IPv6 address “alg6” is set as the source address of NS inquiry, and “β + db4” is set as the destination address.

Translator 1a detects the above DNS inquiry packet and DNS-by-VPN
The source address is converted to the DNS-ALG2a IPv6 address “al” using the ALG address conversion information.
g6 ”is converted to a virtual IPv4 address“ pb4 ”that identifies DNS-ALG2a in VPN5b. Prefix β is deleted from the destination address, and“ β + db4 ”is rewritten to“ db4 ”.

The DNS server 3b responds to the DNS-ALG 2a with the IPv4 address “b” for the name hostB.

The DNS-ALG 2a rewrites the IPv4 address “b” to the destination virtual IPv6 address “β + b” for subsequent conversion, and then changes “β + b” to the destination virtual IPv4 address “
The IPv4 address “b ′” is a virtual address for the name hostB, and is selected from a set of IP addresses not used in the VPN 5a.

The DNS-ALG 2a transmits the destination virtual IPv4 address “b ′” for the name hostB to the terminal 4a via the DNS server 3a.

  The subsequent processing flow is the same as in the second embodiment.

According to the embodiment of the present invention, even when the DNS-ALG is not a multihomed node, the DNS-ALG can be shared between VPNs, and the processing in the DNS-ALG can be further reduced.

  A fourth embodiment of the present invention will be described with reference to the drawings.

FIG. 20 shows the network configuration of the fourth embodiment of the present invention. Compared to FIG. 16, FIG.
The network configuration of 0 is “Translator line with L2SW7 for each VPN5 (17a, 17b)
Is multiplexed ”. The L2SW 7 in this embodiment is the VPN shown in FIG.
A management table 320 is provided.

FIG. 21 shows a table configuration of the VPN management table 320. This table is MAC
It consists of a plurality of entries (320-1 to 320-n) generated for each layer 2 (L2) information represented by an address and IEEE 802.1Q TAG ID. Each entry defines a VPN identifier 322 and a line number 323 for the translator for the L2 information 321.

In this embodiment, the L2SW 7 that has received a packet from the VPN 5a reads the VPN management table 320 from the L2 information (for example, the source MAC address, IEEE 802.1Q, etc.) of the received packet.
TAG ID). The L2SW 7 transmits a packet from the line 17a corresponding to the VPN 5a to the translator 1a.

According to the embodiment of the present invention, the VPN accommodated by the translator corresponding to the line is set to L2S.
Can be multiplexed with W.

  A fifth embodiment of the present invention will be described with reference to the drawings.

FIG. 22 shows the network configuration of the fifth embodiment of the present invention. Compared to FIG. 16, FIG.
The network configuration of 2 is that “a plurality of VPNs (5a, 5b) are accommodated in the line 17a of the translator 1a” and “the virtual 1a shown in FIG. 10 instead of the virtual prefix management table 300 shown in FIG. A prefix management table 310 is provided, and the VPN is identified from the L2 information ”.

FIG. 10 shows a table configuration of the virtual prefix management table 310. This table includes a plurality of entries (310-1 to 310-n) generated for each layer 2 (L2) information typified by a MAC address and IEEE 802.1Q TAG ID. Each entry includes a VPN identifier 312 and a virtual prefix 313 corresponding to the L2 information 311.
Define

In this embodiment, the translator 1a that receives the packet from the VPN 5a
The virtual prefix management table 310 is searched with the L2 information (for example, the source MAC address or IEEE 802.1Q TAG ID) of the received packet. Then, the virtual prefix α corresponding to the L2 information is found in the virtual prefix management table 310. The translator 1a identifies the VPN by the virtual prefix.

According to the embodiment of the present invention, a plurality of VPNs can be accommodated in one line of a translator.

1 is a block diagram showing an interconnection configuration of VPN via an IP network according to a first embodiment of the present invention. 1 is a block diagram of an example of a translator 1. FIG. The block diagram of an example of DNS-ALG2. IPv4 packet format diagram. IPv6 packet format diagram. DNS query format diagram. DNS response format diagram. Detailed format diagram of DNS response. The table figure of the virtual prefix management table with which the translator 1 is provided. The table figure of the virtual prefix management table with which the translator 1 is provided in the 5th Example of this invention. The table figure of the conversion information table with which the translator 1 is provided. The flowchart of the DNS message conversion process routine with which DNS-ALG2 is provided. The flowchart of the DNS message conversion process routine with which DNS-ALG2 is provided. The sequence diagram of the name resolution in the 1st Example of this invention. FIG. 3 is a sequence diagram when VPNs communicate with each other in the first embodiment of the present invention. The block diagram which shows the network structure in case a some VPN is connected to the translator which is the 2nd Example of this invention. The sequence diagram of the name resolution in the 2nd Example of this invention. The sequence diagram in case the VPN in 2nd Example of this invention communicates. The block diagram which shows the network structure in case the some VPN which is the 3rd Example of this invention uses one DNS-ALG apparatus. The block diagram which shows the network structure in case L2SW7 which is the 4th Example of this invention multiplexes VPN. The table figure of the VPN management table with which L2SW7 is provided in the 4th Example of this invention. The block diagram which shows the network structure in case the translator 1 which is a 5th Example of this invention utilizes L2 information and identifies VPN.

Explanation of symbols

1 Translator, 2 DNS-ALG, 3 DNS server with VPN5, 4 VPN terminal, 5 VPN
, 6 IP network, 7 L2SW, 8 DNS server in IP network 6, 31 Source IPv4 address, 32 Destination IPv4 address, 33 IPv4 payload, 34 Source IPv6 address, 35 Destination IPv
6 addresses, 36 IPv6 payload, 41 DNS message header part, 42 DNS inquiry part, 43 DNS response part, 60 DNS conversion processing routine.

Claims (5)

Connecting the first network, the second network that can communicate with the first network, the third network that can communicate with the second network, and the first network and the second network A first address translation device, and a second address translation device for connecting the second network and the third network,
The first address translation device adds a first virtual address obtained by adding a prefix indicating the first network to an address used in the first network via the second network. Sent to the address translator
The second address translation device translates the first virtual address into a second virtual address that is not used in the third network, and sends the second virtual address to the third network,
An information network for storing a correspondence status between the first virtual address and the second virtual address.   The second virtual address sent from the third network is converted to the first virtual address based on the correspondence information, the prefix is deleted from the first virtual address, and the first network The information network according to claim 1, wherein the information network is sent to:   2. The information network according to claim 1, wherein the first network follows a first protocol, and the second network and the third network follow a second protocol. A communication device that is arranged between a first network and a second network and mediates communication between the first network and the second network;
Receiving an original address used in the first network sent from the first network, generating a first virtual address with a prefix added to the original address, and sending the first virtual address to the second network Send,
Receiving the first virtual address sent from the second network, generating the original address by removing the prefix from the first virtual address, sending the original address to the first network,
The first address sent from the second network is converted to a second address not used in the first network and sent to the first network,
Holding the relationship between the first address and the second address as conversion information based on information supplied from DNS-ALG,
The second address sent from the first network is converted to the first address based on the conversion information,
A communication apparatus that sends the first address to the second network.   The communication apparatus according to claim 4, wherein the DNS-ALG manages information necessary for conversion between the first protocol and the second protocol.

Images