JP2009038731A - Function adding apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a function adding apparatus that relays a network terminal and network equipment and adds a new function to the network equipment. <P>SOLUTION: The function adding apparatus 100 includes: first and second network interfaces 206 and 208; a packet relay processing section that uses the network interfaces 206 and 208 to relay a packet between terminals on both networks without changing address information of transmission source and transmission destination terminals of the packet; an HTTP/HTTPS decode processing section 252 and an HTTPS/HTTP encode processing section 258 for converting an HTTPS packet which is addressed to equipment on a first network, among packets relayed by the packet relay processing section, into an HTTP packet and converting an HTTP packet from the equipment on the first network into an HTTPS packet to a transmission source of the HTTPS packet. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a function addition device in the field of networks, and more particularly to a function addition device that operates as if a new function is added to the network device by being connected to the network device.

  With the recent development of computer networks (hereinafter referred to as “networks”), various network devices are rapidly spreading. Generally, current network devices perform communication using a transport layer protocol such as TCP / IP (Transmission Control Protocol / Internet Protocol) or UDP / IP (User Datagram Protocol / Internet Protocol). These protocols are simply composed of address information representing an own node on the network called an IP address and a port number associated with an application in the node.

  In today's networks, with the increasing demand for social infrastructure, many application protocols are being used and are becoming larger and more complex.

  As described above, the recent network environment is becoming larger and more complicated, and not only in network terminals such as workstations and PCs (Personal Computers) but also in built-in network devices, there are a wide variety. There is a need to support the protocol.

  Normally, network terminals such as workstations and PCs can flexibly cope with the emergence of a wide variety of protocols as hardware and software become more sophisticated. However, it is considered that it will be more difficult in the future to deal with a wide variety of protocols, especially in the built-in network devices, because of limited hardware and software resources.

  As typical examples, there are HTTP (HyperText Transport Protocol) communication and HTTPS (HTTP Security) communication. HTTP is a protocol for transmitting and receiving normal WWW (World Wide Web) information, and is normally installed in relatively old network devices. In network devices that do not have a user interface, it is common to access a setting screen from a PC and input setting parameters using a simple WWW server function. On the other hand, HTTPS is a protocol in which a security function is added to HTTP.

  In general, current WWW servers support both HTTP and HTTPS protocols. However, network devices that are embedded devices do not have a high degree of freedom in software and hardware compared to workstations and PCs, and inevitably have no security function even when secure communication is desired. Currently, HTTP communication is used. Therefore, risks such as information leakage triggered by such a network device with a low security level are increasing day by day.

  Another typical example is SLP (Service Location Protocol) communication. SLP communication is a protocol that allows service information on a network to be detected and configured. Moreover, since it corresponds to IPv4 and IPv6, it is a specification that is considered to be frequently used in the future.

  However, many of the built-in network devices that are popular today do not support SLP. Such a device cannot respond to SLP communications, and therefore cannot obtain service information from such network devices using SLP communications.

  On the other hand, there is SNMP (Simple Network Management Protocol) as a protocol for obtaining network information. SNMP is used to monitor and control network devices on the network, and can provide various information about each network device. Many of the built-in network devices are compatible with SNMP. However, in SNMP, network information may be acquired by a broadcast address, and in this case, it cannot be applied to a network using IPv6.

Furthermore, network security is expected to become a problem in the future. Many old network devices do not have a security function, and it is dangerous to continue using such devices as they are.
JP 2006-139429 (paragraphs 0036, 0046, 0047)

  Therefore, it is expected that there will be a desire to operate the network device as if it was provided with a new function without any modification. In that case, it seems necessary to reduce the burden on the user as much as possible.

  For example, there is an apparatus described in Patent Document 1 as an apparatus that performs protocol conversion. The apparatus described in Patent Document 1 uses a server / client model that employs HTTP as a communication protocol. For a legacy device that does not have a specific function, the function is specified and the fact is displayed, or the legacy apparatus cannot be used from the outside.

  However, since the system described in Patent Document 1 employs a server / client model, it is a large-scale system as a whole. In addition, it is necessary to prepare a DHCP (Dynamic Host Configuration Protocol) server or a similar function in the system and set an IP address for each component. Such setting work is troublesome for the user. Also, as usual in the server / client model, it is a difficult task to set up this system consistently for users who are not very familiar with the network. Further, this system does not disclose adding a function to a legacy device having no specific function. In particular, there is no disclosure about adding the security function without changing the legacy device.

  In this way, it is expected that the need to add new functions to these network devices with simple operations while utilizing the hardware assets of the existing network devices will increase. To date, however, there is no clear recognition of such problems and no solutions to such problems have been suggested in the prior art.

  Therefore, an object of the present invention is to provide a function adding device that can add a function to a network device having no function with a simple operation.

  Another object of the present invention is to improve a network device such as a workstation or a PC even if communication using the function is performed from a network device having a function not supporting a certain protocol. An object of the present invention is to provide a function addition device for a network device that enables communication without any problem.

  Another object of the present invention is to provide a function adding device capable of adding a certain security function to a network device that does not have a sufficient security function by a simple operation.

  Another object of the present invention is to provide a function adding device having a packet filtering function capable of transmitting only packets adapted to a built-in network device to the network device.

  Still another object of the present invention is to provide a function adding device having a function that makes it difficult to check a port number used in a network device from the outside.

  The function addition apparatus according to the first aspect of the present invention is provided between a first packet transmitting / receiving unit for transmitting / receiving a packet to / from a terminal on the first network and a terminal on the second network. Using a second packet transmitting / receiving unit for transmitting / receiving a packet, a first packet transmitting / receiving unit and a second packet transmitting / receiving unit, between a terminal on the first network and a terminal on the second network And packet relay means for relaying the packet without changing the address information of the source terminal and the address information of the destination terminal of each packet. The function adding device further includes a first packet processing means for performing a predetermined process on a packet satisfying a specific condition among the packets received by the packet relay means, whereby A function by a predetermined process is added to the terminal.

  The packet relay means relays a packet between a terminal on the first network and a terminal on the second network. Of the packets received by the packet relay means, a packet that satisfies a specific condition is subjected to predetermined processing by the first packet processing means. That is, the first packet processing means adds a function based on a predetermined process to a terminal on the first network. Therefore, even if a terminal on the first network does not have a specific function realized by a predetermined process, this function adding device is connected to the second network without any modification to the terminal. Communication by the function can be additionally performed only by interposing between them. At this time, an address for the function adding device is not necessary.

  Preferably, the first packet processing means includes an address storage means for extracting and storing address information of the transmission source terminal from a packet received by the first packet transmission / reception means from a terminal on the first network, and a packet relay. Of the packets relayed from the second network to the first network by the means for performing a predetermined process on a packet having the address information stored in the address storage means as the address information of the destination terminal. 2 packet processing means.

  When a packet is transmitted from a terminal on the first network to a terminal on the second network, the address storage means extracts and stores the address information of the transmission source terminal in the packet. For a packet transmitted from a terminal on the second network, the packet is transmitted on the first network by comparing the address information of the transmission destination of the packet with the address information stored in the address storage means. It can be determined whether or not the terminal is the destination. Based on such determination, the second packet processing means performs a predetermined process when a packet is transmitted to a terminal on the first network as a transmission destination. Therefore, the function addition device can perform a predetermined process instead of the packet having the terminal as the transmission destination without any modification to the terminal on the first network.

  More preferably, the second packet processing means transmits the address information stored in the address storage means among the packets from the terminals on the second network received by the packet relay means from the second packet transmitting / receiving means. First protocol conversion means for converting a packet for communication according to a specific first protocol into a packet for communication according to a specific second protocol, which is held as address information of the destination terminal including.

  If this function addition device is relayed, the first protocol conversion means converts the packet according to the first protocol destined for the terminal on the first network into the second protocol. Therefore, even if the terminal on the first network cannot communicate with the first protocol, if the communication with the second protocol is possible, the terminal on the first network is not improved. , Packets from the second network according to the first protocol can be received and processed.

  More preferably, the second packet processing means further determines the source terminal and source application of the packet from the packet from the terminal on the second network received by the packet relay means from the second packet transmitting / receiving means. Source specifying information storage means for extracting and storing source specifying information for specifying is included. The second packet processing means further includes a destination terminal and a destination of a packet for communication according to the second protocol from a terminal on the first network received by the packet relay means from the first packet transmitting / receiving means. A second protocol converting unit for converting the packet into a packet for communication using the first protocol when the application matches the source specifying information stored in the source specifying information storing unit; Including.

  It is assumed that terminals on the first network can communicate with the second protocol, and terminals on the second network can communicate with the first protocol. When a packet on the first protocol is transmitted from a terminal on the second network to a terminal on the second network, the packet is converted into a packet based on the second protocol in the function addition device, and the first Sent to the terminal on the network. At the same time, the transmission source identification information of the terminal of the second network that is the transmission source is stored in the transmission source identification information storage means. After receiving this packet, the terminal on the first network returns a packet according to the second protocol for response. The function addition device converts the packet into a first protocol and transmits the packet to a designated transmission destination. At this time, the function addition device does not unconditionally convert the protocol. Such protocol conversion is performed when the packet received from the first network is the second protocol, and the transmission destination terminal and the application are stored in the transmission source identification information storage means. As a result, protocol conversion is performed only on the response packet to the packet according to the first protocol transmitted from the terminal on the second network to the terminal on the first network. As a result, even if the terminal on the first network does not have the function of processing the packet according to the first protocol, the terminal on the second network can process the packet according to the first protocol. looks like. That is, this function adding device adds a communication function based on the first protocol to the terminal on the first network.

  More preferably, the first protocol is a protocol for performing communication using a packet encrypted using an electronic self-signed certificate created from address information, and the second protocol is a packet that is not encrypted. It is a protocol for performing communication with. The function adding device further includes certificate storage means for creating and storing an electronic self-signed certificate using the source address information of the received packet. The second protocol conversion means includes a destination terminal and a destination application of packets for communication according to the second protocol from a terminal on the first network received by the packet relay means from the first packet transmitting / receiving means. Is encrypted with the electronic self-signed certificate stored in the certificate storage means when it matches the transmission source identification information stored in the transmission source identification information storage means, Means for converting into a packet for communication according to the first protocol is included.

  Even if the terminal on the first network cannot communicate with the encrypted packet, the function adding device relays between the first network and the second network, so that the terminal on the first network Communication with encrypted packets by the terminal becomes possible, and a certain security function can be added.

  More preferably, the first protocol is HTTPS and the second protocol is HTTP.

  For example, it is assumed that the terminal on the first network is a network device that does not support HTTPS. By interposing the function addition device between this terminal and the second network, the terminal on the first network seems to support HTTPS. As a result, it is possible to add an HTTPS communication function to the network device without improving the network device on the first network.

  More preferably, the function adding device is further connected to the first packet transmitting / receiving means, detects that the link with the terminal on the first network is lost, and stores the terminal stored in the address storage means Monitoring means for deleting the address information.

  The monitoring means detects the state of the link with the terminal on the first network, and when the link with the terminal on the first network is lost, the address information of the terminal is deleted from the address storage means. As a result, when a packet whose destination is the device on the first network is received from a terminal on the second network, a predetermined process is not performed on the packet. As a result, when the function addition device receives a packet from the second network, it is possible to perform appropriate processing according to whether or not a terminal is connected to the first network.

  More preferably, the second packet processing means generates an inquiry packet of the first protocol for inquiring information relating to the network device in response to newly storing some address information in the address storage means. Packet transmission means for sending the address information newly stored in the storage means as destination address information to the first network via the first packet transmission / reception means, and a response packet for the inquiry packet in the first In response to receiving from the packet transmission / reception means, network device information storage means for storing information relating to the network equipment included in the packet, and address information stored in the address storage means from the second network are transmitted. Inquire about information about network devices In response to receiving the inquiry packet of the second protocol for the network, information on the network device stored in the network device information storage unit is included, and the address information stored in the address storage unit is held as source address information. Generating a response packet of the second protocol having the transmission source terminal of the inquiry packet of the second protocol as a transmission destination, and sending the response packet to the second network via the second packet transmission / reception means .

  For example, it is assumed that a terminal on the first network can use the first protocol and cannot use the second protocol in order to reply to an inquiry about information about the network device. Further, it is assumed that the terminal on the second network can use the second protocol and cannot use the first protocol in order to inquire information about the network device. When a new terminal is connected to the first network, the packet transmitting means transmits an inquiry packet of the first protocol to the terminal. The network device information storage means stores network device information related to the terminal from the response packet to this packet. Further, if there is an inquiry about the network device information of the terminal on the first network by the second protocol from the terminal on the second network, this function adding device is based on the information stored in the network device information storage means. Responds with the second protocol. Therefore, if this function addition device is relayed, a terminal on the second network can acquire information on the terminal on the first network by an inquiry packet of the second protocol. There is no need to improve the terminal on the first network so that it can support the second protocol.

  More preferably, the first packet processing means includes condition storage means for storing a condition to be satisfied by a packet prohibited from being relayed from the second network to the first network. The first packet processing means determines whether or not the condition stored in the condition storage means is satisfied by the packet received from the second network by the second packet transmitting / receiving means, and if the condition is satisfied A means for discarding the packet; otherwise, relaying the packet to the first network via the first packet transmitting / receiving means.

  The function adding device discards the packet when the packet transmitted from the terminal on the second network satisfies the condition stored in the condition storage unit. Therefore, only the packet adapted to the terminal on the first network is transmitted to the terminal. Inappropriate packets that do not apply to terminals on the first network are discarded. As a result, the terminal on the first network is less likely to receive an inappropriate packet, and the security of the terminal can be improved.

  More preferably, the condition storage means further stores a condition to be satisfied by a packet prohibited from being relayed from the first network to the second network. The first packet processing means further determines whether or not the condition stored in the condition storage means is satisfied by the packet received from the first network by the first packet transmitting / receiving means, and if the condition is satisfied Includes means for discarding the packet, otherwise relaying the packet to the second network via the second packet transmitting / receiving means.

  Similarly, the function addition apparatus transmits only a packet adapted to the terminal on the second network, even if the packet is transmitted from the terminal on the first network to the terminal on the second network. Can do.

  More preferably, the first packet processing means includes a condition storage means for storing a condition to be satisfied by a packet permitted to be relayed from the second network to the first network, and a second packet transmitting / receiving means. The packet received from the second network determines whether or not the condition stored in the condition storage means is satisfied. If the condition is satisfied, the packet is transmitted to the first packet transmission / reception means via the first packet transmitting / receiving means. It includes means for relaying to the network and otherwise discarding the packet.

  The function addition device relays the packet to the first network only when the packet transmitted from the terminal on the second network satisfies the condition stored in the condition storage means, and otherwise In this case, the packet is discarded. Therefore, only the packet adapted to the terminal on the first network is transmitted to the terminal. Inappropriate packets that do not apply to terminals on the first network are discarded. As a result, the terminal on the first network is less likely to receive an inappropriate packet, and the security of the terminal can be improved.

  More preferably, the condition storage means further stores a condition to be satisfied by a packet permitted to be relayed from the first network to the second network. The first packet processing means further determines whether or not the condition stored in the condition storage means is satisfied by the packet received from the first network by the first packet transmitting / receiving means, and if the condition is satisfied Includes means for relaying the packet to the second network via the second packet transmitting / receiving means, and for discarding the packet otherwise.

  The function addition apparatus can transmit only a packet adapted to a terminal on the second network, even a packet transmitted from a terminal on the first network to a terminal on the second network.

  More preferably, each packet includes application specifying information for specifying an application that should process the packet at the destination terminal. The first packet processing means includes a table storage means for storing an application specific information conversion table storing a plurality of pairs of application specific information. Each of the plurality of pairs includes first application specifying information and second application specifying information. The first packet processing means further searches the table storage means for second application specifying information that matches the application specifying information of the packet from the second network received from the second network transmitting / receiving means, Means for replacing the application specific information in the packet with the second application specific information paired with the second application specific information.

  The function addition device replaces the application specifying information of the packet with the application specifying information adapted to each network for the packet received from the second network. Therefore, for the purpose of knowing the contents of services performed by the terminal on the first network, or for the purpose of unauthorized access, it is accessed from the terminal on the second network using commonly used application specifying information. Even if you try, it is not easily accessible. It also becomes difficult to know what service is provided with what application specific information in the terminal on the first network. As a result, the function addition device can enhance the security function of a terminal on the first network that does not have a sufficient security function.

  More preferably, the first packet processing means further searches the table storage means for first application specifying information that matches the application specifying information of the packet from the first network received from the first network transmitting / receiving means. Means for replacing the application specific information in the packet with the second application specific information paired with the retrieved first application specific information.

  For the packet from the first network, the application specific information is inversely converted by searching the table in reverse, and transmitted to the second network. Therefore, if this conversion table is known, packets relating to a specific application can be transmitted and received between terminals on the first and second networks. It is not easy to know from the outside what value is used as the application specifying information at that time. As a result, the function addition device can enhance the security function of a terminal on the first network that does not have a sufficient security function.

  More preferably, the first packet processing means further has no second application specifying information in the table storage means that matches the application specifying information of the packet from the second network received from the second network transmitting / receiving means. In response, including means for discarding the packet.

  A packet having application information that is not stored in the application specifying information is discarded by the first packet processing means. Therefore, it is possible to eliminate access from a terminal that does not grasp the contents of the conversion table to a terminal on the first network due to unauthorized information. As a result, the function addition device can protect a terminal on the first network that does not have a sufficient security function from unauthorized access.

  Hereinafter, the present invention will be described based on embodiments. In the drawings, the same parts are denoted by the same reference numerals, and detailed description thereof will not be repeated.

[First Embodiment]
<Configuration>
FIG. 1 shows a network environment diagram of a function addition device 100 according to the first embodiment of the present invention as an example of a function addition device according to the present invention.

  Referring to FIG. 1, a network 90 includes a network line 108, network terminals 104 and 106 connected to the network line 108, and a network device 102 having an HTTP communication function but not an HTTPS communication function. including. However, the network device 102 is connected to the network line 108 via the function adding device 100 for adding the function of HTTPS communication to the network device 102 according to the present embodiment. The network device 102 is connected to the function adding device 100 via a communication line 110. In the present embodiment, it is assumed that only one network device is connected to the function adding device 100 via the communication line 110.

  In the following description, it is assumed that the network device 102 is a built-in network device equipped with a WWW server that does not support HTTPS. On the other hand, it is assumed that the network terminal 104 and the network terminal 106 can communicate by HTTPS.

  FIG. 2 shows a hardware configuration diagram of the function addition device 100 according to the present embodiment. Referring to FIG. 2, function adding device 100 includes a CPU (Central Processing Unit) 200 and a ROM (Read-Only Memory) 202 that stores a bootup program of function adding device 100 and a program executed by CPU 200. Including. The function adding device 100 provides a connection to the communication line 110 and a RAM (Random Access Memory) 204 serving as a storage area for providing a work area used by the CPU 200, and a network terminal on the communication line 110. A first network interface 206 for sending and receiving packets between them and a second network interface 208 for providing a connection to the network line 108 and sending and receiving packets to and from network terminals on the network line 108 Further included.

  FIG. 3 is a functional block diagram of the function adding device 100. Referring to FIG. 3, function adding apparatus 100 transmits a packet based on the HTTPS protocol (hereinafter simply referred to as “HTTPS packet”) received by second network interface 208 from a network terminal connected to network line 108. The source terminal information storage area 260 for storing the original IP address and the port number, the IP address of the network device (in this embodiment, the network device 102) connected to the first network interface 206, and the HTTPS communication A certificate information storage area 262 for storing a certificate for storing the certificate. This IP address is acquired from a packet transmitted from the network device 102 by the function adding device as will be described later. Note that the first network interface 206 and the second network interface 208 in FIG. 3 include software programs such as the TCP / IP protocol for operating these physical interfaces described with reference to FIG.

  As will be described in detail later, the first network interface 206 and the second network interface 208 are network devices connected to the function addition apparatus 100 via the network and network devices in order to establish a TCP connection, respectively. 102 and a TCP connection establishment packet are transmitted / received to / from the network terminal. Here, the “TCP connection establishment packet” is a generic term for “TCP connection”, “TCP connection / response”, and “TCP response confirmation” packets, which will be described later.

  The function addition apparatus 100 further includes a transmission destination terminal information storage area 264 for storing a transmission source IP address and a MAC (Media Access Control) address of a packet received by the first network interface 206 from the network device 102. The network device 102 transmits such a packet only when a packet destined for the network device 102 is received from the outside. Therefore, here, the IP address of the network device 102 is called a “destination” address.

  The function addition device 100 further includes a first packet reception processing unit 250, an HTTP / HTTPS decoding processing unit 252, and a link monitoring unit 254. The first packet reception processing unit 250 has a first output path connected to an HTTP / HTTPS decode processing unit 252 described later, and a second output path connected to the first network interface 206. The first packet reception processing unit 250 receives the packet transmitted from the second network interface 208, and whether or not the transmission destination IP address and MAC address of the received packet are registered in the transmission destination terminal information storage area 264. Determine whether. If it is not registered, and even if it is registered, and the received packet is a packet other than a TCP connection establishment packet and a packet other than HTTPS, the first packet reception processing unit 250 receives the reception on the second output path. On the other hand, if the packet is an HTTPS packet, the received packet is transmitted to the first output path. On the other hand, in the case of a TCP connection establishment packet with a port number of 443, the first packet reception processing unit 250 establishes a TCP connection for HTTPS communication between the network terminal 104 and the function addition device 100 that is itself. In order to establish (port number = 443), the second network interface 208 is instructed to transmit and receive a TCP connection establishment packet with the network terminal 104, and the packet is discarded. The HTTP / HTTPS decoding processing unit 252 has an input connected to the first output path of the first packet reception processing unit 250, and is a network device 102 that is a transmission destination of an HTTPS packet received from the first output path. In order to establish a TCP connection (port number = 80) for HTTP communication between the network device 102 and the function addition apparatus 100, the first network interface 206 is instructed to send and receive a TCP connection establishment packet with the network device 102. The received packet is decoded into an HTTP packet with reference to the certificate information storage area 262, and the transmission source terminal information storage area 260 stores the IP address and port number of the transmission source of the packet. When the link monitoring unit 254 constantly monitors the link state between the first network interface 206 and the network device 102 and detects a transition from the connected state to the disconnected state, the link monitoring unit 254 sends the IP address and MAC address of the network device 102 to the transmission destination. Delete from the terminal information storage area 264.

  The function addition device 100 further includes a second packet reception processing unit 256 and an HTTP / HTTPS encoding processing unit 258. The second packet reception processing unit 256 includes a first output path connected to an HTTP / HTTPS encoding processing unit 258 described later and a second output path connected to the second network interface 208. The second packet reception processing unit 256 receives the packet from the first network interface 206 and extracts the transmission source IP address and the MAC address of the received packet. If they are not stored in the destination terminal information storage area 264, the second packet reception processing unit 256 registers each address in the destination terminal information storage area 264, and proves the corresponding to the source IP address of the packet If the certificate does not exist in the certificate information storage area 262, a self-signed certificate is created and stored in the certificate information storage area 262 together with the IP address of the network device 102. The second packet reception processing unit 256 further determines the source port number of the received packet, and if the source port number of the received packet is 80, outputs the received packet to the first output path, On the other hand, for other packets, the received packet is output to the second output path. The HTTP / HTTPS encoding processing unit 258 receives the packet from the second packet reception processing unit 256, and if the packet is an HTTP packet in response to the HTTPS packet, encodes it to HTTPS and outputs it to the second network interface 208. In other cases, the data is output to the second network interface 208 as it is.

  The HTTP / HTTPS encoding processing unit 258 determines whether or not the received packet should be encoded into HTTPS as follows. When the HTTP / HTTPS decoding processing unit 252 receives an HTTPS packet addressed to the network device 102, it stores the IP address and port number of the transmission source terminal of the packet in the transmission source terminal information storage area 260. When the HTTP / HTTPS encoding processing unit 258 receives a packet from the second packet reception processing unit, the HTTP / HTTPS encoding processing unit 258 refers to the transmission source terminal information storage area 260 and the combination of the IP address and port number of the transmission destination of the packet is the transmission source terminal If it does not exist in the information storage area 260, it is transmitted to the second network interface 208 as it is. If present, the certificate information storage area 262 is referred to, the IP address and the port number stored in the transmission source terminal information storage area 260 after being encoded into an HTTPS packet and transmitted to the second network interface 208 Delete the combination. In this way, the HTTP / HTTPS encoding processing unit 258 can determine whether or not the received packet should be encoded into HTTPS.

  That is, the first packet reception processing unit 250, the HTTP / HTTPS decoding processing unit 252, the second packet reception processing unit 256, and the HTTP / HTTPS encoding processing unit 258 include the first network interface 206 and the second network interface. 208, the packet is relayed between the terminal of the first network interface 206 and the terminal on the network line 108 without changing the IP address of the transmission source terminal and the IP address of the transmission destination terminal of each packet. Has function. However, as described above, these have a function of executing a specific process called protocol conversion on a relayed packet for a packet that satisfies a specific condition.

  The function addition apparatus 100 according to the present embodiment does not have its own IP address, and performs communication using the IP address of each network terminal connected to the network device 102 and the network line 108.

  FIG. 4 is a flowchart showing a control structure of a program when the function of the first packet reception processing unit 250 is realized by a computer program. All of the computer programs described below are stored in the ROM 202 shown in FIG. 2 and are executed as processes by the CPU 200 to realize the functions of the functional blocks.

  Referring to FIG. 4, in step 300, first packet reception processing unit 250 determines whether a packet is received from second network interface 208 or not. If the determination result is YES, the control proceeds to step 302, otherwise returns to step 300.

  In step 302, the first packet reception processing unit 250 determines whether or not the transmission destination IP address and MAC address of the received packet are registered in the transmission destination terminal information storage area 264. If the determination result is YES, the control proceeds to step 310, otherwise proceeds to step 306.

  In step 310, the first packet reception processing unit 250 determines whether or not the received packet is a TCP connection establishment packet. If the determination result is YES, the control proceeds to step 312, otherwise proceeds to step 304.

  In step 312, the first packet reception processing unit 250 determines whether the received TCP connection establishment packet is a packet for port number = 443. If the determination result is YES, the control proceeds to step 314, otherwise proceeds to step 306.

  In Step 314, the first packet reception processing unit 250 establishes a TCP connection with the network terminal that has transmitted the TCP connection establishment packet (port number = 443) to the second network interface 208. Instructs the terminal to send and receive a TCP connection establishment packet, and discards the packet. Thereafter, control returns to step 300.

  In step 304, the first packet reception processing unit 250 determines whether the received packet is based on HTTPS communication or not. If the determination result is YES, the control proceeds to step 308, otherwise proceeds to step 306.

  In step 308, the first packet reception processing unit 250 transmits the packet to the HTTP / HTTPS decoding processing unit 252 in order to decode the packet by HTTPS communication into a packet for HTTP, and returns to step 300. The actual operation in step 308 is performed by delivering packet data from the process functioning as the first packet reception processing unit 250 to the HTTP / HTTPS decoding process.

  On the other hand, in step 306, no processing is performed on the received packet, and the packet is transmitted to the first network interface 206. Thereafter, control returns to step 300.

  FIG. 5 is a flowchart showing a control structure of the program when the function of the link monitoring unit 254 is realized by a computer program. Referring to FIG. 5, in step 320, link monitoring unit 254 determines whether or not the link between first network interface 206 and network device 102 is disconnected. If the determination result is YES, the process proceeds to step 322, and otherwise, the process returns to step 320.

  In step 322, since the link with the network device 102 is disconnected, the link monitoring unit 254 deletes the IP address and MAC address stored in the transmission destination terminal information storage area 264 and returns to step 320. That is, the link monitoring unit 254 always monitors the first network interface 206, and when the link with the connected device is disconnected, the IP of the device stored in the destination terminal information storage area 264 is stored. A function of deleting an address and a MAC address is realized.

  FIG. 6 is a flowchart showing a control structure of a program when the function of the second packet reception processing unit 256 is realized by a computer program. Referring to FIG. 6, in step 330, second packet reception processing unit 256 determines whether a packet has been received from first network interface 206 or not. If the determination result is YES, the process proceeds to step 332; otherwise, the process returns to step 330.

  In step 332, the second packet reception processing unit 256 determines whether or not the IP address and MAC address of the network device 102 that is the transmission source of the received packet is stored in the transmission destination terminal information storage area 264. To do. If the determination result is YES, the process proceeds to step 344, and otherwise, the process proceeds to step 334.

  In step 334, the second packet reception processing unit 256 stores the transmission source IP address and MAC address of the packet in the transmission destination terminal information storage area 264. Control continues to step 336.

  In step 336, the second packet reception processing unit 256 determines whether an electronic self-signed certificate for HTTPS encoding already exists in the certificate information storage area 262 or not. If the determination result is YES, the process proceeds to step 338, and otherwise, the process proceeds to step 342.

  In step 338, referring to the certificate information storage area 262, the IP address of the self-signed certificate stored here and the source IP address of the packet received from the first network interface 206 (that is, the network device 102). IP address) is different or not. If the determination result is YES, the process proceeds to step 342, and otherwise, the process proceeds to step 344.

  In step 342, since the certificate for the IP address of the network device 102 connected to the first network interface 206 is not currently stored in the certificate information storage area 262, the second The packet reception processing unit 256 creates a new self-signed certificate for the IP address of the source terminal of the received packet. The second packet reception processing unit 256 stores the self-signed certificate and the source IP address of the received packet in the certificate information storage area 262 in association with each other, and proceeds to step 344.

  In step 344, the second packet reception processing unit 256 determines whether or not the transmission source port number of the received packet is 80. If the determination result is YES (port number = 80), the control proceeds to step 340, otherwise proceeds to step 346.

  In step 346, the second packet reception processing unit 256 transmits the received packet as it is to the second network interface 208, and the control returns to step 330.

  In step 340, the second packet reception processing unit 256 transmits the packet received from the first network interface 206 to the HTTP / HTTPS encoding processing unit 258. Thereafter, control returns to step 330.

  FIG. 7 is a flowchart showing the control structure of the program when the function of the HTTP / HTTPS encoding processing unit 258 is realized by a computer program. Referring to FIG. 7, in step 350, HTTP / HTTPS encoding processing unit 258 determines whether a packet is received from second packet reception processing unit 256 or not. If the determination result is YES, the process proceeds to step 352, and otherwise, the process returns to step 350.

  In step 352, first, the HTTP / HTTPS encoding processing unit 258 determines whether the received packet is an HTTP packet. As a result, if the packet is not an HTTP packet, control proceeds to step 356. If the packet is an HTTP packet, the HTTP / HTTPS encoding processing unit 258 determines whether the transmission destination IP address and the MAC address of the packet are present in the transmission source terminal information storage area 260 or not. This step is for determining whether the received packet is a response to the HTTPS packet decoded by the HTTP / HTTPS decoding processing unit 252 or not. If the received packet is a response to HTTP obtained by decoding HTTPS, the transmission source terminal information storage area 260 stores the transmission source IP address and port number of the original HTTPS packet. This is because the destination IP address and the port number of the HTTP packet transmitted from the network device 102 should match each other. If the determination result is YES, that is, if the transmission destination IP address and the MAC address of the packet exist in the transmission source terminal information storage area 260, the control proceeds to step 354, otherwise proceeds to step 356.

  In step 354, the HTTP / HTTPS encoding processing unit 258 refers to the self-signed certificate corresponding to the IP address of the network device 102 stored in the certificate information storage area 262, and converts the HTTP packet into an HTTPS packet. Encode. Next, the HTTP / HTTPS encoding processing unit 258 deletes the transmission destination IP address of the HTTP packet received from the transmission source terminal information storage area 260 and the corresponding port number. Thereafter, control proceeds to step 356.

  In step 356, the HTTP / HTTPS encoding processing unit 258 transmits the packet to the second network interface 208. Thereafter, control returns to step 350 to wait for the next packet.

<Operation>
The function addition device 100 described above operates as follows. Hereinafter, the operation will be described separately for the case of performing HTTP communication and the case of performing HTTPS communication.

  Referring to FIG. 3, initially, network device 102 is not connected to first network interface 206, and transmission source terminal information storage area 260, certificate information storage area 262, and transmission destination terminal information storage area 264. It is assumed that no information is stored in.

  When the function addition apparatus 100 starts to operate, the link monitoring unit 254 is activated, and starts monitoring the link state between the first network interface 206 and devices connected to the first network interface 206.

  Assume that the network device 102 is connected to the first network interface 206. In this case, the link monitoring unit 254 detects the establishment of the link between the first network interface 206 and the network device 102, but does nothing further. Thereafter, the link monitoring unit 254 monitors whether the link between the first network interface 206 and the network device 102 has been disconnected, that is, whether the link has been lost.

  When the link is disconnected, the link monitoring unit 254 refers to the transmission destination terminal information storage area 264 and deletes the registered information if the IP address and MAC address of the network device 102 are registered.

-HTTP communication-
FIG. 8 is a sequence diagram when HTTP communication is performed from the network terminal 104 connected to the network line 108 shown in FIG. 3 to the network device 102 via the function addition device 100. Referring to FIG. 8, it is assumed that HTTP communication is performed from network terminal 104 to network device 102.

  With reference to FIG. 8, first, an arrow 370 indicates that an ARP (Address Resolution Protocol) request is transmitted from the network terminal 104 to the network device 102. Initially, the network terminal 104 knows the IP address of the packet transmission destination, but does not know the MAC address corresponding to the IP address. This ARP request is broadcast by the network terminal 104 on the network line 108 in order to know the other party's MAC address.

  With reference to FIG. 3, the ARP request packet transmitted from the network terminal 104 is received by the first packet reception processing unit 250 via the second network interface 208. In the destination terminal information storage area 264, the IP address and MAC address of the network device 102 are not stored. Therefore, the first packet reception processing unit 250 gives the ARP request packet to the first network interface 206. The first network interface 206 transmits this ARP request packet to the network device 102. If the ARP request relates to the IP address of the network device 102, the network device 102 returns its own MAC address to the network terminal 104 as an ARP response. If the ARP request does not relate to its own IP address, the network device 102 returns nothing. In the following description, it is assumed that the ARP request is related to the IP address of the network device 102.

  With reference to FIG. 8, an arrow 372 indicates that the network device 102 returns an ARP response including the MAC address of the network device 102 to the network terminal 104.

  With reference to FIG. 3, the ARP response first reaches the second packet reception processing unit 256 from the network device 102 via the first network interface 206. The second packet reception processing unit 256 refers to the transmission destination terminal information storage area 264 and stores the IP address and MAC address of the network device 102 that is the transmission source of the ARP response packet in the transmission destination terminal information storage area 264. Check whether it is. At present, since nothing is registered in the destination terminal information storage area 264, the second packet reception processing unit 256 stores the source IP address and MAC address of the received packet in the destination terminal information storage area 264. sign up. Thereafter, the second packet reception processing unit 256 creates a self-signed certificate for this IP address, and stores the created certificate in the certificate information storage area 262 in association with the IP address. Thereafter, the second packet reception processing unit 256 transmits the packet to the HTTP / HTTPS encoding processing unit 258.

  In this way, the function addition device 100 can know the IP address and MAC address of the network device 102 by relaying communication between the network device 102 and other devices.

  The HTTP / HTTPS encoding processing unit 258 determines whether or not the combination of the transmission destination IP address and the port number of this packet is stored in the transmission source terminal information storage area 260. Here, nothing is stored in the source terminal information storage area 260, so the HTTP / HTTPS encoding processing unit 258 gives the packet to the second network interface 208 as it is. The second network interface 208 sends this packet over the network line 108. As a result, the ARP response reaches the network terminal 104. As a result, the network terminal 104 can know the MAC address of the network device 102.

  Referring to FIG. 8, an arrow 374 indicates that network terminal 104 performs packet communication with network device 102 to establish a TCP connection with a port number of 80. This means that a TCP connection is started on the HTTP port. At this time, the function addition apparatus 100 does not perform any processing on the packet transmitted from the network terminal 104, and the second network interface 208, the first packet reception processing unit 250, and the first network interface 206. The packet is transmitted to the network device 102 via. As described above with reference to FIG. 4, the reason is that the received TCP connection packet is one of the TCP connection establishment packets, but the port number is not 443. This is because the data is not processed and transmitted to the first network interface 206 as it is.

  With reference to FIG. 8, an arrow 376 indicates that the network device 102 transmits a packet response to the TCP terminal to the network terminal 104 in response to the TCP connection packet received by the arrow 374. At that time, the function addition device 100 does not perform any processing on the packet transmitted from the network device 102, and the first network interface 206, the second packet reception processing unit 256, and the HTTP / HTTPS encoding processing unit 258. The packet is transmitted to the network terminal 104 via the second network interface 208. The reason for this is that, referring to FIG. 6, since the transmission source port number of the received TCP connection / response packet is 80, this packet is transmitted to the HTTP / HTTPS encoding processing unit 258, and then, see FIG. Then, since the IP address and MAC address of the network terminal 104 are not registered in the transmission source terminal information storage area 260, the received TCP connection / response packet is not processed and is directly sent to the second network interface 208. It is because it is transmitted.

  An arrow 378 indicates that the network terminal 104 receives a response to the TCP connection from the network device 102 and transmits a packet for confirming the TCP response to the network device 102. The function addition device 100 does not perform any processing on this packet and transmits it to the network device 102. As described above with reference to FIG. 4, the reason is that the received TCP response confirmation packet is one of the TCP connection establishment packets, but the port number is not 443. Therefore, the first packet reception processing unit 250 This is because nothing is processed and the data is transmitted to the first network interface 206 as it is.

  As a result of such negotiation, a TCP connection between the network terminal 104 and the network device 102 is established.

  With reference to FIG. 8, an arrow 380 indicates that the network terminal 104 transmits a packet for an HTTP request to the network device 102.

  Referring to FIG. 3, function adding device 100 does not perform any processing for this HTTP request, and as a result, this packet reaches network device 102.

  Referring to FIG. 8, an arrow 382 indicates that the network device 102 transmits an HTTP response packet to the network terminal 104 in response to the received HTTP request.

  Referring to FIG. 3, since this packet is not a response to the HTTPS packet, function adding device 100 does not perform any processing on the packet, and first network interface 206, second packet reception processing unit 256, HTTP The packet is transmitted to the network terminal 104 via the / HTTPS encoding processing unit 258 and the second network interface 208.

-HTTPS communication-
FIG. 9 is a sequence diagram when performing HTTPS communication with the network device 102 from the network terminal 104 connected to the network line 108 shown in FIG. Referring to FIG. 9, it is assumed that network terminal 104 performs HTTPS communication with network device 102 as a destination.

  Referring to FIG. 9, arrows 390 and 392 indicate the same processes as arrows 370 and 372 shown in FIG. 8, respectively. If the IP address and the MAC address of the network device 102 are not stored in the transmission destination terminal information storage area 264, they are stored in the transmission destination terminal information storage area 264 through this process.

  Referring to FIG. 9, arrow 394 indicates that network terminal 104 performs packet communication with network device 102 to establish a TCP connection with port number = 443. This means that a TCP connection is started with the HTTPS protocol. Since the network device 102 does not support HTTPS communication, it cannot normally perform HTTPS communication. However, the function addition apparatus 100 according to the present embodiment allows the network device 102 to return an HTTPS response to this HTTPS packet as follows.

  The TCP connection for port number = 443 from the network terminal 104 is first received by the first packet reception processing unit 250 via the second network interface 208 of the function addition device 100. Since the received TCP connection packet is one of the TCP connection establishment packets and the port number is 443, the first packet reception processing unit 250 uses the network terminal 104 and itself with respect to the second network interface 208. An instruction is issued to establish a TCP connection with a certain function addition apparatus 100. Therefore, it is assumed that the following TCP connection negotiation (arrows 396 and 398) is executed by the second network interface 208 in the present embodiment.

  An arrow 396 indicates that a response to the TCP connection is transmitted from the second network interface 208 to the network terminal 104 in response to the TCP connection packet received at the arrow 394.

  When the network terminal 104 receives this response, as shown by an arrow 398, a packet for confirming the TCP response is transmitted to the network device 102 as the destination. Through the above negotiation, the network terminal 104 recognizes that the TCP connection with the network device 102 is established at the HTTPS port.

  Referring to FIG. 9, network terminal 104 transmits an HTTPS request packet to function adding device 100 as indicated by arrow 400. The second network interface 208 shown in FIG. 3 receives this packet and transmits it to the first packet reception processing unit 250.

  The first packet reception processing unit 250 refers to the transmission destination terminal information storage area 264 and confirms whether the transmission destination IP address and the MAC address of the packet are registered. Here, the IP address and MAC address of the network device 102 have already been registered. Therefore, the first packet reception processing unit 250 transmits the packet to the HTTP / HTTPS decoding processing unit 252.

  The HTTP / HTTPS decoding processing unit 252 shown in FIG. 3 is used for HTTP communication between the network device 102 that is the transmission destination of the HTTPS packet given from the first packet reception processing unit 250 and the function adding device 100. The first network interface 206 is instructed to establish a TCP connection (port number = 80) (arrows 412 414 416 in FIG. 9). This TCP connection is established with the source address and MAC address of the HTTPS request received at arrow 400 as the source address.

  Then, the received HTTPS packet is decoded into an HTTP packet (HTTPS → HTTP decoding process 402 in FIG. 9). At this time, the HTTP / HTTPS decoding processing unit 252 stores the source IP address and port number of the packet in the source terminal information storage area 260.

  Referring to FIG. 9, the HTTP / HTTPS decoding processing unit 252 is decoded using the TCP connection (port number = 80) established by the arrows 412, 414, and 416 as indicated by the arrow 404. An HTTP request is transmitted to the network device 102 via the first network interface 206.

  In response to this HTTP request, the WWW server in the network device 102 transmits an HTTP response to the function adding device 100 as indicated by an arrow 406.

  Referring to FIG. 3, first network interface 206 of function adding device 100 receives this HTTP response packet and provides it to second packet reception processing unit 256. The second packet reception processing unit 256 checks whether or not the transmission source IP address and MAC address of this packet are stored in the transmission destination terminal information storage area 264. Here, these pieces of information are already stored in the transmission destination terminal information storage area 264. The second packet reception processing unit 256 gives this packet to the HTTP / HTTPS encoding processing unit 258.

  The HTTP / HTTPS encoding processing unit 258 shown in FIG. 3 refers to the transmission source terminal information storage area 260 and confirms whether the received packet is a response packet to the decoded HTTP request. That is, the HTTP / HTTPS encoding processing unit 258 refers to the transmission source terminal information storage area 260, and whether the combination of the transmission destination IP address and the port number of the received packet is stored in the transmission source terminal information storage area 260. Determine whether or not. Here, these are stored in the source terminal information storage area 260 by the HTTP / HTTPS decoding processing unit 252. Therefore, the HTTP / HTTPS encoding processing unit 258 refers to the certificate information storage area 262, reads out the self-signed certificate corresponding to the source IP address of the received packet, and transmits the received HTTP response packet for the HTTPS response. Encode into a packet. Thereafter, the HTTP / HTTPS encoding processing unit 258 deletes the combination of the transmission destination IP address and the port number stored in the transmission source terminal information storage area 260. These processes are shown as HTTP → HTTPS encoding process 408 in FIG.

  The HTTP / HTTPS encoding processing unit 258 gives the HTTPS response packet obtained in this way to the second network interface 208, and the second network interface 208 sends the packet onto the network line 108. As a result, the encoded HTTPS response packet is transmitted to the network terminal 104 as indicated by an arrow 410 in FIG.

<Effect of the first embodiment>
By using the function addition device 100 according to the present embodiment, the function addition device 100 can additionally provide the network device 102 with an HTTPS communication function that the network device 102 does not have. Further, the function addition apparatus 100 does not need an IP address uniquely, and the user needs to make some settings in advance for any of the function addition apparatus 100, the network device 102, and the network terminal on the network line 108. Absent. If a network terminal on the network line 108 attempts HTTPS communication with the network device 102, the combination of the network device 102 and the function adding device 100 operates as if the HTTPS communication function has been added to the network device 102. That is, even if a network device has an HTTP communication function but does not have an HTTPS communication function, the function adding device 100 is interposed between the network line 108 and an external HTTPS protocol. Can respond. In this sense, the function adding device 100 can be said to be a device for adding an HTTPS communication function to the network device 102. Furthermore, no special setting is required for peripheral devices (including the function adding device 100) such as the network device 102, and the function adding device 100 may be simply installed between the network line 108 and the network device 102. Therefore, the function addition device 100 can meet the needs of consumers at all levels.

[Second Embodiment]
<Configuration>
FIG. 10 shows a functional block diagram of a function adding device 450 according to the second embodiment of the present invention. The function addition device 450 is for adding a communication function based on SLP to a network device that does not have a communication function based on SLP.

  As a network environment of the function addition device 450, a network environment almost similar to the network 90 shown in FIG. 1 is assumed. The function addition apparatus 450 described below is exactly the same as the function addition apparatus 100 shown in FIG. 1, and includes a target device (in this description, a network device 466 as shown in FIG. 10) and the network line 108. Can be installed between. Note that the network device 466 has an SNMP communication function but does not have an SLP communication function.

  Referring to FIG. 10, function adding device 450 includes a first network interface 206, a second network interface 208, a destination terminal information storage area 264, and a link monitoring unit 254 similar to those shown in FIG. . The function addition device 450 further includes a network device information storage area 452 and a first packet reception processing unit 456. The network device information storage area 452 stores network device information related to the network device 466 connected to the first network interface 206. The first packet reception processing unit 456 has an input path connected to the second network interface 208, and in response to receiving a packet from the second network interface 208, a destination terminal information storage area H.264 determines whether or not the IP address and MAC address of the transmission destination of the received packet are registered. If the received packet is not registered, and if the received packet is not a packet by SLP, the second If the packet is transmitted to the network interface 206, and the transmission destination IP address and the MAC address of the received packet are registered in the transmission destination terminal information storage area 264, and the packet is an SLP packet, the network device information Network devices stored in the storage area 452 To SLP response packet from the information as a response to the inquiry to the terminal that has transmitted the inquiry packet to generate a transmission via the second network interface 208.

  The function addition device 450 further includes a second packet reception processing unit 462 and an SNMP request transmission processing unit 458. The second packet reception processing unit 462 includes a first output path connected to an SNMP response analysis processing unit 464, which will be described later, a second output path connected to the second network interface 208, and a first output path. If the packet has an input path connected to the network interface 206, and the packet is received from the first network interface 206, the IP address and MAC address of the packet transmission source are not registered in the transmission destination terminal information storage area 264 The process of registering each address and the process of outputting to the first output if the received packet is a response packet to SNMP, and to the second output if the received packet is any other packet are performed. The SNMP request transmission processing unit 458 monitors whether the IP address and MAC address are registered in the destination terminal information storage area 264. When the IP address and MAC address are registered, the registered IP address is used as the destination. An SNMP request packet for requesting acquisition of the information of the network device is generated and transmitted to the network device 466 via the first network interface 206.

  The function adding device 450 further has an input connected to the first output of the second packet reception processing unit 462, receives the SNMP response packet from the second packet reception processing unit 462, analyzes the packet, An SNMP response analysis processing unit 464 for acquiring network information of the network device 466 and storing the acquired information in the network device information storage area 452 is included.

  FIG. 11 is a flowchart showing a control structure of the program when the function of the first packet reception processing unit 456 is realized by a computer program. Referring to FIG. 11, in step 480, first packet reception processing unit 456 determines whether a packet has been received from second network interface 208 or not. If the determination result is YES, the process proceeds to step 482, and otherwise, the process returns to step 480.

  In step 482, the first packet reception processing unit 456 determines whether the transmission destination IP address and MAC address of the received packet are registered in the transmission destination terminal information storage area 264 or not. If the determination result is YES, the process proceeds to step 484, and otherwise, the process proceeds to step 488.

  In step 484, it is determined whether the packet is an SLP request or not. If the determination result is YES, the process proceeds to step 486, and otherwise, the process proceeds to step 488.

  In step 486, the first packet reception processing unit 456 refers to the network device information storage area 452, acquires information on the network device 466, and generates a packet for an SLP response. The first packet reception processing unit 456 further transmits the generated packet to the network terminal that has transmitted the SLP request via the second network interface 208, and returns to step 480.

  On the other hand, in step 488, the packet is transmitted to the first network interface 206, and the process returns to step 480. That is, if the destination IP address and MAC address of the received packet are not registered in the destination terminal information storage area 264, and if it is registered but the packet is not an SLP request, nothing is done The packet is transmitted from the first network interface 206 to the network device 466.

  FIG. 12 is a flowchart showing a control structure of a program when the function of the second packet reception processing unit 462 is realized by a computer program. Referring to FIG. 12, in step 500, second packet reception processing unit 462 determines whether a packet has been received from first network interface 206 or not. If the determination result is YES, the process proceeds to step 502, and otherwise, the process returns to step 500.

  In step 502, the second packet reception processing unit 462 determines whether the transmission source IP address and the MAC address of the packet are registered in the transmission destination terminal information storage area 264 or not. If the determination result is YES, the process proceeds to step 504, and otherwise, the process proceeds to step 506.

  In step 506, the transmission source IP address and MAC address of the received packet are stored in the transmission destination terminal information storage area 264, and the process proceeds to step 504.

  In step 504, it is determined whether the packet is an SNMP response or not. If the determination result is YES, the control proceeds to step 508, otherwise proceeds to step 510.

  In step 508, the second packet reception processing unit 462 transmits the packet to the SNMP response analysis processing unit 464 and returns to step 500. On the other hand, in step 510, the second packet reception processing unit 462 transmits the packet to the second network interface 208 and returns to step 500.

<Operation>
The function addition device 450 described above operates as follows.

  Referring to FIG. 10, it is assumed that no information is initially stored in network device information storage area 452 and transmission destination terminal information storage area 264. Also, it is assumed that no network device is connected to the first network interface 206. When the network device 466 is connected to the first network interface 206, the link monitoring unit 254 starts monitoring whether or not the link between the first network interface 206 and the network device 466 is disconnected.

  FIG. 13 is a sequence diagram when the network terminal 104 connected to the network line 108 shown in FIG. 10 performs SLP communication using the network device 466 as a destination via the function addition device 100.

  Referring to FIG. 13, first, as indicated by an arrow 520, some packet, for example, an ARP request is transmitted from the network terminal 104 to the network device 466.

  Referring to FIG. 10, the ARP request packet transmitted from network terminal 104 is received by first packet reception processing unit 456 via second network interface 208. In this state, the destination IP address and the MAC address of the packet are not yet stored in the destination terminal information storage area 264 (NO in step 482 in FIG. 11). Therefore, the first packet reception processing unit 456 transmits this packet to the network device 466 via the first network interface 206 (FIG. 11, step 488).

  Referring to FIG. 13, as indicated by an arrow 522, the network device 466 returns an ARP response to which the MAC address information of the network device 466 is added to the network terminal 104. At this time, referring to FIG. 10, the ARP response is first received by the second packet reception processing unit 462 from the network device 466 via the first network interface 206. The second packet reception processing unit 462 refers to the destination terminal information storage area 264 and confirms whether the source IP address and the MAC address of the ARP response packet are stored. At present, nothing is registered (NO in step 502 in FIG. 12), so the source IP address and MAC address of the packet are registered in the destination terminal information storage area 264 (step 506 in FIG. 12). Since this packet (ARP response) is not an SNMP response packet (NO in step 504 in FIG. 12), the second packet reception processing unit 462 gives this ARP response packet to the second network interface 208 (FIG. 12). , Step 510), so that the packet reaches the network terminal 104.

  When the ARP response passes through the function addition device 450, the IP address and MAC address of the network device 466 are stored in the destination terminal information storage area 264 (FIG. 12, step 506). Is detected. Therefore, the SNMP request transmission processing unit 458 generates an SNMP request packet for acquiring information on the network device 466 and transmits the packet to the network device 466 via the first network interface 206 as indicated by an arrow 524. To do.

  Referring to FIG. 13, in response to this SNMP request, an SNMP response packet is transmitted from network device 466 to function adding device 450 as indicated by arrow 526. Referring to FIG. 10, the packet for the SNMP response is given from first network interface 206 to second packet reception processing unit 462. Since the IP address and MAC address of the network device 466 are already registered in the destination terminal information storage area 264 (YES in step 502 in FIG. 12), the second packet reception processing unit 462 determines whether the received packet is an SNMP response. It is determined whether or not (FIG. 12, step 504). Since the received packet is an SNMP response (YES in step 504), second packet reception processing unit 462 transmits this SNMP response packet to SNMP response analysis processing unit 464. The SNMP response analysis processing unit 464 analyzes the SNMP response packet and acquires information of the network device 466. The acquired information is stored in the network device information storage area 452.

  Referring to FIG. 13, it is assumed that network terminal 104 on network line 108 starts a TCP connection with network device 466 at the SLP port as indicated by arrow 528. The second network interface 208 of the function adding device 450 receives this packet.

  The second network interface 208 of the function addition device 450 transmits a response to the TCP connection to the network terminal 104 as indicated by an arrow 530. In response to this, the network terminal 104 transmits a packet for TCP response confirmation with the network device 466 as the destination as indicated by an arrow 532. In this way, the network terminal 104 recognizes that a TCP connection is established with the network device 466 at the SLP port.

  The network terminal 104 transmits an SLP request with the network device 466 as the destination, as indicated by an arrow 534 in FIG. The destination of the SLP request is the network device 466, but the first packet reception processing unit 456 (see FIG. 10) of the function adding device 450 responds to the SLP request, and the network device information storage area 452 to the network device 466 The device information is read and an SLP response packet is transmitted to the network terminal 104 as indicated by an arrow 536. The SLP response packet reaches the network terminal 104 via the second network interface 208 and the network line 108.

  Note that SLP communication is possible not only by TCP but also by UDP, and in this case, step 528, step 530, and step 532 become unnecessary.

<Effects of Second Embodiment>
By using the function addition device 450 according to the present embodiment, the network device 466 that does not support SLP can respond to the SLP request from the network terminal 104. Actually, the function adding device 450 makes this response, but when viewed from the network terminal 104, it appears that the network device 466 is responding. Therefore, the network terminal 104 can acquire network information of the network device 466 that does not support SLP by using SLP communication. At this time, it is not necessary to assign a unique IP address to the network device 466, and the user does not need to make any settings in advance for the function adding device 450, the network device 466, and the network terminal 104. Therefore, the function addition apparatus 450 can respond to consumer needs at all levels. Furthermore, it becomes possible to connect a network device that does not support SLP to a network that employs IPv6 and does not use broadcast, and can use it from other network terminals.

[Third Embodiment]
<Configuration>
FIG. 14 shows a functional block diagram of a function adding device 550 according to the third embodiment of the present invention. This function addition device 550 is also installed between the target device and the network line, as in the first and second embodiments. In the following description, it is assumed that the network device 560 is connected to the function adding device 550.

  Referring to FIG. 14, function adding apparatus 550 includes first network interface 206 and second network interface 208 and a packet transmitted from a network terminal connected to network line 108 to network device 560 as a destination. A filter information storage area 552 for storing filter information, which is a condition for specifying what should be discarded, and a condition connected to receive a packet from the second network interface 208 and stored in the filter information storage area 552 The first packet reception processing unit 554 for discarding packets matching the above and transmitting other packets to the network device 560 via the first network interface 206, and packets from the first network interface 206 A second packet reception processing unit 556 for discarding packets that are connected to receive and meet the conditions stored in the filter information storage area 552 and transmitting other packets to the second network interface 208 as they are. Including.

  In the function addition device 550 according to the present embodiment, the filter information storage area 552 stores the port number, IP address, and MAC address of the packet. The first packet reception processing unit 554 uses the port number, IP, or IP address stored in the filter information storage area 552 as one of the port number, IP address, and MAC address of the packet received from the second network interface 208. It is determined whether or not the address and the MAC address match. If there is a match, the packet is discarded, and if it does not match, the packet is transmitted to the first network interface 206. The function of the second packet reception processing unit 556 is the same as that of the first packet reception processing unit 554.

  Note that the user can determine in advance whether or not to perform this filtering process.

  FIG. 15 is a flowchart showing a control structure of a program when the function of the first packet reception processing unit 554 is realized by a computer program. Referring to FIG. 15, in step 570, first packet reception processing section 554 determines whether a packet has been received from second network interface 208 or not. If the determination result is YES, the process proceeds to step 572, and otherwise, the process returns to step 570.

  In step 572, the first packet reception processing unit 554 determines whether one of the port number, IP address, and MAC address of the received packet matches that stored in the filter information storage area 552. judge. If the determination result is YES, the process proceeds to step 574, and otherwise, the process proceeds to step 576.

  In step 574, the first packet reception processing unit 554 discards the received packet and returns to step 570.

  On the other hand, in step 576, the first packet reception processing unit 554 transmits the received packet to the first network interface 206, and returns to step 570.

<Operation>
The function addition device 550 whose configuration has been described above operates as follows. Referring to FIG. 14, it is assumed that a packet is transmitted from network terminal 104 connected to network line 108 to network device 560. It is assumed that a plurality of port numbers, IP addresses, and MAC addresses to be discarded are stored in the filter information storage area 552 in advance.

  The packet transmitted from the network terminal 104 reaches the first packet reception processing unit 554 via the network line 108 and the second network interface 208. The first packet reception processing unit 554 determines whether any one of the port number, IP address, and MAC address of the received packet matches that stored in the filter information storage area 552. If stored (YES in step 572 in FIG. 15), the first packet reception processing unit 554 discards the received packet (step 574); otherwise (NO in step 572), the first packet reception processing unit 554 discards the first packet. The data is transmitted to the network interface 206 (step 576). The first network interface 206 transmits the packet to the network device 560, and the packet reaches the network device 560 via the communication line 110.

  Since the received packet is addressed to itself, the network device 560 performs some processing on this packet, generates a response packet, and transmits the response packet to the network terminal 104. This packet is received by the second packet reception processing unit 556 via the communication line 110 and the first network interface 206.

  The second packet reception processing unit 556 matches the port number, IP address, and MAC address of the received packet with any of the port number, IP address, and MAC address stored in the filter information storage area 552. It is determined whether or not the condition is satisfied. If the condition is satisfied, the second packet reception processing unit 556 discards the packet, and transmits the packet to the second network interface 208 otherwise. The second network interface 208 transmits this packet over the network line 108. As a result, the response packet reaches the network terminal 104.

<Effect of the third embodiment>
By using the function addition device 550 according to the present embodiment, the function addition device 550 can discard a packet having an invalid port number, IP address, or MAC address for the network device 560. Therefore, the network device 560 that does not have a sufficient security function can be protected from unauthorized access by the above filtering process.

  In this embodiment, filtering processing is performed not only on packets addressed to the network device 560 but also on packets from the network device 560. However, the present invention is not limited to such an embodiment. Only one of the first packet reception processing unit 554 and the second packet reception processing unit 556 may be employed.

  In this embodiment, when a packet satisfies a certain condition, the packet is discarded and another packet is relayed. However, the present invention is limited to such an embodiment. Not. For example, when a packet satisfies a certain condition, the packet is relayed. In other cases, the packet may be discarded.

[Fourth Embodiment]
<Configuration>
FIG. 16 shows a functional block diagram of a function adding device 600 according to the fourth embodiment of the present invention. The network environment of the function addition device 600 is almost the same as the network environment shown in FIG. Further, the hardware configuration of the function adding device 600 is almost the same as the hardware configuration shown in FIG.

  Function addition apparatus 600 according to the present embodiment converts a destination port number of a packet received from outside by function addition apparatus 600 into a port number used by a network device connected to function addition apparatus 600, and reversely functions. It has a function of performing the reverse conversion to the transmission source port number transmitted from the network device connected to the additional device 600.

  Referring to FIG. 16, function adding device 600 includes a first network interface 206 and a second network interface 208. Network devices are connected to the first network interface 206, and the second network interface 208 is connected to the network line 108. In the following description, it is assumed that the network device connected to the first network interface 206 is the network device 610.

  The function addition device 600 further stores a correspondence between a port number used between network terminals connected to the network line 108 and a port number used by an application (service) operating on the network device 610. A packet is received from the port number conversion information storage area 602 and the second network interface 208, and the port number of the received packet is applied to the application of the network device 610 according to the correspondence stored in the port number conversion information storage area 602. The first packet reception processing unit 604 for transmitting the updated packet to the first network interface 206, the packet received from the first network interface 206, and the port of the received packet Number Second packet reception processing for returning to the port number for the external network device in accordance with the association stored in the port number conversion information storage area 602 and transmitting the updated packet to the second network interface 208 Part 606.

  An example of information stored in the port number conversion information storage area 602 is shown in Table 1, and details of this information will be described with reference to Table 1.

このテーブル１は、外部ポート番号と、内部ポート番号との対からなるエントリを複数個格納している。

This table 1 stores a plurality of entries consisting of pairs of external port numbers and internal port numbers.

  Here, the external port number refers to a port number that looks like a port number used by a service provided by the network device 610 when viewed from a network terminal connected to the network line 108. That is, the external port number is a port number before being converted by the first packet reception processing unit 604. On the other hand, the internal port number is a port number used in a service provided by the network device 610.

  The internal port number is also a port number to be replaced by the second packet reception processing unit 606. That is, the second packet reception processing unit 606 receives a packet transmitted from the network device 610 from the first network interface 206, and refers to the corresponding external port with reference to Table 1 for its port number (internal port number). It has the function of converting it into a number and sending the updated packet over the network.

  In the present embodiment, among the packets received from the outside, a packet having a port number not included in the external port number of Table 1 is discarded by the first packet reception processing unit 604. Similarly, of the packets output from the network device 610, packets having a port number other than the internal port number held in the port number conversion information storage area 602 are also discarded by the second packet reception processing unit 606. Therefore, even if the internal port number is directly designated from the outside and the packet is transmitted to the network device 610, the first packet reception processing unit 604 is not used unless the external port number matching the internal port number is in the table 1. Causes the packet to be discarded. Even if the designated port number coincides with the external port number in the table 1, the port number is converted into a port number completely different from the original number and transmitted to the network device 610. Therefore, a desired service cannot be received from the network device 610 unless the contents of the table 1 are known.

  FIG. 17 is a flowchart showing a program control structure when the function of the first packet reception processing unit 604 is realized by a computer program. Referring to FIG. 17, in step 620, first packet reception processing unit 604 determines whether a packet is received from second network interface 208 or not. If the determination result is YES, the process proceeds to step 622, and otherwise, the process returns to step 620.

  In step 622, the first packet reception processing unit 604 refers to the port number conversion information storage area 602 to check whether the destination port number of the received packet exists in the external port number column shown in Table 1 or not. Judge whether or not. If the determination result is YES, the process proceeds to step 624, and otherwise, the process proceeds to step 628.

  In step 628, the first packet reception processing unit 604 discards the received packet and returns to step 620.

  In step 624, the destination port number of the packet is replaced with the corresponding internal port number. Control continues to step 626.

  In step 626, the packet is transmitted to the first network interface 206. Control returns to step 620.

  FIG. 18 is a flowchart illustrating a control structure of a program when the function of the second packet reception processing unit 606 is realized by a computer program. Referring to FIG. 18, in step 640, second packet reception processing unit 606 determines whether a packet has been received from first network interface 206 or not. If the determination result is YES, the process proceeds to step 642, and otherwise, the process returns to step 640.

  In step 642, the second packet reception processing unit 606 refers to the port number conversion information storage area 602 and determines whether the source port number of the received packet exists in the internal port number column shown in Table 1. Determine if not. If the determination result is YES, the process proceeds to step 644, and otherwise, the process proceeds to step 648.

  In step 648, the second packet reception processing unit 606 discards the received packet and returns to step 640.

  In step 644, the transmission source port number of the packet is converted into an external port number corresponding to the internal port number matched in step 642. Control continues to step 646.

  In step 646, the packet is sent to the second network interface 208. Thereafter, control returns to step 640.

<Operation>
The function addition apparatus 600 having the above-described configuration operates as follows. Referring to FIG. 16, packet transmission is performed from network terminal 104 connected to network line 108 to network device 610, and response is returned from network device 610 to transmission source network terminal 104. The operation will be described. In the port number conversion information storage area 602, it is assumed that a plurality of entries including an external port number and an internal port number are stored in advance as shown in Table 1.

  Referring to FIG. 16, the packet transmitted from network terminal 104 reaches first packet reception processing unit 604 via network line 108 and second network interface 208.

  The first packet reception processing unit 604 refers to the port number conversion information storage area 602, converts the port number if the destination port number of the received packet is to be converted, and transmits the converted port number to the first network interface 206. To do. If not converted, the packet is discarded.

  The first network interface 206 transmits the received packet to the network device 610. The packet reaches the network device 610 via the communication line 110.

  If the destination IP address of the received packet is its own IP address and the port number matches the port number of the application service provided by the network device 610, the network device 610 executes the service and receives the received packet A response packet having the same port number as the transmission source port number is generated and transmitted to the network terminal 104. The response packet reaches the second packet reception processing unit 606 via the communication line 110 and the first network interface 206. On the other hand, if the destination IP address of the received packet does not match the IP address of the network device 610, or does not match the port number of the application service provided by the network device 610, the network device 610 does nothing. .

  The second packet reception processing unit 606 refers to the port number conversion information storage area 602 and determines whether the source port number of the received packet exists in the internal port number column. If it exists, the source port number of the received packet is converted into a corresponding external port number and transmitted to the second network interface 208. If it does not exist, the packet is discarded.

  In this way, the packet transmitted from the network device 610 reaches the network terminal 104 via the second network interface 208 and the network line 108.

  For example, it is assumed that the destination port number of a packet transmitted from an external network terminal to the network device 610 is “62947”. Referring to Table 1, since the external port number has “62947”, the first packet reception processing unit 604 converts the destination port number of the received packet into the corresponding internal port number “443”. The packet updated in this way is transmitted to the network device 610. If the network device 610 is a device capable of HTTPS communication and the WWW server is activated in the network device 610, the WWW server outputs an HTTPS response packet as a response to this packet.

  In this case, the source port number of the response packet is again 443. The second packet reception processing unit 606 finds the external port number “62947” corresponding to the internal port number “443” from the table 1, replaces the transmission source port number with this value, and sends the updated packet to the first packet. 2 to the outside via the network interface 208. The external network terminal receives this packet and performs predetermined processing. Since the destination port number of the packet transmitted first by the network terminal is also “62947”, this network terminal can take a correspondence between the transmitted packet and the received packet.

  On the other hand, it is assumed that an external network terminal transmits, for example, a packet with port number = 443 to the network device 610. The first packet reception processing unit 604 of the function addition device 600 discards this packet because the external port number = 443 is not in the table 1. Therefore, an external network terminal cannot receive an HTTPS communication service by the network device 610.

  Thus, by replacing the port number between the inside and the outside, the port number provided by the network device 610 is actually the same as the general port number, but the service provided by the network device 610 is externally provided. The port number appears to be a special number. Therefore, it is not possible from outside to know what kind of service the network device 610 provides, or what port number is used to access the service by which protocol. As a result, when the network device 610 does not have a sufficient security function, the security can be increased by the function adding device 600.

<Effect of the fourth embodiment>
As described above, by using the function addition device 600 according to the present embodiment, for the purpose of knowing the service contents of the network device 610 from the network terminal connected to the network line 108, or for the purpose of unauthorized access, Even if an attempt is made to access the network device 610 using a commonly used port number, it cannot be easily accessed. It also becomes difficult to know what service is provided by what port number in the network device 610. As a result, the security function of a network device that does not have a sufficient security function can be enhanced by the function adding device 600.

  Note that the network terminal 104 and the network terminal 106 described in the operations of the first to fourth embodiments do not have to be PCs, and may be any network terminals.

  The embodiment disclosed herein is merely an example, and the present invention is not limited to the above-described embodiment. The scope of the present invention is indicated by each claim in the claims after taking into account the description of the detailed description of the invention, and all modifications within the meaning and scope equivalent to the wording described therein are intended. Including.

It is a figure which shows the network environment of the function addition apparatus 100 which concerns on the 1st Embodiment of this invention. It is a figure which shows the hardware constitutions of the function addition apparatus 100 which concerns on the 1st Embodiment of this invention. It is a block diagram which shows the schematic functional structure of the function addition apparatus 100 which concerns on the 1st Embodiment of this invention. 4 is a flowchart showing a control structure of a computer program that implements a first packet reception processing unit 250 of FIG. 3. It is a flowchart which shows the control structure of the computer program which implement | achieves the link monitoring part 254 of FIG. 4 is a flowchart showing a control structure of a computer program that implements a second packet reception processing unit 256 of FIG. 3. 4 is a flowchart showing a control structure of a computer program for realizing the HTTP / HTTPS encoding processing unit 258 of FIG. 3. It is a figure which shows the sequence when performing HTTP communication in the function addition apparatus 100 which concerns on the 1st Embodiment of this invention. It is a figure which shows the sequence at the time of performing HTTPS communication in the function addition apparatus 100 which concerns on the 1st Embodiment of this invention. It is a block diagram which shows the schematic functional structure of the function addition apparatus 450 which concerns on the 2nd Embodiment of this invention. It is a flowchart which shows the control structure of the computer program which implement | achieves the 1st packet reception process part 456 of FIG. It is a flowchart which shows the control structure of the computer program which implement | achieves the 2nd packet reception process part 462 of FIG. It is a figure which shows the sequence of the process which acquires the information of a network device by SLP communication in the function addition apparatus 450 which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the schematic functional structure of the function addition apparatus 550 which concerns on the 3rd Embodiment of this invention. It is a flowchart which shows the control structure of the computer program which implement | achieves the 1st packet reception process part 554 of FIG. It is a block diagram which shows the schematic functional structure of the function addition apparatus 600 which concerns on the 4th Embodiment of this invention. It is a flowchart which shows the control structure of the computer program which implement | achieves the 1st packet reception process part 604 of FIG. It is a flowchart which shows the control structure of the computer program which implement | achieves the 2nd packet reception process part 606 of FIG.

Explanation of symbols

90 network 100, 450, 550, 600 function adding device 104, 106 network terminal 108 network line 110 communication line 206 first network interface 208 second network interface 250, 456, 554, 604 first packet reception processing unit 252 HTTP / HTTPS decoding processing unit 254 Link monitoring unit 256, 462, 556, 606 Second packet reception processing unit 258 HTTP / HTTPS encoding processing unit 260 Source terminal information storage area 262 Certificate information storage area 264 Transmission destination terminal information storage Area 452 Network device information storage area 458 SNMP request transmission processing section 464 SNMP response analysis processing section 552 Filter information storage area 602 Port number conversion information storage area

Claims (15)

First packet transmitting / receiving means for transmitting / receiving packets to / from a terminal on the first network;
Second packet transmitting / receiving means for transmitting / receiving packets to / from a terminal on the second network;
Address information of the source terminal of each packet between the terminal on the first network and the terminal on the second network using the first packet transmitting / receiving means and the second packet transmitting / receiving means. And packet relay means for relaying the packet without changing the address information of the destination terminal,
A first packet processing unit for performing a predetermined process on a packet satisfying a specific condition among the packets received by the packet relay unit;
Thereby, a function adding device for adding a function by the predetermined process to the terminal on the first network. The first packet processing means includes:
Address storage means for extracting and storing address information of a source terminal from a packet received by the first packet transmitting / receiving means from a terminal on the first network;
Of the packets relayed from the second network to the first network by the packet relay means, the packet having the address information stored in the address storage means as the address information of the destination terminal The function adding device according to claim 1, further comprising second packet processing means for performing a predetermined process.   The second packet processing means receives the address information stored in the address storage means among the packets from the terminals on the second network received by the packet relay means from the second packet transmitting / receiving means. A first protocol conversion for converting a packet for communication according to a specific first protocol into a packet for communication according to a specific second protocol, which is held as address information of a destination terminal The function adding device according to claim 2, comprising means. The second packet processing means further includes
Source identification information for identifying the source terminal and source application of the packet is extracted from the packet from the terminal on the second network received by the packet relay means from the second packet transmitting / receiving means. Transmission source specific information storage means for storing and storing;
A destination terminal and a destination application of a packet for communication according to the second protocol from a terminal on the first network received by the packet relay means from the first packet transmitting / receiving means are the transmission Second protocol conversion means for converting the packet into a packet for communication using the first protocol when it matches the transmission source identification information stored in the original identification information storage means The function addition apparatus according to claim 3. The first protocol is a protocol for performing communication with a packet encrypted using an electronic self-signed certificate created from address information, and the second protocol is a communication with an unencrypted packet. Is a protocol for performing
The function adding device further includes certificate storage means for creating and storing the electronic self-signed certificate using the source address information of the received packet,
The second protocol conversion unit is a transmission destination of a packet for communication according to the second protocol from a terminal on the first network received by the packet relay unit from the first packet transmission / reception unit. When the terminal and the destination application coincide with the transmission source identification information stored in the transmission source identification information storage unit, the packet is transferred to the electronic self-signed certificate stored in the certificate storage unit. The function adding device according to claim 4, further comprising means for converting into a packet for communication according to the first protocol by using and encrypting.   The function addition device according to claim 5, wherein the first protocol is HTTPS (HyperText Transfer Protocol Security), and the second protocol is HTTP (HyperText Transfer Protocol).   Further, it detects that the link with the terminal on the first network is lost, connected to the first packet transmitting / receiving means, and deletes the address information of the terminal stored in the address storage means. The function addition apparatus according to claim 2, comprising monitoring means for performing the operation. The second packet processing means includes:
In response to the fact that some address information has been newly stored in the address storage means, an inquiry packet of a first protocol for inquiring information on network equipment is generated, and the address information newly stored in the address storage means Packet transmission means for sending to the first network via the first packet transmission / reception means as destination address information,
In response to receiving a response packet to the inquiry packet from the first packet transmitting / receiving unit, network device information storage unit for storing information about the network device included in the packet;
In response to receiving an inquiry packet of a second protocol for inquiring information about a network device, using the address information stored in the address storage means as a transmission destination from the second network, the network device information Including the information on the network device stored in the storage means, having the address information stored in the address storage means as source address information, and having the source terminal of the inquiry packet of the second protocol as a destination The function adding device according to claim 2, further comprising: means for generating a response packet of the second protocol and sending the response packet to the second network via the second packet transmitting / receiving means. The first packet processing means includes:
Condition storage means for storing a condition to be satisfied by a packet prohibited from being relayed from the second network to the first network;
The second packet transmission / reception means determines whether or not the condition stored in the condition storage means is satisfied by the packet received from the second network. If the condition is satisfied, the packet is discarded. In other cases, the function adding device according to claim 1, further comprising means for relaying the packet to the first network via the first packet transmitting / receiving means. The condition storage unit further stores a condition to be satisfied by a packet prohibited from being relayed from the first network to the second network. The first packet processing unit further includes the first packet transmitting / receiving unit. Determines whether the condition stored in the condition storage means is satisfied by the packet received from the first network. If the condition is satisfied, the packet is discarded. Otherwise, the packet is discarded. The function adding device according to claim 9, further comprising means for relaying the packet to the second network via the second packet transmitting / receiving means. The first packet processing means includes:
Condition storage means for storing a condition to be satisfied by a packet permitted to be relayed from the second network to the first network;
The second packet transmission / reception means determines whether or not the condition stored in the condition storage means is satisfied by the packet received from the second network. 2. The function adding device according to claim 1, further comprising: a relay unit that relays the packet to the first network via one packet transmission / reception unit, and discards the packet otherwise. The condition storage means further stores a condition to be satisfied by a packet that is permitted to be relayed from the first network to the second network. The first packet processing means further includes the first packet transmitting / receiving means. Determines whether the condition stored in the condition storage means is satisfied by a packet received from the first network, and if satisfied, the packet is transmitted via the second packet transmitting / receiving means. The function adding device according to claim 11, further comprising means for relaying to the second network and otherwise discarding the packet. Each packet includes application specifying information for specifying an application that should process the packet at the destination terminal,
The first packet processing means includes table storage means for storing an application specific information conversion table storing a plurality of pairs of the application specific information, and each of the plurality of pairs includes first application specific information. And second application specific information,
The first packet processing means further includes
The second application specifying information that matches the application specifying information of the packet from the second network received from the second network transmitting / receiving means is searched in the table storage means, and the searched second The function adding device according to claim 1, further comprising means for replacing the application specifying information in the packet with the second application specifying information paired with the application specifying information. The first packet processing means further includes
The first application specifying information that matches the application specifying information of the packet from the first network received from the first network transmitting / receiving means is searched in the table storage means, and the searched first first 14. The function adding device according to claim 13, comprising means for replacing the application specifying information in the packet with the second application specifying information paired with the application specifying information.   The first packet processing means further includes the second application specifying information matching the application specifying information of the packet from the second network received from the second network transmitting / receiving means in the table storage means. 15. The function adding device according to claim 13, further comprising means for discarding the packet in response to the absence.

Images